The Malware Factory

The days of malware being the pastime of bored teenagers are well behind us. Not only has the malware business become a lucrative revenue stream for some of society's seedier elements but it's entered the age of automation in a big way.

Chris Elisan is a member of RSA's FirstWatch team, focussing on emerging and sophisticated threats. With a speciality in reverse engineering malware, he has first-hand experience of how online criminals perpetrate their crimes. It's through those insights that he's come to understand how organised the malware business has become and how it has adopted mass-production techniques to create malware factories.

"When it comes to malware freshness, there are only a few malware that are really new," Elisan said. "But most of the malware out there is really old. I call it 'green malware' – made from 100% recycled malware."

Developers of malicious software are only interested in what a piece of malware does. So, rather than reinventing the wheel, they simply take an existing sample and repackage it. Elisan's observation is that most attacks come from recycled malware.

"All they need to do is subject it to different armouring tools like packers or encrypters – any tool that obfuscates the malware," he said.

This is what allows the same attack tool to slip past traditional signature-based security and detection tools: the behaviour is unchanged, but the bytes on disk are new.

This leads to what Elisan calls the 'malware factory' – an automated approach to creating and delivering malware. Elisan has been able to create and distribute new malware, as part of live demonstrations, in just seconds using tools that are readily available.

"You can create hundreds of thousands of unique pieces of malware every day using these tools," he said.

It's also why security reports released each year need to be read with some perspective. While many millions of new pieces of malware are detected each year, most are simply repackaged versions of existing software created in the 'malware factory'.

This makes detection using traditional methods problematic, said Elisan. Sophisticated phishing attacks will send thousands of emails to individuals within an organisation, each carrying an individually crafted malicious payload. So, even if the IT department is able to detect and stop one email, hundreds or thousands of other messages will reach their intended recipients. From there, it only takes one user to open the attachment of what looks like a clean email.

"Once the malware has compromised the system, it's very easy for the attackers to update the malware that's already in the system. They could update the malware in the system in minutes, even seconds," he adds.

Even if malware that has bypassed the initial protection is later spotted by infrastructure or network teams noticing irregular network traffic or other anomalous behaviour, the malicious software can be swapped out to avoid future detection. According to Elisan, this is happening in the wild.

All of this paints a very grim picture. Malware can be engineered in seconds, it can be modified remotely once it's in a compromised system to avoid detection, and the bad guys are well resourced and motivated. Is there some light at the end of what looks to be a long, dark tunnel?

"We need a more intelligent way of stopping this," said Elisan. "How do you stop an army of malware?"

The key is big data, said Elisan.

"Malware, and how it behaves is just data. Making something out of that data to stop future generations from generating malware is the right way to approach it."

Elisan points to machine learning as a valuable tool. Instead of creating signatures, patterns or a blacklist for each malware sample, Elisan says it's really about building an intelligent system whose algorithms can recognise future generations of that malware from what it does. This approach means that the obfuscation methods used by attackers become far less relevant, because they change how a sample looks, not how it behaves.
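To make the detection gap concrete, here is an added example (not code from the article or from RSA) that replays a constructed phishing wave through two checks: a hash blocklist, which only knows the one variant a vendor has already seen, and a behaviour fingerprint built from what each attachment did in a sandbox. The sandbox records, process names and the `updates.example.invalid` domain are all constructed for illustration.

```python
import hashlib

# Constructed sandbox records for one phishing wave. Each attachment is a
# repacked build of the same payload, so its bytes (and hash) are unique,
# but what it does after the document is opened is identical.
COMMON_BEHAVIOUR = [
    "winword.exe -> cmd.exe",
    "cmd.exe -> powershell.exe",
    "dns:updates.example.invalid",
    "write:%APPDATA%\\svc.exe",
]
SAMPLES = [
    {"sha256": hashlib.sha256(f"payload-build-{i}".encode()).hexdigest(),
     "behaviour": list(COMMON_BEHAVIOUR)}
    for i in range(5)
]
# One genuinely clean document for contrast.
SAMPLES.append({"sha256": hashlib.sha256(b"quarterly-report").hexdigest(),
                "behaviour": ["winword.exe -> (none)"]})

# The only variant the vendor has already seen and blocklisted.
KNOWN_BAD_HASHES = {SAMPLES[0]["sha256"]}


def hash_matches(samples):
    """Traditional check: exact file hash against a blocklist."""
    return [s for s in samples if s["sha256"] in KNOWN_BAD_HASHES]


def behaviour_fingerprint(behaviour):
    """Order-independent digest of what a sample does, not what it looks like."""
    return hashlib.sha256("\n".join(sorted(behaviour)).encode()).hexdigest()


def behaviour_matches(samples, known_fingerprint):
    """Behavioural check: anything acting like the known sample is flagged."""
    return [s for s in samples
            if behaviour_fingerprint(s["behaviour"]) == known_fingerprint]


def office_spawns_shell(behaviour):
    """Generic rule that needs no prior sighting: an Office app launching a shell."""
    return any(b.startswith("winword.exe -> ") and b.endswith(("cmd.exe", "powershell.exe"))
               for b in behaviour)


if __name__ == "__main__":
    print("unique hashes:", len({s["sha256"] for s in SAMPLES}))
    print("caught by hash blocklist:", len(hash_matches(SAMPLES)))
    fp = behaviour_fingerprint(SAMPLES[0]["behaviour"])
    print("caught by behaviour fingerprint:", len(behaviour_matches(SAMPLES, fp)))
    print("caught by generic rule:", sum(office_spawns_shell(s["behaviour"]) for s in SAMPLES))
```

The blocklist catches one of five variants, while both behaviour-based checks catch all five and leave the clean document alone.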

Underlying many of the attacks that Elisan sees is a social engineering element – something that many companies fail to appreciate. For example, job postings are used to find out what systems a company runs so that threats can be targeted at organisations using particular platforms. Information from social networks such as LinkedIn and expert information-exchange forums is used to target companies and individuals through social engineering attacks.

Anthony Caruana travelled to RSA Conference as a guest of RSA
