Having spent quite a bit of time at security events over the last few years, it’s not often I hear about a new form of malware or attack. But during a media briefing with Cisco’s VP for managed security services Tom Powledge, we learned about an emerging threat: delayed detonation malware.
Lifehacker’s Cisco Live 2015 news is presented by our ongoing IT Pro coverage, offering practical advice for deploying tech in the workplace.
Delayed detonation malware (that’s our term, not one that Powledge used), as the name suggests, is a piece of malware that waits some time before becoming active. Powledge says his team has waited in excess of 20 minutes for some malicious payloads to activate.
Why does this matter? Because one of the most recent tools in the fight against malware has been sandboxing. Suspected malware is moved to a virtual machine where it is allowed to detonate in a secure environment. Tools like FireEye grab suspicious payloads as they enter a network, spin up a bunch of virtual machines and then see what happens.
Typically, the payload will start doing its thing within a few seconds. But in an effort to evade detection, the bad guys are now building in delays so the payload won’t activate during the analysis window, fooling the sandbox into thinking the payload is safe.
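To make the sandbox-side problem concrete, here is an added example (not code from the article, Cisco or FireEye) of the standard countermeasure: instead of letting a sample burn real time, the analysis harness hooks its sleep and clock calls, advances a virtual clock, and records unusually long delays as an indicator in its own right. The sample, the thresholds and the function names are all constructed for this illustration.

```python
"""Added example: a toy "sleep-skipping" analysis harness.

A sandbox that honours a sample's sleep calls for real can be outrun by a
payload that idles for 20 minutes. Hooking the sleep/clock calls lets the
harness fast-forward a virtual clock (so the payload's own timer expires
within seconds of wall time) and flag the long delay as suspicious.
Thresholds and samples below are assumptions made up for the demo.
"""
import time
from dataclasses import dataclass, field

LONG_SLEEP_SECONDS = 30        # assumed threshold for flagging a delay
ANALYSIS_BUDGET_SECONDS = 120  # assumed wall-clock budget per sample


@dataclass
class VirtualClock:
    """Stands in for the hooked Sleep()/GetTickCount()-style calls."""
    now: float = 0.0
    total_skipped: float = 0.0
    events: list = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        # Never wait for real: log long requests and advance the fake clock.
        if seconds >= LONG_SLEEP_SECONDS:
            self.events.append(f"long sleep requested: {seconds:.0f}s")
        self.now += seconds
        self.total_skipped += seconds

    def time(self) -> float:
        return self.now


def constructed_delayed_sample(clock: VirtualClock, trigger_after: float = 1200) -> bool:
    """Constructed stand-in for a payload that idles 20 minutes before acting.

    It polls the clock in 60-second sleeps and only 'detonates' (returns
    True) once trigger_after virtual seconds have passed.
    """
    start = clock.time()
    while clock.time() - start < trigger_after:
        clock.sleep(60)
    return True


def constructed_fast_sample(clock: VirtualClock) -> bool:
    """Constructed stand-in for a payload that acts almost immediately."""
    clock.sleep(2)
    return True


def analyse(sample, budget: float = ANALYSIS_BUDGET_SECONDS) -> dict:
    """Run `sample` under a virtual clock and return the harness verdict."""
    clock = VirtualClock()
    wall_start = time.monotonic()
    detonated = sample(clock)
    wall_elapsed = time.monotonic() - wall_start
    return {
        "detonated": detonated,
        "virtual_seconds": clock.now,
        "wall_seconds": wall_elapsed,
        "long_sleeps": len(clock.events),
        "suspicious_delay": clock.total_skipped >= LONG_SLEEP_SECONDS,
        "within_budget": wall_elapsed < budget,
    }


if __name__ == "__main__":
    for name, sample in (("delayed", constructed_delayed_sample),
                         ("fast", constructed_fast_sample)):
        print(name, analyse(sample))
```

The delayed sample still "detonates" inside the harness, because its 1200 virtual seconds elapse in a fraction of a second of wall time, and the twenty 60-second sleep requests are themselves recorded as a suspicious-delay indicator. Real sandboxes apply the same idea at the API-hook or hypervisor level; a sample that instead checks an external clock or network time is the next evasion step, which is why the delay itself is worth scoring rather than only the eventual behaviour.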
Disclosure: Anthony Caruana travelled to San Diego as a guest of Cisco.
Comments
5 responses to “How Delayed Detonation Malware Works”
You guys taking into account that a lot of malware won’t run on VMs? They’re designed to look for signs of being in a VM and will not drop the payload in those environments.
Which is great for a lot of IT environments who now run almost entirely on virtual machines
There is not much reason not to these days for most places. Easier to back up, set up new machines, migrate to new hardware, etc.
And you avoid malware that refuses to run on VMs – it’s almost like the malware is designed by Apple: “sorry, we don’t like your hardware – we’re taking our payload somewhere else!”
I remember stuff that was set to go off on a certain date in the past. It would have however long to get onto all the systems, then it would do whatever nasty thing it was meant to when the clock hit a certain date.