With the Q4 State of the Internet - Security Report due out later this month, we continue to preview sections of it.
Last week we told you about a DDoS attack from a group claiming to be Lizard Squad and the unintended consequences of many bots, spiders and scrapers. Today, we preview the evolution of malware -- including the way security researchers label it.
Malware distribution has evolved through the years -- from the first worms transferred via diskettes (Elk CLoner) to sophisticated viruses spread across USB interfaces (Conficker). As new types of malicious software were developed, the term malware was introduced to describe a broad category that included Trojans, viruses, worms and more.
Innovative attack tactics and techniques have proliferated over the years as defenders of computing systems have become more aware of the tricks malware developers use to infect systems. Malware authors, in turn, have developed new infection approaches for new operating systems and now look for ways to widen their nets further to infect not just one type of machine at a time, but multiple operating systems at once.
As the line between the types of malicious software begins to blur, the target platform needs to be considered. In recent years, there has been an increase in malware code that is both modularized and framework-oriented. Cross-platform malware, such as Flame and Regin, can infect multiple platforms and architectures. For example, it may target devices with one of several processors (ARM, MIPS,x86) or computers with varied operating systems, and it may have the ability to infect files of differing formats.
The exploitation of publicly known vulnerabilities as zero-day attacks (the day the vulnerability becomes known) is increasingly being combined with newly-modified malware to create a complex multi-stage exploit. This often involves multiple malware items that have been weaponized to destroy host systems. In Q4 2014, PLXsert observed such attack campaigns involving the Shellshock (bash bug) vulnerability exploitation where attackers chained additional malware to the campaign after successful exploitation.
Today's campaigns typically consist of several stages that include surveillance, infiltration and persistence. One of the first actions usually taken after a successful infiltration is to establish persistence on the victim system. In the case of a campaign carried out by DarkSeoul, a group responsible for a string of attacks against the South Korean government, a dropper component of the attack contained embedded resources.
For more on this topic, pre-register for first-day delivery of the Q4 2014 State of the Internet - Security Report.