Daily Bulletin


The Conversation

  • Written by The Conversation
imageWhen malware stops looking like malware, we're in for a tough ride.patterns by cepera/shutterstock.com

The FBI and Europol recently brought down a criminal botnet – a network of remotely-controlled PCs – powered by Beebone, an advanced, polymorphic malware capable of shape-shifting up to 19 times a day to prevent detection by antivirus scanners.

By cutting off the command and control (C&C) servers used to issue commands to Beebone, the malware could be more easily located and removed. This particular botnet incorporated around 12,000 infected PCs, but researchers estimate Beebone has infected another 5m computers worldwide.

Widespread use of polymorphic software is a major change in the computer security arms race. In fact it’s Beebone’s polymorphism that has allowed it to remain a continual threat since it appeared way back in 2009.

The first virus

The story of the computer virus or what we now call malware began in 1983, when Fred Cohen wrote a parasitic program that seized control of computers. This was the first computer virus and the first use of the term. Cohen’s test was soon followed by the work of a 15-year-old teenager who wrote Elk Cloner, the first widespread virus which targeted the Apple II computer via the floppy disk.

It’s been a long road since then, with malicious software escalating in capability and complexity resulting in all manner of damage and embarrassing incidents. The infamous Robert Morris Jnr worm in 1988 saw its creator accidentally cripple the early academic internet, for which he received a US$10,000 fine. Fifteen years later in 2003 the Slammer worm crippled the modern internet, practically knocking South Korea off the net. Governments have also got in on the act with Stuxnet and all manner of software used by the NSA and GCHQ as revealed by Edward Snowden’s leaked files.

An arms race escalation

However, one of the most significant changes in the malware landscape was the arrival of one the first polymorphic viruses – the 1260 virus – around 1990. The 1260 virus could change its signature, which hides the appearance of the file to scanners such as antivirus program. It did this by encrypting and decrypting parts of itself while inserting randomly-generated garbage code, which had the effect of padding the size of the file, altering its signature to avoid detection.

The shape-shifting AAEH or Beebone malware arrives as an obfuscated (disguised) piece of Visual Basic code. By faking its identity as an unthreatening file type it tempts the user to run it, using Windows security flaws to gain privileged access (administrator rights) over the machine.

In order to make detection more difficult, its two internal components can each download variants of the other from C&C servers. This makes it harder to detect as each component must be a known version for antivirus scanners to detect the malware correctly. Once the Beebone agent has taken control, those operating it over the internet can send further instructions to the Beebone agent, for example whether to download other malware such as hacking tools, Trojans, keyloggers, or even ransomware such as Cryptolocker.

imageFile signature comparison reveals many different variants of the virus, all widespread.McAfee

Computer exploits such as hacking into systems or writing viruses were in the early days chiefly for gaining notoriety more than anything else. But in the last decade the growth of the net and its reach into most parts of society has brought with it criminals looking to profit. Cybercriminal attacks are now estimated to net US$445 billion each year in illicit revenue. Obviously, where there’s money to be made there will be people who will invest – in this case organised crime prepared to pay for the best tools for the job.

Police and investigators have had some success in countering the threat, shutting down several botnets over the last few years. But ultimately with each botnet shut down another springs up to take its place – constructed from software and other people’s compromised computers, a botnet used for criminal means is inherently expendable.

Defences must evolve too

The solution of deploying antivirus scanners to detect and remove malware is looking more and more out of date, as malware grows more capable of defending itself. Beebone, for example, can prevent efforts to remove it by blocking the internet addresses of known security and anti-virus software firms, and preventing anti-virus software from running.

The speed with which so-called zero-day-exploits – security holes known only to those who discovered them, and not the creator of the software – can spread before patches to provide adequate protection can be written has increased with the internet. This means it’s possible to compromise many, many machines before knowledge of the exploit is even public.

There is more to defence now than antivirus scanners alone, and perimeter defences and other forms of intrusion detection systems are able to detect suspicious network traffic rather than just suspicious files. Nevertheless with imaginative and ingenious criminal and programming minds at work, it’s really only skilled and experienced human talent that provide the awareness required – technology alone cannot offer a total solution.

We’ve come a long way since floppy disk viruses were created for fun not profit, but the angles of attack have changed and our defences must change with them.

John Walker does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

Authors: The Conversation

Read more http://theconversation.com/human-and-technical-ingenuity-will-be-required-to-defeat-shape-shifting-malware-40135

Writers Wanted

Dog Ownership & Mental Health in Children: 3 Ways Canines Develop A Child's Mind

arrow_forward

4 Reasons Why You Should Try Hypnotherapy

arrow_forward

Guide to Shipping Container Hire

arrow_forward

The Conversation
INTERWEBS DIGITAL AGENCY

Politics

Prime Minister Interview with Kieran Gilbert, Sky News

KIERAN GILBERT: Kieran Gilbert here with you and the Prime Minister joins me. Prime Minister, thanks so much for your time.  PRIME MINISTER: G'day Kieran.  GILBERT: An assumption a vaccine is ...

Daily Bulletin - avatar Daily Bulletin

Did BLM Really Change the US Police Work?

The Black Lives Matter (BLM) movement has proven that the power of the state rests in the hands of the people it governs. Following the death of 46-year-old black American George Floyd in a case of ...

a Guest Writer - avatar a Guest Writer

Scott Morrison: the right man at the right time

Australia is not at war with another nation or ideology in August 2020 but the nation is in conflict. There are serious threats from China and there are many challenges flowing from the pandemic tha...

Greg Rogers - avatar Greg Rogers

Business News

Guide to Shipping Container Hire

If you are thinking of hiring a shipping container rather than purchasing one, there are many great reasons to do so. It is a more affordable option and when you are done using it for what you neede...

News Co - avatar News Co

Top 5 US Logistics Companies

Nothing is more annoying than having to deal with unreliable shipping companies for your fragile and important packages. Other than providing the best customer service, a logistics company also ne...

News Co - avatar News Co

Luke Lazarus Helps Turns Startups into Global Stalwarts

There are many positive aspects to globalization. It is no secret that those who have been impacted by globalization tend to enjoy a higher standard of living in general. One factor that has led to ...

Emma Davidson - avatar Emma Davidson



News Co Media Group

Content & Technology Connecting Global Audiences

More Information - Less Opinion