
Stealthy Threats Driving a New Approach to Security

AUGUST 2012

There’s a dangerous new trend in malware: stealthy threats. While many people have heard of rootkits, few understand how they are designed to avoid detection using stealth techniques that evade traditional security measures. Today’s cybercriminals are using these techniques to hide data-stealing malware—with 1,200 new rootkits detected each day. In fact, McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth techniques to hide and spread malicious threats that can cause significant damage.[1]

No Organization Is Safe

Rootkits are pervasive and they can target any system, from database servers, point-of-sale terminals, or users’ PCs to mobile phones, automobile electronics, and beyond. Because rootkits can operate within and below the operating system, they can conceal files, processes, and registry keys touched by other malware, making them a vital component of multistage threat operations.

Once malware finds a point of compromise and takes root inside a system, attackers can move through the network looking for vulnerabilities and data assets. By using rootkits that operate at the user, kernel, and firmware levels, malware can hide, replicate, protect itself against being overwritten, and deactivate antivirus protection and other defenses.[2] And there’s the catch: Because the attacker controls the system, he can deploy additional stealth techniques to remain undetected. Crimeware can mask data movement on a LAN, remove and reinstall itself, update itself via the Web, or move from machine to machine.

From Wall Street to Main Street, these successful malware techniques do not discriminate between large and small companies. A determined hacker can build tools designed to gain access to:

• Credit card data

• Employee health records

• Geographic information system (GIS) mapping for energy exploration

• Source code from software development companies

• Market launch data or product designs

The stealth and creativity of Stuxnet together with the easy-to-use and widely distributed toolkits of Zeus represent the new reality of today’s crimeware. With next-generation security from Intel and McAfee, you can implement embedded security beyond the operating system in a preventive, layered approach—from authentication and encryption to inspection and trust.

How It Works


The New Face of Cybercrime: Stuxnet and Zeus

There’s no question that stealth methods for malware have evolved, but two in particular represent the need for anti-crimeware to move beyond the operating system: Stuxnet and Zeus. The Stuxnet attack—designed to disrupt industrial control systems within Iranian nuclear programs—combined zero-day vulnerabilities, rootkits, and stolen digital certificates, essentially creating a new blueprint for targeting computing systems and stealing data.

Zeus changed the face of cybercrime by bringing a sophisticated malware toolkit to the average hacker. The Zeus Crimeware Toolkit is a commercial operation that functions much like a software development toolkit, giving hackers the ability to create custom kernel-mode rootkits to build a botnet of compromised hosts. It also offers the option to rent or purchase working Zeus botnets to run spam campaigns, execute distributed denial-of-service (DDoS) attacks, or scout for specific data types. Zeus usually spreads through compromised web sites, where a drive-by download will install the Trojan without user action.

If and when the innovative techniques of Stuxnet combine with easy-to-use programming toolkits like Zeus, there will be a far greater threat to the enterprise—and a sign of what’s to come. Because these stealth techniques operate at the kernel level and below to evade traditional antivirus efforts, they require a new approach to IT security.

A Shift in IT Security

To stay ahead of these rootkit-style attacks, enterprise security must shift its focus from the traditional software operating stack to monitor operations from a new vantage point, closer to the hardware. As rootkit methods shift below the user and kernel levels to the boot, hypervisor, and firmware levels, having security prevention in place lower in the platform becomes critical.
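The value of a second vantage point, which the paper argues for above, can be shown with a classic rootkit-detection heuristic: cross-view enumeration. A rootkit that hides a process usually hooks one enumeration path (for example, the /proc directory listing that process-list tools read); asking the kernel about the same processes through an independent path and diffing the two views exposes what one path conceals. The following is an added example, not code from the paper or from Intel or McAfee. It assumes a Linux host with procfs mounted at /proc; the function names are the example's own, and the probe cap DEFAULT_PID_CAP is a speed-versus-coverage choice made here, not a documented value.

```python
"""Cross-view process enumeration as a rootkit-detection heuristic.

Added example, not code from the paper or from Intel/McAfee.
View A lists /proc (the path a readdir-hooking rootkit filters).
View B probes every PID with signal 0 and resolves thread IDs to their
process via a direct /proc/<id>/status lookup, which bypasses readdir.
Entries present in B but absent from A are alive yet hidden from listing.
Assumes a Linux host with procfs mounted at /proc.
"""
import os
from typing import Iterable, Optional, Set

# Assumption of this example: cap the brute-force probe so the scan stays
# fast. A production scanner should cover the full pid_max range.
DEFAULT_PID_CAP = 65536


def read_pid_max(cap: int = DEFAULT_PID_CAP) -> int:
    """Largest PID the kernel hands out, bounded by `cap`; `cap` if unknown."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return min(int(fh.read().strip()), cap)
    except (OSError, ValueError):
        return cap


def pids_from_proc() -> Set[int]:
    """View A: process IDs as the directory listing of /proc reports them."""
    try:
        names = os.listdir("/proc")
    except OSError:  # no procfs (non-Linux host or restricted sandbox)
        return set()
    return {int(n) for n in names if n.isdigit()}


def is_alive(pid: int) -> bool:
    """Ask the kernel directly whether `pid` exists. Signal 0 delivers
    nothing; EPERM means the process exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    except OSError:
        return False  # any other failure: do not guess
    return True


def resolve_tgid(pid: int) -> int:
    """Map a thread ID to its process (thread-group) ID by opening
    /proc/<id>/status by path. Linux omits non-leader threads from the
    /proc listing but still serves them by direct lookup, so without this
    step every thread would look like a hidden process. Falls back to
    `pid` itself when the file cannot be read (e.g. lookup is hooked too)."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return pid


def pids_from_signal_probe(max_pid: int) -> Set[int]:
    """View B: every ID in 1..max_pid the kernel says is alive, folded to
    process IDs."""
    return {resolve_tgid(pid) for pid in range(1, max_pid + 1) if is_alive(pid)}


def hidden_pids(listing: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Pure comparison: IDs the probe view reports but the listing omits."""
    return set(probed) - set(listing)


def scan_for_hidden_processes(max_pid: Optional[int] = None) -> Set[int]:
    """Run both views and return PIDs that are alive yet absent from /proc.

    Two directory listings bracket the probe, and each suspect is listed
    and probed once more, so processes that start or exit mid-scan are
    not reported as hidden."""
    if max_pid is None:
        max_pid = read_pid_max()
    before = pids_from_proc()
    probed = pids_from_signal_probe(max_pid)
    after = pids_from_proc()
    suspects = hidden_pids(before | after, probed)
    if not suspects:
        return suspects
    recheck = pids_from_proc()
    return {pid for pid in suspects if pid not in recheck and is_alive(pid)}


if __name__ == "__main__":
    hidden = scan_for_hidden_processes()
    if hidden:
        print("alive but missing from /proc listing:", sorted(hidden))
    else:
        print("no discrepancy between /proc listing and signal probe")
```

A non-empty result is a lead, not a verdict: confirm it from a vantage point the suspect kernel does not control (an offline image, a hypervisor introspection view, or a boot from trusted media), since a rootkit that also hooks kill() would make both views agree.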

Stuxnet: Redefining Stealth Technique

Possibly the most complex threat security researchers have been able to dissect publicly, Stuxnet’s innovation included:

• Using user-mode and kernel-mode rootkits that hid files and then decrypted and injected code into running processes

• Combining with four Microsoft* Windows* vulnerabilities to hide, and then using a rootkit specific to programmable logic controllers (PLCs), not previously seen in the wild

• Insulating the PLC with a wrapper to intercept calls and report to control systems that systems were functioning correctly, when, in fact, they’d been hacked

Zeus: Point-and-Click Malware

Mimicking a software development kit (SDK), the Zeus crimeware toolkit includes a formal release, beta testing, and an easy-to-use graphical toolkit, which any hacker can use to:

• Embed Zeus Trojans in e-mail attachments, such as corrupt PDF files

• Send spear-phishing e-mails, which are personalized through social engineering or social media, to extract specific information or take over vulnerable systems inside certain organizations

• Target specific user communities by planting customized Trojans on genuine, legitimate sites


Although a best-practice remediation for any infection of stealthware is to revert to a known good image, it’s possible for stealth attack code to penetrate backup images. The safest remediation may be a complete reinstall of the operating environment and applications, but that may require replacing all infected PCs. The bottom line? Preventing these stealthy threats from gaining entry into your systems is the most effective solution.

Next-Generation Security from Intel and McAfee

With the industry’s first preventive security approach, Intel and McAfee are delivering next-generation security that is uniquely designed to help you stay one step ahead of today’s threats. Intel and McAfee researchers, with more than two decades of experience in cybercrime, are helping the industry reenvision how to detect and block stealthy malware. The two companies are working together to combine world-class processor technology and leading security software to stay in front of crimeware innovation—even as it moves from PCs and mobile devices to industrial controls and other intelligent clients.

To learn more, read the joint McAfee and Intel report The New Reality of Stealth Crimeware or visit mcafee.com.

To find out more about McAfee and Intel security solutions designed to block attacks beyond the operating system, visit mcafee.com/us/products/endpoint-protection/mcafee-and-intel-security.aspx.

For more information about embedded security in the Intel® Core™ vPro™ processors, visit intel.com/pcsecurity.

[1] McAfee Labs.

[2] http://blogs.mcafee.com/mcafee-labs/exploring-stealthmbr-defenses.

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION, OR SAMPLE. Intel disclaims all liability, including liability for infringement of any property rights, relating to use of this information. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

Copyright © 2012 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Core, Intel Sponsors of Tomorrow., the Intel Sponsors of Tomorrow. logo, and Intel vPro are trademarks of Intel Corporation in the U.S. and other countries.

*Other names and brands may be claimed as the property of others.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc., in the United States and other countries.

Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

0812/BC/ME/PDF-USA 327595-001
