McAfee Labs Report Reviews 30-Year Evolution of Evasion Techniques
McAfee Catalogs 244 New Cyber Threats Every Minute, More Than Four Every Second; Global Mobile Malware Infection Rate up 57% in Q1 2017; Total Mac OS Malware up 53%
NEWS HIGHLIGHTS
- McAfee Labs sees mobile malware growth double in Asia, contributing to a 57% increase in global infection rates
- Total mobile malware grew 79% in the past four quarters to 16.7 million samples
- Total Mac OS malware samples grew 53% in Q1, driven by an adware glut
- New ransomware rebounded in Q1, primarily due to Congur attacks on Android OS devices
- Total ransomware grew 59% in the past four quarters to 9.6 million samples
- 301 publicly disclosed security incidents in Q1, an increase of 53% over Q4
- The health, public, and education sectors comprised more than 50% of total incidents
Singapore, June 20, 2017 – McAfee Inc. today released its McAfee Labs Threats Report: June 2017, which examines the origins and inner workings of the Fareit password stealer, provides a review of the 30-year history of evasion techniques used by malware authors, explains the nature of steganography as an evasion technique, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware, and other threats in Q1 2017.
“There are hundreds, if not thousands, of anti-security, anti-sandbox, and anti-analyst evasion techniques employed by hackers and malware authors, and many of them can be purchased off the shelf from the Dark Web,” said Vincent Weafer, Vice President of McAfee Labs. “This quarter’s report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine learning based protection.”
30 Years of Malware Evasion Techniques
Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term “evasion technique” groups all the methods used by malware to avoid detection, analysis, and understanding. McAfee Labs classifies evasion techniques into three broad categories:
· Anti-security techniques: Used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.
· Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.
· Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.
The June 2017 McAfee Labs report examines some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques, and what to expect in the future, including machine learning evasion and hardware-based evasion.
Hiding in Plain Sight: The Concealed Threat of Steganography
Steganography is the art and science of hiding secret messages. In the digital world, it is the practice of concealing messages in images, audio tracks, video clips, or text files. Often, digital steganography is used by malware authors to avoid detection by security systems. The first known use of steganography in a cyberattack was in the Duqu malware in 2011. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system, and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.
McAfee Labs sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.
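A defender-side check for the network steganography described above, added here as an example and not taken from the McAfee report: it parses the fixed IPv4 and TCP headers of a packet and flags header fields that should be zero in normal traffic (the IPv4 reserved flag bit, the TCP reserved bits, and a non-zero urgent pointer without the URG flag). The packets are constructed in the `build_packet` helper with checksums left at zero; field names and thresholds are this example's own assumptions.

```python
import struct

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the header fields this check cares about from a raw IPv4+TCP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # IPv4 header length in bytes
    if proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a TCP packet or truncated TCP header")
    (_sport, _dport, _seq, _ack, off_res, flags,
     _win, _tcsum, urg_ptr) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {
        "ip_reserved_flag": (flags_frag >> 15) & 1,  # RFC 791 reserved bit, must be zero
        # Low nibble of the data-offset byte. RFC 3540 (experimental) uses its lowest
        # bit as NS, so on networks that run ECN nonces this mask should exclude it.
        "tcp_reserved": off_res & 0x0F,
        "tcp_urg_flag": (flags >> 5) & 1,            # URG is bit 5 of the flags byte
        "tcp_urgent_ptr": urg_ptr,
    }

def covert_field_findings(pkt: bytes) -> list:
    """Return a human-readable finding for each unused header field carrying data."""
    h = parse_ipv4_tcp(pkt)
    findings = []
    if h["ip_reserved_flag"]:
        findings.append("IPv4 reserved flag bit set")
    if h["tcp_reserved"]:
        findings.append(f"TCP reserved bits non-zero: {h['tcp_reserved']:#x}")
    if h["tcp_urgent_ptr"] and not h["tcp_urg_flag"]:
        findings.append(f"urgent pointer {h['tcp_urgent_ptr']:#06x} set without URG flag")
    return findings

def build_packet(ip_reserved=0, tcp_reserved=0, urg_ptr=0, urg_flag=0) -> bytes:
    """Constructed test packet (10.0.0.1 -> 10.0.0.2, ACK to port 443); checksums are zero."""
    flags_frag = (ip_reserved << 15) | (1 << 14)     # DF set, fragment offset 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    off_res = (5 << 4) | (tcp_reserved & 0x0F)       # data offset 5 words + reserved nibble
    flags = 0x10 | (0x20 if urg_flag else 0)         # ACK, optionally URG
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, off_res, flags, 65535, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    for name, pkt in [("clean", build_packet()),
                      ("covert", build_packet(ip_reserved=1, tcp_reserved=0x5, urg_ptr=0x41))]:
        print(name, covert_field_findings(pkt) or ["no findings"])
```

A single flagged packet is weak evidence on its own; the signal becomes useful when the same host emits many such packets over time, so feed the findings into a per-flow counter rather than alerting per packet.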
Fareit: The Most Infamous Password Stealer
Fareit first appeared in 2011 and has since evolved in a variety of ways, including new attack vectors, enhanced architecture and inner workings, and new ways to evade detection. There is a growing consensus that Fareit, now the most infamous password-stealing malware, was likely used in the high-profile Democratic National Committee breach before the 2016 U.S. Presidential election.
Fareit spreads through mechanisms such as phishing emails, DNS poisoning, and exploit kits. A victim could receive a malicious spam email containing a Word document, JavaScript, or archive file as an attachment. Once the user opens the attachment, Fareit infects the system, sends stolen credentials to its control server, and then downloads additional malware based on its current campaign.
The 2016 DNC breach was attributed to a malware campaign known as Grizzly Steppe. McAfee Labs identified Fareit hashes in the indicators of compromise list published in the U.S. government’s Grizzly Steppe report. The Fareit strain is believed to be specific to the DNC attack and dropped by malicious Word documents spread through phishing email campaigns.
The malware references multiple control server addresses that are not commonly observed in Fareit samples found in the wild. It was likely used in conjunction with other techniques in the DNC attack to steal email, FTP, and other important credentials. McAfee Labs suspects that Fareit also downloaded advanced threats such as Onion Duke and Vawtrak onto the victims’ systems to carry out further attacks.
“With people, businesses, and governments increasingly dependent on systems and devices that are protected only by passwords, these credentials are weak or easily stolen, creating an attractive target for cybercriminals,” Weafer continued. “McAfee Labs believes attacks using password-stealing tactics are likely to continue to increase in number until we transition to two-factor authentication for system access. The Grizzly Steppe campaign provides a preview of new and future tactics.”
Q1 2017 Threat Activity
In the first quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyber threat growth and cyberattack incidents across industries:
· New threats. In Q1 2017, there were 244 new threats every minute, or more than four every second.
· Security incidents. McAfee Labs counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public, and education sectors comprised more than 50% of the total.
· Malware. New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million known samples. New malware counts rebounded to the quarterly average seen during the past four years.
· Mobile malware. Mobile malware reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples. The largest contributor to this growth was Android/SMSreg, a potentially unwanted program detection from India.
· Mac OS malware. During the past three quarters, new Mac OS malware has been boosted by a glut of adware. Although still small compared with Windows threats, the total number of Mac OS malware samples grew 53% in Q1.
· Ransomware. New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million known samples.
· Spam botnets. In April, the mastermind behind the Kelihos botnet was arrested in Spain. Kelihos was responsible over many years for millions of spam messages that carried banking malware and ransomware. The US Department of Justice acknowledged international cooperation between United States and foreign authorities, the Shadow Server Foundation, and industry vendors.
For more information on these trends, or for more threat-landscape statistics for Q1 2017, visit www.mcafee.com for the full report.
For guidance on how organizations can better protect their enterprises from the threats detailed in this quarter’s report, visit the Enterprise Blog.
About McAfee Labs
McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks. McAfee Labs also develops core threat detection technologies that are incorporated into the broadest security product portfolio in the industry.
About McAfee
McAfee is one of the world’s leading independent cybersecurity companies. Inspired by the power of working together, McAfee creates business and consumer solutions that make the world a safer place. www.mcafee.com