Unknown Malware is the Normal, Not the Exception

Ostra’s Cybersecurity 101 Series is a deeper dive for the non-technical reader who wants to better understand cybersecurity mechanics. This 5-part series covers how the cyber-crime world operates, the evolution of threat generations, why traditional defense models fall short, what a modern attack scenario looks like, and the hallmarks of an effective security platform.

Modern Malware

Computer viruses were the stuff of science fiction in 1970, when a computer program called VIRUS randomly dialed phone numbers using a modem until another computer connected to a modem answered. The answering computer became infected and began dialing in search of another computer to infect. The first fictional computer virus accurately depicted the mechanics. But the scope, scale and destructive power of future malware was impossible to imagine. In 2019 an estimated 9.9 billion malware attacks cost businesses an average of $2.3M in information loss, revenue loss and business disruption. In Part 3 of Ostra’s Cybersecurity 101 Series we explore how modern malware design challenges traditional defenses, and the advanced defense models businesses need for protection.

Infiltrate and Damage

Malware, short for malicious software, is any software that acts against the interest of the user. People often use virus and malware interchangeably, but a computer virus is actually a specific type of malware that infects other programs. When an infected computer program runs, the virus code is loaded and runs before any of the legitimate program code. Once running, the virus spreads by infecting other applications on the host computer, inserting its malicious code wherever it can. This can happen to programs as they open, or even if they aren’t running. Some viruses embed themselves in the startup section of a computer system’s disk, so they can execute even before the operating system fully loads.

Two other main types of malware are Trojans, which disguise themselves as harmless applications to trick users into executing them; and worms, which can reproduce and spread independently of another application. 

Once malware has infected a computer, it can start executing its payload — the part of the code that carries out the malicious acts it was built it for. Today’s malware is designed to harvest, erase, eavesdrop, capture, or destroy important data. Some may do any or all of the above, and many are designed to operate undetected by traditional anti-virus protection.

Ones and Zeroes

Computer code is complex set of instructions that a computer breaks down into machine language — strings of ones and zeros —  and then executes. The patterns of ones and zeros are like fingerprints that make the computer code recognizable. The cybersecurity industry built large catalogues of these patterns, called virus signatures or definitions, and designed software to scan for these patterns. If a pattern is recognized, the computer knows the file containing it is some type of viruses or other malware. This type of defense, called “signature-based” anti-virus, is dependent upon definition files which must constantly be updated to catch new strains — or permutations — of computer viruses or malware variants.

Cross referencing virus definitions — sniffing out ones and zeroes — to defend against malware won’t work if a virus definition is not in the database, or if the virus’ signature has been obscured.

Obfuscation

In the arms race against anti-virus software, modern malware creators use obfuscation — or concealment — techniques that mask the presence of malware. These techniques allow malware to avoid detection and spread easier and faster. Malware designers use several popular evasion techniques to make malware look “new again” and evade security controls.

A metamorphic virus self-alters its payload, or the part of its content that carries out the malicious activity. The malware may be designed to add unneeded sequences — garbage code — to the source code, or change the sequence of how the source code is pieced together. When the altered code recompiles itself, a virus is created that looks fundamentally different from the original. Metamorphic viruses effectively change their file signature, reducing the ability of signature-based antivirus to identify and detect them.

Some viruses are designed to self-encrypt so anti-virus scans can’t see their code to compare against the virus definitions database. These viruses may use several layers of encryption and/or random cryptographic keys. This makes each instance of the virus appear to be different, even though the underlying payload is the same. These self-encrypting viruses — called polymorphic viruses — make ongoing mutations to their encryption schemes and decryption codes, sometimes as often as every 15-20 seconds. Polymorphic viruses are durable with a high survival rate, and capable of spreading widely once an initial infection is established. They cannot be detected with signature-based anti-virus solutions.

Stealth viruses conceal the infection they create. One example of stealth obfuscation is when a virus interferes with the operating system so file sizes don’t reflect the increase caused by infectious code. Some viruses are written using armoring techniques that prevent threat detecting software (or human experts) from discovering them with disassembly, tracing, or other means of analysis. Other viruses are designed to tunnel into a low levels of the operating system. Operating at a low level — under the radar  they can manipulate the operating system by intercepting commands that could lead to detection by anti-virus software.

Beyond concealment, there are several other common but sophisticated methods modern malware developers use to evade security solutions. Complex attack chains carry out the installation and execution of malware in several disparate steps, which make them hard to trace and discover. Some of the installation or execution steps use legitimate system processes — living off the land techniques — to hide malicious activity. Malware payloads are often designed to download from multiple sources, in multiple stages, to avoid detection. They are also designed to check for antivirus products and to halt the infection process immediately if one is found running. Payloads often include regularly scheduled malware updates so an established infection will persist.

A small portion of these techniques can be effectively handled by anti-virus software, but many are complex and considerably more difficult or impossible for anti-virus software to overcome.

Robot Networks

Along with stealing data, another key purpose of malware is to allow attackers to control infected devices. Computers infected with botnet malware become part of a robot network — or botnet — under the control of an attacking party known as the BotHerder. Botnet malware can be installed and operate undetected, allowing BotHerders to covertly use their bots to perform malicious activities. Botnets can be used to attack legitimate business networks. They can also deliver phishing emails containing links or documents infected with malware. This malware can harvest and extract data, and also can spread and infect other devices allowing the botnet to grow.

One potent example of this type of malware is Emotet, which evolved from a banking trojan into a robust polymorphic threat tool. Computers infected with Emotet are added to the Emotet botnet to act as a downloader to deliver other variations of malware. This type of malware-chaining can be used to extract passwords from local apps, spread laterally to other computers on the same network, and even steal entire email threads to later re-use in spam campaigns. A particularly nasty end to a chained malware botnet attack is to deliver and deploy ransomware, which encrypts files throughout the affected network and increases the damage to the end user. The Emotet botnet is now consider a go-to tool for the distribution of malware and ransomware, and is also run as a Malware-as-a-Service (MaaS) operation. Other criminal gangs can rent access to the Emotet botnet and drop their own malware strains alongside Emotet.

Heuristics

Signature-based anti-virus relies on algorithms that quickly identify known virus signatures. But this approach is ineffective against viruses that use permutation or other obfuscation techniques to avoid detection. One way the security industry combats malware designed to avoid signature-based detection is through heuristics. Heuristics are at the basis of artificial intelligence and computer simulated thinking.

Static heuristic analysis inspects small chunks of a suspect program’s source code and looks for instructions or commands that are not found in typical programs. While this type of heuristics is similar to signature scanning, heuristics scanning attempts to detect potentially malicious intent.

For example, a heuristics engine can detect code for replication or distribution of a virus or worm, code that contains encryption strings, or code that makes a program capable of removing data. Static heuristic scanning usually follows a weighted rule-based system, meaning the heuristic analyzer extracts rules from a file which are compared against a set of rules for malicious code, and triggers an alarm if there is a match. While static heuristics technologies are capable of detecting metamorphic and polymorphic malware, heuristic engines can cause false positives if their weighted system is not accurately trained or there are bad rules in the rule-base.

Dynamic heuristics relies on testing suspect program code in a contained environment where potentially malicious intent can be identified without causing damage. This technique – called sandboxing — runs the suspicious piece of code inside a specialized virtual machine known as a sandbox. Threat detection software can look for suspicious behaviors — such as self-replication, overwriting files, and other actions that are common to viruses — that would happen if the suspicious file was allowed to run.

Advanced Threat Protection

Signature-based antivirus software can provide some level of protection as a first line of defense against known threats. Some popular signature-based anti-virus products, such as McAfee, Emsisoft, Bitdefender, Webroot, Malwarebytes, Avira, Norton/Symantec, Avast and AVG can effectively block the small portion of older malware in use today. But these products can’t protect against metamorphic or polymorphic concealment techniques that have become the norm in modern malware design.

Anti-virus solutions that use virus signatures to detect known viruses.

Behavior based malware protection that uses heuristic engine and sandboxing technologies demonstrate that a file is malicious before it is released onto the network to carry out potentially damaging behavior. Kaspersky, ESET and FireEye offer this type of behavior-based advanced threat protection.

Beyond evaluating the intent of a suspicious file, successful advanced threat protection also uses artificial intelligence to communicate newly learned threat information among threat protection layers. For example, FireEye’s Central Management System trains its Email Threat Prevention component to recognize new threats detected by its Endpoint Security component.

Advanced threat detection products evaluate an object based on its intended actions before it can actually execute that behavior.

War Games

Cybercriminals leverage evasion techniques and powerful botnets to maintain the upper hand, outsmarting and outpacing legitimate business to carry out their crimes. While modern-day attacks fueled by powerful evasive malware are easily concealed from decades-old signature-based technology, businesses can effectively fight back with prevention-based countermeasures and security tools powered by heuristics and artificial intelligence.

Ostra’s 5-part Cybersecurity 101 series is designed for the non-technical reader who wants to better understand cybersecurity mechanics. Part 4 of the series showcases a Cyber-Attack Scenario for Small and Medium Business.

References

BitDegree. (2019). Antivirus Definition: How Does Antivirus Software Work? Retrieved from https://www.bitdegree.org/tutorials/antivirus-definition/

Catalin Cimpanu. (2018). Emotet malware gang is mass-harvesting millions of emails in mysterious campaign. Retrieved from  https://www.zdnet.com/article/emotet-malware-gang-is-mass-harvesting-millions-of-emails-in-mysterious-campaign/

Catalin Cimpanu. (2019). Emotet, today’s most dangerous botnet, comes back to life. Retrieved from  https://www.zdnet.com/article/emotet-malware-gang-is-mass-harvesting-millions-of-emails-in-mysterious-campaign/

Cloonan, John. (2018). Advanced Malware Detection – Signatures vs. Behavior Analysis

Retrieved from https://www.infosecurity-magazine.com/opinions/malware-detection-signatures/

Corey Nachreiner. (2017). How Hackers Hide Their Malware. The Basics. Retrieved from https://www.darkreading.com/how-hackers-hide-their-malware-the-basics/a/d-id/1329722

Corey Nachreiner. (2017). How Hackers Hide Their Malware. Advanced Obfuscation. Retrieved from https://www.darkreading.com/attacks-breaches/how-hackers-hide-their-malware-advanced-obfuscation/a/d-id/1329723

Cylance. (2019). 2019 Threat Report. Retrieved from https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Cylance-2019-Threat-Report.pdf?_ga=2.194100014.207560192.1557408928-1034628078.1557241850

Fruhlinger, Josh. (2019). What is a computer virus? How they spread and 5 signs you’ve been infected. Retrieved from https://www.csoonline.com/article/3406446/what-is-a-computer-virus-how-they-spread-and-5-signs-youve-been-infected.html

Kane, Paul. (2019) How does Anti-virus Software Work in 2020? Retrieved from https://www.safetydetectives.com/blog/how-does-antivirus-software-work/

Kaspersky. (2019) What is Heuristic Analysis? Retrieved from https://usa.kaspersky.com/resource-center/definitions/heuristic-analysis

Microsoft Defender ATP Research Team. (2019). Retrieved from https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/

Nocturnus, Cybereason. (2019). A One-Two Punch of Emotet, Trickbot, & Ryuk Stealking & Ransoming Data. Retrieved from https://www.cybereason.com/blog/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data

Nocturnus, Cybereason. (2019). Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk. Retrieved from https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware

O’Conner, Fred. (2017) How New Threats Curb the Effectiveness of Antivirus and Next-Generation Antivirus. Retrieved from https://www.cybereason.com/blog/-how-new-threats-curb-the-effectiveness-of-antivirus-and-next-generation-antivirus

Sonicwall. (2020). 2020 Sonicwall Cyber Threat Report. Retrieved from https://www.sonicwall.com/2020-cyber-threat-report/?elqCampaignid=11772&sfc=7013h000000TuIfAAK&gclid=CjwKCAiA1rPyBRAREiwA1UIy8NCxAwfAAW7_SuuKE0GeNv7du2YHJ5RC1mdbaczuSsIyEJue4KXc4BoCuV4QAvD_BwE

Smith, Daniel. (2019). More Destructive Botnets and Attack Vectors Are on Their Way. Retrieved from https://blog.radware.com/security/botnets/2019/10/scan-exploit-control/

Schedule a Free Consultation

Ostra Enterprise Grade Security

Ostra was founded on the principle of bringing top-of-the-line cyber security tools to small businesses who do not have large IT budgets or an entire division of cyber security experts.  Our founders bring years of experience protecting large organizations to provide digital security to small businesses.

Ostra, LLC

18300 Minnetonka Blvd
Suite 208
Deephaven, MN 55391
866-336-7872
contact@ostra.net

 © 2020 Ostra, LLC

Get Started Now