Welcome to the first of a series of blog posts on Malware Evolution. Through the series we’ll be covering modern malware types including bots, denial of service attacks, Ransomware and banking Trojans. We will look at the tactics and trends that have utilised new techniques. In addition, we’ll examine the reuse of existing methodology in new ways, which attempt to thwart detection and increase malicious efficiency. The series will highlight why it is essential for us as Incident Responders to be prepared for what our adversaries are operating with.
As everyone knows, it is essential to defend against and respond readily to the inevitable network attack. Part of our structured defence regime must be to understand the nature of a threat, its delivery mechanisms and its operational and evasion techniques.
The evolution of malware species has taken a drastically different route to that of the first recognised PC virus, the Brain virus. Written in 1986, it is believed to have been conceived by the Alvi brothers in Lahore, Pakistan, in an attempt to determine the extent of software piracy relating to one of their own programs. The virus was so named because it labelled each infected floppy disk with ©Brain. It infected the first sector, or boot sector, of the floppy disk in order to load, and it was memory resident, demonstrating an element of stealth functionality.
By stark contrast today’s malware is malevolent. Its potency lies in the fact that it is almost entirely driven by financial gain to the attacker - or loss to the victim. The range of modern malware is wide and far reaching. It may encompass a denial of service program designed to transform an innocent user’s computer into an unsuspecting conscript to a botnet army, used for business disruption or online extortion. Alternatively infection from a sophisticated banking Trojan, its payload constructed to exfiltrate financial credentials and other user data from infected computers, could be the weapon of choice.
Not only is the individual online user exposed to a raft of generic malware, but organisations and governments too are regularly exposed to targeted attacks. These customised warheads may be crafted and deployed to gain unauthorised access to data which has a specific value to its owner. Alternatively, the victim’s brand itself may be affected, undermined by seemingly successful attacks, leading to a lack of confidence in the business among its users.
Aside from alleged politically motivated online attacks there are numerous examples of how malware has been developed and has shifted towards monetary incentives. This series will give insight and examples to help you understand the adversary’s arsenal.
As well as code evolution, we will also examine what crime types have been facilitated by malware and how it is delivered to the end-point. Looking back twenty years, floppy disks were the primary source of infection; ten years ago, email-borne viruses were the most prevalent source of infection. Today the continued use of social engineering techniques, now coupled with drive-by downloads enabled by exploit packs covertly hosted on legitimate web sites, is commonplace. The Incident Response threat landscape is changing in what some have compared to an arms race.
The result of this attack evolution is clear; there is no one-stop shop or easy solution for protecting both organisations and individuals alike against attack or being prepared for an attack. Stand by for our next installment.