Threats have evolved to try and circumvent advances in analysis and detection. Every improvement by security vendors is met with a response from cybercriminals. Stuxnet, for example, paved the way for the other threat families to use the LNK vulnerability. Using Conficker/DOWNAD popularized the use of a domain generation algorithm (DGA). This is now used by other malware families as well, including ZeroAccess and TDSS.

The goal of these evasion techniques is simple: to avoid early detection and allow an attacker to establish a foothold on target machines.

In our paper Network Detection Evasion Methods, we discuss how some threats attempt to thwart detection by blending in with normal network traffic. This includes connections to Google and Microsoft Update, as well as traffic produced by popular instant messengers such as Yahoo! Messenger. Below are some of the remote access Trojans (RATs) we found to have used this method in an attempt to remain under the radar:

• FAKEM. This RAT is typically spread via spear-phishing emails and was found to disguise its network communication to mimic Windows Live Messenger, Yahoo! Messenger, and HTML traffic among others.
• Mutator. Also known as Rodecap, which is reportedly associated with Stealrat botnet. It downloads Stealrat modules or components, and in some instances, may spoof its HTTP header by using “google.com” to blend with normal traffic.

While the list is not particularly long and the methods are simple, the paper shows the cybercriminals’ ability to adapt and upgrade their techniques. This stresses how they are continuously improving their methods and strategies to bypass network security in an attempt to take over systems and remain hidden from security researchers. For more information about these threats and tips on how to effectively detect malicious network traffic, you may read the full paper, Network Detection Evasion Methods: Blending with Legitimate Traffic.

Additional insights by Jessa De La Torre

We’ve been continuously receiving infection reports, specifically from the APAC and NABU regions, related to a certain malware that uses Remote Desktop Protocol to propagate.

Detected as WORM_MORTO.SMA, this malware drops its component files, including a .DLL file, which is dropped onto the Windows folder. The said .DLL file, which bears the file name clb.dll, is detected as WORM_MORTO.SM. WORM_MORTO.SM acts as a loader for the malware and places its own clb.dll in the %Windows% folder to exploit the way by which Windows finds files. Windows typically loads the %Windows% folder before the %System% folder where the legitimate clb.dll file is located. By doing so, the malware’s .DLL file is loaded before the legitimate one whenever regedit.exe is executed.

When WORM_MORTO.SM loads, it decrypts a file that contains the malware’s payload. It searches for Remote Desktop Servers associated with the infected system and attempts to log in as an administrator using a predefined set of passwords. Once a successful connection is established, it drops a copy of WORM_MORTO.SM into a temporary directory in the system.

Read the rest of this entry »