Tricks of the malware trade

And what the enterprise can learn from them...

Security specialist FireEye recently published a report called 'Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes' report, which revealed a number of techniques used by malware developers in order to sidestep signature-based defenses during attacks.

But why should you care? And, how does understanding the techniques employed by malware authors to evade detection from file-based sandboxes benefit security professionals when it comes to identifying the potential for broader attacks in the enterprise? 

Advertisement - Article continues below

The circle of anti-virus

The FireEye report revealed several techniques used by advanced polymorphic malware in order to sidestep to sidestep signature-based defenses. Zheng Bu, FireEye Labs senior director of research and co-author of the report, suggests that as a result "traditional sandboxes no longer offer a silver bullet against sophisticated attackers" and goes on to warn that malware is increasingly "able to determine when it is running in a virtual environment and alter its behaviour to avoid detection." Which all sounds terribly worrying for the enterprise trying to keep on top of data security in an ever-changing threat landscape.

So how does understanding the techniques employed by malware authors to evade detection from file-based sandboxes benefit security professionals when it comes to identifying the potential for Advanced Persistent Threat (APT) attacks in the enterprise? The ever changing threat landscape claim may be a bit of a stretch for Mark Schloesser, security researcher at Rapid7, who told me that "evasion techniques have been around for decades; it s a continuous arms-race between analysis tools and malware authors" which is true. Indeed, Schloesser says that in his experience they are "as creative today as they were years ago, and every once in a while a few new tricks pop up."

Advertisement - Article continues below
Advertisement - Article continues below

Such techniques are not widely used in most malware samples, but rather are individually explored and occasionally present in certain families, according to Schloesser.

"Certainly classic sandboxing solutions have problems with different evasion techniques," Schloesser admits. "But, they still work great on a large percentage of samples we see today."

When it comes to Advanced Persistent Threat (APT) attacks these are characterized by the determination and resources available to the actor and time + means x commitment = a challenge to defend against.

"These attacks are not characterized by any one specific technological approach" Schloesser explains "in fact APT actors will take the easiest and quickest approach just like any other actor, if it serves their purposes."

In other words, they will only use more sophisticated, expensive approaches if they are required. The sad reality is that in many cases, attackers do not need this more advanced techniques to be successful; they can get in using more basic approaches. "In these instances" Schloesser confesses "we don't see evasion techniques being used because they aren't necessary."

Advertisement - Article continues below

It's what Andrew Waite, Security Consultant at Onyx Group, calls the 'Circle of Anti-Virus' which he explains as being obfuscation techniques evolving to bypass defences, which in turn have evolved to mitigate the latest threat.

Not everyone agrees, however, take Dana Tamir, director of enterprise security at Trusteer who told me that it's too little, too late. Tamir is adamant that understanding malware evasion techniques is of no help to security professionals in defending against targeted attacks. "By the time new evasion techniques are discovered and analysed" Tamir warns "many corporate machines are already compromised.

Malware developers study the detection rules used for detecting malware and successively design new evasion techniques to bypass these rules". Because they are reactive, Tamir concludes, malware detection solutions are and always will be behind. Philip Pieterse, Senior Security Consultant at Trustwave is less pessimistic, and argues that if security professionals are aware of what evasion techniques malware uses then it must make it easier to find the malware.

Whatever conclusions you draw from this industry inconsistency, the fact that malware authors use sophisticated techniques to hide and evade is a given. So what are they?

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular


How to find RAM speed, size and type

24 Jun 2020
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

The road to recovery

30 Jun 2020