A few years ago, if you were a good cyber-citizen (which basically means you kept your system and software patched and your antivirus updated), you could have rested assured that you were protected against 99 percent of malware and attacks.
That’s no longer the case today, thanks to a new breed of smart malware and malware developers that are constantly finding new ways to evade security solutions.
Even when you take all precautionary measures to protect yourself against known threats, there are so many new threats running loose in the wild that there’s no guarantee you won’t be targeted by an unknown malware.
In this post, I’ll walk through some of the ways malware circumvents traditional security solutions and tools that rely on reactive protection, and I’ll describe why we need proactive and preventative approaches to dealing with the threats of the future.
Mocking signature-based protection
Traditional antivirus software relies on signatures to detect and block malware, which means it takes sample code from known files with malicious payloads and compares it with new files being introduced to the system. Any file that has similarities with known malware will be flagged as infected and will be quarantined or blocked.
When a new malware is detected, its signature is retrieved and distributed among endpoint security tools in order to keep them up-to-date with the latest threat information. Any new threat has to go through the same cycle.
Circumventing this mechanism can be as easy as making small alterations to the source code of the malware and recompiling it in order to produce an entirely new threat. Another method that is proving to be effective is encrypting the binary code of the malware, rendering it indecipherable to anti-malware solutions. Some of the more resourceful attackers create empty malware shells that pass through antivirus checks and subsequently download their malicious payload from command-and-control (C&C) servers.
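To make the fragility described above concrete, here is an added example (not code from the original post, and not any vendor's engine) that models the two most common static signature types, an exact file hash and a byte pattern, and runs them over constructed variants of a benign stand-in "sample". The sample bytes, the signature names and the XOR constant are all invented for the demonstration; nothing here is real malware.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed stand-in for a "known malicious" file: a benign byte string used
# only to show how signature matching behaves. Not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00demo-stub: connect(update.example.invalid) then drop payload.bin"

# Signature database as a simple AV engine might keep it (constructed values):
#  - exact full-file hashes
#  - byte patterns (a regex over raw bytes, similar in spirit to a YARA string)
HASH_SIGNATURES: Dict[str, str] = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "DemoFamily.A"}
PATTERN_SIGNATURES = {
    "DemoFamily (generic)": re.compile(rb"connect\([a-z.]+\) then drop [a-z]+\.bin"),
}


def match_hash(data: bytes) -> Optional[str]:
    """Exact-hash signature: only fires on a byte-identical file."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def match_pattern(data: bytes) -> Optional[str]:
    """Byte-pattern signature: survives changes outside the matched bytes."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run both signature types and report what each one sees."""
    return {"hash": match_hash(data), "pattern": match_pattern(data)}


def make_variants(sample: bytes) -> Dict[str, bytes]:
    """Constructed variants mirroring the three evasions described in the text."""
    # 1. "Recompiled": one byte outside the pattern changes, so the hash changes.
    recompiled = sample.replace(b"demo-stub", b"demo-stup")
    # 2. "Encrypted": every byte XORed with a constant; no plaintext pattern remains.
    encoded = bytes(b ^ 0x5A for b in sample)
    # 3. "Empty shell": no payload bytes at all, only a reference to a later stage.
    shell = b"MZ\x90\x00stage1: fetch stage2 from update.example.invalid"
    return {"original": sample, "recompiled": recompiled, "encoded": encoded, "shell": shell}


if __name__ == "__main__":
    for name, data in make_variants(KNOWN_SAMPLE).items():
        print(f"{name:>10}: {scan(data)}")
```

The run shows the progression the post describes: the recompiled variant already escapes the hash signature while the generic byte pattern still catches it, and the encoded and shell variants escape both, because there is nothing static left to match. That last gap is what the behaviour-based approaches in the next section try to close.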
Malware developers are producing hundreds of thousands of malware variants on a daily basis. Symantec’s recent Internet Security Threat Report showed that more than 440 million unique malware were found in 2015. That’s a 36 percent increase from 269 million found the previous year. And to give you a taste of the dramatic change that cyberthreat growth has gone through, you might be interested to know that in 2009, there were 2 million known malware, and back then we thought it was a huge number.
But the productivity of malicious actors is largely based on code reuse and malware recycling. Experts have found that 98 percent of new malware are in fact variants of old ones, and even new malware uses components and elements of previous malware to a large extent.
While creating new malware is an arduous and complicated task, recycling and reusing old malware is trivial.
Slipping past behavior-based systems
More intelligent security solutions no longer rely solely on signatures and samples, and instead use behavioral analysis to detect processes and applications with malware-like behavior. This is achieved by setting up a “sandbox,” a strictly restricted and isolated environment in which new processes are initially launched, where they’re vetted for malicious behavior before being released and given access to system resources. Any processes and executables that manifest malicious or suspicious behavior will be blocked and removed before being able to deal damage.
In order to trick behavior-based security tools, malicious actors have developed a new breed of malware that “sleep through the sandbox,” which means they remain inactive while being scrutinized by the security tool, and will only unpack their payload after they’re through the hostile environment.
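One defensive answer to the “sleep through the sandbox” trick is to hook the sample’s sleep and clock calls so that a requested delay advances a virtual clock instead of stalling the analysis. The following is an added, deliberately simplified model of that idea (illustrative harness only, not the original post’s code and not any real sandbox). The threshold, the event format and the two benign “samples” are assumptions made for the demonstration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed model of a sandbox that accelerates sleep: the sample's sleep()
# is recorded and fast-forwards a virtual clock, so behaviour that would only
# surface after a long idle period is still observed within a short run.

SLEEP_ALERT_SECONDS = 120.0   # assumed threshold for "suspiciously long idle"
Event = Tuple[str, object]    # ("sleep", seconds) or ("action", description)


@dataclass
class SandboxEnv:
    """What the sample sees: a hooked sleep(), a hooked clock and an action sink."""
    virtual_now: float = 0.0
    events: List[Event] = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        # Record the request and fast-forward the virtual clock; never block.
        self.events.append(("sleep", float(seconds)))
        self.virtual_now += float(seconds)

    def now(self) -> float:
        # The clock must stay consistent with accelerated sleeps; if only sleep
        # is hooked, a sample can notice that no time has really passed.
        return self.virtual_now

    def act(self, description: str) -> None:
        # Stand-in for any observable behaviour (file write, network call, ...).
        self.events.append(("action", description))


def idle_before_first_action(events: List[Event]) -> float:
    """Seconds of sleep requested before the sample did anything observable."""
    idle = 0.0
    for kind, value in events:
        if kind == "action":
            break
        if kind == "sleep":
            idle += value  # type: ignore[operator]
    return idle


def analyse(sample: Callable[[SandboxEnv], None]) -> dict:
    """Run the sample under the hooked environment and score what was seen."""
    env = SandboxEnv()
    started = time.monotonic()
    sample(env)
    wall_seconds = time.monotonic() - started

    actions = [value for kind, value in env.events if kind == "action"]
    idle = idle_before_first_action(env.events)
    reasons = []
    if idle >= SLEEP_ALERT_SECONDS:
        reasons.append(f"slept {idle:.0f}s (virtual) before first action")
    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "actions": actions,
        "virtual_seconds": env.virtual_now,
        "wall_seconds": wall_seconds,
    }


# Two constructed samples, benign stand-ins for the behaviours discussed above.
def delayed_sample(env: SandboxEnv) -> None:
    env.sleep(600)                      # would outlast a short analysis run if honoured
    env.act("write-startup-entry")      # constructed label; nothing is actually written


def prompt_sample(env: SandboxEnv) -> None:
    env.act("write-startup-entry")


if __name__ == "__main__":
    for name, fn in (("delayed", delayed_sample), ("prompt", prompt_sample)):
        print(name, analyse(fn))
```

With acceleration in place the delayed sample’s action is observed in a fraction of a second of wall time, and the long requested idle is itself recorded as a reason for suspicion. Real sandboxes apply the same idea at the API level (for example by patching the system sleep routine) and, as the clock hook hints, have to keep every time source the sample can consult consistent with each other.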
Another trick is to use macro scripts embedded in MS Office documents, which do not count as executable binaries. First the malicious script is developed, which uses operating system APIs and services to do its dirty job. The script is then embedded within, say, a Word document. Since Office disables macros by default, the developer writes a very convincing message in the document which encourages the victim to enable the macros (e.g. the user is presented with a blurred image of an invoice payment and is told to enable macros in order to see the clear image). Once macros are enabled, the virus deals its damage. You’d be surprised to learn how many users fall for the ruse. Some of the most successful ransomware campaigns were staged this way.
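Because the macro document is not an executable, a useful defensive check at the mail gateway or on the endpoint is to look inside the document package for a VBA project rather than trusting the file extension. The following is an added example (not from the original post) that does this for Office Open XML files, which are ZIP packages: Word stores the macro project as the part `word/vbaProject.bin` (Excel uses `xl/vbaProject.bin`), and `[Content_Types].xml` declares it with the content type `application/vnd.ms-office.vbaProject`. The `build_package` helper constructs minimal package-shaped ZIPs for the demonstration; they are not real documents.

```python
import io
import zipfile
from typing import Dict, List, Union

# Content type that [Content_Types].xml assigns to a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(package: bytes) -> Dict[str, Union[bool, List[str]]]:
    """Inspect an OOXML package held in memory and report VBA indicators."""
    result: Dict[str, Union[bool, List[str]]] = {
        "is_zip": False,
        "vba_parts": [],
        "vba_content_type": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            result["is_zip"] = True
            names = zf.namelist()
            # Match any vbaProject.bin regardless of the application folder.
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["vba_content_type"] = VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        pass  # not an OOXML package (could be legacy OLE2 .doc, or not Office at all)
    return result


def has_macros(package: bytes) -> bool:
    """True if either indicator is present; extension is deliberately ignored."""
    r = find_macro_indicators(package)
    return bool(r["vba_parts"]) or bool(r["vba_content_type"])


def build_package(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        ]
        if with_vba:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Constructed placeholder bytes; a real vbaProject.bin is an OLE2 container.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("with macros", build_package(True)), ("no macros", build_package(False))):
        print(f"{label}: has_macros={has_macros(pkg)} {find_macro_indicators(pkg)}")
```

Two caveats for real deployments: this check only covers the ZIP-based formats, so a legacy binary `.doc`/`.xls` (an OLE2 container starting with the bytes D0 CF 11 E0) needs a dedicated parser such as oletools’ olevba, and presence of a VBA project is a triage signal, not a verdict, since plenty of legitimate business documents carry macros.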
The rise of zero-days
Among the most indispensable tools in the arsenal of malicious hackers are zero-days and unpatched vulnerabilities. These are the main attack vectors used by attackers to gain a foothold in the network or the computer of the victim, after which they deliver their malicious payload and start the more lethal attack. Exploit kits are versatile toolkits that scan a victim’s computer for operating system and software vulnerabilities and allow hackers to send their malicious payload.
The same Symantec report mentioned above found that 54 zero-days were found in 2015 whereas 2014 only accounted for 24. Endpoint and network security is largely contingent on users updating and patching their system and software in a timely manner. A single slip in this regard can spell a firm’s doom.
Many of the very critical and successful attacks in recent years were made possible through the use of unpatched and overlooked vulnerabilities. The Target data breach is a stark example.
What’s the cure?
As long as we’re reacting to threats, we can never guarantee 100 percent security. No matter how much we hone our skills and quicken our reflexes, there will always be a window of opportunity for hackers to exploit newfound vulnerabilities and security holes in our systems before we plug them.
A different approach would be to use proactive tactics, methods that can predict the next move of the attacker and prevent them from striking first and gaining a foothold in the system in the first place.
Some cybersecurity firms are offering ingenious solutions to the malware dilemma and are using the tactics of malware developers against them to thwart their attacks. I’ll be talking about these techniques in one of my future articles.