One of the trends I see in malware going forward is more of a focus on obfuscation. If we take Conficker as an example of things to come, the future will be interesting indeed.
What exactly does this mean to you?  Well, it means that traditional detection techniques are going to be more and more limited. Even the major AV vendors are starting to see the end of traditional black-list approaches.  Also, here at PaulDotCom we have had quite a few post and discussions on how blacklist AV is broken.  We will start seeing more and more malware that uses contextual payloads to generate a “unique” executable for every segment in the infection group.  We also will start seeing more and more malware that is targeted to a specific goal.
Please, take a few moments and take a look at
clampi
. This interesting piece of malware does a pretty good job of obfuscation and is targeted towards capturing financial information.
We will also see more and more malware that is utilizing encrypted channels for communication.  This is something that has been predicted for years, but never materialized as much as it could have.   And why would the attackers go through the extra effort?  What they are doing works perfectly well…for now.
This is where we as the security community need to start preparing for the next generation of Malware today.  Ask yourself, if you encountered a strange executable that was not flagged by AV how would you approach it?  We have covered tools like Volatility to look at the memory on a system.  But what about data on the network?  If an attacker is encrypting their traffic it may make it difficult to ascertain what they are doing, what they have done, and what their goals are.
To help this I would like to introduce you to a tool called Echo Mirage.
This is just another excellent tool from the folks at Bindshell.net.


The reason tools like this are critical is we need to have the ability to see inside encrypted channels. This tool allows you to see (and edit!!) the data being set and received within an SSL session.  It also does a great job of looking at unencrypted traffic as well…. But you could just use Wireshark for that.
- strandjs

John Strand will be teaching SANS Network Penetration Testing in
London from 11/30 to 12/6 2009, and SANS hacker techniques and Incident Response in New Orleans from 01/10/10 till 01/18/10.

About the author

Leave a Reply