Predicting the future of stealth attacks
Aditya Kapoor McAfee
Rachit Mathur McAfee
Just when we started hoping that stealth malware would be on the decline (since almost all AV vendors have caught
up in this space), a reality check for the years 2010 and 2011 proved otherwise. Currently, close to 10% of malware uses
stealth attacks, and although these numbers might seem a little low in the big picture, it's all about the motivation and
goal of an attack as well as the skills required for a successful stealth attack. An ill-crafted stealth attack could
actually raise red flags with security applications or administrators.
There is a small percentage of stealth malware which concerns us more than anything else. The authors of these smaller groups
of malware are highly skilled and motivated. Some of the recent stealth attacks were created in order to establish the single
largest botnet (TDSS), advanced persistence (Stuxnet) and stealth frameworks (TDSS, MAX++, Whistler).
This paper dives deeper into the attack strategies of recent rootkits and looks at what worked for them (for example, TDSS used
a DKOM attack on Driver_Object and Device_Objects; Stuxnet used a filter driver; Whistler used a polymorphic MBR; MAX++ used IRP
hooks; and BlackEnergy used a DKOM attack on KThread, etc.). We will also incorporate the attack strategies of any new
rootkits in this discussion. This paper will also describe the most profitable areas in the OS kernel to attack,
keeping in mind that the market share of computers is diverging between Windows 7 32/64-bit as well as mobile operating
systems. The inference could help us decide what technological improvements are needed in the AV space to better combat
the more futuristic stealth attacks, which are not going to go away in the near future.