And what the enterprise can learn from them…
Security specialist FireEye recently published a report called ‘Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes’ report, which revealed a number of techniques used by malware developers in order to sidestep signature-based defenses during attacks.
But why should you care? And, how does understanding the techniques employed by malware authors to evade detection from file-based sandboxes benefit security professionals when it comes to identifying the potential for broader attacks in the enterprise?
The circle of anti-virus
The FireEye report revealed several techniques used by advanced polymorphic malware in order to sidestep to sidestep signature-based defenses. Zheng Bu, FireEye Labs senior director of research and co-author of the report, suggests that as a result “traditional sandboxes no longer offer a silver bullet against sophisticated attackers” and goes on to warn that malware is increasingly “able to determine when it is running in a virtual environment and alter its behaviour to avoid detection.” Which all sounds terribly worrying for the enterprise trying to keep on top of data security in an ever-changing threat landscape.
So how does understanding the techniques employed by malware authors to evade detection from file-based sandboxes benefit security professionals when it comes to identifying the potential for Advanced Persistent Threat (APT) attacks in the enterprise? The ever changing threat landscape claim may be a bit of a stretch for Mark Schloesser, security researcher at Rapid7, who told me that “evasion techniques have been around for decades; it ís a continuous arms-race between analysis tools and malware authors” which is true. Indeed, Schloesser says that in his experience they are “as creative today as they were years ago, and every once in a while a few new tricks pop up.”
Such techniques are not widely used in most malware samples, but rather are individually explored and occasionally present in certain families, according to Schloesser.
“Certainly classic sandboxing solutions have problems with different evasion techniques,” Schloesser admits. “But, they still work great on a large percentage of samples we see today.”
When it comes to Advanced Persistent Threat (APT) attacks these are characterized by the determination and resources available to the actor and time + means x commitment = a challenge to defend against.
“These attacks are not characterized by any one specific technological approach” Schloesser explains “in fact APT actors will take the easiest and quickest approach just like any other actor, if it serves their purposes.”
In other words, they will only use more sophisticated, expensive approaches if they are required. The sad reality is that in many cases, attackers do not need this more advanced techniques to be successful; they can get in using more basic approaches. “In these instances” Schloesser confesses “we don’t see evasion techniques being used because they aren’t necessary.”
It’s what Andrew Waite, Security Consultant at Onyx Group, calls the ‘Circle of Anti-Virus’ which he explains as being obfuscation techniques evolving to bypass defences, which in turn have evolved to mitigate the latest threat.
Not everyone agrees, however, take Dana Tamir, director of enterprise security at Trusteer who told me that it’s too little, too late. Tamir is adamant that understanding malware evasion techniques is of no help to security professionals in defending against targeted attacks. “By the time new evasion techniques are discovered and analysed” Tamir warns “many corporate machines are already compromised.
Malware developers study the detection rules used for detecting malware and successively design new evasion techniques to bypass these rules”. Because they are reactive, Tamir concludes, malware detection solutions are and always will be behind. Philip Pieterse, Senior Security Consultant at Trustwave is less pessimistic, and argues that if security professionals are aware of what evasion techniques malware uses then it must make it easier to find the malware.
Whatever conclusions you draw from this industry inconsistency, the fact that malware authors use sophisticated techniques to hide and evade is a given. So what are they?