Malware Capability Development Patterns Respond to Defenses: Two Case Studies
• White Paper
Software Engineering Institute
Adversaries are constantly adding functionality to their tools to evade defense measures deployed by network defenders or software developers. Adversaries adding functionality to their tools avoid almost any simple or known detection technique via a variety of mechanisms. Feature additions make the malware more robust and allow adversaries to use the tool for a variety of use cases beyond the original intent.
This paper uses two case studies to outline the relationship between adversaries and network defenders since feature additions and network defense measures are well known. Zeus is a banking trojan that has been active since 2007 and is used primarily to exfiltrate banking credentials or other financial data from unsuspecting victims. BlackEnergy has been active since early in 2007 and was originally designed to perform distributed denial of service (DDoS) attacks. More recently, BlackEnergy can also degrade the integrity of industrial control systems (ICS).
The progression of the abilities available to actors is a good case study for demonstrating the extent to which cybersecurity is a back-and-forth struggle between adversaries and defenders. The cat-and-mouse nature of the interplay is apparent as Zeus and BlackEnergy continue to add just enough features to stay one step ahead of defensive capabilities. Each minor capability has likely gone through the Adversary Capability Chain (ACC), and by the time they are open source they are evidencing signs of the Ubiquity phase.
We point to the resilience of the adversary ecosystem to raise awareness and help defenders anticipate this phenomenon. There is no obvious solution to end the cat-and-mouse game. However, some advice is relevant in light of this state of affairs. When to burn equities is an important decision. That is, when to reveal defensive strategy information to the adversary and permit them to respond, and when to instead hold such information close.