How past threats and technical developments influence the evolution of malware

If we want to anticipate how malware will evolve in the near future, we have to keep two things in mind: past threats and current technical developments.

“The evolution of malware-related threats is like a sine wave movement, re-infused by new technology developments,” Christiaan Beek, Lead Scientist and Senior Principal Engineer, McAfee, told Help Net Security.

“Ransomware concepts were already known in the 90s, but the invention of Bitcoin technology in 2009 added a very risky element that the industry is still battling. Worm malware is another fitting example: Conficker was a thing in 2009/2010 but went down rapidly. Now insecure IoT technologies with weak passwords and vulnerabilities have inspired the Mirai-bots and clones, and they roam the Internet and attempt to break into an IoT device nearly every 30 seconds.”

Keeping pace with malware’s evolution

Beek knows what he’s talking about. An infosecurity industry veteran, he’s been with security technology company McAfee (or Intel Security, as it was known for a short while) since 2011, in different threat intelligence/incident response/research roles.

In his current role as lead scientist assigned to McAfee’s Office of the CTO, he coordinates and leads the research in advanced attacks, plays a key-role in cyberattack takedown operations, and participates in the No More Ransom project, a public-private initiative aimed at combating ransomware.

He’s been knee-deep in malware for years. He remembers when it was designed to disrupt systems and test the defenses of endpoints and when, around 2012, it began to change and started being used to gain and maintain access into a system.

During that part of its evolution, malware was designed to have many functionalities and almost all the samples were file-based, he says. But now we’re on the next evolutionary step, which started a few years ago: multi-stage operations with a small and less noisy footprint.

“Take weaponized documents, for example: they contain a few lines of obfuscated code to download a dropper or execute something on the system. The next step will be either a small dropper or tool downloaded, executed and/or directly injected into the process memory of the operating system, not written to disk,” he explained.

Attackers’ tactics are influenced by their motives. While cybercriminals are mostly after cash (via ransomware), groups that have been tied with nation-states mostly want to gain (covert) persistence.

“This is where we see the jump to low profile, stay-below-the-radar, living-off-the land tactics using binaries that are already installed and trusted by the operating system,” he noted. The problem and the challenge now lies in distinguishing between valid interactions and malicious use of these legitimate tools.

Mobile malware is another big, evolving problem.

Traditionally, mobile threats could be sorted in one of three categories: banking trojans, ad clickers, and unwanted app installations. But for a while now criminals have been developing mobile trojan-droppers, to avoid committing ahead of time to a dedicated piece of malware.

For organizations, malware that intercepts/steals company data from executives’ and employees’ devices and authentication factors delivered via SMS is the biggest threat, he pointed out.

Security vendors are constantly working on keeping pace with these evolving threats and they do that, in part, while helping each other.

“Sharing malware data between vendors is very useful, which is why McAfee is one of the founding organizations of the Cyber Threat Alliance,” he explained. “As vendors we all have a different footprint in the world and unique visibility. Two important criteria that helps the industry respond faster to threats are that data is ‘fresh’ and that it is distributed in a timely manner.”

Advice for infosec practitioners and leaders

During his long career, Beek learned many things. One of these is that if you don’t learn each day, you’ve lost an opportunity to change something. Also, that making mistakes is ok – it’s part of the learning curve of success – and that having a diverse team with a serving attitude creates a culture that helps to solve all challenges.

“Among the takeaways I got from the research projects I’ve been involved with over the years is to leave room for adaptation when things are changing,” he added. “For example, one can create the latest and greatest machine learning model on a data set that currently is the ground truth. But what if new insights change the ground truth? Will your model be able to adapt to these changes?”

For CISOs that are aiming to secure their organization’s network against malware infections, he advises not operating under the illusion that they can achieve perfect security, but focusing on what is most critical to the company and secure that.

“Understand what you would define as an endpoint. Make sure that you create visibility into the network and into threats that might be impacting your company. Will the technology you use/aim to use tell you the complete story and give you enough context to determine actions you need to take? Buzzwords will always be there, but understanding the technology and concepts that lie behind them is key to deciding how useful they will be,” he opined and finally advised to, above all, keep things simple.