Advanced Malware Detection Solution


Advanced Malware

Aurora. Zeus. SpyEye. TDL Gang. Advanced malware has achieved celebrity status among security professionals. Why? At a time when enterprises are obliged to adopt more open, borderless network practices, criminal operators are using widely available toolkits to build and deploy malware that evades detection by even the best anti-malware prevention technologies.

Less well understood are the dynamics of the advanced malware infection lifecycle that make this evasion possible. The following illustrates one commonly adopted infection approach; it is just one of many variations.

  1. The victim browses to a website or clicks a link in an email (e.g. phishing, drive-by download).
  2. The browser is redirected to a malicious dropper site.
  3. The victim is tricked into downloading the dropper, or the dropper is downloaded automatically through an exploit.
  4. The dropper unpacks on the victim machine and runs.
  5. The dropper contacts a new site: UPDATE.
  6. UPDATE sends C&C instructions.
  7. The dropper contacts C&C Site #1 with details identifying the victim machine.
  8. C&C Site #1 sends encrypted malware together with new C&C instructions. The malware may even be 'locked' to the victim machine, so that a copy captured and run elsewhere (for example in an analysis sandbox) will not work.
  9. The dropper decrypts and installs the malware. The dropper may remain behind as false evidence for investigators, or delete itself so that investigators conclude that no infection has occurred.
  10. The malware contacts C&C Site #2 and sends passwords, data, etc. as an encrypted payload.

Steps 8, 9 and 10 can repeat indefinitely, with the malware 'evidence' and the C&C connection instructions changing constantly. The malware can be repurposed, or told to lie dormant for prolonged periods of time.

Some security solutions attempt to detect and analyze the malware as it enters the organization, in order to capture C&C details and forensic artifacts that could help with removal. Unfortunately, the infection lifecycle can run so quickly that by the time the analysis completes, the malware that was analyzed no longer exists on the victim's machine: it has already been replaced by a different binary with different C&C instructions.
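The lifecycle above has two observable network behaviours that do not depend on the malware binary or its encrypted payload: a host contacts a burst of never-before-seen domains in quick succession (steps 5 to 8: UPDATE, then C&C Site #1), and it then beacons to a single domain at a near-constant interval (step 10: C&C Site #2). The Python script below, an added example and not Damballa's product or code, applies both heuristics to a constructed proxy log. The log lines, the host names (all under the reserved example.com/.net/.org domains), the known-domain set, the 120-second window, the "three new domains" threshold and the 10% jitter tolerance are all assumptions chosen for illustration, not values from the original page.

```python
"""Flag dropper-style outbound C&C sequences in proxy log lines (added example).

Two heuristics modelled on the infection lifecycle:
  1. a client contacts >= MIN_NEW previously unseen domains within WINDOW
     (dropper -> UPDATE -> C&C Site #1, each a fresh host);
  2. a (client, host) pair is contacted at a near-constant interval
     (C&C Site #2 beaconing), detectable by timing even when the payload
     is encrypted.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp client method host bytes_out.
# 10.1.1.20 follows the lifecycle; 10.1.1.21 is ordinary browsing.
SAMPLE_LOG = """\
2011-03-02T09:00:01 10.1.1.20 GET www.example.com 512
2011-03-02T09:00:05 10.1.1.20 GET cdn.example.com 2048
2011-03-02T09:00:09 10.1.1.20 GET dl.example.net 188000
2011-03-02T09:00:31 10.1.1.20 GET upd.example.org 340
2011-03-02T09:00:44 10.1.1.20 POST cc1.example.org 910
2011-03-02T09:01:02 10.1.1.20 GET cc1.example.org 64000
2011-03-02T09:06:02 10.1.1.20 POST cc2.example.net 4100
2011-03-02T09:11:03 10.1.1.20 POST cc2.example.net 3900
2011-03-02T09:16:02 10.1.1.20 POST cc2.example.net 4200
2011-03-02T09:21:01 10.1.1.20 POST cc2.example.net 4050
2011-03-02T09:00:02 10.1.1.21 GET www.example.com 512
2011-03-02T09:03:10 10.1.1.21 GET mail.example.com 1200
2011-03-02T09:15:40 10.1.1.21 GET mail.example.com 1100
"""

# Constructed history of domains the enterprise has contacted before.
KNOWN_DOMAINS = {"www.example.com", "cdn.example.com", "mail.example.com"}


def parse_log(text):
    """Parse the whitespace-separated log format above into sorted records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, bytes_out = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "bytes_out": int(bytes_out),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def new_domain_bursts(records, known, window=timedelta(seconds=120), min_new=3):
    """Per client, the first run of >= min_new never-seen domains within `window`.

    Returns {client: [host, ...]} for clients that show such a burst.
    """
    first_contact = defaultdict(dict)  # client -> {host: first timestamp}
    for r in records:
        if r["host"] in known:
            continue
        first_contact[r["client"]].setdefault(r["host"], r["ts"])

    bursts = {}
    for client, hosts in first_contact.items():
        ordered = sorted(hosts.items(), key=lambda kv: kv[1])
        for i, (_, t0) in enumerate(ordered):
            run = [h for h, t in ordered[i:] if t - t0 <= window]
            if len(run) >= min_new:
                bursts[client] = run
                break
    return bursts


def beacon_candidates(records, min_hits=4, max_jitter=0.10):
    """(client, host) pairs hit >= min_hits times with low relative interval jitter.

    Returns {(client, host): mean_interval_seconds}.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["host"])].append(r["ts"])

    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg, 1)
    return found


def analyze(log_text, known=KNOWN_DOMAINS):
    """Run both heuristics and return the findings as one dict."""
    records = parse_log(log_text)
    return {
        "new_domain_bursts": new_domain_bursts(records, known),
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

On the constructed log, 10.1.1.20 is flagged for contacting dl.example.net, upd.example.org and cc1.example.org within 35 seconds, and again for POSTing to cc2.example.net every five minutes (about 300 seconds) with under 1% jitter, while 10.1.1.21 produces no findings. In production the "known domains" set would come from passive DNS or proxy history, and the beacon check should run over a longer window than this toy log so that dormancy periods (the malware "lying silent") do not hide the pattern.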

Damballa breaks the Advanced Malware Infection Lifecycle by detecting and terminating the malicious communications at every attempt to establish a connection outside the enterprise network.