Malware slips by threat detection software
If you think threat detection software will keep you safe from malware, think again. Researchers conducting independent tests of threat detection software have managed to create malware that slips by five of the major vendors of threat detection software, according to a report released yesterday by MRG Effitas and CrySyS Lab.
The tests looked at how well threat detection software detects Advanced Persistent Threats (APTs). An APT generally uses spear-phishing emails to trick users either into following a link to a phishing site, where their login credentials can be captured, or into downloading malware via an email attachment. Drive-by downloads are a variation of the user following a link, except that the link leads to a compromised site which downloads the malware onto the user’s PC.
In this case, the researchers spent two weeks without access to threat detection software whilst they developed their own malware. Four samples were ultimately produced, ranging in complexity from very simple to very complex.
Simulated attacks were then carried out using each of the four malware samples against the threat detection software. The vendors of the five threat detection products are not named in the report. The results were stunning: the two least complex malware samples were detected by the threat detection software, but only low-level alarms were raised. The third malware sample managed to slip by three of the products. The fourth sample evaded all five products.
According to the report, the malware samples written were designed to closely resemble known malware. The most complex of the four (and the one that successfully evaded all five threat detection products) was hidden in an image file; when the user downloaded the file, the malware was downloaded too. The malware was able to disguise its communications with a command and control server by using HTTP as a cloak.
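The report does not say how the payload was carried inside the image, so the following is an added example, not code from the report or from either lab. It assumes one common carrier technique, a payload appended after the image's end-of-image marker (PNG `IEND` chunk or JPEG `EOI`), and shows the structural check a file scanner or mail gateway can run: walk the image's own structure to its end marker and flag anything that follows, plus bad PNG chunk CRCs and truncation. The `build_png`/`build_jpeg` helpers construct minimal sample files for demonstration; they are not real samples.

```python
"""Flag image files that carry data past their end-of-image marker (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_chunk(chunk_type: bytes, data: bytes = b"") -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list; report bad CRCs, truncation and bytes after IEND."""
    report = {"format": "png", "chunks": [], "bad_crc": [], "truncated": False, "trailing_bytes": 0}
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length                      # offset just past this chunk's CRC
        if end > len(blob):
            report["truncated"] = True
            return report
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        report["chunks"].append(ctype.decode("latin-1"))
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            report["bad_crc"].append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":                         # the image proper ends here
            report["trailing_bytes"] = len(blob) - pos
            return report
    report["truncated"] = True
    return report


def inspect_jpeg(blob: bytes) -> dict:
    """Walk marker segments to the EOI marker and report what follows it."""
    report = {"format": "jpeg", "segments": [], "truncated": False, "trailing_bytes": 0}
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = blob[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        report["segments"].append("FF%02X" % marker)
        if marker == 0xD9:                           # EOI: the image proper ends here
            report["trailing_bytes"] = len(blob) - (pos + 2)
            return report
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                                 # standalone markers carry no length field
            continue
        if pos + 4 > len(blob):
            break
        (seglen,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == 0xDA:                           # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    report["truncated"] = True
    return report


def inspect_image(blob: bytes) -> dict:
    """Dispatch on the file signature, not on the file extension."""
    if blob.startswith(PNG_SIGNATURE):
        return inspect_png(blob)
    if blob.startswith(JPEG_SOI):
        return inspect_jpeg(blob)
    raise ValueError("unsupported image format")


def is_suspicious(report: dict, trailing_threshold: int = 0) -> bool:
    """Trailing data, truncation or a CRC mismatch all merit a closer look."""
    return (report["trailing_bytes"] > trailing_threshold
            or report["truncated"]
            or bool(report.get("bad_crc")))


def build_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grey PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                # filter byte + one pixel
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND") + trailer


def build_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG (APP0, SOS, EOI), optionally with an appended trailer."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                   # entropy data with one stuffed FF00
    return (JPEG_SOI
            + b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
            + b"\xff\xda" + struct.pack(">H", 2 + len(sos_hdr)) + sos_hdr + scan
            + b"\xff\xd9" + trailer)


if __name__ == "__main__":
    for sample in (build_png(), build_png(b"X" * 300), build_jpeg(b"\x00" * 64)):
        rep = inspect_image(sample)
        print(rep["format"], "suspicious" if is_suspicious(rep) else "clean", rep)
```

This is a structural check, not a signature: it catches a payload appended after the image ends but not one tucked inside a valid ancillary chunk or APP segment, which is why the report also lists the chunk and segment types seen so an analyst can spot unusually large or unexpected ones. Some image writers leave a few harmless trailing bytes, so `trailing_threshold` lets a deployment tolerate that.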
As the report notes, threat detection software is not a “silver bullet” that can keep users safe. It is dangerous if users are led to believe that threat detection software can protect them from malware downloads done via phishing sites or phishing emails. The authors’ purpose in making their findings available to the general public is partly to make users aware of the current shortcomings of threat detection software, whilst simultaneously sending a message to the threat detection vendors to improve their products.