Predicting the future of stealth attacks

Aditya Kapoor McAfee
Rachit Mathur McAfee

  download slides (PDF)

Just when we started hoping that stealth malware would be on the decline (since almost all AV vendors have caught up in this space) a reality check for the years 2010 and 2011 proved otherwise. Currently, close to 10% of malware use stealth attacks, and although these numbers might seem a little low in the big picture, it's all about the motivation and goal of an attack as well as the skills required for a successful stealth attack. An ill-crafted stealth attack could actually raise red flags with security applications or administrators.

There is a small percentage of stealth malware which concerns us more than anything else. The authors of these smaller groups of malware are highly skilled and motivated. Some of the recent stealth attacks were created in order to establish the single largest botnet (TDSS), advance persistence (Stuxnet) and stealth frameworks (TDSS, MAX++, whistler).

This paper dives deeper into the attack strategies of recent rootkits and looks at what worked for them (for example, TDSS used DKOM attack on Driver_Object and Device_Objects; Stuxnet used a filter driver; whistler used polymorphic MBR; MAX++ used IRP hooks and BlackEnergy used a DKOM attack on KThread etc.). We will also incorporate the attack strategies of any new rootkits in this discussion. This paper will also describe the most profitable areas in the OS kernel to attack, keeping in mind that the market share of computers is diverging between Windows 7 32/64-bit as well as mobile operating systems. The inference could help us decide what technological improvements are needed in the AV space to better combat the more futuristic stealth attacks which are not going to go away in the near future.