Steganography Sees a Rise in 2017


As our business and personal lives continue to be inundated with images and videos across mediums, McAfee has observed an increase in attackers leveraging these forms of content to pass malicious information by security protection systems without detection.

This is known as malicious steganography, the practice of concealing messages in images, audio tracks, video clips or text files to avoid detection by security systems. According to the McAfee Labs Threats Report: June 2017, this leaves consumers and enterprises exposed to viruses and malware that can either download software that steals information from the infected system, or download ransomware that encrypts the PC’s information and holds it for ransom until a user pays.

The first known use of steganography in a cyberattack was in the Duqu malware in 2011, McAfee said. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system, and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.

“There are hundreds, if not thousands, of anti-security, anti-sandbox and anti-analyst evasion techniques employed by hackers and malware authors, and many of them can be purchased off the shelf from the Dark Web,” said Vincent Weafer, vice president of McAfee. “This quarter’s report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine-learning-based protection.”

Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term evasion technique groups all the methods used by malware to avoid detection, analysis and understanding. McAfee classifies these evasion techniques into three broad categories:

Anti-security techniques: Used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.

Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.

Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.

McAfee sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.
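A defender can check for this by auditing header bits that should be zero on normal traffic. The sketch below is an added example, not code from the McAfee report or this article; the three fields it checks (the IPv4 reserved flag, the TCP reserved bits, and the urgent pointer when URG is clear) are an assumption about which "unused fields" to watch, and the packets are constructed samples.

```python
import struct

def audit_headers(packet: bytes) -> list[str]:
    """Flag must-be-zero bits that are set in a raw IPv4 packet carrying TCP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    findings = []
    if flags_frag & 0x8000:             # top bit of the flags field is reserved
        findings.append("ipv4-reserved-flag-set")
    if proto != 6 or flags_frag & 0x1FFF:
        return findings                 # not TCP, or a later fragment without a TCP header
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    offset_rsvd, flags = tcp[12], tcp[13]
    (urg_ptr,) = struct.unpack("!H", tcp[18:20])
    if offset_rsvd & 0x0F:              # low nibble of byte 12 is reserved
        findings.append("tcp-reserved-bits-set")
    if urg_ptr and not (flags & 0x20):  # urgent pointer has no meaning without URG
        findings.append("tcp-urgent-pointer-without-urg")
    return findings

def build_packet(ip_flags_frag=0x4000, tcp_rsvd=0, tcp_flags=0x18, urg_ptr=0) -> bytes:
    """Constructed sample: 20-byte IPv4 + 20-byte TCP header, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, ip_flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1,
                      (5 << 4) | tcp_rsvd, tcp_flags, 65535, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    samples = {
        "clean": build_packet(),
        "ipv4 reserved flag": build_packet(ip_flags_frag=0xC000),
        "tcp reserved + urgent pointer": build_packet(tcp_rsvd=0x5, urg_ptr=0x4142),
    }
    for label, pkt in samples.items():
        print(f"{label}: {audit_headers(pkt) or 'no findings'}")
```

A finding is a lead for closer inspection rather than a verdict, since experimental protocol extensions have at times used reserved bits.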

Aside from the steganography analysis, the report also found that in the first quarter of 2017, there were 244 new threats every minute, or more than four every second. McAfee also counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public and education sectors comprised more than 50% of the total.

New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million known samples. New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million known samples.

Mobile malware reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples. The largest contributor to this growth was Android/SMSreg, a potentially unwanted program detection from India.

Also, during the past three quarters, new Mac OS malware has been boosted by a glut of adware. Although still small compared with Windows threats, the total number of Mac OS malware samples in the fourth quarter of 2016 was 460,000.
