Malware Mitigation Trends: Utilizing the Latest Weapons Against the Modern Malware Threat

September 08, 2010

In the malware mitigation market, vendors are divided along several lines: their perspective on the problem, their detection philosophy and their technology approach.

Most legacy network security devices have developed some semblance of controls to fight malware. Similar to the approach of traditional AV vendors, it is relatively easy for a network security device such as a content-aware firewall or intrusion prevention system to stop identified malware once the vendor has developed signatures or detection mechanisms that look for known instances of malware "breeds". For known malware threats, this signature approach can be effective.

However, known threat detection mechanisms have been rendered less effective with the advent of the "commercial" malware market. This quickly growing black market offers a forum for criminal enterprises to market their own malware-creation suites. Some even offer technical support.

These user-friendly, GUI-based software suites enable criminal-entrepreneurs to very easily create their own customized versions of malware. Each variation created can be encrypted and packed to create a new and unique signature for each malware package. As a result, each new malware breed requires known threat detection vendors to obtain, deconstruct and develop a new detection signature for the malware package variation in order to detect and block it. Some of the more sophisticated malware creation tools even provide a polymorphic repacking function that is executed in an automated fashion for each new victim host. Each time a new victim host is exploited, the malware creates a unique variation to transmit to the next targeted system.

Perhaps not surprisingly, this new evolution in malware development has created multiple, unpredictable variations. It also has spawned new technologies and detection philosophies based on the behavior of the new malware and/or compromised host.

One approach to combat malware is to use a virtual environment within a network device or host agent. This can enable the security device to determine the behavior of malware that is plucked off the network once it is allowed to run in this safe environment. Based on the captured malware’s behavior, the source IP address is then added to a known “bad-actor” database and optional controls can be added to restrict that infected host’s network access.

Other vendors utilize a network sensor to detect malware callback or “command and control” (CnC) traffic behavior. Once a malware-infected system is identified, steps can be taken to quarantine and decontaminate the host. The CnC traffic detection approach, however, requires accurate and timely intelligence regarding the CnC networks’ methods of communication as well as up-to-date knowledge of the active CnC networks.
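As an added illustration (not code from the original post or from any vendor it mentions), here is one simple behavioral heuristic for spotting callback traffic: a host contacting the same destination at near-constant intervals. The flow records, addresses and thresholds below are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 reaches 203.0.113.7:443 roughly every 300 s (a scheduled callback pattern);
# 10.0.0.9 reaches 198.51.100.20:443 at irregular, user-driven times.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443), (298, "10.0.0.5", "203.0.113.7", 443),
    (603, "10.0.0.5", "203.0.113.7", 443), (901, "10.0.0.5", "203.0.113.7", 443),
    (1199, "10.0.0.5", "203.0.113.7", 443), (1502, "10.0.0.5", "203.0.113.7", 443),
    (1798, "10.0.0.5", "203.0.113.7", 443), (2104, "10.0.0.5", "203.0.113.7", 443),
    (0, "10.0.0.9", "198.51.100.20", 443), (40, "10.0.0.9", "198.51.100.20", 443),
    (700, "10.0.0.9", "198.51.100.20", 443), (712, "10.0.0.9", "198.51.100.20", 443),
    (2100, "10.0.0.9", "198.51.100.20", 443), (2130, "10.0.0.9", "198.51.100.20", 443),
]

def beacon_candidates(flows, min_connections=6, max_cv=0.1):
    """Return {(src, dst, port): (count, mean_interval, cv)} for pairs whose
    inter-connection intervals are regular enough to resemble a timed callback.
    cv is the coefficient of variation (stdev / mean) of the intervals; both
    thresholds are assumptions and must be tuned per environment."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    found = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            found[key] = (len(stamps), round(avg, 1), round(cv, 3))
    return found

if __name__ == "__main__":
    for (src, dst, port), (n, avg, cv) in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}:{port}: {n} connections, ~{avg}s apart (cv={cv})")
```

Legitimate scheduled traffic such as update checks also beacons, so the output is a candidate list to cross-check against the CnC intelligence the text describes, not a verdict.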

Building on this, another approach to countering malware threats is to work with companies that offer malware threat intelligence services. These services can include building and maintaining databases that aggregate malware-infected or suspicious IP addresses and identifying active players in malware organizations and botnet networks. Companies that provide malware threat intelligence services typically build their malware intelligence databases by infiltrating malware organizations using human intelligence efforts, performing dedicated malware reverse-engineering research, utilizing “honey-pot” networks (fake hosts and networks) and by forming alliances with Managed Security Service Providers.

It is safe to say that almost every organization has a vested interest in keeping their customers and end-users safe. By working with companies that provide malware threat intelligence services, an enterprise can drastically reduce the risk of an infected user inadvertently exposing sensitive personal information to a bot or malware agent that is active on the customer’s system. It can also integrate malware intelligence into the front-end of an application to limit access from infected hosts, or utilize the intelligence in its log management life-cycle to notify potentially compromised users before the information can be used by the criminals who control the malware agent. Numerous security vendors are beginning to utilize this type of malware-specific intelligence in their products or to enable the customer to integrate this information into products.
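The two integration points just described, an application front-end check and a pass over access logs to find users who connected from flagged addresses, as an added example that is not the article's or any vendor's code. The intelligence entries, the key=value log format and the family labels are all constructed for the example.

```python
import ipaddress
import re

# Constructed threat-intelligence feed: indicator (IP or CIDR) -> malware family label.
# A real feed would come from the intelligence providers the article describes.
INTEL = {
    "203.0.113.7": "botnet-alpha (constructed)",
    "198.51.100.0/24": "banking-trojan-beta CnC range (constructed)",
}

def build_matcher(intel):
    """Compile the feed into (network, label) pairs so single IPs and CIDR ranges match alike."""
    return [(ipaddress.ip_network(ind, strict=False), label) for ind, label in intel.items()]

def lookup(matcher, ip_text):
    """Return the label of the first indicator containing ip_text, or None (also for junk input)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, label in matcher:
        if ip in net:
            return label
    return None

def allow_sensitive_access(matcher, src_ip):
    """Front-end use: let a request reach sensitive functions only if its source is not flagged."""
    return lookup(matcher, src_ip) is None

# Constructed application access-log lines (the key=value layout is an assumption).
LOG_LINES = [
    "2010-09-08T12:00:01Z user=alice src=203.0.113.7 action=login result=ok",
    "2010-09-08T12:00:05Z user=bob src=192.0.2.44 action=login result=ok",
    "2010-09-08T12:01:10Z user=carol src=198.51.100.77 action=view_account result=ok",
    "2010-09-08T12:02:00Z user=alice src=192.0.2.9 action=logout result=ok",
    "malformed line without fields",
]
LINE_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)")

def users_to_notify(matcher, lines):
    """Log-management use: map each user seen from a flagged address to the evidence (src, label)."""
    hits = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        label = lookup(matcher, m["src"])
        if label:
            hits.setdefault(m["user"], []).append((m["src"], label))
    return hits

if __name__ == "__main__":
    for user, evidence in users_to_notify(build_matcher(INTEL), LOG_LINES).items():
        print(f"notify {user}: {evidence}")
```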

Another effective method is a host-based approach that can be divided into pre-incident and post-incident areas of concentration. A pre-incident approach utilizes processes and tools to perform regular auditing of machines in the environment, application whitelisting and process behavior analysis. A number of vendors provide software solutions that offer value in this pre-incident space. This approach can present some challenges, but overall it looks promising provided the deploying organization uses an effective method to reduce the potential impact this type of tool could have on the business during deployment. The post-incident approach utilizes investigative or forensic examination of infected machines to determine the extent and impact of a malware incident. This can be accomplished through the use of host examination tools that verify the existence of malware through memory analysis, among other techniques. The use of investigative and forensic tools to safely analyze infected systems is necessary to effectively determine the extent of the breach and identify the exact data compromised. Organizations that are serious about measuring and addressing the impact of malware incidents should acquire a software suite especially tailored for the unique challenges of malware investigation or forensics.

In conclusion, the nature of the continually evolving malware threat and the criminal innovations that are taking place at a record pace require enterprises to adopt a multi-faceted approach to malware if they even hope to have a chance. Attack surface management and active controls at the host and/or network level, combined with an effective investigative capability, will provide organizations the toolset needed to help mitigate the impact of malware on their business. A countermeasure or compensating control used in isolation will likely not provide the breadth needed to cover all the possible attack vectors presented by modern malware threats.

By: Steve Richards

Solutions Architect
