In talking to customers, I am frequently reminded of the fact that people's understanding of how malware is built and delivered hasn't kept up with the changing landscape over the past few years. While most people expect actual targeted attacks to evolve through multiple stages, much of the run-of-the-mill botnet malware no longer infects a system in a single stage either.
Much of this multi-stage malware starts off with a small dropper that only represents the initial stage of an exploit. We’ve seen small droppers come bundled in Microsoft Word documents, PDF files and spreadsheets attached to emails or be retrieved when browsers access URLs – whether the user clicks on a link embedded in an email or visits a compromised web site. With multi-stage droppers, what arrives initially has little to do with what malware actually gets installed. Said another way, reverse-engineering the dropper tells you very little about the intent of the person or organization that may ultimately use it to attack you.
When a customer sends us a sample of malware retrieved from a perimeter sandbox system, we can reverse engineer the sample and run it on one of our test systems, but there's little guarantee that the dropper evolves the same way on our test system as it does on their infected host. The evolution of the attack often depends on the geography in which the infected system is located, the target OS, the time at which the dropper infects the system and a number of other seemingly random details that result from botnet suppliers effectively leasing capacity on their botnets. Our test systems are not traceable back to our company or geographic location, may not run the exact same OS as the original infected system and are obviously infected at a later time.
What this tells me is that we cannot divine an attacker’s intent by looking at the first stage of any form of an attack – whether the attack is part of an opportunistic botnet or the first step in a targeted campaign. While I am not suggesting we let attackers inside our networks just to watch them and guess their intent, looking at the behavior of hosts that have already been infected is a great way to divine the attackers’ actual intent. And it helps you prioritize where to send your incident response teams first.