Sage Advice - Cybersecurity Blog

Behind the Scenes: Demystifying Malware

The frequency and size of malware attacks and the havoc they wreak are generating a continuous stream of media coverage, attracting eyeballs with often shocking details of breach size. What’s often missing in news stories on data breaches are critical behind-the-scenes “players” – the employee roles and IT systems targeted, the technology infrastructure that supports an attack, the malware tools, and the attackers that create and use the infrastructure.

"Only by understanding this backdrop can cybersecurity professionals get a real handle on threats so they can find ways to combat them," said Christopher Elisan, principal malware scientist at RSA. In his 2016 CyberCrime Symposium session, Elisan, a seasoned malware researcher and reverse engineer, pulled back the curtains on the malware ecosystem by reviewing its essential components.

First, who’s getting victimized? While opportunistic attacks still comprise the majority of successful malware campaigns, targeted attacks on C-suite execs and organizations are on the rise. “If it’s any consolation,” said Elisan, “the elements of targeted and opportunistic attacks are essentially the same.” They leverage the same technologies and target people with the same roles. Cyber-actors, too, tend to fall into the same categories in terms of their attack roles. 

Means of Support

While malware researchers have traditionally reverse-engineered malware with a focus on its specific attributes, they also need to understand the threat infrastructure it uses to accomplish its objective. "Specifically," said Elisan, “they should get a handle on the network resources involved in an attack and how they’re used.” The most common attack infrastructure includes the following:

  • Attack vector: This includes any technology – email, drive-by download sites, or USB sticks – that delivers malware to a target.
  • Malware installer: Once delivered, malware is installed using droppers, which carry the malware on board; downloaders, which fetch it from the network; or hybrids, which combine elements of both methods.
  • Malware serving domain: The MSD stores malware updates and other components needed for a campaign. “Today, attackers take a modular approach to malware to protect against reverse engineering,” said Elisan. "If they see researchers have captured the installer, they cut the connection to the MSD so they can’t access malware samples."
  • Malware components: Previous malware came in the form of a single file that included everything needed to execute, but modern malware comprises as many as 10 different components. The most common: a configuration file, attack component, regeneration component, rootkit component, and a bot agent.
  • Command & Control server: The bot agent communicates to the C&C server so the attackers can control target machines.
  • Drop zone: Malware uses this network resource to drop stolen data. In the early days of malware, the target was often a hard disk, but that required physical access. Realizing the real returns came from remote access, actors turned to new threat vectors. The first they used was email, which was effective but easy to detect. They then started using domains as their drop zone. With domain drop zones, they have their own user interface, and can quickly aggregate, decrypt, and leverage stolen data.

Ask the Right Questions

According to Elisan, when organizations bring in an incident response team to analyze a malware breach, the team usually details the network resources to which the malware connects. But cybersecurity staff also needs to know how those resources are used. Does the malware connect to a C&C server, and if so, is it being used in that capacity? It’s an important distinction, as sometimes a server operates as an MSD, in which case researchers can retrieve all files and analyze any malware the attacker plans to deploy.

It’s also important to know whether the attack malware was packaged as a single file or in multiple components. If it came in different modules, the team should ask whether the vendor captured them all.

Finally, they need to know how the malware was deployed, whether through email, drive-by download, or other means. The more components captured, the easier this question is to answer.

“Once a cybersecurity team has these answers and better understands the nature of the attack, they can take some preventive steps,” Elisan said. They can deploy solutions designed to prevent malware from, for instance, exfiltrating stolen data, communicating with known C&C sites, or downloading files from unknown or unverified sites.
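The questions above boil down to one task: for each network resource the malware touches, decide from its observed behaviour whether it served as a malware-serving domain, a command-and-control server, or a drop zone, and then pick the matching control. The script below is an added example, not code from Elisan's talk, RSA or Sage Data Security. It runs over a constructed proxy log (host names, byte counts, timestamps and the thresholds are all assumptions chosen for illustration) and classifies each destination by three signals: whether it delivered executable content (MSD), whether traffic to it was overwhelmingly outbound (drop zone), and whether requests to it recurred at a regular interval with small responses (C&C beacon).

```python
"""Classify the network resources a malware sample contacts by how they were used.

Added example, not from the symposium talk or from RSA/Sage. The log format,
host names and thresholds below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log. Fields: timestamp method host path bytes_out bytes_in content_type
SAMPLE_LOG = """\
2016-11-03T09:00:00 GET  update.example-msd.test /mod/rootkit.bin 300 512000 application/octet-stream
2016-11-03T09:00:05 GET  update.example-msd.test /mod/config.dat 300 2048 application/octet-stream
2016-11-03T09:01:00 POST beacon.example-c2.test /gate.php 420 180 text/plain
2016-11-03T09:06:00 POST beacon.example-c2.test /gate.php 415 176 text/plain
2016-11-03T09:11:00 POST beacon.example-c2.test /gate.php 418 190 text/plain
2016-11-03T09:16:00 POST beacon.example-c2.test /gate.php 421 185 text/plain
2016-11-03T09:20:00 POST upload.example-drop.test /in.php 2400000 95 text/html
2016-11-03T09:35:00 POST upload.example-drop.test /in.php 1900000 90 text/html
2016-11-03T09:02:00 GET  www.example-news.test /index.html 350 48000 text/html
"""

# Content types that indicate a binary component was served (assumed list).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

# Controls matching the preventive steps the talk mentions, keyed by resource role.
CONTROLS = {
    "malware-serving-domain": "block downloads from the host; retrieve remaining modules for analysis",
    "drop-zone": "block outbound uploads to the host; determine what data left",
    "command-and-control": "block the host; look for other machines with the same beacon",
    "unclassified": "no action from this log alone",
}


def parse_log(text):
    """Group log lines by destination host, converting numeric and time fields."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, method, host, path, out, inn, ctype = line.split()
        flows[host].append({
            "ts": datetime.fromisoformat(ts), "method": method, "path": path,
            "out": int(out), "in": int(inn), "ctype": ctype,
        })
    return flows


def beacon_regularity(entries):
    """Coefficient of variation of the gaps between requests; near 0 means a fixed-interval beacon."""
    if len(entries) < 3:
        return None
    times = sorted(e["ts"] for e in entries)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def classify_host(entries):
    """Assign one role to a host from the byte direction, content type and timing of its traffic."""
    total_out = sum(e["out"] for e in entries)
    total_in = sum(e["in"] for e in entries)
    # Served a binary component larger than a trivial stub: used as an MSD.
    if any(e["ctype"] in EXEC_TYPES and e["in"] > 1024 for e in entries):
        return "malware-serving-domain"
    # Uploads dwarfing what came back: used as a drop zone for stolen data.
    if any(e["method"] == "POST" for e in entries) and total_out > 10 * max(total_in, 1):
        return "drop-zone"
    # Small, regularly spaced exchanges: a bot agent checking in with its C&C.
    regularity = beacon_regularity(entries)
    if regularity is not None and regularity < 0.2 and total_in < 4096:
        return "command-and-control"
    return "unclassified"


def triage(log_text):
    """Map every host in the log to its inferred role."""
    return {host: classify_host(entries) for host, entries in parse_log(log_text).items()}


if __name__ == "__main__":
    for host, role in triage(SAMPLE_LOG).items():
        print(f"{host:28} {role:24} -> {CONTROLS[role]}")
```

The thresholds (10:1 outbound ratio, 0.2 timing variation, 1 KB minimum download) are deliberately crude; the point is that the same server can only be labelled C&C, MSD or drop zone by looking at how it was used, which is exactly the distinction the incident response team is asked to make.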

Who’s Behind That Malware?

On the attacker front, several different parties can be involved. The primary actors are often sponsors – nation states or terrorists, for instance, that hire groups of hackers to steal specific data.

Next come technical owners of the attack infrastructure. Malware writers can develop custom builds or use off-the-shelf tools. They may sell armoring tools or, to insulate themselves, DIY kits. Botnet masters own the botnet and provide status on infections to malware developers. Botnet operators get a slice of the botnet and offer different services through their segment. And resilience providers offer C&C services, including bulletproof hosting and support for C&C servers.

Then come malware deployment providers. They own the distribution network, and may also manage the threat vectors that deliver malware to the target system. These entities can all operate individually, or they can partner to offer services to a single, well-funded sponsor.

This is the seventh in our series presenting key takeaways from Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check out our series featuring actionable insight from select presentations.  



