TMCnet News
McAfee Labs Report Reviews 30-Year Evolution of Evasion Techniques

McAfee Inc. today released its McAfee Labs Threats Report: June 2017, which examines the origins and inner workings of the Fareit password stealer, provides a review of the 30-year history of evasion techniques used by malware authors, explains the nature of steganography as an evasion technique, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware, and other threats in Q1 2017.

"There are hundreds, if not thousands, of anti-security, anti-sandbox, and anti-analyst evasion techniques employed by hackers and malware authors, and many of them can be purchased off the shelf from the Dark Web," said Vincent Weafer, Vice President of McAfee Labs. "This quarter's report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine learning based protection."

30 Years of Malware Evasion Techniques

Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding. McAfee Labs classifies evasion techniques into three broad categories:
The June 2017 McAfee Labs report examines some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques, and what to expect in the future, including machine learning evasion and hardware-based evasion.

Hiding in Plain Sight: The Concealed Threat of Steganography

Steganography is the art and science of hiding secret messages. In the digital world, it is the practice of concealing messages in images, audio tracks, video clips, or text files. Often, digital steganography is used by malware authors to avoid detection by security systems. The first known use of steganography in a cyberattack was in the Duqu malware in 2011. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system, and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology. McAfee Labs sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.

Fareit: The Most Infamous Password Stealer

Fareit first appeared in 2011 and has since evolved in a variety of ways, including new attack vectors, enhanced architecture and inner workings, and new ways to evade detection. There is a growing consensus that Fareit, now the most infamous password-stealing malware, was likely used in the high-profile Democratic National Committee breach before the 2016 U.S. Presidential election. Fareit spreads through mechanisms such as phishing emails, DNS poisoning, and exploit kits. A victim could receive a malicious spam email containing a Word document, JavaScript, or archive file as an attachment.
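The steganography section above describes two carriers: an image in which data is inserted by an embedding algorithm and later extracted, and unused fields in TCP/IP headers. The following added example (written for this page, not code from the McAfee report) shows both from a detection standpoint. Part 1 implements the common least-significant-bit (LSB) embedding on a constructed 16x16 grayscale pixel list, extracts it again, and applies the pair-of-values chi-square statistic, which is one classical way to tell an LSB-modified image from an untouched one even though no pixel moves by more than one gray level. Part 2 builds constructed IPv4/TCP SYN packets with the standard library and flags header fields that an ordinary packet leaves at zero. All pixel values, addresses and ports are constructed sample data.

```python
"""Steganography checks for the two carriers named in the report: LSB data
hidden in image pixels, and data placed in unused IPv4/TCP header fields."""
import struct

# ---- Part 1: LSB image steganography and a pair-of-values detector ----
# Constructed 16x16 grayscale "image" (a plain pixel list, not a real file).
# Every value is even, so no (2k, 2k+1) pair is balanced before embedding.
COVER = [2 * ((i * 7) % 128) for i in range(256)]


def embed(pixels, payload):
    """Hide payload in the LSBs; a 16-bit length prefix lets extract() stop."""
    data = struct.pack("!H", len(payload)) + payload
    bits = [(byte >> (7 - b)) & 1 for byte in data for b in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit      # overwrite only the LSB
    return out


def extract(pixels):
    """Reverse of embed(): read LSBs, first two bytes give the length."""
    def read_bytes(start, count):
        return bytes(
            sum(((pixels[start + 8 * j + b] & 1) << (7 - b)) for b in range(8))
            for j in range(count))
    (length,) = struct.unpack("!H", read_bytes(0, 2))
    return read_bytes(16, length)


def pov_statistic(pixels):
    """Pair-of-values chi-square statistic (Westfeld and Pfitzmann).
    LSB embedding pushes each (2k, 2k+1) pair toward equal counts, so a
    stego image scores below an untouched one of the same size. A real
    detector compares the score with the chi-square distribution."""
    counts = [0] * 256
    for v in pixels:
        counts[v] += 1
    stat = 0.0
    for k in range(128):
        e, o = counts[2 * k], counts[2 * k + 1]
        if e + o:
            stat += (e - o) ** 2 / (e + o)
    return stat


def image_demo(payload=b"key"):
    stego = embed(COVER, payload)
    return {
        "roundtrip": extract(stego) == payload,
        "max_pixel_delta": max(abs(a - b) for a, b in zip(COVER, stego)),
        "pov_cover": pov_statistic(COVER),
        "pov_stego": pov_statistic(stego),
    }


# ---- Part 2: data in unused IPv4/TCP header fields ----
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"       # 20-byte TCP header, no options


def build_packet(ip_reserved=0, tcp_reserved=0, urg_ptr=0, urg_flag=0):
    """Constructed IPv4+TCP SYN; the fields under test are adjustable."""
    flags_frag = (ip_reserved << 15) | (1 << 14)           # DF set, offset 0
    ip = struct.pack(IPV4_FMT, 0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    offset_byte = (5 << 4) | (tcp_reserved & 0x0F)         # data offset 5
    tcp_flags = 0x02 | (0x20 if urg_flag else 0)           # SYN (+URG)
    tcp = struct.pack(TCP_FMT, 40000, 443, 1, 0, offset_byte, tcp_flags,
                      65535, 0, urg_ptr)
    return ip + tcp


def header_anomalies(packet):
    """Flag header fields that an ordinary packet leaves at zero. A hit is
    a lead for an analyst, not proof of a covert channel."""
    ip = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ip[0] & 0x0F) * 4
    tcp = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    findings = []
    if ip[4] >> 15:
        findings.append("ipv4 reserved flag bit set")
    if tcp[4] & 0x0F:
        findings.append("tcp reserved bits set")
    if tcp[8] and not (tcp[5] & 0x20):
        findings.append("urgent pointer nonzero without URG flag")
    return findings


if __name__ == "__main__":
    print(image_demo())
    print(header_anomalies(build_packet(ip_reserved=1, tcp_reserved=5, urg_ptr=7)))
```

For the constructed cover the statistic is exactly 256 (each even value appears twice, never its odd neighbour); after embedding the 40-bit payload the sixteen pixels that received a 1 bit each zero out one pair, giving 224, while no pixel changed by more than one gray level. The header checks are the kind of rule an IDS can apply to every packet, but reserved-bit and urgent-pointer oddities also arise from broken middleboxes, so they should raise a review rather than a verdict.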
Once the user opens the attachment, Fareit infects the system, sends stolen credentials to its control server, and then downloads additional malware based on its current campaign.

The 2016 DNC breach was attributed to a malware campaign known as Grizzly Steppe. McAfee Labs identified Fareit hashes in the indicators of compromise list published in the U.S. government's Grizzly Steppe report. The Fareit strain is believed to be specific to the DNC attack and dropped by malicious Word documents spread through phishing email campaigns. The malware references multiple control server addresses that are not commonly observed in Fareit samples found in the wild. It was likely used in conjunction with other techniques in the DNC attack to steal email, FTP, and other important credentials. McAfee Labs suspects that Fareit also downloaded advanced threats such as Onion Duke and Vawtrak onto the victims' systems to carry out further attacks.

"With people, businesses, and governments increasingly dependent on systems and devices that are protected only by passwords, these credentials are weak or easily stolen, creating an attractive target for cybercriminals," Weafer continued. "McAfee Labs believes attacks using password-stealing tactics are likely to continue to increase in number until we transition to two-factor authentication for system access. The Grizzly Steppe campaign provides a preview of new and future tactics."

Q1 2017 Threat Activity

In the first quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyber threat growth and cyberattack incidents across industries:
For more information on these trends, or more threat landscape statistics for Q1 2017, visit www.mcafee.com for the full report. For guidance on how organizations can better protect their enterprises from the threats detailed in this quarter's report, visit the McAfee Enterprise Blog.

About McAfee Labs

McAfee Labs is one of the world's leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors (file, web, and network), McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks. McAfee Labs also develops core threat detection technologies that are incorporated into the broadest security product portfolio in the industry.

About McAfee

McAfee is one of the world's leading independent cybersecurity companies. Inspired by the power of working together, McAfee creates business and consumer solutions that make the world a safer place. www.mcafee.com
McAfee and the McAfee logo are trademarks of McAfee LLC in the United
States and other countries.
View source version on businesswire.com: http://www.businesswire.com/news/home/20170619006304/en/