Sophisticated Malware Worries Security Researchers
James Wyke, a security researcher with Sophos, has come across malware that uses throw-off tactics to thwart security investigations, theregister.co.uk reported on August 26, 2014.
The malware's tricks comprise an assortment of remarkable techniques that VXers, i.e. PC-virus developers, use to look for technical artifacts that let them distinguish the PCs of targeted users from the machines malware researchers use.
Malware authors' operations inevitably make some noise while infecting victims' computers, but they need to stay quiet when their wares land on the computers of security professionals.
If security investigators can work out a malware's tactics, they can block the inputs that VXers rely on to carry out their attacks. Consequently, most malware programs try hard to stay less aggressive or to disguise their CnC (command-and-control) systems.
The tactics may involve hiding the IP addresses of the command-and-control server or creating bogus ones, while some malware will blacklist the researcher's IP address once it realizes it is running on a researcher's computer.
Security researcher Wyke is expected to reveal the deceptive techniques of certain malware families at the Virus Bulletin Conference in September 2014 in Seattle (United States). The families covered will include Shylock, Andromeda, Vundo and Simda.
Wyke is expected to show how behaviour varies between the malware families, for example installing dummy files, making bogus HTTP or DNS requests, or serving misleading configuration files.
The Shylock Trojan, which returned quite quickly after every shutdown attempt by private security companies and law enforcement, has been seen dispatching phony configuration files, a tactic it uses to mislead researchers trying to detect the malware.
With Simda, Wyke observes a different approach: the malware collects the research computer's IP address and then blacklists it.
Vundo works differently again: once it detects a virtual environment it uses decoy CnC servers, so that it can distract attention and possibly produce a false positive.
The Andromeda malware installer, on the other hand, conceals its CnC systems while it is running inside a sandbox, so that security investigators have real trouble locating the source of the commands.
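The common thread in the Shylock, Simda, Vundo and Andromeda behaviours above is that the sample produces different indicators depending on whether it believes it is being watched. The analyst-side response is differential analysis: run the sample in more than one environment and treat indicators that appear only in the instrumented run as suspect. The following is an added example written for this article, not code from Sophos, Wyke or the Register; the two indicator sets are constructed for illustration (reserved `.test` names and documentation IP ranges), and `diff_indicators`, `suspected_decoys` and `divergence_score` are hypothetical helper names.

```python
"""Differential comparison of indicators from two analysis runs of one sample.

Added example, not from the article. Given the DNS names, HTTP URLs and
dropped files observed when a sample ran in a sandbox/VM and when it ran in a
more realistic environment, report which indicators appear in only one run.
Divergence of this kind is the symptom of the decoy behaviour the article
describes (decoy CnC servers, bogus DNS/HTTP, dummy files, phony config), and
it tells the analyst which sandbox-derived indicators must not be trusted.
"""

# Constructed sample data: reserved .test names and RFC 5737 addresses,
# not real malware infrastructure.
SANDBOX_RUN = {
    "dns": {"update.decoy-example.test", "time.example.test"},
    "http": {"http://198.51.100.7/cfg.bin"},
    "files": {r"C:\Users\Public\readme.txt"},
}
BAREMETAL_RUN = {
    "dns": {"cdn.real-example.test", "time.example.test"},
    "http": {"http://203.0.113.9/gate.php"},
    "files": {r"C:\Users\Public\readme.txt", r"C:\ProgramData\svc\loader.dll"},
}


def diff_indicators(run_a, run_b):
    """Per indicator category, split values into shared / only_a / only_b.

    run_a and run_b map a category name to a set of observed indicators.
    Categories missing from one run are treated as empty.
    """
    result = {}
    for category in sorted(set(run_a) | set(run_b)):
        a = set(run_a.get(category, ()))
        b = set(run_b.get(category, ()))
        result[category] = {
            "shared": a & b,
            "only_a": a - b,
            "only_b": b - a,
        }
    return result


def suspected_decoys(diff):
    """Indicators present only in run A (the sandbox): decoy candidates.

    Returns a dict of category -> set, omitting categories with no candidates.
    """
    return {cat: d["only_a"] for cat, d in diff.items() if d["only_a"]}


def divergence_score(diff):
    """Fraction of all distinct indicators that are NOT common to both runs.

    0.0 means the sample behaved identically; values near 1.0 mean almost
    nothing observed in one environment was reproduced in the other.
    """
    total = sum(len(d["shared"]) + len(d["only_a"]) + len(d["only_b"])
                for d in diff.values())
    differing = sum(len(d["only_a"]) + len(d["only_b"]) for d in diff.values())
    return differing / total if total else 0.0


if __name__ == "__main__":
    diff = diff_indicators(SANDBOX_RUN, BAREMETAL_RUN)
    for category, parts in diff.items():
        print(f"[{category}] shared={sorted(parts['shared'])} "
              f"sandbox-only={sorted(parts['only_a'])} "
              f"baremetal-only={sorted(parts['only_b'])}")
    print("decoy candidates:", suspected_decoys(diff))
    print(f"divergence: {divergence_score(diff):.2f}")
```

In practice the "baremetal" side can be any second environment that differs in the artifacts evasive code checks (hardware identifiers, uptime, installed tools, source IP range), and the comparison is only as good as the isolation between the two runs: an IP-blacklisting family like Simda will poison the second run if it egresses from the same address as the first.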
» SPAMfighter News - 03-09-2014