Some of the world's best threat detection platforms are bypassed
November 28, 2014
It's reported in the blogosphere today that some of the world's best threat detection platforms have been bypassed by custom malware in a demonstration of the weaknesses of single defence security systems.
A few weeks ago, five unnamed but very sophisticated threat detection products were tested against four custom malware samples written by researchers at Crysys Lab in Hungary.
Overall, the most capable of the malware samples, dubbed BAB0, slipped past every product after infecting its targets through image steganography, a feat well within the capabilities of savvy cyber criminals.
"It was designed to be as stealthy as possible, and utilises multiple methods to avoid detection," the lab's seven researchers wrote in a paper titled 'An independent test of APT attack detection appliances'.
This test case simulates attackers with moderate resources and some understanding of the state-of-the-art detection tools and how advanced malware works.
"For example, this can simulate organized criminals when attacking high value targets," the report says.
BAB0 was written in C++ with a server side in PHP and never appeared in the clear in internet traffic due to the use of steganography.
A decoy program was presented to the victims while the hobbit scurried off, hiding its command and control traffic inside HTML traffic that appeared to be ordinary user clicks.
Command types sent to BAB0 included directory traversal, file transfer, and command execution.
Another, less sophisticated malware sample that had recently been discovered in the wild bypassed three of the unnamed platforms, while the most basic samples were caught by all five.
"The main message of this work is that novel anti-APT tools can be bypassed with moderate effort," the report read.
"If we were able to develop some samples that were not detected by these tools without actually having access to any of the tested products during the development phase, then resourceful attackers who may be able to acquire these products will also be able to develop similar samples, or even better ones."
Much lazier attackers could simply wait for BAB0 to be published at a later date, a release intended to help interested companies bolster their internet security technology.
The security researchers are now considering a similar testing framework for zero-day browser exploits.
Source: Crysys Labs.