The recent discovery of the Stegoloader malware exposes several weaknesses of conventional, detection-based malware prevention. Stegoloader is capturing interest because the active malware is hidden inside an image file (PNG) that is delivered to machines already infected by its deployment module. The PNG image is hosted on a "legitimate site" and is cleverly designed to avoid detection by network sandboxes. Let's peel this apart and see where the detection-based approach breaks down.
First, note that the initial phase of the attack starts with the Stegoloader deployment module being installed on the user's machine. How does this happen? So far, the only reported initial infection vector is users unwittingly downloading Stegoloader from sites hosting "software piracy tools". Well, we hate to say "it serves you right" but hey, you get what you (don't) pay for.

Once installed on the target, the Stegoloader deployment module fetches the PNG image that contains the next phase of the attack. The PNG is hosted on a "legitimate site", i.e. one that wouldn't be blocked by a Web security gateway. But as we've seen in the State of the Web 2015: Vulnerability Report, over 20% of Web sites run software with known vulnerabilities - including "legitimate" sites. Such sites are easily compromised and used to host payloads like the malicious Stegoloader PNG image, so the payload passes right through Web security gateways that rely on site reputation alone.