Jun 24, 2013


Ramnit started out as a common computer worm when it came on the scene in 2010. After evolving to include additional code, Ramnit developed the capability to steal data entered during web sessions. Last April, the U.K. discovered that hackers were using Ramnit to target its financial system.

Ramnit fails to trigger a cyber security alert because it goes into sleep mode after passing into a network. Then, when an intended target logs into his or her U.K. bank account, Ramnit generates a phishing screen both to obtain the user’s password and to connect to a designated mule account. A second screen asks the user for a code to initiate a wire transfer. It sends an SMS of a one-time password to the user, but the password is actually the account number of the mule account. When the targeted user enters the password into the program, the money is wired from the original account into the mule account.

Advanced persistent threats (APTs) like Ramnit’s attack on the U.K. banking system can stay dormant for days, weeks and months before executing their function. Experts have dubbed this the “SleepEx” command, and it works by putting the malware to sleep with a long timeout so that detection tools don’t notice that the system is compromised.

Modern-Day Malware Protection

Most older antivirus technology works by detecting malware signatures. However, this mode of virus detection doesn’t work on zero-day attacks because the signature is unknown. To fight zero-day infiltration, IT security professionals have developed a protocol called “sandboxing.”

Sandboxing is a type of virtualization. Unfamiliar programs are treated as untested code and sent to a staging area, where they are only allowed to run within certain parameters. While they’re running, they are walled off from other running programs. Even if the signature is unknown to the network’s detection system, sandboxing recognizes malware behavior when the program tries to execute a function that is beyond its intended scope.

Think of it this way: Imagine that a burglar has been stealing television sets in your neighborhood. A signature-based detection tool would be like having a “Wanted” poster of the burglar on every telephone pole in your neighborhood. People would know what the burglar looks like, and they would recognize the burglar and call the authorities.

In contrast, with sandboxing, you don’t have the “Wanted” poster. However, if a man claiming to be a cable repairman unplugs a TV, picks it up, dashes outside and puts it in a van, then residents can quickly recognize burglar-like behavior even though they haven’t been on the lookout for this particular person.

Sandboxing has created an arms race between hackers and security personnel. To evade sandboxes, hackers have developed tools like stalling code. This code enables the malware to run normal functions until the sandbox times out. Also, hackers build environmental checks into the malware related to the targeted operating system. The malware then manipulates return values so that the sandbox has to be patched in order to detect the malicious code.
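A defender-side sketch of how an analysis pipeline might flag the sleep-based stalling described above (the long “SleepEx” timeout and code that stalls until the sandbox times out); it is an added example, not code from the article or from any vendor's product. The trace format, the 60-second analysis window and the 80% threshold are assumptions; `Sleep` and `SleepEx` are the real Win32 calls.

```python
import re
from collections import defaultdict

INFINITE = 0xFFFFFFFF  # Win32 timeout value meaning "never wake up"
# Hex alternative comes first so "0xFFFFFFFF" is not matched as the digit "0".
SLEEP_CALL = re.compile(
    r"^(\d+)\s+(\d+)\s+(?:SleepEx|Sleep)\((0x[0-9A-Fa-f]+|\d+)")

# Constructed trace, hypothetical format: "<ms since start> <pid> <API call>"
SAMPLE_TRACE = """\
10 1432 CreateFileW("report.doc")
25 1432 SleepEx(600000, 0)
30 2208 Sleep(50)
95 2208 RegOpenKeyExW(HKCU, "Software")
120 2208 Sleep(50)
140 3010 Sleep(20000)
20150 3010 Sleep(20000)
40160 3010 Sleep(20000)
60 4100 SleepEx(0xFFFFFFFF, 1)
"""

def find_stalling(trace, window_ms=60_000, ratio=0.8):
    """Return {pid: reason} for processes whose requested sleep time
    would use up most or all of the sandbox analysis window."""
    total = defaultdict(int)    # summed sleep time per process
    longest = defaultdict(int)  # largest single sleep per process
    for line in trace.splitlines():
        m = SLEEP_CALL.match(line)
        if not m:
            continue
        pid, ms = int(m.group(2)), int(m.group(3), 0)
        # Cap each request at the window: anything longer (INFINITE
        # included) already outlasts the analysis run.
        ms = window_ms if ms == INFINITE else min(ms, window_ms)
        total[pid] += ms
        longest[pid] = max(longest[pid], ms)
    findings = {}
    for pid, slept in total.items():
        if longest[pid] >= window_ms:
            findings[pid] = "single sleep outlasts analysis window"
        elif slept >= ratio * window_ms:
            findings[pid] = "cumulative sleeps consume analysis window"
    return findings

if __name__ == "__main__":
    for pid, reason in find_stalling(SAMPLE_TRACE).items():
        print(pid, reason)
```

A flagged process is a candidate for a longer or repeated analysis run rather than proof of malice, since legitimate software also sleeps.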

Protecting Your Network From Sleeping Malware

Today’s most effective malware has certain characteristics. Knowing these characteristics can help you to more effectively defend your network.

  • It attacks unpatched systems without antivirus software. A system with no antivirus software or out-of-date antivirus protection has a 1-in-80 chance of being infected within a month. On the other hand, a patched system with up-to-date antivirus protection has a 1-in-500 chance of infection.
  • It utilizes real-time mediums. When malware is delivered over e-mail, security providers usually develop a solution within five days. When it’s delivered over a real-time communication, like a download from the Web, solutions take an average of 20 days.
  • It embraces randomness. Today’s malware is designed to rarely repeat any activity twice. By doing this, it avoids detection. In fact, more than half of the code in a piece of malware is usually dedicated to evading defenses.
  • It hibernates. Pieces of malware like Ramnit sleep until they are awoken by a prescribed user-performed action. For example, a click of a mouse by a user can bring malware out of sleep mode.

Sandboxing is a step in the right direction even though it still can’t detect everything. However, cyber security providers continue to work hard to stay ahead in the hacking arms race.

About the Author

JD Sherry is Vice President, Technology and Solutions for Trend Micro.  He is responsible for providing guidance and awareness regarding Trend Micro’s entire security portfolio aimed at protecting both commercial and government cloud ecosystems.  Well-versed in enterprise and data center architecture, Mr. Sherry has successfully implemented large-scale public, private and hybrid clouds leveraging the latest in virtualization technologies. He has established himself as a trusted senior adviser and cloud security specialist for the protection of Payment Card Industry (PCI), Health Information Privacy Act (HIPAA) and Personally Identifiable Information (PII) data.