Cybercriminals know how operating systems and software work and how to get around information security tools designed for those systems, according to “The New Reality of Stealth Crimeware” authored by Dave Marcus, director of security research and communications at McAfee Labs, and Thom Sawicki, senior product strategist for endpoint security software and services at Intel.
“We are starting to see stealth in more malware and more attacks than ever before. As malware and attacks get more sophisticated, they include more stealth. They want to stay on the machine for as long a period of time as possible, hence the ‘persistent’ part of the acronym APT”, Marcus told Infosecurity. “We expect to see stealth going forward in ever increasing quantities”, he added.
There has been steady growth in stealthy rootkit malware – such as the Zeus trojan – increasing from 42 samples in 2007 to close to two million today, according to McAfee research. Stealth techniques operate at the “kernel level and below, flying under the radar of traditional operating system, vulnerability, and virus scanning tools. Kernel-mode rootkits have system-level privileges, so they are harder to detect and repair”, the white paper observed.
McAfee and Intel researchers believe that “we need to re-envision how to detect and block stealthy malware. We must apply our knowledge of computers and criminals and step beyond the operating system, using our detective powers and protective tools in new ways. To fend off these rootkit-style threats, enterprise defenses will need to move out of the traditional software operating.”
Marcus observed that the current security methodology is no longer effective. The approach where security solutions are inside the operating system is coming to an end “because the bad guys know how we engage in detection, so they simply write a rootkit that evades detection. We are playing in the same operating system environment.”
The McAfee researcher said that the security industry needs to create solutions and technologies that go beyond the operating system – “getting out of the confines of operating system-based detection, that is where the future of detection technology needs to start going.”
Marcus said that the new methodology will be explained in a follow-up white paper. “The point of this paper is to explain why detecting stealth-based attacks and rootkits is so problematic for today’s operating system-based technology.”
The white paper advised organizations to embed security beyond the operating system. “In every layer of security you deploy – from authentication to encryption to inspection to trust – your most effective protection against stealthy malware will take greater advantage of and extend to the platform components. The next generation of security solutions will initiate from the very first compute cycle and provide protection throughout”, it concluded.