Malware could utilize honeypot technology in its fight against us.
The use of honeypots in malware could let the malware escape our detection
and could give the malware decision-making ability. In particular, using
honeytokens [14], malware could enumerate previously unknown scanners and
other security tools, such as:
- antivirus
- integrity checkers
- network scanners
- custom scripts and tools
Then malware could use this information for self-defense.
Speaking generally, we need to prepare for the case where malware uses a
range of deception techniques to outsmart us and survive in our networks.
2.7.3 The Black Intrusion Detection System
I assume that you know about IDS/IPS technologies and do not need an
introduction.
First, let us define a problem in the communication of our security-related software:
the communication is visible. Various security-related systems in a network
defend our computers, stop malware traffic and update software with
patches. My impression is that these security software systems feel as if they are
invincible. However, those systems have easily distinguished network
patterns or intercommunication. As a result, there is the possibility of a new threat:
Malware can use an IDS system to shut down security systems at the
network level.
Such malware would primarily target the internal corporate LAN and could carry its own
IDS engine or modify the existing one with new rules (if possible). It is not trivial,
but there is a possibility for that threat to take place if the malware carries the engine itself
and uses MAC and ARP poisoning to sniff in a switched network.
It is a relatively easy task to create Snort rules [15] for many security products,
therefore preventing them from functioning properly.
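One defensive check that follows from the ARP-poisoning requirement above, as an added example that is not part of the paper: a small Python detector over a feed of ARP replies. The record format, the sample records and the threshold are assumptions constructed for illustration.

```python
"""Added example (not from the paper): a minimal ARP-poisoning detector.

Malware that sniffs a switched LAN must first poison ARP caches. From a feed
of ARP replies a defender can flag two symptoms: an IP that suddenly maps to a
new MAC, and one MAC that claims many IPs. Records below are constructed."""
from collections import defaultdict

# Constructed ARP replies: (seconds, sender IP, sender MAC). Format is assumed.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),  # workstation
    (1.0, "10.0.0.21", "00:11:22:33:44:21"),  # workstation
    (5.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway now claimed by new MAC
    (5.1, "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC also claims .20
    (5.2, "10.0.0.21", "de:ad:be:ef:00:99"),  # ...and .21
]


def detect_arp_poisoning(replies, max_ips_per_mac=2):
    """Return a list of (time, kind, detail) alerts.

    'ip_remap': an IP's MAC differs from the first mapping learned for it.
    'mac_claims_many': one MAC has claimed more than max_ips_per_mac IPs.
    The threshold is tunable: routers and VM hosts legitimately own a few IPs,
    and DHCP lease churn can cause benign remaps, so alerts need triage.
    """
    ip_to_mac = {}                 # baseline: first MAC seen per IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append((ts, "ip_remap", f"{ip}: {known} -> {mac}"))
        mac_to_ips[mac].add(ip)
        # Fire exactly once, when the threshold is first exceeded.
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append((ts, "mac_claims_many",
                           f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```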
The list of affected security and other technologies may include:
- Corporate antivirus systems.
- Patch management.
- Software distribution systems.