banner

Thales Blog

Angrier, Smarter, Tougher Malware

January 28, 2014

Sol Cates Sol Cates | Principal Technologist, Data Protection More About This Author >

Screen Shot 2014-01-28 at 10.26.52 AMHang on everyone, it looks like it’s going to be a wild ride in 2014 on the malware front. Malware source code moved to be “open” in 2013.  As a result of this “open source” style —where building blocks and code are readily available to malware writers — both the speed of change and the effectiveness of malware are set to accelerate.  Attackers will be able to start with standard code that can then be easily adapted, modified and obfuscated in executables to change the patterns that AV and other malware prevention software looks for, and expand the attacks that a given piece of malware uses. What that means to all of us is that traditional malware prevention methods will continue to become less and less effective.

I think we will also start to see sandbox techniques become less relevant. Today’s sandbox techniques that identify new malware rely on the malware being executed immediately, or at most, after an initial reboot. This is an easy challenge for hackers to overcome and I predict we’ll see a new generation of “wait to invade” malware. This type of malware will be written to fly under the radar, avoiding detection techniques for long periods of time, then trying to maximize damage.

In addition to an increase in “wait to invade” malware, I think we’ll see memory resident-only malware used increasingly in attacks. Such malware is never written to disk, and is only resident in memory on systems. After the malware is in the system, attackers attempt to perform their work before the system is rebooted. The danger here is greatest in systems that have a “high uptime” or a set of systems like an email or database cluster that have “5 nines” uptime requirements.  In such instances, “until next reboot” could be a very lengthy period. Combine the time spent in the database with the recent trend for malware to use multiply pathways and the initial “in memory only” infection could be just the initial stepping stone that gets an attacker closer to stealing credentials or accessing other systems where more permanent malware can be installed.

Malware will also become “smarter” in that attackers will begin to build malware that learns from its environment and attacks profiles accordingly. This new type of malware will learn how to act just as the environment does, so the activity in the system does not appear to be anomalous.

With Gartner projecting that the Internet of Things (IoT) will produce 30 billion connected devices by 2020, IoT also starts to become a key vulnerability and entry point. Internet-connected devices (that are not PCs, phones, tablets, servers) will become an increasingly vulnerable entry point for organizations because they are so rarely updated, making them much more vulnerable to security exploits.  Think about it: what if a loading dock’s Internet-connected garage door opener, or an employee break room’s “smart” refrigerator, or even some of the new “wearables” started to become targets of choice precisely because of their easily exploited vulnerabilities? IoT portends great things, but it also provides a plethora of new entry points for malware to land and expand.

With malware stepping into its angry teenager phase just as all of these new data points are poised to come online, it’s more important than ever to encrypt valuable data at the source. How are you ensuring that YOUR sensitive data remains protected against the best malware out there?