
In its annual “Security Threat Report 2013”, Sophos examines how the malware industry is developing and which new trends are emerging in it. Chief among them is the active use of web services that make targeted attacks feasible not only against large enterprises but against medium-sized ones, whose protection is usually far weaker. The technology behind these services generates malicious code that signature-based antivirus products do not detect.

In particular, 75% of malicious programs are only ever seen inside a single organisation's network during their whole lifetime. For antivirus companies, whose model is built on repelling mass attacks, this is a difficult situation: they would in effect have to create custom signatures for each company, which is not economically viable.

To produce such a variety of malicious programs, polymorphic code is used: the body of the malware is rewritten in a different form for every copy while its functionality is kept intact. The code that performs this modification, however, normally stays the same in every copy, so an antivirus can isolate that modifier and write a signature for it. If the modifier is taken out of the infected system altogether and placed in a single web service, the antivirus no longer has anything constant left to detect.

This is the idea behind Server-Side Polymorphism (SSP): specialised web services that modify malware in real time. The virus writer uploads the seed malware to the service, which can then generate an unlimited number of variants of it, for as long as the writer keeps paying the service's owner. Moreover, new samples can be generated so that a specific antivirus product does not detect them. It is the emergence of such services that lets attackers generate unique code for each attack on each company. As a result, classical signature-based antivirus becomes useless.

Another web service designed for targeted attacks on the computers of Internet users is the penetration platform, traditionally called an exploit pack (or exploit kit). A typical example is Blackhole, which is designed to guarantee infection of the visitor's computer. It first determines the type of browser, operating system and installed plug-ins (extension modules), and only after gathering this information is the visitor attacked with the exploit that targets a vulnerability in that particular plug-in and operating system.


According to Sophos Blackhole accounts for 27% of malicious websites.
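As an added illustration of the fingerprint-then-route step described above (example code written for this page, not Blackhole's own code and not taken from the Sophos report), the following Python models the landing-page logic: it extracts the operating system and browser from the User-Agent header and then picks a route from a table of plug-in versions. The User-Agent strings, the plug-in list and the version thresholds are all constructed placeholders; no real exploit or vulnerability data is involved.

```python
import re

# Constructed User-Agent strings of the kind a 2012-era landing page would see.
SAMPLE_USER_AGENTS = {
    "firefox_win7": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0",
    "ie8_winxp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "chrome_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 "
                  "(KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17",
}

# Constructed threshold table: "versions below this are routed to the exploit for
# that component". Placeholder values only; this is not real vulnerability data.
OUTDATED_BELOW = {"Java": "1.8.0_0", "Adobe Reader": "11.0", "Flash": "12.0"}

_OS_PATTERNS = (
    (r"Windows NT (\d+\.\d+)", "Windows NT {}"),
    (r"Mac OS X (\d+[_.]\d+)", "Mac OS X {}"),
    (r"(Linux)", "{}"),
)
# Order matters: Chrome User-Agents also contain "Safari/".
_BROWSER_PATTERNS = (
    ("MSIE", r"MSIE (\d+)"),
    ("Chrome", r"Chrome/(\d+)"),
    ("Firefox", r"Firefox/(\d+)"),
    ("Safari", r"Version/(\d+)\S* .*Safari/"),
)


def fingerprint(user_agent: str) -> dict:
    """Step 1 of the kit: derive OS and browser family/major version.

    A real kit also queries navigator.plugins from JavaScript on the client;
    here the plug-in list is passed in separately (see select_route).
    """
    fp = {"os": "unknown", "browser": "unknown", "browser_major": 0}
    for pattern, fmt in _OS_PATTERNS:
        m = re.search(pattern, user_agent)
        if m:
            fp["os"] = fmt.format(m.group(1).replace("_", "."))
            break
    for name, pattern in _BROWSER_PATTERNS:
        m = re.search(pattern, user_agent)
        if m:
            fp["browser"], fp["browser_major"] = name, int(m.group(1))
            break
    return fp


def version_tuple(version: str) -> tuple:
    """'1.6.0_23' -> (1, 6, 0, 23) so that versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[._]", version))


def select_route(fp: dict, plugins: dict, outdated_below: dict = OUTDATED_BELOW) -> str:
    """Step 2 of the kit: the first reported plug-in below the kit's threshold
    decides which component the visitor is attacked through; otherwise the
    visitor gets a clean page and the kit never reveals an exploit.
    """
    for component, threshold in outdated_below.items():
        reported = plugins.get(component)
        if reported and version_tuple(reported) < version_tuple(threshold):
            return "exploit:" + component.lower().replace(" ", "_")
    return "clean"


def triage(user_agent: str, plugins: dict) -> dict:
    """Full landing-page decision for one visitor."""
    fp = fingerprint(user_agent)
    return {**fp, "route": select_route(fp, plugins)}


if __name__ == "__main__":
    # Constructed plug-in report: old Java, current Flash.
    visitor_plugins = {"Java": "1.6.0_23", "Flash": "12.0"}
    for label, ua in SAMPLE_USER_AGENTS.items():
        print(label, triage(ua, visitor_plugins))
```

The same parser run over a web proxy's access log tells a defender which of their own hosts would have been routed to an exploit, which is a cheaper check than waiting for the antivirus to catch the payload.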

Defending against attacks that use such penetration platforms is difficult, because a platform of this kind effectively exploits vulnerabilities that exist in almost any system. Where all components of the target system are up to date, the owners of these packs use vulnerabilities that are not yet publicly known, which is what lets them give that guarantee. As a result, traditional means of protection against intrusion, such as firewalls, are not always able to stop such malicious code, simply because their developers are unaware of the vulnerabilities the attackers are exploiting.

So by combining SSP with an exploit pack as the attack platform, an attacker can go after almost any company, using code and a method unique to that attack. Traditional defences are designed for mass attacks, so they are unlikely to respond adequately to such malicious programs. In effect, the active development of these services means that Advanced Persistent Threats (APT), until now seen at the level of major companies such as Sony and RSA, are coming to average-sized businesses. The main goal of these attacks is to gain access to the victim's e-banking application and steal money from it. Thus the business model, the technology and the market for such attacks are all in place, and malware authors are now increasingly likely to use web services to carry out their illegal activities.

Today a number of companies, Sophos among them, already offer technology that identifies the activity of malicious programs using genetic algorithms, regardless of how the malware got onto the computer and how it was repackaged: the running program is observed and detected by its actions. Sophos's genetic algorithms let customers detect malware not by code fragments but by behaviour. This method works against SSP because the component the service packs always contains the same malicious payload, i.e. the same series of dangerous commands; the packer changes only the external representation of the code without changing its essence. Likewise, an exploit pack only delivers the exploits that download the malware onto the victim's machine, and the behaviour of that malware can still be determined by the analyser built into the antivirus software. Given the statistics and trends for 2013, it is protection with these capabilities that is becoming more relevant.
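To make the SSP mechanism and the behavioural counter-measure concrete, here is an added example in Python (written for this page; it is not code from Sophos, from the report, or from any real SSP service). A toy server-side generator wraps one constant payload in random junk and a random XOR key on every request, so each download has a different hash and no stable byte pattern; a scanner that signatures the first sample it sees then misses all later ones, while a check that unpacks the sample and looks at what it does catches every variant. The payload bytes, the wrapper format and the "behaviour indicators" are all constructed for the illustration.

```python
import hashlib
import random

# Constructed stand-in for a malicious payload: an opaque list of "commands".
# In a real sample this is the executable logic that stays constant across
# variants; here it is just bytes.
PAYLOAD = b"CMD:hook_browser;CMD:grab_ebanking_session;CMD:post_to_c2"

# Behavioural indicators an analyser would look for after unpacking (constructed).
BEHAVIOUR_INDICATORS = (b"grab_ebanking_session", b"post_to_c2")


def ssp_generate_sample(payload: bytes, rng: random.Random) -> bytes:
    """Model of one SSP request: wrap the same payload in a fresh disguise.

    Layout (constructed): junk_len(1) | junk | key_len(1) | key | XOR(payload, key)
    The generator itself never ships to the victim; only its output does.
    """
    junk_len = rng.randrange(8, 64)
    junk = bytes(rng.randrange(256) for _ in range(junk_len))
    key_len = rng.randrange(4, 16)
    key = bytes(rng.randrange(256) for _ in range(key_len))
    body = bytes(b ^ key[i % key_len] for i, b in enumerate(payload))
    return bytes([junk_len]) + junk + bytes([key_len]) + key + body


def unpack(sample: bytes) -> bytes:
    """The decoding stub: strips the junk and reverses the XOR.

    With client-side polymorphism this stub sits inside every sample and can
    be signatured; with SSP the server keeps the variation logic, so the
    analyser has to emulate the sample to see what it does.
    """
    junk_len = sample[0]
    pos = 1 + junk_len
    key_len = sample[pos]
    key = sample[pos + 1:pos + 1 + key_len]
    body = sample[pos + 1 + key_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def signature_scan(sample: bytes, known_hashes: set, known_patterns: list) -> bool:
    """Classical signature AV: match on file hash or a fixed byte pattern."""
    if hashlib.sha256(sample).hexdigest() in known_hashes:
        return True
    return any(pattern in sample for pattern in known_patterns)


def behaviour_scan(sample: bytes) -> bool:
    """Behaviour-based check: unpack (emulate), then inspect what the code does."""
    decoded = unpack(sample)
    return all(indicator in decoded for indicator in BEHAVIOUR_INDICATORS)


def run_experiment(n: int = 1000, seed: int = 2013) -> dict:
    """Signature the first variant the vendor ever sees, then scan n more."""
    rng = random.Random(seed)
    first = ssp_generate_sample(PAYLOAD, rng)
    known_hashes = {hashlib.sha256(first).hexdigest()}
    known_patterns = [first[-16:]]  # byte signature extracted from the first sample
    distinct, sig_hits, beh_hits = set(), 0, 0
    for _ in range(n):
        sample = ssp_generate_sample(PAYLOAD, rng)
        distinct.add(hashlib.sha256(sample).hexdigest())
        sig_hits += signature_scan(sample, known_hashes, known_patterns)
        beh_hits += behaviour_scan(sample)
        assert unpack(sample) == PAYLOAD  # the payload itself never changes
    return {"variants": n, "distinct_hashes": len(distinct),
            "signature_detections": sig_hits, "behaviour_detections": beh_hits}


if __name__ == "__main__":
    print(run_experiment())
```

The point of the experiment is the last two counters: the signature scanner, having seen one sample, detects none of the others, while the behavioural check detects all of them because the decoded payload is identical in every variant. Real packers are far more elaborate than an XOR loop, but the same asymmetry holds as long as the payload's actions are what the analyser keys on.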
