Tricks of the malware trade

And what the enterprise can learn from them...

Security specialist FireEye recently published a report called 'Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes' report, which revealed a number of techniques used by malware developers in order to sidestep signature-based defenses during attacks.

But why should you care? And, how does understanding the techniques employed by malware authors to evade detection from file-based sandboxes benefit security professionals when it comes to identifying the potential for broader attacks in the enterprise? 

Advertisement - Article continues below

The circle of anti-virus

The FireEye report revealed several techniques used by advanced polymorphic malware in order to sidestep to sidestep signature-based defenses. Zheng Bu, FireEye Labs senior director of research and co-author of the report, suggests that as a result "traditional sandboxes no longer offer a silver bullet against sophisticated attackers" and goes on to warn that malware is increasingly "able to determine when it is running in a virtual environment and alter its behaviour to avoid detection." Which all sounds terribly worrying for the enterprise trying to keep on top of data security in an ever-changing threat landscape.

So how does understanding the techniques employed by malware authors to evade detection from file-based sandboxes benefit security professionals when it comes to identifying the potential for Advanced Persistent Threat (APT) attacks in the enterprise? The ever changing threat landscape claim may be a bit of a stretch for Mark Schloesser, security researcher at Rapid7, who told me that "evasion techniques have been around for decades; it s a continuous arms-race between analysis tools and malware authors" which is true. Indeed, Schloesser says that in his experience they are "as creative today as they were years ago, and every once in a while a few new tricks pop up."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Such techniques are not widely used in most malware samples, but rather are individually explored and occasionally present in certain families, according to Schloesser.

"Certainly classic sandboxing solutions have problems with different evasion techniques," Schloesser admits. "But, they still work great on a large percentage of samples we see today."

When it comes to Advanced Persistent Threat (APT) attacks these are characterized by the determination and resources available to the actor and time + means x commitment = a challenge to defend against.

"These attacks are not characterized by any one specific technological approach" Schloesser explains "in fact APT actors will take the easiest and quickest approach just like any other actor, if it serves their purposes."

In other words, they will only use more sophisticated, expensive approaches if they are required. The sad reality is that in many cases, attackers do not need this more advanced techniques to be successful; they can get in using more basic approaches. "In these instances" Schloesser confesses "we don't see evasion techniques being used because they aren't necessary."

Advertisement - Article continues below

It's what Andrew Waite, Security Consultant at Onyx Group, calls the 'Circle of Anti-Virus' which he explains as being obfuscation techniques evolving to bypass defences, which in turn have evolved to mitigate the latest threat.

Not everyone agrees, however, take Dana Tamir, director of enterprise security at Trusteer who told me that it's too little, too late. Tamir is adamant that understanding malware evasion techniques is of no help to security professionals in defending against targeted attacks. "By the time new evasion techniques are discovered and analysed" Tamir warns "many corporate machines are already compromised.

Malware developers study the detection rules used for detecting malware and successively design new evasion techniques to bypass these rules". Because they are reactive, Tamir concludes, malware detection solutions are and always will be behind. Philip Pieterse, Senior Security Consultant at Trustwave is less pessimistic, and argues that if security professionals are aware of what evasion techniques malware uses then it must make it easier to find the malware.

Whatever conclusions you draw from this industry inconsistency, the fact that malware authors use sophisticated techniques to hide and evade is a given. So what are they?

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020