Predicting the future of stealth attacks

Aditya Kapoor, McAfee
Rachit Mathur, McAfee

Just when we had started hoping that stealth malware was on the decline (since almost all AV vendors have caught up in this space), a reality check for the years 2010 and 2011 proved otherwise. Currently, close to 10% of malware uses stealth techniques. Although that number might seem low in the big picture, what matters is the motivation and goal of an attack, together with the skill required to carry out a stealth attack successfully: an ill-crafted stealth attack can itself raise red flags with security applications or administrators.

A small percentage of stealth malware concerns us more than anything else. The authors of this smaller group are highly skilled and motivated. Some of the recent stealth attacks were created in order to establish the single largest botnet (TDSS), to achieve advanced persistence (Stuxnet), and to build stealth frameworks (TDSS, MAX++, Whistler).

This paper dives deeper into the attack strategies of recent rootkits and looks at what worked for them (for example, TDSS used a DKOM attack on Driver_Object and Device_Object structures; Stuxnet used a filter driver; Whistler used a polymorphic MBR; MAX++ used IRP hooks; and BlackEnergy used a DKOM attack on KThread). We will also incorporate the attack strategies of any new rootkits that appear in this discussion. The paper also describes the most profitable areas of the OS kernel to attack, keeping in mind that the installed base is diverging between Windows 7 32/64-bit and mobile operating systems. The inferences drawn should help us decide which technological improvements are needed in the AV space to better combat the more futuristic stealth attacks, which are not going to go away in the near future.
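Two of the techniques named above, IRP dispatch hooks (MAX++) and DKOM against Driver_Object/Device_Object (TDSS), share a detection approach that the abstract does not spell out: every IRP_MJ_* handler in a driver's dispatch table should resolve into a loaded module that can account for it, and every device object should still point back at the driver object it was enumerated from. The following is an added example written for this page, not code from the paper or from McAfee; it simulates those checks in user mode over constructed, simplified stand-ins for the kernel structures (real DRIVER_OBJECT and DEVICE_OBJECT layouts are larger and version-specific, and a real scanner would read them with version-specific offsets). All module names, addresses and the sample driver are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for kernel structures: only the fields the
 * checks read are modelled. Offsets and sizes here are not the real ones. */
#define NUM_MJ 28   /* IRP_MJ_MAXIMUM_FUNCTION (0x1b) + 1 dispatch slots */

typedef struct image_range {          /* a loaded kernel module: [base, base+size) */
    const char *name;
    uintptr_t   base;
    size_t      size;
} image_range;

typedef struct driver_object {
    const char *name;
    image_range image;                /* DriverStart / DriverSize of the driver itself */
    uintptr_t   major_function[NUM_MJ]; /* the IRP dispatch table */
} driver_object;

typedef struct device_object {
    const char          *name;
    const driver_object *driver;      /* DEVICE_OBJECT.DriverObject back-pointer */
} device_object;

/* Modules other than the driver itself that may legitimately own a dispatch entry.
 * The kernel supplies the default stub (IopInvalidDeviceRequest) for unimplemented
 * slots, so entries into ntoskrnl are normal; a driver may also forward to a class
 * library. Both are constructed addresses. */
static const image_range KNOWN_MODULES[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x400000 },
    { "classpnp.sys", 0x8A000000u, 0x010000 },
};
#define NKNOWN (sizeof KNOWN_MODULES / sizeof KNOWN_MODULES[0])

static int in_range(uintptr_t a, const image_range *r) {
    return a >= r->base && a < r->base + r->size;
}

/* Count dispatch entries that no known module accounts for. An entry pointing into
 * an unlisted region is what an IRP hook looks like; it is a finding to verify
 * against the loaded-module list, not proof on its own. */
int count_unaccounted_irp_entries(const driver_object *drv,
                                  const image_range *known, size_t nknown) {
    int bad = 0;
    for (size_t i = 0; i < NUM_MJ; i++) {
        uintptr_t h = drv->major_function[i];
        int ok = in_range(h, &drv->image);
        for (size_t k = 0; !ok && k < nknown; k++)
            ok = in_range(h, &known[k]);
        if (!ok) bad++;
    }
    return bad;
}

/* Count device objects whose DriverObject pointer no longer refers to the driver
 * they were enumerated from: the Driver_Object/Device_Object DKOM pattern. */
int count_redirected_devices(const device_object *devs, size_t ndev,
                             const driver_object *owner) {
    int bad = 0;
    for (size_t i = 0; i < ndev; i++)
        if (devs[i].driver != owner) bad++;
    return bad;
}

/* Build a constructed sample: a clean disk-class driver with two devices, and
 * optionally the same driver after an IRP hook plus a device re-point. */
static void fill_sample(int tampered, driver_object *drv, driver_object *rogue,
                        device_object devs[2]) {
    drv->name  = "disk.sys (constructed)";
    drv->image = (image_range){ "disk.sys", 0x90000000u, 0x20000 };
    for (int i = 0; i < NUM_MJ; i++)               /* unimplemented: kernel stub */
        drv->major_function[i] = KNOWN_MODULES[0].base + 0x1000;
    drv->major_function[0]  = drv->image.base + 0x1200;       /* IRP_MJ_CREATE */
    drv->major_function[3]  = drv->image.base + 0x1800;       /* IRP_MJ_READ */
    drv->major_function[4]  = drv->image.base + 0x1900;       /* IRP_MJ_WRITE */
    drv->major_function[14] = KNOWN_MODULES[1].base + 0x400;  /* IRP_MJ_DEVICE_CONTROL -> class library */
    devs[0] = (device_object){ "\\Device\\Harddisk0\\DR0", drv };
    devs[1] = (device_object){ "\\Device\\Harddisk1\\DR1", drv };
    *rogue = *drv;                                  /* a forged copy, as DKOM would create */
    rogue->name = "forged driver object";
    if (tampered) {
        drv->major_function[3] = 0xA0000000u + 0x10; /* READ hooked into an unlisted region */
        drv->major_function[4] = 0xA0000000u + 0x40; /* WRITE hooked likewise */
        devs[0].driver = rogue;                      /* device re-pointed at the forgery */
    }
}

int irp_findings(int tampered) {
    driver_object drv, rogue; device_object devs[2];
    fill_sample(tampered, &drv, &rogue, devs);
    return count_unaccounted_irp_entries(&drv, KNOWN_MODULES, NKNOWN);
}

int device_findings(int tampered) {
    driver_object drv, rogue; device_object devs[2];
    fill_sample(tampered, &drv, &rogue, devs);
    return count_redirected_devices(devs, 2, &drv);
}

int main(void) {
    printf("clean:    %d hooked IRP entries, %d redirected devices\n",
           irp_findings(0), device_findings(0));
    printf("tampered: %d hooked IRP entries, %d redirected devices\n",
           irp_findings(1), device_findings(1));
    return 0;
}
```

The allow-list is the part that decides false-positive rate: without the kernel entry, every unimplemented slot (which points at the kernel's default stub) would be reported, and without the class-library entry a driver that legitimately forwards requests would be too. A real implementation obtains that list from the loaded-module table rather than hard-coding it.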
