'Mystery' Malware Files Often Missed In Cleanup

Some malware infections leave stealthy beachhead files behind after the main malware is detected and removed


The newly disrupted ZeroAccess botnet was previously spotted putting a new spin on infecting a user: injecting itself into the download process of Adobe Flash. It used a new variant of the infamous Trojan that the victim's anti-malware program didn't yet recognize.

"It was pretty clever because it was combining social engineering with technical prowess. Sometimes you see attacks based solely on tricking users, so it's weird to see both together in one attack," says Zulfikar "Zully" Ramzan, principal engineer of the Security Business Group at Cisco's Sourcefire.

Ramzan says the Flash application was legitimate, but ZeroAccess quietly injected itself into the Flash download, thus infecting the user. The malware-laden file was then able to remain under the radar, and the AV program didn't catch it.

ZeroAccess's nifty trick of hiding from anti-malware and other tools is just an example of how many malware cleanup processes today miss some elements of the malware. Leftover infected files that appear legit and don't get detected often remain behind after a malware cleanup, causing the machine to become reinfected over and over, Ramzan says.

"We see that kind of behavior about 20 percent of the time: seeing the thing that got dropped by the original malware, without seeing the original malware right away. ZeroAccess is an example of where the actual initial threat goes undetected, but we see the stuff that gets on after that point," he says. "It happens very frequently that we see the detection taking place, and there's actually a broader infection under that initial detection."

And most malware creates new files, seven-eighths of which are deemed unknown, Ramzan says. "We don't know if the file is good or bad," he adds.

Anti-malware programs in those cases don't have a signature for those files, he says.

Ramzan says three-quarters of the time his group sees new malware on a corporate system, the malware was created by an unknown file. "Often times, these unknowns should have been marked as malicious, but they just weren't. The key is really looking at the unknowns that are created and that created something."

[Microsoft, FBI, and Europol say they have disrupted ZeroAccess, a botnet that infected more than 2 million machines. See Microsoft Teams With Law Enforcement, Disrupts ZeroAccess Botnet.]

These residual malicious files don't get detected, and the machine ends up infected all over again. "If you don't clean up that mystery file, there's a good chance you'll stay in a persistently infected state," Ramzan says. The files may do nothing more than bring in other files, but the bottom line is the machine remains in an infected state, he says.

Anti-malware software typically misses those related files, which are designed to evade AV software. "You have to know what the file did, and all the files around it. Is there a guilt-by-association happening?"
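One way to act on that "guilt by association" idea is to walk the file-creation relationships outward from the detections AV did make. This is an added example, not code from the article or from Cisco/Sourcefire; it assumes a hypothetical endpoint sensor that records (creator, created) file events and an AV verdict per file, and the sample events and file names are constructed.

```python
# Added example (not from the article or Cisco/Sourcefire): walk a file-creation
# graph outward from AV detections so that unknown files dropped by a detected
# file, and unknown files that dropped it, are listed for cleanup.
from collections import defaultdict, deque

# Constructed sample data: (creator, created) events from a hypothetical endpoint
# sensor, plus the AV verdict per file ("malicious", "clean" or "unknown").
EVENTS = [
    ("explorer.exe", "flash_setup.exe"),             # user starts the download
    ("flash_setup.exe", "tmp/inst_helper.exe"),      # injected dropper, unknown
    ("tmp/inst_helper.exe", "sys/svchost32.dll"),    # the file AV actually caught
    ("sys/svchost32.dll", "tmp/clicker.bin"),        # dropped after the detection
    ("tmp/clicker.bin", "tmp/peer_list.dat"),
    ("explorer.exe", "docs/report.docx"),            # unrelated, must stay unflagged
]
VERDICTS = {"explorer.exe": "clean", "flash_setup.exe": "clean",
            "sys/svchost32.dll": "malicious"}        # everything else: unknown

def build_graph(events):
    """Adjacency maps creator -> created files and created -> creators."""
    children, parents = defaultdict(set), defaultdict(set)
    for creator, created in events:
        children[creator].add(created)
        parents[created].add(creator)
    return children, parents

def walk(start, neighbours, verdicts):
    """Breadth-first walk from the detections; stops at known-clean files so a
    trusted system binary does not taint everything it ever wrote."""
    seen, queue = set(start), deque(start)
    while queue:
        for nxt in neighbours[queue.popleft()]:
            if nxt not in seen and verdicts.get(nxt, "unknown") != "clean":
                seen.add(nxt)
                queue.append(nxt)
    return seen - set(start)

def triage(events, verdicts):
    """'dropped': unknown files created (transitively) by a detection;
    'droppers': unknown files that (transitively) created a detection."""
    children, parents = build_graph(events)
    detected = {f for f, v in verdicts.items() if v == "malicious"}
    unknown = lambda f: verdicts.get(f, "unknown") == "unknown"
    return {"dropped": sorted(filter(unknown, walk(detected, children, verdicts))),
            "droppers": sorted(filter(unknown, walk(detected, parents, verdicts)))}

if __name__ == "__main__":
    print(triage(EVENTS, VERDICTS))
```

On the constructed data the two unknown files dropped after the detection and the unknown helper that dropped it are surfaced, while the legitimate installer and the unrelated document are left alone.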

Where does such an undetected file typically reside? "It can be all over the place. Sometimes it's directly on the file system. Some systems of malware will create a hidden system file layer," he says. "It's not completely invisible, but it's invisible to simple checks. Once something is on your system and compromises it, there's a good chance that it's going to embed itself so deeply that it will be hard to find except by really deep inspection."

At the heart of the problem is that malware writers continue to raise the bar in the way their code infects, hides, and spreads, security experts say.

"It's smarter, shadier, and stealthier," says John Shier, senior security adviser for Sophos, which published a new report today that shows how malware is getting better at hiding and persistence. "There's been an evolution of malware techniques."

Shier says the ZeroAccess botnet is a good example of how botnets are also becoming more resilient to takedowns. "Some 500,000 nodes were taken down in a sinkholing [operation] in the summer. Then they responded ... and increased the number of droppers, so within weeks it was back up again," he says.

Meanwhile, technology alone isn't enough to ensure malware is completely eradicated, Cisco's Ramzan says: "You cannot detect it using traditional techniques." You can look for "[related] behaviors to ZeroAccess," for example, in other files.

"It's a paradigm shift because people typically focus on detection, which is really about saying if something is good or bad based on what you're able to see in the content," he says. "But you need to look at the file and the overall context around it, and make sure you have that visibility as your overall foundation."


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
