BARCELONA — A researcher says that malicious software such as botnets and browser exploit kits is becoming more and more interdependent, complicating the job of those who seek to detect and remove the malware.
Aditya Sood, a doctoral student in the Department of Computer Science and Engineering at Michigan State University, told attendees at the annual Virus Bulletin Conference in Barcelona that malware infections today are often more chain reactions than discrete events, with one type of malware opening the door for subsequent malicious programs. The interplay between the different malware families is making it harder for security vendors – which often sell technology designed to combat a single type of security problem – to effectively thwart infections.
Sood, who is also a principal at Secniche.org, was presenting findings from research on the workings of the BlackHole browser exploit pack (BEP), a common toolkit for spreading malware through infected Web pages.
Rather than operating independently, the BlackHole BEP relied heavily on the Zeus malware family to spread, and vice versa, Sood found. The Zeus malware relies on BlackHole’s anti-malware tracking features, while BlackHole uses the Zeus database of infected hosts to spread, harvesting specific details about the Zeus-infected target and then launching attacks that would trigger infections on that host, Sood said.
Sood said that BlackHole and other BEPs have added open source components and anti-detection features to maximize their infection rates and to make detection and removal of the packs more difficult. In particular, polymorphic shellcode is being used to avoid detection by anti-malware and intrusion detection systems.
“There’s really no good client-side detection for polymorphic shellcode that doesn’t generate lots of false positives,” Sood said.
The complexity of the interactions between different types of malware is raising the bar for security software and for security professionals, who increasingly need to use a combination of malware analysis, Web application security and penetration testing, Sood said.