I’ve seen this idea floating around the Internet for some time and I thought I’d document it for future reference:
A perimeter weakening malware (PWM) is a program (script, macro, etc.) which “lowers the defenses” of a computer (stops AV software, disables the firewall, creates an Administrator account with a certain password, etc.) after which it deletes itself. The idea is that this creates an opportunity for the attacker to later come in and take over the system with standard tools (RDP, PsExec, etc.).
To be clear: as far as I know this is just a concept, it hasn’t been used in any malware I’ve seen. Many of them do try to do something similar, but it is mostly an attempt to disable security software so that they can remain on the system longer. The difference is that PWM doesn’t necessarily need to be written to disk (the point at which on-access scanners check files). It can be part of an exploit which runs from memory, does its thing and disappears.
The danger: black/white-listing solutions most probably won’t pick up on this. After all, the concept of “executable code” is so blurry that most solutions only cover ~95% of it (which doesn’t sound bad, but still leaves a lot of possibilities open). Scanning every memory page on every executed instruction is one possibility; however, currently nobody does that (AFAIK) because of the performance impact…
The solution is – you’ve guessed it – multiple layers of defense (I’m talking about companies here). Have your security suite, but also monitor the traffic, and make sure that users don’t run as Administrator (sidenote: I was recently on a computer which used AVG 7.5 and was very pleased to find that they didn’t allow changing the settings from a limited account). Have policies which describe the accepted configuration of the machines and monitor it (Tenable Security seems to have some version of this built into Nessus – disclaimer: I have no relationship with them whatsoever, I never even used Nessus :-)).
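To make the last point concrete, here is an added example (not code from the original post, and not Nessus or any vendor’s product) of the kind of configuration-baseline check a company could run against its machines to catch exactly the changes a PWM would leave behind: a stopped AV service, a disabled firewall, an unexpected local Administrator, remote access switched on. The host snapshots and the baseline policy are constructed inline for illustration; in a real deployment the snapshot would come from an agent or a scanner, and the baseline from the organisation’s own configuration policy.

```python
"""Configuration-drift check for the "perimeter weakening" scenario.

Added example, not code from the original post.  It assumes that a
per-host inventory snapshot is already available as a dict (here it
is constructed inline); in practice it would be collected by an agent
or a vulnerability/configuration scanner.
"""
from dataclasses import dataclass

# Accepted configuration ("policy") for a workstation.  Assumed values:
# the service and account names below are placeholders, not real ones.
BASELINE = {
    "services_running": {"AVService", "WindowsFirewall"},
    "firewall_enabled": True,
    "local_admins": {"Administrator", "IT-Support"},
    "rdp_enabled": False,
}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # which policy item was violated
    detail: str     # the offending value (service, account, state)


def check_host(name, snapshot, baseline=BASELINE):
    """Compare one host snapshot against the baseline; return a list of
    Finding objects (empty list means the host matches policy)."""
    findings = []

    # 1. Security services that policy requires but are not running.
    stopped = baseline["services_running"] - set(snapshot.get("services_running", ()))
    for svc in sorted(stopped):
        findings.append(Finding(name, "service_stopped", svc))

    # 2. Host firewall state differs from policy.
    fw = snapshot.get("firewall_enabled")
    if fw != baseline["firewall_enabled"]:
        findings.append(Finding(name, "firewall_state", f"enabled={fw}"))

    # 3. Members of the local Administrators group not in the allow-list
    #    (the "extra admin account with a known password" case).
    extra_admins = set(snapshot.get("local_admins", ())) - baseline["local_admins"]
    for acct in sorted(extra_admins):
        findings.append(Finding(name, "unexpected_admin", acct))

    # 4. Remote access enabled although policy says it must be off.
    if snapshot.get("rdp_enabled") and not baseline["rdp_enabled"]:
        findings.append(Finding(name, "rdp_enabled", "RDP enabled, policy says disabled"))

    return findings


def check_fleet(snapshots, baseline=BASELINE):
    """Run check_host over every host; returns {host: [Finding, ...]}."""
    return {host: check_host(host, snap, baseline) for host, snap in snapshots.items()}


def hosts_needing_review(results):
    """Sorted list of hosts with at least one finding, for the ticket queue."""
    return sorted(host for host, findings in results.items() if findings)


# Constructed sample snapshots: ws-01 is compliant, ws-02 looks like a
# machine whose perimeter has been weakened.
SAMPLE_SNAPSHOTS = {
    "ws-01": {
        "services_running": {"AVService", "WindowsFirewall", "Spooler"},
        "firewall_enabled": True,
        "local_admins": {"Administrator", "IT-Support"},
        "rdp_enabled": False,
    },
    "ws-02": {
        "services_running": {"WindowsFirewall", "Spooler"},
        "firewall_enabled": False,
        "local_admins": {"Administrator", "IT-Support", "svc_backup"},
        "rdp_enabled": True,
    },
}

if __name__ == "__main__":
    results = check_fleet(SAMPLE_SNAPSHOTS)
    for host in hosts_needing_review(results):
        for f in results[host]:
            print(f"{f.host}: {f.check} -> {f.detail}")
```

The value of a check like this is that it is independent of how the change was made: whether the settings were flipped by a user, by a dropped binary or by code that only ever lived in memory, the resulting state of the machine no longer matches policy, and that drift is what gets flagged. It pairs naturally with the traffic monitoring mentioned above, since a new RDP session to a host that has just drifted is the event the attacker's "come back later" step would produce.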