The Pitfalls Behind and Ahead: Part 2
I recently published a blog post looking at the armoring of malicious binaries at a high level. Armoring malware is an effective and widely available means of evading detection and obscuring the true intent of a threat. The sample referenced below is an armored Zeus bot binary, which demonstrates how armoring lets an intruder manipulate the detection capabilities of numerous host-based security tools.
[Figure: detection results for the Zeus sample, shown before armoring and after armoring]
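The post does not describe what the armorer actually does to the file, so the following is an added example rather than anything from the original post or from the tooling it discusses: a defender-side entropy heuristic that flags a file whose bulk looks compressed or encrypted, which is the usual footprint of a packed or crypted ("armored") executable. The function names, the window size and the 7.0 bits/byte threshold are my own choices, and both samples are constructed stand-ins, not real binaries.

```python
# Added example (not from the original post): a simple entropy heuristic that
# flags binaries whose bulk looks compressed or encrypted, the usual footprint
# of an "armored" (packed/crypted) executable. Entropy alone is only an
# indicator: legitimate installers and media-heavy programs score high too.
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 1024) -> list:
    """Entropy of each non-overlapping window; a short final tail is dropped."""
    out = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            break
        out.append((off, shannon_entropy(chunk)))
    return out


def classify(data: bytes, window: int = 1024, threshold: float = 7.0) -> dict:
    """Flag a file as likely armored when most windows exceed the threshold."""
    wins = window_entropies(data, window)
    hot = [off for off, e in wins if e >= threshold]
    fraction = len(hot) / len(wins) if wins else 0.0
    return {
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": hot,
        "high_entropy_fraction": round(fraction, 2),
        "likely_armored": fraction >= 0.5,
    }


# Constructed samples (not real binaries): a plain-text "stub" standing in
# for a normal PE header and code, and a pseudo-random body standing in for
# a packed or encrypted payload.
STUB = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 30)[:1024]
PLAIN_SAMPLE = STUB + b"Hello from a plain, unarmored program. " * 100

_rng = random.Random(1234)  # seeded so the demo is reproducible
ARMORED_SAMPLE = STUB + bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("armored", ARMORED_SAMPLE)):
        print(name, classify(blob))
```

Windowed entropy is more useful than a single whole-file number because a packer leaves a small low-entropy unpacking stub in front of the high-entropy body; the per-window offsets show where that body starts, which is a cheap triage signal to pair with signature results from the host-based tools the post mentions.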
Armoring tools are readily available to e-criminals across the Internet. With a couple of hours of simple research, I found 16 web forums and more than 50 armoring services and tools for sale. To give you a sense of the maturity of the market, all of these tools came with customer ratings regarding the integrity of the provider/seller, akin to what you would see on consumer websites such as Amazon or eBay.
These tools and services are also accompanied by service level agreements and terms of service (e.g., if you upload a binary protected with a purchased armorer to VirusTotal, the seller bans you from further use and updates). In upcoming blog posts I will dive deeper into this topic, looking at the depths and layers behind the detection gap, at the double-edged sword it presents to both offense and defense, and at how they continue to define the arms race between e-crime capabilities and security solutions.