Over the course of the last year, a number of new innovations have occurred in the world of malware. New command-and-controls mechanisms emerged, new attack vectors appeared and platforms beyond Windows have increasingly become targets.
During a Black Hat Webcast event late Thursday, Gerhard Eschelbeck, CTO of security vendor Webroot, explained how some new attacks that were seen in 2009 could be indicators for what we can expect to see in the year ahead.
Among the new malware techniques Eschelbeck identified was one used by the Induc virus. As opposed to the typical routes to infection, through which a user gets an e-mail or clicks on something, Induc infects programs during their development. Induc first appeared in late August as a virus that infected the Delphi Windows development tool.
“Induc has a unique way of getting its infection out,” Eschelbeck said.”In the past, most of the malware is injected via the Web or e-mail. With Induc, it actually injects itself into the development chain.”
The Induc virus inserts itself into any Delphi program and it hides its presence by removing itself from the process list while still running, all the while continuously infecting files. As a result, any developer of an infected Delphi instance could potentially build malware into their application.
Eschelbeck noted that, to date, it’s mostly a proof of concept virus with no real exploit payloads that he has seen. But it could still be indicative of the direction of malware in the coming year.
“Induc is not something I’m super worried about and it’s not high-profile right now,” Eschelbeck said. “It does show what malware writers are thinking and where we think malware might be going.”
Another new item that emerged in 2009 is something called Sninfs. Eschelbeck explained that Sninfs was one of the first pieces of malware to take advantage of a social network as a command-and-control center for a botnet
“Sninfs used Twitter as a command and control center for coordinating bots that were connected to each other,” Eschelbeck said.
The botnet commands came across as Twitter tweets that were not human-readable but included encrypted command codes. Eschelbeck noted that Sninfs is different than the Koobface malware that became popular in 2009, and which used social media sites like Twitter and Facebook as a distribution and trust vehicle.
“Sninfs didn’t last very long because the command-and-control center was shut down quickly,” Eschelbeck said. “But it does show the creativity in how malware writers are thinking about the next generation.”
Another one of the key trends coming out of this year that could be a problem next year is malware’s move to platforms beyond Microsoft Windows. In particular, Eschelbeck cited the OSX.Iservice trojan, which began targeting Mac OX earlier this year.
The OSX.Iservice trojan spread by way of pirated copies of Apple iWork office productivity suite.
“What the OSX.Iservice trojan shows is that no platform is spared,” Eschelbeck said. “While the majority of malware today still targets Windows, it is very clear that other platforms can and will become targets for malware.”
