Advanced Evasion Techniques and Other Dangerous Malware Trends

By Anthony Freed | December 10, 2012

Posted in: Network Security Trends

Like any other business, the continued success of malware depends on innovation in the development of malicious code that can stay one step ahead of detection efforts, and 2013 is sure to see some advances on the part of criminal coders. Analysis by researchers at security provider Trusteer indicates we can expect to see an increase in the presence of 64-bit Windows malware with advanced evasion capabilities such as those that are able to detect virtual environments and negate sandboxing defenses.

"Our researchers have identified evidence of what we believe will be the top five most dangerous trends in malware next year, including Google attacks, native 64-bit Windows malware and increasingly advanced evasion techniques," said Amit Klein, CTO of Trusteer.

The emergence of native 64-bit Windows malware is of concern because 32-bit code was easier to detect: it could not blend in with the 64-bit system processes it needed to hide among in order to evade detection. As new malware variants are developed that support 64-bit processes, they will become ever more difficult to detect on 64-bit machines.

The increasing presence of variants that are adept at detecting monitoring processes, such as the sandboxes and virtual environments designed to protect networks, allows these advanced malware strains to defeat defenses by behaving as non-malicious code while under observation. This gives the code greater latitude and significantly lengthens infection periods.

Trusteer's analysis indicates that the malware lifecycle, described as incubation, outbreak, botnet and then retirement of malicious code, is gaining speed. "Because security products continue to improve detection, the window of opportunity for malware to remain undetected is decreasing. The incubation and outbreak phases decreased from one month or more in 2011 to approximately two weeks in 2012. We expect this time frame to shrink even further next year," the researchers state.

The accelerated lifecycle is advantageous to attackers because it undermines the effectiveness of traditional antivirus products: often the malicious code has already been deployed and retired as obsolete by its developers before security products categorize it as malicious.

The analysis also noted a near doubling of financial malware families, with a corresponding increase in the number of variants detected over levels present in 2011, and this trend is expected to continue through 2013. "More financial malware families mean more infections, longer detection times, and consequently more financial fraud incidents," the researchers said.

The researchers noted that 2012 witnessed an increase in sophisticated evasion techniques by financial fraud agents like Zeus and SpyEye, as well as malware that was adapted for cross-over attacks against enterprise endpoints, and they predict the trend against organizations to continue to escalate in 2013.

Another development on the malware scene is malicious code designed to undermine the defenses built into Google's Chrome, widely hailed as one of the safest browsers on the market. The researchers note that Chrome is already no longer immune to Man-in-the-Browser (MitB) attacks, a spin on Man-in-the-Middle techniques that can allow attackers to covertly alter transactions and circumvent multi-factor authentication protocols.

All in all, the continued advancement of malware capabilities will be keeping researchers and anti-malware vendors on their toes in the coming months, and end users are encouraged to be vigilant in their online endeavors to reduce the likelihood of an infection.