Don’t Be Fooled By Undercover Malware: Watch Out For Ghostware, Two-faced Malware and Compressed Files

The costs of data breaches can be staggering. Consider the breach at Anthem last year that cost the health insurer $100 million. Target topped that loss a year earlier with a breach that exceeded $162 million. With stakes this high, it is more cost-effective for companies to prevent intrusions than to deal with the consequences, and many are increasing their spending on cybersecurity.

But with the expanding number of attack surfaces and the growing tenacity and creativity of cyber criminals, it has become more difficult for organizations to keep the upper hand. This is especially true in the fight against malware. As malware detection tools improve, malware authors find new ways to write malicious code that conceals signs of compromise or avoids detection by security sandboxes and scanning technologies. Among the most dangerous malware threats to beware of in 2016 are ghostware, two-faced malware and malware hidden in compressed files. Here is what you need to know about each of them.

Ghostware

Security monitoring software is constantly searching for signs of abnormal behavior, and most of today's intrusions eventually catch a security administrator's attention. Ghostware tries to get around this by wiping out the evidence of its own activity, leaving no records behind to alert an organization that it has been breached. Organizations that do figure out they were breached often cannot tell which data was compromised or who was behind the attack. Evidence that lives only on the compromised host is exactly what ghostware can reach, which is why logs should be forwarded off the host as they are written rather than collected after the fact. Other dangerous software takes the opposite tack: blastware, instead of erasing all traces to avoid discovery, wipes out entire servers if it recognizes that it has been detected. All too often, the consequences for victims include the high costs of data loss and operational downtime.
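The practical counter to evidence-wiping is to make the record tamper-evident and to keep the means of checking it off the host. As an added example that is not part of the original article, the Python below (the log lines, the key and the function names are constructed assumptions) tags each log entry with an HMAC over the previous tag and the line, then replaces the key with a hash of itself, so the host only ever holds the current key. A collector that keeps the initial key can re-derive every key and locate the first entry that was deleted or altered; an intruder who gains root later can forge new entries but cannot re-tag old ones, because the keys that produced them no longer exist on the host.

```python
import hashlib
import hmac

# Constructed sample log lines, in the shape an auth/exec log might record them.
SAMPLE_LOG = [
    "2016-03-01T10:00:01Z login user=alice src=10.0.0.5 result=ok",
    "2016-03-01T10:02:14Z login user=svc_backup src=10.0.0.9 result=ok",
    "2016-03-01T10:02:20Z exec user=svc_backup cmd=/tmp/.x/update",
    "2016-03-01T10:05:00Z logout user=alice",
]
# Assumed initial key; in practice a random value held by the off-host collector.
KEY0 = b"constructed-initial-key-kept-off-host"


def _evolve(key):
    """Derive the next per-entry key; the host discards the old one after use."""
    return hashlib.sha256(b"evolve|" + key).digest()


def chain_log(lines, key0=KEY0):
    """Tag each line with HMAC(key_i, previous_tag || line) and advance the key.
    Returns [(line, tag_hex), ...] as the host would store it."""
    key, prev, records = key0, b"\x00" * 32, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev, key = tag, _evolve(key)
    return records


def verify_chain(records, key0=KEY0, expected_len=None):
    """Re-derive the keys from key0 and recheck every tag.
    Returns -1 if the chain is intact, otherwise the index of the first entry
    that is missing, altered, or tagged with a key the forger could not have had."""
    key, prev = key0, b"\x00" * 32
    for i, (line, tag_hex) in enumerate(records):
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return i
        prev, key = tag, _evolve(key)
    if expected_len is not None and len(records) < expected_len:
        return len(records)  # newest entries were truncated
    return -1


if __name__ == "__main__":
    recs = chain_log(SAMPLE_LOG)
    print("intact chain:", verify_chain(recs))
    print("exec line removed, first broken entry:", verify_chain(recs[:2] + recs[3:]))
```

Deleting only the newest entries leaves a chain that still verifies, which is why `expected_len` exists: the collector has to know how many entries to expect, so the running count or the latest tag should be shipped off the host as it is produced.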

Two-faced Malware

Some malware, two-faced malware for example, plays innocent before revealing its true colors. Written to register as safe when evaluated by threat intelligence systems, two-faced malware recognizes when it is running in a sandbox, behaves harmlessly while it is being observed, and performs its malicious action only after the sandbox has passed it through to the network. Even worse, once a sandbox rates a sample as benign, future enhanced versions of that malware may not be examined in the sandbox at all.
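The environment checks this kind of malware applies are well known, and they are useful the other way round: run them inside your own sandbox and you learn what it is giving away. As an added example, not code from the original article, the Python below (the process names, MAC prefixes, thresholds and the two host profiles are constructed assumptions) scores a host profile against common sandbox tells and shows that a bare analysis VM trips the "stay benign" decision while a sandbox dressed to look like a used desktop does not.

```python
# Process names and MAC prefixes here are illustrative assumptions for the example.
KNOWN_ANALYSIS_PROCESSES = {
    "vboxservice.exe", "vmtoolsd.exe", "procmon.exe",
    "wireshark.exe", "x64dbg.exe",
}
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69")  # VirtualBox / VMware OUIs


def sandbox_tells(p):
    """Return the traits in host profile `p` that give an analysis sandbox away."""
    tells = []
    if p["cpu_count"] < 2:
        tells.append("single vCPU")
    if p["ram_gb"] < 4:
        tells.append("under 4 GB RAM")
    if p["uptime_min"] < 10:
        tells.append("booted minutes ago")
    if p["recent_docs"] < 5:
        tells.append("almost no recent documents")
    if not p["mouse_moved"]:
        tells.append("no user input observed")
    if p["mac"].lower().startswith(VM_MAC_PREFIXES):
        tells.append("VM vendor MAC prefix")
    hits = {name.lower() for name in p["processes"]} & KNOWN_ANALYSIS_PROCESSES
    if hits:
        tells.append("analysis tooling: " + ", ".join(sorted(hits)))
    return tells


def would_evade(p, threshold=2):
    """The two-faced decision: stay benign when enough tells are present."""
    return len(sandbox_tells(p)) >= threshold


# Constructed host profiles: a default analysis VM and one dressed as a used desktop.
BARE_SANDBOX = dict(
    cpu_count=1, ram_gb=2, uptime_min=3, recent_docs=0, mouse_moved=False,
    mac="08:00:27:4e:66:a1",
    processes=["explorer.exe", "VBoxService.exe", "procmon.exe"],
)
HARDENED_SANDBOX = dict(
    cpu_count=4, ram_gb=8, uptime_min=620, recent_docs=37, mouse_moved=True,
    mac="3c:97:0e:12:34:56",
    processes=["explorer.exe", "outlook.exe", "chrome.exe"],
)

if __name__ == "__main__":
    for label, profile in (("bare", BARE_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(label, "-> evade:", would_evade(profile), sandbox_tells(profile))
```

The other common trick is simply waiting: sleeping or stalling past the sandbox's observation window. A sandbox therefore needs both a realistic profile and a long enough (or sleep-accelerating) run, and a benign verdict from a short run should not be cached as permanent.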

Compressed Files

File compression is necessary to reduce file sizes for efficient transmission, but compressed files also make convenient hiding places for malware. Some security software can scan only ZIP files, not other compressed formats, so a payload packed in another format passes through the scan unrecognized. Compressed archives can also contain multiple files that individually are not dangerous but, taken together, are malicious. Fortinet's "Test Your Metal" tool lets you test your network security software to see how well it handles malware in a compressed file.
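A scanner that unpacks only ZIP misses the point of the paragraph: the archive has to be walked recursively, whatever the outer format, with limits that stop a decompression bomb from taking the scanner down instead. As an added example, not part of the original article or of the Fortinet tool, the Python below (the file names, limits and the constructed sample attachment are assumptions) opens zip, tar and gzip containers to a bounded nesting depth, caps expansion, refuses to guess at encrypted members, and flags leaf files whose name or header is a tell: a double extension, or a PE header on a file not named as an executable.

```python
import gzip
import io
import tarfile
import zipfile
import zlib

MAX_DEPTH = 4                  # nesting levels opened before giving up
MAX_BYTES = 50 * 1024 * 1024   # largest member we are willing to expand
MAX_RATIO = 200                # expansion ratio above this is treated as a bomb
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".ps1", ".jar", ".bat", ".cmd")


def _flags(name, data):
    """Flags for a leaf file: name tricks, and a PE header where none is expected."""
    low, flags = name.lower(), []
    if low.endswith(RISKY_EXT):
        flags.append("risky-extension")
        if low.rsplit("/", 1)[-1].count(".") >= 2:
            flags.append("double-extension")
    if data[:2] == b"MZ":
        flags.append("pe-header")
        if not low.endswith((".exe", ".dll", ".scr", ".sys")):
            flags.append("pe-disguised")
    return flags


def _gunzip_bounded(data, limit=MAX_BYTES):
    """Inflate a gzip stream but stop as soon as it exceeds `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decompression-bomb")
    return out


def walk(name, data, depth=0):
    """Yield (path, size, flags) for every leaf, descending into zip, tar and gzip."""
    if depth > MAX_DEPTH:
        yield (name, len(data), ["depth-limit"])
        return
    if data[:4] == b"PK\x03\x04":                      # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:               # password-protected: cannot inspect
                    yield (path, info.file_size, ["encrypted"])
                    continue
                ratio = info.file_size / max(info.compress_size, 1)
                if info.file_size > MAX_BYTES or ratio > MAX_RATIO:
                    yield (path, info.file_size, ["decompression-bomb"])
                    continue
                yield from walk(path, zf.read(info), depth + 1)
        return
    if data[:2] == b"\x1f\x8b":                        # gzip magic
        low = name.lower()
        inner = name[:-4] + ".tar" if low.endswith(".tgz") else (name[:-3] if low.endswith(".gz") else name)
        try:
            yield from walk(inner, _gunzip_bounded(data), depth + 1)
        except ValueError:
            yield (inner, len(data), ["decompression-bomb"])
        return
    if data[257:262] == b"ustar":                      # tar header magic
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for m in tf.getmembers():
                if not m.isfile():
                    continue
                path = f"{name}/{m.name}"
                if m.size > MAX_BYTES:
                    yield (path, m.size, ["decompression-bomb"])
                    continue
                yield from walk(path, tf.extractfile(m).read(), depth + 1)
        return
    yield (name, len(data), _flags(name, data))


def scan(name, data):
    return list(walk(name, data))


def build_sample():
    """Constructed attachment: a .tgz holding a tar that holds a zip with a disguised PE."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "please open the attached invoice")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"fake-pe")
        zf.writestr("helper.dat", b"MZ" + b"\x00" * 62 + b"also-fake-pe")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for member, payload in (("attachments/inner.zip", zbuf.getvalue()), ("notes.md", b"hello")):
            ti = tarfile.TarInfo(member)
            ti.size = len(payload)
            tf.addfile(ti, io.BytesIO(payload))
    return gzip.compress(tbuf.getvalue())


def build_bomb():
    """Constructed zip whose single member inflates far beyond MAX_RATIO."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * 4_000_000)
    return zbuf.getvalue()


if __name__ == "__main__":
    for path, size, flags in scan("mail-attachment.tgz", build_sample()):
        print(f"{path} ({size} bytes) {flags}")
```

The "individually harmless, together malicious" case from the text is why the walker returns the whole leaf list rather than a verdict per file: a `.dat` carrying a PE header sitting next to a script is a judgement to make on the set, not on either member alone.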

So, what can you do?

Get ahead of the threats. Experts expect more malware to use these techniques this year, so it is important to get your defenses in place now. Start by assessing your environment to identify the specific risks you face, and work with experts to deploy effective technologies that protect you against current and upcoming threats. Learn more about how Citon specialists can help.