Welcome!

News Feed Item

McAfee Labs Report Reviews 30-Year Evolution of Evasion Techniques

McAfee Inc. today released its McAfee Labs Threats Report: June 2017, which examines the origins and inner workings of the Fareit password stealer, provides a review of the 30-year history of evasion techniques used by malware authors, explains the nature of steganography as an evasion technique, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware, and other threats in Q1 2017.

“There are hundreds, if not thousands, of anti-security, anti-sandbox, and anti-analyst evasion techniques employed by hackers and malware authors, and many of them can be purchased off the shelf from the Dark Web,” said Vincent Weafer, Vice President of McAfee Labs. “This quarter’s report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine learning based protection.”

30 Years of Malware Evasion Techniques

Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding. McAfee Labs classifies evasion techniques into three broad categories:

  • Anti-security techniques: Used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.
  • Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.
  • Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.

The June 2017 McAfee Labs report examines some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques, and what to expect in the future, including machine learning evasion and hardware-based evasion.

Hiding in Plain Sight: The Concealed Threat of Steganography

Steganography is the art and science of hiding secret messages. In the digital world, it is the practice of concealing messages in images, audio tracks, video clips, or text files. Often, digital steganography is used by malware authors to avoid detection by security systems. The first known use of steganography in a cyberattack was in the Duqu malware in 2011. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system, and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.

McAfee Labs sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.

Fareit: The Most Infamous Password Stealer

Fareit first appeared in 2011 and has since evolved in a variety of ways, including new attack vectors, enhanced architecture and inner workings, and new ways to evade detection. There is a growing consensus that Fareit, now the most infamous password-stealing malware, was likely used in the high-profile Democratic National Committee breach before the 2016 U.S. Presidential election.

Fareit spreads through mechanisms such as phishing emails, DNS poisoning, and exploit kits. A victim could receive a malicious spam email containing a Word document, JavaScript, or archive file as an attachment. Once the user opens the attachment, Fareit infects the system, sends stolen credentials to its control server, and then downloads additional malware based on its current campaign.

The 2016 DNC breach was attributed to a malware campaign known as Grizzly Steppe. McAfee Labs identified Fareit hashes in the indicators of compromise list published in the U.S. government’s Grizzly Steppe report. The Fareit strain is believed to be specific to the DNC attack and dropped by malicious Word documents spread through phishing email campaigns.

The malware references multiple control server addresses that are not commonly observed in Fareit samples found in the wild. It was likely used in conjunction with other techniques in the DNC attack to steal email, FTP, and other important credentials. McAfee Labs suspects that Fareit also downloaded advanced threats such as Onion Duke and Vawtrak onto the victims’ systems to carry out further attacks.

“With people, businesses, and governments increasingly dependent on systems and devices that are protected only by passwords, these credentials are weak or easily stolen, creating an attractive target for cybercriminals,” Weafer continued. “McAfee Labs believes attacks using password-stealing tactics are likely to continue to increase in number until we transition to two-factor authentication for system access. The Grizzly Steppe campaign provides a preview of new and future tactics.”

Q1 2017 Threat Activity

In the first quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyber threat growth and cyberattack incidents across industries:

  • New threats. In Q1 2017, there were 244 new threats every minute, or more than four every second.
  • Security incidents. McAfee Labs counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public, and education sectors comprised more than 50% of the total.
  • Malware. New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million known samples. New malware counts rebounded to the quarterly average seen during the past four years.
  • Mobile malware. Mobile malware reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples. The largest contributor to this growth was Android/SMSreg, a potentially unwanted program detection from India.
  • Mac OS malware. During the past three quarters, new Mac OS malware has been boosted by a glut of adware. Although still small compared with Windows threats, the total number of Mac OS malware samples grew 53% in Q1.
  • Ransomware. New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million known samples.
  • Spam botnets. In April, the mastermind behind the Kelihos botnet was arrested in Spain. Kelihos was responsible over many years for millions of spam messages that carried banking malware and ransomware. The US Department of Justice acknowledged international cooperation between United States and foreign authorities, the Shadow Server Foundation, and industry vendors.

For more information on these trends, or more threats landscape statistics for Q1 2017, visit www.mcafee.com for the full report.

For guidance on how organizations can better protect their enterprises from the threats detailed in this quarter’s report, visit Enterprise Blog.

About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threats vectors—file, web, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks. McAfee Labs also develops core threat detection technologies that are incorporated into the broadest security product portfolio in the industry.

About McAfee

McAfee is one of the world’s leading independent cybersecurity companies. Inspired by the power of working together, McAfee creates business and consumer solutions that make the world a safer place. www.mcafee.com

McAfee and the McAfee logo are trademarks of McAfee LLC in the United States and other countries.
*Other names and brands may be claimed as the property of others.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
DevOps promotes continuous improvement through a culture of collaboration. But in real terms, how do you: Integrate activities across diverse teams and services? Make objective decisions with system-wide visibility? Use feedback loops to enable learning and improvement? With technology insights and real-world examples, in his general session at @DevOpsSummit, at 21st Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, explored how leading organizations use data-driven DevOps to close th...
"Digital transformation - what we knew about it in the past has been redefined. Automation is going to play such a huge role in that because the culture, the technology, and the business operations are being shifted now," stated Brian Boeggeman, VP of Alliances & Partnerships at Ayehu, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The past few years have brought a sea change in the way applications are architected, developed, and consumed—increasing both the complexity of testing and the business impact of software failures. How can software testing professionals keep pace with modern application delivery, given the trends that impact both architectures (cloud, microservices, and APIs) and processes (DevOps, agile, and continuous delivery)? This is where continuous testing comes in. D
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"WineSOFT is a software company making proxy server software, which is widely used in the telecommunication industry or the content delivery networks or e-commerce," explained Jonathan Ahn, COO of WineSOFT, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
Mobile device usage has increased exponentially during the past several years, as consumers rely on handhelds for everything from news and weather to banking and purchases. What can we expect in the next few years? The way in which we interact with our devices will fundamentally change, as businesses leverage Artificial Intelligence. We already see this taking shape as businesses leverage AI for cost savings and customer responsiveness. This trend will continue, as AI is used for more sophistica...
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.