The malware lifecycle: Knowing when to analyze threats

Case in point: Examples of evolving malware

TeslaCrypt is an attack that has evolved significantly since it was first discovered in February 2015. The attack first gains access into a system when a victim visits a malicious website hosting a toolkit that exploits a vulnerability in the Web browser. TeslaCrypt also uses OpenSSL for its cryptographic algorithms, which removes the decryption functionality that would normally allow the malware to be further analyzed by an organization under attack. The attack also adopted the HTML webpage from Cryptowall 3.0 for the GUI, replacing its old GUI. All of these advancements have been part of the malware evolution to reduce detection rates and increase instances of victims paying to recover their data from an infected system.

Similarly, it was recently reported that ransomware evolved out of a click fraud attack, a threat that is often viewed as a nuisance rather than a worrisome issue.

Security researchers can benefit from studying malware lifecycles to detect and defend against both current and future attacks.

Just like traditional software development and maturity using the capability maturity model, the malware lifecycle starts at a low initial maturity level. For example, malware authors might create successful malware (a large number of infections or high revenue), but did not use repeatable processes or were not able to adapt once their malware was detected by antimalware tools. This type of malware might not have the capability of auto-updating to avoid detection, and enterprises will therefore require less effort to remediate from an infection; these attacks can therefore be classified at a lower priority than higher risk, more mature malware.

In order to elevate their malware to an optimized level of maturity, authors are constantly adding new functionality adapted from other successful malware attacks, or are identifying -- and correcting -- components of attacks that were unsuccessful (for example, figuring out why it was easily detected by antimalware tools). Malware at the highest level of maturity is the most dangerous to an enterprise, as it has the most advanced functionality and therefore is the most difficult to remove and detect. Considering, it should be at a higher priority for remediation.

While the next steps of evolution for the TeslaCrypt and other advancing malware are unknown, most malware adopts successful functions from other advanced attacks or successful malware. It is likely that the group behind TeslaCrypt and the click fraud will continue to evolve to meet their goals.

How to detect and defend against future attacks

The most important part of protecting an enterprise from TeslaCrypt and other evolving malware is good backups -- these will ensure the data is still available should malware encrypt or delete it. Promptly installing browser patches and browser plug-ins also helps prevent malware from infecting a system.

An enterprise could detect changes in a particular piece of malware by monitoring the risk ratings of a centralized antimalware console or network-based antimalware tool.

Additionally, enterprises should increase the priority for responding to infections if a new malware family goes from initial discovery to adding new high-risk functionality.

If a low-risk threat is detected on an endpoint and it starts to behave erratically or in ways that can't be linked to published analysis of the malware, an enterprise might want to investigate the endpoint as if it has been fully compromised, as the malware might have had its maturity moved to higher risk. This can occur when changes in classification have not been implemented in antimalware tools, when this data hasn't been sent to new computers, or the infected computer started scanning the network. For malware that increases in risk or is a "dropper" known to include high-risk malware, the safest option to remediate the endpoint is to ensure all data is backed up and then securely reinstall the operating system and software. This will remove almost all malware. Any user -- including an administrator -- of the system should also change her password to ensure compromised account credentials can't be reused in an attack.

Security researchers can benefit from studying malware lifecycles to detect and defend against both current and future attacks. By gaining better understanding of how malware evolves and how malware authors develop their attacks, an enterprise can improve how it prioritizes and uses security resources and controls that improve detection and/or defend against malware. For example, an enterprise could analyze the root cause of several malware infections using a tool such as Anubis, OllyDbg or Immunity Debugger to learn how the system got infected, how the malware evolved, and what response was necessary to remove the infection. The root cause could be as simple as unpatched software on an endpoint, requiring improved patching processes or a different security control, such as a software sandbox or whitelisting.

Ignoring a low-risk attack is done at the peril of an enterprise, but it may be necessary in order to prioritize enterprise resources for higher-level threats. Enterprises must continue to prioritize their security programs, but know that they may need to rapidly assess the risk from a particular vulnerability or attack at the drop of a hat and determine when action needs to be taken to remediate an endpoint throughout the malware lifecycle.

About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Lewis received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.