By Wade Williamson on September 19, 2011
An Introduction to Modern Malware
Today’s threat landscape is in flux, and modern malware is emerging as one of the most concerning forces at play. With the ability to potentially coordinate millions of infected nodes, pass through security boundaries undetected, and adapt its functionality on demand, modern malware has more in common with a fully distributed cloud-based application than with the simple self-replicating viruses and worms we have known in the past. This transformation demands an update to the way we think about these threats if we are to have a fighting chance at protecting our enterprise networks against them.
A Brief History of Malware
40 years ago, while working at BBN, Bob Thomas began experimenting with the concept of a mobile application. To this end he developed the Creeper program, which had the ability to move from machine to machine. Creeper quickly proliferated through ARPANET, infecting everything in its path, and the emergence of the computer virus was upon us.
However, even this modest beginning exposed a fundamental lesson about malware that we still grapple with today – a decentralized, mobile application is implicitly tied to the presence of a network or some similar communication medium. Creeper needed ARPANET, and malware has mirrored the evolution of networking ever since.
By 1988, the Morris Worm had taken hold and shown the power of relatively simple programs to use applications and the Internet to rapidly infect large numbers of machines in very short periods of time. Throughout the 1990s and early 2000s, malware continued to evolve, adding new functions and pushing the bar higher in terms of infection rates. Despite these advances, malware still remained very much a self-replicating message in a bottle. The power of the malware was largely predetermined at the time it was written. The program had a job to do, but the logic of the threat was largely contained within the malware’s code itself.
The Emergence of Malware Synthesis
By 2007, the steady evolution of malware gave way to a seismic lurch forward. Around this time the first botnets began to appear, and they fundamentally changed the world of malware (and IT security along with it). Botnets differed from their predecessors in that all of the infected hosts could be centrally controlled by a remote attacker, allowing the individual machines to cooperate as one massive distributed malware application. This alone would be a major step; however, there is another, equally important point – the intelligence behind the malware was now dynamic instead of fixed. A person could continually direct and modify the malware based on his needs, as opposed to being locked into the capabilities that were initially written into the malware.
This evolutionary jump fundamentally changed the game, and impacted how malware writers developed their code. Instead of the focus of malware being some set action such as sending spam, now the attention shifted to designing a platform that could sustain an ongoing and dynamic attack. The command-and-control infrastructure charged with organizing the operation became paramount. Stealth became a primary objective because intruders could now control and take advantage of an infected machine for an indefinite period of time.
The attacker could always update the malware program as his needs changed—send spam one day, and steal credit card numbers the next. The strength of a piece of malware came to rest on the quality of its communication, management and ability to avoid detection. On the endpoint, this meant taking advantage of years of experience in hiding from and disabling client-side security, and at the network level it meant evolving into one of the most powerful and resilient network applications in the world.
Understanding Today’s Modern Malware
Given the evolution of malware, it is important that we look at more than simply the function of the malware (e.g., a banking botnet). It is just as important to understand how malware protects itself, communicates, and foils our existing defense in depth. To assist in this classification we can follow the malware through its lifecycle:
• Infection: How is the malware delivered? Via an executable, packed into a file, delivered via an infected webpage? How does the malware communicate?
• Persistence: Once on the host, how is the malware able to persist on the infected host without triggering host-based security? Does it use a rootkit? Does it disable antivirus? Does it install backdoors? This area can be very deep, because malware authors have a long cat-and-mouse history with the anti-virus industry and there is a wealth of techniques to avoid detection.
• Communication: The malware expects to be resident on the infected machine for a long time, so it is going to need a method of communicating that does not trigger network security solutions. Furthermore, the ability to communicate largely represents the power of the malware. Without the ability to communicate, modern malware would quickly begin to look like our more traditional worms and viruses. Does it communicate on non-standard ports, encrypt its traffic, use proxies, or tunnel within other approved applications?
• Command and Control: How is the command-and-control managed? Does it get updated configuration files, or send and receive messages from peer-to-peer networks? How does the malware cope with the loss of a command-and-control server?
• Malicious Functions: Of course, we ultimately must keep track of the end behavior of the malware. Some malware will remain very focused, targeting a specific type of information within a specific organization. Others will vary over time, shifting with the needs and desires of the bot owner.
These are the key factors that we can use to define an instance of modern malware and, in the process, provide a roadmap for how we will ultimately be able to control it. The methods of communication, persistence and command-and-control give malware its power, but they also represent points of vulnerability for the defender to act on. And contrary to popular opinion, we actually have the tools and best practices today to defend ourselves. In my next column, I will dive into the specifics of what IT security teams can do today and the best practices that will be required to manage modern malware going forward.
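As an added example (not from the original column), here is a small defender-side heuristic that applies the Communication and Command-and-Control criteria above to outbound connection logs: a flow that calls the same destination at near-constant intervals, especially on a port the environment does not treat as standard, is a candidate for review. The log lines, the list of "standard" ports and the regularity threshold are all constructed assumptions.

```python
# Added example, not code from the article: flag regular "beaconing" flows
# in outbound connection logs. Sample log, port list and threshold are
# constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: "epoch_seconds src dst dport" (one connection per line)
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 8443
1060 10.0.0.5 203.0.113.9 8443
1121 10.0.0.5 203.0.113.9 8443
1180 10.0.0.5 203.0.113.9 8443
1240 10.0.0.5 203.0.113.9 8443
1003 10.0.0.7 198.51.100.20 443
1450 10.0.0.7 198.51.100.20 443
1460 10.0.0.7 198.51.100.20 443
2900 10.0.0.7 198.51.100.20 443
"""

# Assumption: ports this environment considers normal for outbound traffic
COMMON_PORTS = {25, 53, 80, 443}

def parse_log(text):
    """Group connection timestamps by (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of inter-arrival gaps; low means regular.
    Returns None when there are too few events to judge."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None

def find_beacons(text, max_cv=0.1):
    """Return flows whose timing regularity is at or below max_cv,
    annotated with whether they use a non-standard destination port."""
    findings = []
    for (src, dst, dport), ts in parse_log(text).items():
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "cv": round(cv, 3),
                             "nonstandard_port": dport not in COMMON_PORTS})
    return findings
```

Real beacons add jitter and sleep, so in practice the threshold is tuned per environment and combined with the other lifecycle indicators rather than used alone.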
Wade Williamson is a Senior Security Analyst at Palo Alto Networks. He has extensive industry experience in intrusion prevention, secure mobility, and both wired and wireless networking. Prior to joining Palo Alto Networks, he led the product management team at AirMagnet, Inc. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and mobile end-users. He also brings well-rounded experience from Silicon Valley visionaries Netscape and Sun Microsystems.