This Is Why Antivirus Can’t Detect Second Generation Malware [Infographic]
Discover the tactics that cyber criminals use to make their malware undetectable
As exposed in an article published a short while ago, on the 6 need-to-know attributes of advanced cyber attacks, one of the main ways in which second generation malware is challenging the security industry is its capacity to evade detection.
Malware authors are not only trying to outdo themselves, but also keep one step ahead of the cyber security industry. What makes them successful is that they have the resources (especially the time) to test version after version, and to incrementally enhance their tactics up to the point where malware can infect a system and go undetected for months.
There’s no reason to sugarcoat this: cyber security specialists are struggling and sometimes it makes it complicated for users to build their cyber defenses, because of the multiple fronts they need to cover. But the experts are aware of the challenges and they’re working to come up with new, more effective methods for cyber protection. This is especially important since there is no such thing as a panacea when protecting online assets.
Detection is a significant problem, for both organizations and individuals, although you may not view this as a key issue at the moment. Antivirus products have already fallen behind in terms of effectiveness, because they lack the ability to spot and remove second generation malware.
This specific example can help you get a better idea of where antivirus stands in terms of detection: it takes about two days for an antivirus product to spot the malicious Angler payload. In these two days, plenty of things can happen, from harvesting your financial information (online banking credentials, usernames and passwords, etc.) to encrypting your information via a ransomware infection. Two days it too much and reactive protection is not enough.
But you may ask: why does that happen?
How second generation malware evades detection
You may see cyber criminals like lonely guys that sit behind their computers all day, scheming world domination. It’s partly true, but what you don’t see is that malware creators operate large businesses and employ professional developers to make sure they can find new tactics to maintain their attacks covert, while also building a profitable business.
The Cisco Midyear Security Report 2015 goes to show just how much the cyber crime market has evolved:
Many ransomware operations also have development teams that monitor updates from antivirus providers so that the authors know when a variant has been detected and it’s time to change techniques. Adversaries rely on the cryptocurrency bitcoin for payments, so transactions are more difficult for law enforcement to trace. And to maintain a good reputation in the marketplace—that is, being known to fulfill their promise to give users access to their encrypted files after the payment has been processed—many ransomware operators have established elaborate customer support operations.
But in order to achieve this level of business sophistication, cyber criminals first have to make their malware capable of infiltrating systems without triggering any security alarms.
The longer malware lingers in a system, the more confidential information it can gather and the more damage it can do. That’s why malicious actors make this a priority when developing new forms of malware. And they sure don’t lack creativity!
Here are some of the ways in which present day malware circumvents security systems in both companies and on private users’ PCs:
1. Destroying your hard drive
This example explains how data wiping malware behaves:
After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer.
Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.
MBR is the first sector of a computer’s hard drive that the system looks for before loading the operating system. However, deleting or destroying MBR involves re-installing of operating system, which means valuable data is lost.
In cases where the malware is under the microscope of security experts or any rival malware author, Rombertik will self-destruct itself, taking the contents of a victim’s hard drive along with it.
As you can see, malware creators will stop at nothing while pursuing their malicious objectives. Unless they need your data, they will destroy it. They might even still destroy your data after capturing it and storing it on their servers, so there’s no guarantee as to what will happen once your PC is infected.
2. Keeping itself from being sandboxed
When traditional antivirus programs spot a potentially harmful file on your PC, they will immediately sandbox it. This method allows the AV product to execute the untrusted code or program that comes from unverified third parties, unknown suppliers, untrusted users and potentially harmful websites in a restricted environment, in order not to allow the code or program to infect the PC.
What malware creators do is to find ways to avoid this, for example by blending the malware with millions of sample files to confuse the AV’s methodology. This way, the malware infection will deflect the antivirus’s attempt to spot, block or remove it.
There is also another set of tactics that malware creators use to avoid AV detection. Since the sandbox is a virtual environment, cyber criminals equip malware strains with the ability to detect sandboxing mechanisms by checking registry entries, the PC’s video or mouse capabilities, certain ports or processes and more.
When malware detects that it’s running in a virtual environment (sandbox) it will stop its activity, so antivirus products may conclude that it’s a safe file and just let it pass. It may sound complicated, but this happens all the time.
3. “Domain shadowing”
It’s essential for cyber criminals to be able to hide the exploits and communication between the payload and the servers they control, and for that they need a vast number of URLs they can use and discard.
This is why they use “domain shadowing”, a technique well depicted in the Cisco Midyear Security Report 2015:
Exploit kit authors compromise a domain name registrant’s account, and then register a subdomain under the legitimate domain of the compromised user. Unless users review their account information, they will not know these subdomains exist. The subdomains point at malicious servers. They are very high volume, short-lived, and random, so they’re difficult to block.
Moreover, Angler exploit kit seems to be one of the most actively involved in this particular evasion technique:
Domain shadowing is not new, but the use of this technique has been increasing since December 2014. According to our research, more than 75% of known subdomain activity by exploit kit authors since that time can be attributed to Angler. The exploit kit serves a range of malicious payloads, including the ransomware Trojan Cryptowall, through file exploits.
4. The Fast Flux technique
In order to make detection more difficult, malware creators will often use more than one evasion technique. Fast Flux is a commonly used method by which cyber criminals use a huge amount of IP addresses that are associated with a single, fully qualified domain name.
They then swap the IP addresses constantly and with high frequency by changing DNS records, so that automated analysis mechanisms cannot detect the real source of the infection.
Fast Flux is usually used by botnets (networks of Internet-connected PCs that have been compromised to deliver attacks to other computers, without their owners knowing it) to hide phishing campaigns, malware-loaded websites and other infection sources targeting a large group of users.
While this method is not new either, it still persists among the tools of choice for malicious actors worldwide.
5. Using encrypted payloads
Encryption is a great safeguard for data privacy and even data security, but it can cause serious headaches when used by cyber criminals.
For example, when a malware creator decides to encrypt the payload used to infect victims’ PCs, this will delay detection by antivirus products and buy more time to deploy the malware, which can range from data harvesting to ransomware.
Encrypted payloads are usually identified retrospectively, which makes it easy for malware to take over the victim’s system until reactive protection mechanisms kick in.
6. Polymorphic behavior
Encryption is not the only deceiving technique that makes malware difficult to spot. Cyber criminals rely on their ability to move faster than security vendors, so they rely on other tactics, such as changing file names and file compression.
These changes will not affect the function of the malware, but it will increase its covertness.
7. Using literature to hide exploit kits
What does old literature have to do with cyber crime? This may sound difficult to believe, but, according to Cisco Midyear Security Report 2015:
Some exploit kit authors are looking to early 19th-century literature to help conceal their 21stcentury threats. Specifically, some adversaries are incorporating text from Jane Austen’s Sense and Sensibility into web landing pages that host their exploit kits.
Adding passages of classic text to an exploit kit landing page is a more effective obfuscation technique than the traditional approach of using random text. The use of text from more contemporary works such as magazines and blogs is another effective strategy. Antivirus and other security solutions are more likely to categorize the webpage as legitimate after “reading” such text.
For users, encountering unexpected references to beloved Austen characters such as Elinor Dashwood and Mrs. Jennings on a webpage may be perplexing but not a cause for immediate concern. But their lack of unease gives adversaries more opportunity to launch their exploits.
The use of known works instead of random text is just one example of how threat actors are evolving their schemes to avoid detection.
8. Using Tor and the Invisible Internet Project (I2P)
Tor is well known for its use by Internet users who want to hide their traffic for various reasons, both good (cyber security research) and bad (cyber crime). So it’s no wonder that malware creators employ this anonymity network to conceal their communication, for example the information exchange between a payload and a malicious server.
According to Cisco’s Midyear Security Report 2015, these are the malware families that most often use Tor in their distribution and multiplication:
Moreover, I2P or the Invisible Internet Project, is used for the same purposes, but also includes functions such as chat, blogging and file transfers that are pseudonymous and secure. This is an example of a darknet, “an overlay network that can only be accessed with specific software, configurations, or authorization, often using non-standard communications protocols and ports.” (Source.)
9. Using Microsoft Macros
Microsoft macros is a notorious infection vector that cyber criminals have been using for years and years, but it’s still not out of fashion. Microsoft may have blocked macros from running automatically, but it can’t protect users from social engineering.
Persuading users to run macros themselves required skill and more time than automated attacks, but it can bring in more effective results and worse consequences for the victim. In order to make sure that they stay below the radar, malicious actors will change the threats very fast and very often, forcing detection mechanisms to start over and over again.
Dridex, one of the most dangerous types of banking malware, leverages Microsoft macros to infect users’ systems. Here are some relevant details about how it does the job, extracted from Cisco’s aforementioned report:
Our researchers noticed that the spam campaigns carrying the Dridex payload tended to be very short-lived—perhaps just a few hours long—and that they also mutated frequently, as an evasion tactic. While antivirus solutions perform useful security functions, they are not well suited to detecting these short-lived spam campaigns. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, and refers. They then launch the campaign again, forcing antivirus systems to detect them anew.
10. Remaining dormant
This type of evasion is timing-based, meaning that the malware strain will only run or monitor the user’s actions when the system if most vulnerable. This can happen, for example, during the boot process. In the rest of the time, the malware can remain dormant, thus going undetected by traditional security solutions.
How to protect yourself form undetectable malware
You may not see it, but it’s there. Malware threats are pervasive and difficult to spot, some even to the keenest and well trained eye. All the evasion tactics described above trigger very low detection scores in antivirus products, so you have to do just a bit more to stay safe online.
First of all, try to change your mindset from a reactive-based model to a prevention-oriented one.
Second, keep in mind that prevention means a couple of basic things:
- keeping your software up to date, including your operating system
- using the right cyber security tools to filter web traffic and block potential threats, thus considerably lowering the chances for infection
- avoiding dangerous web locations, such as torrent websites, shady banners or other types of websites that don’t look trustworthy. If you wouldn’t walk on dangerous streets at night, you shouldn’t browse these websites either.
- educating yourself to detect potential cyber attacks delivered via phishing emails, infected banners, spam emails, social engineering attempts and more. If you taught your kids not to talk to strangers, why would you reply to an email from someone you don’t know or click on an email attachment just because someone instructed you to?
Cyber criminals already have a head start. Don’t let them get to you before you know how to protect yourself.
Malware creators are aware that most users rely on antivirus to protect themselves and they are also very knowledgeable when it comes to how they can evade detection. They move fast and have the necessary resources to not only reach their objectives, but also challenge traditional security products to start from scratch with each new malicious campaign they launch.
Reactive security is no longer enough. We don’t recommend you give up using antivirus, we just urge you to consider adding other security layers if you want to fend off cyber attacks. Proactive protection is essential and will become crucial in the coming years, for organizations and home users alike. If you get into the right mindset now, you’ll be able to cope with change much better than those who believe that cyber security doesn’t concern them.
The first step can be to try to visualize the tactics that cyber criminals use in order to keep their cyber attacks covert for as long as possible, exposing your system to a huge array of threats and potential negative consequences. The second step – you already know what it is!