Click here to close now.

Welcome!

Security Authors: Ian Khan, Elizabeth White, Pat Romanski, PagerDuty Blog, Brian Vandegrift

Related Topics: Security

Security: Blog Post

Malware Delivery – Understanding Multiple Stage Malware

How trusted file attachments has opened the vector for continued intrusions.

To some of us, seeing an email with malware embedded in a PDF, Word or Excel attachment is common. In fact, it has become the new norm for malware delivery to use file types that are not obviously malicious (versus something like a .exe). Gone are the days of wide-open acceptance of all file extensions for attachments within an email. In today's network defense-in-depth techniques, one of the layers is naturally email security. This includes the scrutinizing of emails for embedded links or attachments that could be potentially malicious, scanning attachments for possible detectable viruses and even inspecting the mail header for details that could point to the continued use of a particular "sender" address targeting an organization.

With the delivery of the malware always evolving to avoid being detected, why is it so common to see multi-stage malware? What exactly IS multi-stage malware, and why can it be more difficult to detect through common defense-in-depth strategies? I recently sat with a customer who ran these questions by me.  They were concerned that this might be some kind of new and sophisticated attack being used against their organization that their security team was not aware of. Truth is, this type of attack method is more common than you know, and has been going on for a significant period of time.

Let's start by tackling the easiest questions.

Question: What is multi-stage malware?

Answer: It is malware that is delivered in stages.  Seriously, that's it.

Question: So then what are the stages?

Answer: Ah, I was hoping that was your next question...

The typical stages for the delivery are as follows;

Stage 1: The main goal of the first stage is to simply get some kind of execution on a victim computer to retrieve the larger portion of the malware.  Utilizing a legitimate looking file (PDF, DOC, XLS) that is embedded with the stage 1 malware, the attacker can entice the target to open it, and allow execution. After execution, the first stage malware may also find some way to make itself persistent. What do I mean by persistent? Well let's say that as soon as you open an infected PDF, the stage 1 malware begins execution on your computer, but you happen to immediately shut down your computer.  If that malware did not create some kind of way to re-execute after you start your computer, it will not execute again until you open the infected PDF again. Attackers know that it's unlikely you will re-open the attachment, so they like to build in a way for the malware to re-execute after your computer starts up.  That way it is guaranteed to finish its initial job, which is to retrieve the next stage malware.

Stage2: This is where the more robust malware sections of the malware are introduced, potentially causing an unfettered amount of damage to its victim computer. Stage 2 typically gives the attacker an array of capabilities that are not available with stage 1, such as:

  • Victim computer screen capture
  • Start webcam
  • Graphical ability to browse victim computer file system
  • Stealing of files and software
  • Deletion of files
  • Elevation or escalation of privileges
  • Keylogging and potential destruction of the victim file system

Furthermore, Stage 2 malware may also provide the ability for the attacker to migrate to another computer on the same network which provides the ability for even more extensive damage by allowing the attacker to spread out and cause an increase in damage.

Question: Are those the only stages of delivery?

Answer: Not always, but this is the most common.  Sometimes "plugins" or "modules" are available to add to the malware, and they can be delivered or removed on an as needed basis.  The attacker wants to limit the amount of network traffic to a particular domain that is hosting malware as this could lead to detection and blocking, which would stop the potential for successful delivery of any future malware or even stage 2.

Question: Why stage the delivery at all?  Why not just embed all of the malware instead of a portion in the infected document or file?

Answer: There are a few reasons for staging the delivery, one of them being size. Simply put, if the size of the malware is large enough then embedding the whole thing into a PDF would make the file quite large; therefore, more suspicious.  Another reason is to limit the possibility of detection through various scanners and traffic inspectors. The first stage of the malware is quite light in what commands and system calls that it makes which helps to evade detection by signature or even heuristics. It is not uncommon at all to see a PDF reader software open a PDF, then immediately connect to the Internet. Most PDF readers routinely check for updates as soon as they are opened, and attackers know this to be true often enough.  So the stage 1 malware just hides within that behavior, reducing its ability to be detected. Lastly, development of custom malware is expensive and takes time, so losing the entire piece of malware due to detection of any sort can be a huge set back to the attackers. Even if the attackers are using commercial or open source attack tools, rebuilding them to avoid antivirus detection can be time consuming and costly. Losing the stage 1 malware through  detection is easier to address than burning the complete malware package. By staging the delivery it limits the potential loss to the attacker. There many other reasons to break the malware up and retrieve upon infection, but these are some of the most important ones.

Question: This is making more and more sense to me, but just quickly can you go over why it's much harder to detect?

Answer: The smaller and more embedded the malware is, the more difficult to detect, especially inside of a commonly used and trusted file. When the commands for the malware are simplified as well as the needs from a victim computer to execute, again, detection is difficult. When malware is overly complicated, or it has large consumption requirements from the operating system to correctly function, the chances for detection though defense-in-depth techniques is increased. Large, complicated malware is more likely to break and alert the user to its presence, or even get detected by antivirus. It is also most likely to fail Deep Packet Inspection at the IDS/IPS layer due to possible signatures for specific system calls the malware makes. Small, simple malware finds a home inside of the most common files and documents that we not only use and open every day, but also are typically allowable as an attachment in an email. Because the malware is small, it can be easily modified, making signature development almost impossible. Breaking the malware apart also changes which security tools are inspecting the malware. If stage 1 is delivered through an email, than you will have to get through an IDS/IPS, an Email AntiVirus product (if you are dealing with an enterprise), as well as any attachment inspection that occurs on the email gateway. Stage 2 is then delivered after successful infection of victim computer, typically after the victim computer asks a particular web server for the stage 2 malware. If this request is done over SSL/HTTPS, then there is a good chance there will be no inspection of the malware until it reaches the host.  At delivery, the malware has to contend with antivirus on the victim computer, which is trivial for a sophisticated attacker to either bypass or defeat.

Question: If it's so damn hard to detect, how on earth do I stop it?

Answer: Excellent question, this is something we can address in my next blog, "Better Host Based Protection, Logically".

More Stories By Cory Marchand

Cory Marchand is a trusted subject matter expert on topics of Cyber Security Threats, Network and Host based Assessment and Computer Forensics. Mr. Marchand has supported several customers over his 10+ years within the field of Computer Security including State, Federal and Military Government as well as the Private sector. Mr. Marchand holds several industry related certificates including CISSP, EnCE, GSEC, GCIA, GCIH, GREM, GSNA and CEH.

@ThingsExpo Stories
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of robomq.io, and Fred Yatzeck, principal architect leading product development at robomq.io, will discuss how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at the same time reduce Time to Market (TTM) by using plug and play capabilities offered by a robust I...
After making a doctor’s appointment via your mobile device, you receive a calendar invite. The day of your appointment, you get a reminder with the doctor’s location and contact information. As you enter the doctor’s exam room, the medical team is equipped with the latest tablet containing your medical history – he or she makes real time updates to your medical file. At the end of your visit, you receive an electronic prescription to your preferred pharmacy and can schedule your next appointment.
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional Social, Mobile and Cloud user experiences, our solutions help large and medium-sized organizations dr...
While not quite mainstream yet, WebRTC is starting to gain ground with Carriers, Enterprises and Independent Software Vendors (ISV’s) alike. WebRTC makes it easy for developers to add audio and video communications into their applications by using Web browsers as their platform. But like any market, every customer engagement has unique requirements, as well as constraints. And of course, one size does not fit all. In her session at WebRTC Summit, Dr. Natasha Tamaskar, Vice President, Head of Cloud and Mobile Strategy at GENBAND, will explore what is needed to take a real time communications ...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
SYS-CON Events announced today that Litmus Automation will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Litmus Automation’s vision is to provide a solution for companies that are in a rush to embrace the disruptive Internet of Things technology and leverage it for real business challenges. Litmus Automation simplifies the complexity of connected devices applications with Loop, a secure and scalable cloud platform.
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
The WebRTC Summit 2015 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
SOA Software has changed its name to Akana. With roots in Web Services and SOA Governance, Akana has established itself as a leader in API Management and is expanding into cloud integration as an alternative to the traditional heavyweight enterprise service bus (ESB). The company recently announced that it achieved more than 90% year-over-year growth. As Akana, the company now addresses the evolution and diversification of SOA, unifying security, management, and DevOps across SOA, APIs, microservices, and more.
The list of ‘new paradigm’ technologies that now surrounds us appears to be at an all time high. From cloud computing and Big Data analytics to Bring Your Own Device (BYOD) and the Internet of Things (IoT), today we have to deal with what the industry likes to call ‘paradigm shifts’ at every level of IT. This is disruption; of course, we understand that – change is almost always disruptive.
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud.
GENBAND has announced that SageNet is leveraging the Nuvia platform to deliver Unified Communications as a Service (UCaaS) to its large base of retail and enterprise customers. Nuvia’s cloud-based solution provides SageNet’s customers with a full suite of business communications and collaboration tools. Two large national SageNet retail customers have recently signed up to deploy the Nuvia platform and the company will continue to sell the service to new and existing customers. Nuvia’s capabilities include HD voice, video, multimedia messaging, mobility, conferencing, Web collaboration, deskt...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
Temasys has announced senior management additions to its team. Joining are David Holloway as Vice President of Commercial and Nadine Yap as Vice President of Product. Over the past 12 months Temasys has doubled in size as it adds new customers and expands the development of its Skylink platform. Skylink leads the charge to move WebRTC, traditionally seen as a desktop, browser based technology, to become a ubiquitous web communications technology on web and mobile, as well as Internet of Things compatible devices.
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.