Buffalo buffalo buffalo: malware that attacks malware

Buffalo buffalo
Buffalo buffalo

Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo is a grammatically correct sentence based upon the use of homonyms and homophones, this link explains how it works. Basically, bison from the town of Buffalo who get bullied by other buffalo bison will they themselves also bully back.

In the same vein then, reflexive pronouns and restrictive clauses notwithstanding, we can also imagine a world where malware bullies other malware. Specifically, what if malware is dispatched to attack inside a network where other malware already exists -- does it first kill off the other malware?

Crimeware undergrounds

Available at your nearest ‘crimeware underground' system, Thanatos is a new strain of malware tooling that sports the ability to scan a target network for other malware. Reports suggest that Thanatos is offered at a price of $1,000 per month or $12,000 for a lifetime subscription. Named after the Greek god of death, Thanatos gets its ability to target other malware through the use of intelligent plugins.

Thanatos effectively exhibits the characteristics of multi-staged malware tooling commonly found in Advanced Persistent Threat (APT) technology. Where this malicious software has power is in its ability to obliterate what we typically call ‘low-level' attacks.

Head of threat intelligence research at Cymmetria Nitsan Saddan writes on VentureBeat to explain that, “Thanatos uses 3-8 hardcoded flags to find malware by searching the host's task scheduler, services and registry. Once a suspicious signature is detected, Thanatos selectively uploads it to virustotal.com to make sure it's malicious and then erases it from the host. Another interesting feature is its ability to remove hooks placed by competing malware, in order to avoid data theft by other criminals.”

How dangerous is Thanatos?

Saddan goes on to explain that Thanatos was written in the C++ and Delphi languages as well as Microsoft Macro Assembler (MASM), an x86 assembler that uses the Intel syntax for MS-DOS and Microsoft Windows. As such, Thanatos can hack “every version of Windows (from XP onward)” and also has the ability to inject malicious code into Internet Explorer, Microsoft's new Edge browser, Google Chrome and Firefox.

Lee Munson, Researcher at Comparitech.com told SCMagazineUK.com that when a cyber criminal gang invests time, money and technical expertise into developing a new strain of malware with which to penetrate a network, it has one aim in mind: a return on that investment. 

“That means avoiding detection for as long as possible in order to acquire as much valuable data as possible but, more than that, it also needs to be first to market with that data; after all, who will pay top dollar for information already stolen by the competition, using a different type of malware? That's where Thanatos comes in,” he asserts.

 “Just like the early ‘suicide gene therapy' developed by HIV pioneers, it surgically removes competing infections proving, yet again, that the promise of high returns acts a strong motivation for technical evolution,” added Munson.

Ben Zilberman, a security product manager at Radware also spoke to SC Magazine UK directly on the Thanatos issue. Zilberman reminds us that businesses are dealing with different types and variations of malware daily and on average the attempt rate is 3-4 a week for ransomware, a significant jump from last year.

“The major reason for this is that you can now find a menu of attack methods, including 'Ransomware for hire' on the dark web. The skill set for hackers immediately shifts when this starts to occur. No longer do you need the desire AND the know-how,” said Zilberman.

“Instead you need to be able to set up the social engineering end of the attack and find a victim to run your programme on. It is provoking real concern in the security community because it will only become more sophisticated, more automated…  and will move to mobile in no time,” he added.

APT home truths

Richard Cassidy, technical director EMEA, Alert Logic also spoke to SC Magazine UK to say that we've long known that advanced malware groups, writing what we have now become to call APT's, will make every effort to assure the fidelity of their own operations on target networks.

“It's a mercenary world in the cyber-criminal domain; it is no wonder, therefore, that we are now seeing a strain of ‘super malware' that works to ensure it's own foothold is not compromised even when another bad actor group may already have compromised the target. There are key attributes that this new strain of ‘super malware' exhibits, that with the right visibility capabilities, continuous monitoring and review process, will place organisations in a much better position to detect indicators of compromise and as such be able to enact a well defined incident response plan to mitigate the threat,” said Cassidy.

Cassidy went on to say that the unfortunate reality is that APT's are written to bypass modern security toolsets, with a great deal of research and development efforts put into the malware creation by the authors, all working to target weaknesses in specific security layers and applications.

“That said however, in the age of big-data analytics, we are now placed, better than ever before, to have complete visibility of every transaction to and from our key assets in cloud, hybrid or on-premise environments,” Cassidy concluded.

The last word, training

Originator of this story Nitsan Saddan also spoke to SC Magazine UK personally to underline the issue and contribute the last word.

“While this malware certainly pose a threat, it can be dealt with by proper employee training that might prevent infection – and by adding a layered deception elements to the company's defense grid; by targeting the attacker and not just his attack, you can defend against dynamic threats such as this,” said Saddan.