Malware has evolved again — according to Threat Post, malicious actors have created a way to dynamically spoof “mutex” values using Windows product IDs as a way to hide the presence of multiple, malicious processes. Here’s what you need to know about this new mix-don’t-match technique.
It sounds like something found in mad scientist’s lab — a seething substance just ready to infect (or empower) someone unlucky enough to get splashed or dunked. In fact, mutex values are a way for malware detectors to determine if multiple, identical processes are running at the same time. Not all malicious programs use mutex values, but those that do typically rely on static values, making it possible to discover their presence. As noted by The Register, the BackOff POS malware used a static mutex, allowing researchers to detect system infection. This is the simplest way for malware creators to code their programs; Lenny Zeltser of SANS Institute says that “malware authors who wish to employ mutex objects need a predictable way of naming those objects, so that multiple instances of malicious code running on the infected host can refer to the same mutex.” Now, there’s a new mutex in the mix.
Instead of going static, the TreasureHunter malware uses a kind of dynamic mutex value based on the infected system’s Windows product ID. This makes it much less likely that researchers and malware-detection programs will “see” malicious code before it takes action, since process mutexs don’t seem out of place and vary from system to system. The malware accomplishes this task by first using code to read registry locations such as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId, and then running a deterministic algorithm to generate mutex values which are appropriate for the version of Windows and processing running. Simply put? This new mix makes it more difficult to find unique “flavors” of malware, instead allowing them to blend in with more familiar code ingredients.
The task of detecting malware is big business — security companies across the globe are looking for ways to beat out the competition and find “the next big thing” before anyone else does. In some cases, however, the rush to be first on the street puts these organizations in the firing line: Consider the recent troubles of Panda Labs, which after a March 11th update discovered that the antivirus solution was marking its own files as infected and sending them to quarantine. Other security vendors have encountered similar issues in the past, but they all stem from the same place: The desire to find critical malware markers, such as bits of code or subtle actions, which set them apart from benign programs. That’s the allure of mutex and similar static indicators, and why it’s no surprise that malware creators are now finding ways around. It’s worth noting that the mutex mixer isn’t exactly sophisticated, and that mutex analysis itself should never be the sole measure of malware’s existence.
The new mutex developments align with current market perception — according to CIO Insight, 81 percent of respondents believe that “even with security tools, Web-borne malware can be completely undetectable,” while the same number said that insecure Web browsers are a primary attack vector. Finally, 74 percent think that traditional malware detection technologies — such as hunting for static mutex values — are becoming ineffective. The result? That 77 percent say their organizations have been infected by undetected malware. In other words, malicious code is breaking through corporate barriers, and the new mutex mutation scheme is just more pushback from the bad guys.
So what does all this mean for the companies, developers, and individuals trying to stay out in front of new malware attacks? The same as it did last week. This mutex evolution isn’t particularly brilliant, nor will it fundamentally change the way security companies detect new issues. Instead, it’s a reminder that malware developers are often on the forefront of code evolution since they’ve got the benefit of existing security measures to use as reference material. Staying safe hasn’t changed: Don’t download attachments you don’t trust, don’t surf without the protection of a secure VPN, and regularly check your system for infection. Dynamic mutex values using Windows product IDs might slow the process, but this new mix doesn’t ruin the recipe.