Hey, Hey, Malware… ‘Sup?

(Major thanks to Lastline’s Co-Founder and Chief Scientist Dr. Christopher Kruegel for the “heavy lifting” including the detailed Research Note and the data analysis that supports it.)

That title may seem a bit, or even a lot, too friendly, considering that malware is certainly no friend of ours, or of you and your organization, for that matter. But we definitely do spend a lot of time with it.

We detonate and analyze a ton of malware samples daily, in our cloud and on-premises at our customers, in our Deep Content Inspection™ sandboxes. And periodically we take a step back and look at the body of data to see if we can spot any trends in how malware behavior is changing. We did this recently for the data that we collected in 2015, and observed three types of malicious behavior that increased significantly, as well as an ongoing pattern in evasive behavior. These trending behaviors include:

  • The use of code signing (Authenticode signatures), especially in the “grayware” space. While blatantly malicious code is rarely signed, the middle ground of Potentially Unwanted Programs, such as adware, has shown a significant upswing in signing with legitimate certificates. Keep in mind that a valid signature only ties a file to a signer and guarantees its integrity; it says nothing about whether the signed code behaves well.
  • Brute-force password guessing, in order to perform local privilege escalation and to break into remote sites.
  • More aggressive changes to browser settings to launch powerful man-in-the-middle attacks against encrypted connections.
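
Because the first trend is about signed grayware, a triage question that comes up constantly is simply "does this sample carry an Authenticode certificate table at all?" The following is an added example, not code from the Lastline post or from the research note: it parses the PE headers to locate the Security data directory and walks the WIN_CERTIFICATE entries it points to. The PE image it builds for itself is a constructed, header-only fixture (no sections, not loadable), and `FAKE_PKCS7` is a placeholder byte string rather than a real PKCS#7 signature.

```python
"""Triage helper: does a PE file carry an Authenticode certificate table?

Presence of a WIN_CERTIFICATE blob is NOT proof that the signature is valid
or that the signer is trustworthy. It only tells you the sample is worth
running through a real verifier (signtool /verify, osslsigncode verify) and
checking the signer against your allow/deny lists.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot for the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signatures are PKCS#7 SignedData

# Constructed placeholder; a real entry would hold a DER-encoded PKCS#7 blob.
FAKE_PKCS7 = b"\x30\x0bfake-pkcs7"


def security_directory(pe):
    """Return (file_offset, size) of the certificate table, or None.

    Unlike every other data directory, the Security entry's first field is a
    raw file offset, not an RVA, because the table lives outside any section.
    """
    try:
        if pe[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic == 0x10B:            # PE32
            nrva_off, dd_base = opt + 92, opt + 96
        elif magic == 0x20B:          # PE32+
            nrva_off, dd_base = opt + 108, opt + 112
        else:
            return None
        (n_rva,) = struct.unpack_from("<I", pe, nrva_off)
        entry = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        if n_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_opt:
            return None
        off, size = struct.unpack_from("<II", pe, entry)
    except struct.error:              # truncated header
        return None
    if off == 0 or size == 0 or off + size > len(pe):
        return None                   # absent, or table points past end of file
    return off, size


def certificate_entries(pe):
    """Walk the WIN_CERTIFICATE entries in the table; each entry is 8-byte aligned."""
    sd = security_directory(pe)
    if sd is None:
        return []
    off, size = sd
    end = off + size
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            break                     # malformed entry: stop instead of looping forever
        entries.append({"revision": revision, "type": cert_type, "length": length})
        off += (length + 7) & ~7
    return entries


def is_authenticode_signed(pe):
    """True if at least one entry is a PKCS#7 SignedData blob (the Authenticode type)."""
    return any(e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA for e in certificate_entries(pe))


def build_unsigned_pe():
    """Constructed fixture: a header-only PE32+ image with an empty Security directory."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 0 sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def append_fake_certificate(pe, blob):
    """Constructed fixture: wrap `blob` in a WIN_CERTIFICATE and point the Security directory at it."""
    pe = bytearray(pe)
    pe += b"\0" * (-len(pe) % 8)                                 # table must start 8-byte aligned
    table_off = len(pe)
    body = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    body += b"\0" * (-len(body) % 8)
    pe += body
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 4 + 20
    struct.pack_into("<II", pe, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, table_off, len(body))
    return bytes(pe)


if __name__ == "__main__":
    sample = append_fake_certificate(build_unsigned_pe(), FAKE_PKCS7)
    print("security directory:", security_directory(sample))
    print("entries:", certificate_entries(sample))
    print("looks signed:", is_authenticode_signed(sample))
```

Two things to remember when you use this on real samples: the Authenticode hash deliberately excludes the Security directory entry and the certificate table itself, so a blob can be appended to an already-built file without breaking anything else, and grayware authors who bought or stole a certificate will pass this check by design. Treat a positive result as a reason to verify the chain and look at the signer, not as a verdict.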

Looking at evasive behavior, we found that, unsurprisingly, sandbox evasion has entered the mainstream, and the age of “Heisenmalware” — malware that changes its behavior under observation — is here to stay. The number of samples exhibiting evasive behaviors designed to detect sandbox attributes and avoid analysis grew significantly over the previous year, and the extremely high level has been maintained, with some ebbs and flows due to malware “flavors of the month,” throughout 2015.
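To make the "Heisenmalware" idea concrete, here is one of the cheapest sandbox-detection tricks in the evasion family, written as an added example from the analyst's side (this is not code from the post or the research note). Many sandboxes shorten long sleeps so a sample reaches its payload within the analysis budget; a sample that asks for N seconds and then compares what two independent clocks observed can tell that the time did not really pass. The threshold and clock choice below are this example's assumptions, not numbers from the research.

```python
"""Sleep-acceleration probe: the kind of check an evasive sample runs before
deciding whether to behave. Run it on a normal host and it reports nothing
unusual; under a sandbox that patches the sleep call without advancing every
visible clock consistently, the elapsed time comes up short.
"""
import time


def sleep_probe(seconds):
    """Request `seconds` of sleep and report how much time each clock saw elapse."""
    t0_wall, t0_perf = time.time(), time.perf_counter()
    time.sleep(seconds)
    return {
        "requested": seconds,
        "wall": time.time() - t0_wall,          # system clock; may be skewed by the sandbox
        "perf": time.perf_counter() - t0_perf,  # high-resolution monotonic counter
    }


def evaluate_probe(result, tolerance=0.5):
    """Decision logic, separated so it can be checked on constructed results.

    Returns True (sleep was accelerated) if any clock saw less than
    `tolerance` of the requested duration. The tolerance is an assumption:
    it leaves room for scheduler jitter but catches a sleep cut to a fraction.
    """
    shortest = min(result["wall"], result["perf"])
    return shortest < result["requested"] * tolerance


def sleep_was_accelerated(seconds=0.2, tolerance=0.5):
    """Live check: combine the probe and the decision."""
    return evaluate_probe(sleep_probe(seconds), tolerance)


if __name__ == "__main__":
    r = sleep_probe(0.2)
    print(r)
    print("sleep accelerated:", evaluate_probe(r))
```

The defensive lesson is the mirror image: an analysis environment that fast-forwards sleeps has to advance every clock the sample can read, consistently, or the shortcut itself becomes the tell. This is also why sandbox evasion tends to stack several such probes (CPU count, RAM, uptime, known analysis artifacts) and only bail out when more than one disagrees with a real machine.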

You can see more detail about our findings, as well as graphs of the data, in the complete research note.