Having spent quite a bit of time at security events over the last few years, I don't often hear about a genuinely new form of malware or attack. But during a media briefing with Cisco's VP for managed security services, Tom Powledge, we learned about an emerging threat: delayed detonation malware.
Delayed detonation malware (that’s our term, not one that Powledge used), as the name suggests, is a piece of malware that waits some time before becoming active. Powledge says his team has waited in excess of 20 minutes for some malicious payloads to activate.
Why does this matter? Because one of the most recent tools in the fight against malware has been sandboxing. A suspicious file is executed inside an isolated virtual machine, where it is allowed to detonate while its behaviour is recorded. Products such as FireEye's grab suspicious payloads as they enter a network, spin up a set of virtual machines, run the payloads and watch what happens.
Typically, a payload starts doing its thing within a few seconds, and a sandbox only watches for a bounded period before issuing a verdict. To evade detection, attackers are now building in delays so the payload does nothing for the whole observation window, fooling the sandbox into passing it as safe.
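To make the mechanism concrete, here is a small added model (it is not code from the article, Cisco or FireEye, and every name and number in it is constructed): a virtual clock stands in for real time, a "sample" sleeps for a configurable delay before acting, and a "sandbox" watches it for a fixed budget of real seconds. It goes one step beyond the article to show the usual next moves on both sides: a sandbox that fast-forwards sleeps (sleep skipping) catches the plain sleeper, and a sample that compares its sleep against an independent reference clock notices the fast-forward and stays dormant. The `reference_time()` source is an assumption standing in for something like a network clock the sandbox does not hook.

```python
"""Toy model of delayed-detonation sandbox evasion (constructed example).

A virtual clock replaces real time so the model runs instantly. The
sandbox, the samples and the numbers are illustrative assumptions, not
any vendor's implementation.
"""

from dataclasses import dataclass


class WindowExpired(Exception):
    """The sandbox's observation budget ran out while the sample was asleep."""


@dataclass
class VirtualClock:
    budget: float              # real seconds the sandbox is willing to watch
    acceleration: float = 1.0  # 1.0 = honest clock; >1 fast-forwards sleeps
    now: float = 0.0           # time as the sample perceives it via sleep()
    spent: float = 0.0         # real time the sandbox has actually burned

    def sleep(self, seconds: float) -> None:
        """What the sample calls; in a real sandbox this is the hooked sleep API."""
        real = seconds / self.acceleration
        if self.spent + real > self.budget:
            self.spent = self.budget
            raise WindowExpired          # analysis ends; the payload never ran
        self.spent += real
        self.now += seconds

    def reference_time(self) -> float:
        """Assumed independent time source (e.g. a network clock) that the
        sandbox's sleep hook does not alter; here it is just real time spent."""
        return self.spent


def plain_sleeper(delay: float):
    """Sample that simply waits `delay` seconds and then acts."""
    def run(clock: VirtualClock, log: list) -> None:
        clock.sleep(delay)
        log.append("detonate")
    return run


def reference_checking_sleeper(delay: float, tolerance: float = 1.0):
    """Sample that also checks its sleep against the reference clock and stays
    dormant if the two disagree, which is what sleep skipping looks like."""
    def run(clock: VirtualClock, log: list) -> None:
        ref_start = clock.reference_time()
        clock.sleep(delay)
        if abs(clock.reference_time() - ref_start - delay) > tolerance:
            log.append("abort")          # clock was tampered with: do nothing
            return
        log.append("detonate")
    return run


def analyse(sample, window: float, acceleration: float = 1.0) -> str:
    """Run `sample` for at most `window` real seconds and return a verdict."""
    clock = VirtualClock(budget=window, acceleration=acceleration)
    log: list = []
    try:
        sample(clock, log)
    except WindowExpired:
        pass
    return "malicious" if "detonate" in log else "benign"


if __name__ == "__main__":
    MINUTE = 60.0
    # A 3-second payload detonates inside a 5-minute window; a 20-minute
    # sleep does not, so the same sandbox calls it benign.
    print(analyse(plain_sleeper(3.0), window=5 * MINUTE))           # malicious
    print(analyse(plain_sleeper(20 * MINUTE), window=5 * MINUTE))   # benign
    # Fast-forwarding sleeps 10x brings the 20-minute sleep inside the window...
    print(analyse(plain_sleeper(20 * MINUTE), window=5 * MINUTE,
                  acceleration=10.0))                                # malicious
    # ...until the sample notices that the reference clock disagrees.
    print(analyse(reference_checking_sleeper(20 * MINUTE), window=5 * MINUTE,
                  acceleration=10.0))                                # benign
```

The model makes the trade-off visible: the defender can lengthen the window (at a cost in throughput), or fake the passage of time (which the sample can test for), and the attacker picks a delay comfortably longer than the window they expect.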
Disclosure: Anthony Caruana travelled to San Diego as a guest of Cisco.