Tricks of the malware trade

And what the enterprise can learn from them...

Security specialist FireEye recently published a report called 'Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes', which revealed a number of techniques used by malware developers to sidestep signature-based defenses during attacks.

But why should you care? And how does understanding the techniques malware authors use to evade detection by file-based sandboxes benefit security professionals when it comes to identifying the potential for broader attacks in the enterprise?

The circle of anti-virus

The FireEye report revealed several techniques used by advanced polymorphic malware to sidestep signature-based defenses. Zheng Bu, FireEye Labs senior director of research and co-author of the report, suggests that as a result "traditional sandboxes no longer offer a silver bullet against sophisticated attackers" and goes on to warn that malware is increasingly "able to determine when it is running in a virtual environment and alter its behaviour to avoid detection." All of which sounds terribly worrying for the enterprise trying to keep on top of data security in an ever-changing threat landscape.

So how does understanding these evasion techniques benefit security professionals when it comes to identifying the potential for Advanced Persistent Threat (APT) attacks in the enterprise? The ever-changing threat landscape claim may be a bit of a stretch for Mark Schloesser, security researcher at Rapid7, who told me that "evasion techniques have been around for decades; it's a continuous arms-race between analysis tools and malware authors", which is true. Indeed, Schloesser says that in his experience they are "as creative today as they were years ago, and every once in a while a few new tricks pop up."

Such techniques are not widely used in most malware samples, but rather are individually explored and occasionally present in certain families, according to Schloesser.

"Certainly classic sandboxing solutions have problems with different evasion techniques," Schloesser admits. "But, they still work great on a large percentage of samples we see today."

When it comes to Advanced Persistent Threat (APT) attacks, these are characterized by the determination and resources available to the actor: time plus means, multiplied by commitment, adds up to a challenge to defend against.

"These attacks are not characterized by any one specific technological approach," Schloesser explains. "In fact APT actors will take the easiest and quickest approach just like any other actor, if it serves their purposes."

In other words, they will only use more sophisticated, expensive approaches if they are required. The sad reality is that in many cases attackers do not need these more advanced techniques to be successful; they can get in using more basic approaches. "In these instances," Schloesser confesses, "we don't see evasion techniques being used because they aren't necessary."

It's what Andrew Waite, Security Consultant at Onyx Group, calls the 'Circle of Anti-Virus', which he explains as obfuscation techniques evolving to bypass defences, which in turn evolve to mitigate the latest threat.

Not everyone agrees, however. Take Dana Tamir, director of enterprise security at Trusteer, who told me that it's too little, too late. Tamir is adamant that understanding malware evasion techniques is of no help to security professionals in defending against targeted attacks. "By the time new evasion techniques are discovered and analysed," Tamir warns, "many corporate machines are already compromised.

"Malware developers study the detection rules used for detecting malware and successively design new evasion techniques to bypass these rules." Because they are reactive, Tamir concludes, malware detection solutions are and always will be behind. Philip Pieterse, Senior Security Consultant at Trustwave, is less pessimistic, and argues that if security professionals are aware of what evasion techniques malware uses then it must make it easier to find the malware.

Whatever conclusions you draw from this industry inconsistency, the fact that malware authors use sophisticated techniques to hide and evade is a given. So what are they?
