Get ready for the invasion of armies of armoured malware.
No, that’s not the promotional line for a new science fiction film – it’s the warning coming from the people at the front line of monitoring the latest malevolent threats aimed at your digital information.
Chris Elisan, chief malware scientist at security company RSA, says armoured malware is one of the biggest current threats to computers as well as step change up from the old days of bored hackers creating and sending out solitary viruses.
The big difference between the threats he’s looking at now, and those of the past, is that “malware is just a tool”. Rather than having an end-goal of messing up an individual or company’s computers, malware now sneaks in and then enables hackers to do other things – obtain sensitive data, remotely control a PC, take over the operation of s system.
Hackers now “may be using hundreds of thousands of different types of malware. You used to see ‘lone wolf’ malware – just a single one being used by a hacker – but now we are up against an army of armoured malware.”
The ‘armour’ is an extra sheath of code around the virus that lets it slip in and operate unnoticed. The code grants the virus invisibility by appearing nonsensical to the computer, or it might hide the virus by having it appear to be elsewhere on the system.
Today’s hackers turn out threats using much the same automated techniques and quality check steps as any good software coder.
Professional
Hackers can buy DIY software that acts as a malware factory, churning out one unique malware every second, Elisan says. "Once that malware is generated, they protect it with built-in encryption, and just to make sure [that it's extremely difficult to detect] they add more armour. And then, before they deploy it, they subject it to quality assurance."
Depending on how well funded the hackers are, the process is increasingly professional. “If they’re really well-funded (a serious crime gang, or state-funded hackers), they’ll have security appliances for testing. So, they can actually test if it can get through the security on a system.”
That makes life very difficult for researchers. “It used to take maybe half an hour to reverse engineer (decode the construction of) malware, but now it takes days, weeks, or even months,” says Elisan.
That’s because the encryption and the armour can be thrown around endless amounts of easily found or created malware, including viruses that have been around for years. Many home PCs would be full of them, he says – often harmless because, in their original state, antivirus programs can easily detect them. But that’s no longer the case once they are armoured.
Today’s more sophisticated hackers take a very targeted approach to their job. Thanks to the widespread popularity of social media and job websites, they can determine the hardware and software as well as the security systems in use at a targeted organisation, says Elisan.
“To determine security, they just use job postings, or LinkedIn, for example. In reality they don’t need to do sophisticated hacking because companies will post the kinds of IT and security skills they are looking for in job advertisements which anybody can see. Or people working for a company will list the skills they have on their LinkedIn profile. Or they might talk about those skills on Twitter.”
Hackers might even use Twitter to control malware within the system, because Twitter gives developers a protocol they can use to connect IT systems – via the corporate website – to Twitter.
Other malware “army” attacks can be made using infected USB sticks which more sophisticated hackers might send to employees disguised as a free gift from a partner or client company. Or there’s that good old standby, spamming employees with infected emails.
If 1,000 employees are spammed with emails, chances are that just one of those infected emails might find an unprotected server, Elisan says.
Alternatively, the company’s IT incident response team might look at one of those emails, detect the type of malware, and then protect against just that one type, and feel their job is done, not realising that the hackers can now easily upload many other types as well.
Another challenge is that, where malware used to be a single file which did one thing, now it tends to be modular, Elisan says. A modular virus might contain a main attack component, as well as a memory scraper (which copies information out of the memory of the computer and sends it back to the hacker), a key logger (which tracks keyboard use, to discover login names and passwords), a denial of service attack component (in which the computer is used, alongside many more in a vast network, to bombard a website to try to bring it down), and of course, the armour.
Hackers will then use a control panel to manage the numerous infections they have deployed on different computers and systems all around the world.
What do hackers do with all of these infections? In some cases, the information they glean off a system – typically, customer information for identity theft, or credit card details or account information for financial fraud – can be sold on to others if not used by the hackers themselves. Or, they offer their network of compromised computers for hire, for denial of service attacks, for example. “It’s malware as a service – it’s their cloud computing,” he says.
Social manipulation
How can a company best protect against such an array of malware and attack techniques?
It’s important for companies and individuals to understand that hacking isn’t just about a virus attached to an email, says Elisan. These days, hackers are skilled at using a range of attack tools, harvesting information from social media, and employing good old social manipulation.
They may pretend to be someone that they aren’t to gain access to a building, might target friends or family of a particular high ranking individual, in order to get access to their information and system passwords, or act like they represent a company handing out free USB sticks on the assumption – usually correct – that someone will plug one into a work computer, unknowingly releasing a malware attack.
“So, there’s lots of leakage of information,” says Elisan. “It’s important to paint the whole security picture for people so they can really understand the risks. Too often, they only concentrate on one small area. It’s like the Mona Lisa – if you just are looking at a square inch of the painting, you won’t appreciate it.”