How Hackers Hide Their Malware
When it comes to security, it’s always helpful to go back to revisit commonly assumed knowledge. In this case how hackers are continue to hide their malware and evade detection. News comes out almost daily about new cyber breaches almost daily and how the malware involved got past the antivirus systems. Malware, those dreadful programs that wreck havoc on devices and networks, are able to hide almost in plain side and at other times well out of view of the average person. How exactly are they getting past antivirus programs though? Well the answer is complicated as the strategies are evolving everyday. Cyber security programs and malware are locked in an evolutionary arms race, each reacts to the other’s improvements. Below we have captured some of the basic categories that malware obscures itself under.
Compression & Runtime Packers
If you’ve spent any significant amount of time on a computer you’re very familiar already with a popular technique for hiding malware. Yes, we’re talking about compression and those ever so popular ZIP and RAR extensions you’re familiar with. This type of obscuration is a very basic approach that hides the malicious code and dresses the file in a safer appearance. Any files packed under the compressed folder is hidden from some antivirus software. However many top tier antivirus softwares are able to detect these, so hackers generally use something more advanced. Typically these are runtime packers, which is where an executable program unpacks the packed code which may hold malware in it.
Above packers were described however that approach is considered static, and antivirus can pick them up. So to avoid this some hackers use polymorphic code to automatically morph the code into a new variant each time it is copied or a new victim’s device is infected. These constant changes in variation make the malware much harder to identify and detect. Often polymorphic malware is server-side making them a significant threat to organizations.
Staging & Dropper
More recently hackers have been using droppers and downloaders before installing malware on a system. This translates to a program that first assesses the security of the system and looks for vulnerabilities while avoiding alarming the system. Once a vulnerabilities is detected the program downloads and installs the actual malware. These are extremely dangerous and have been associated with many ransomware cases. The initial file that may be on the system will not appear malicious at all and may be associated with common processes. Although antivirus software has often been good about detecting these types of attacks, the newest and latest variations can go undetected by antivirus programs. This is due to antivirus definitions only being developed after an initial attack.
Also referred to as process injections, these types of malware attacks are often run alongside another larger legitimate process to avoid detection. The now infamous NotPetya ransomware attack was spread like this. In a real life example an accounting company was sending an update out to clients through an update process they often use, except this time there was malicious code attached to the update which executed immediately after the update. These types of malware attacks are very hard to identify and detect and may impact a number of organizations before definitions are developed to stop it.
All of these malware types depend on someone downloading them. This could be by an email attachment, update, or even the cache that is downloaded automatically when you visit a webpage. Recently even DNA was able to be loaded with malware that could target forensic labs. The best way to prevent malware is to address the insider threats in your organization. All it takes is one employee to open the wrong email attachment or take it upon themselves to update some software for your whole network to become compromised.
Besides antivirus it helps to have user behavioral analytics technology and user monitoring technology at your disposal. These are preventative tools that can make the difference between continued operations and a severe data breach.