As the malware threat landscape continues to evolve, hackers are constantly changing techniques to counteract detection technologies that vendors are developing. By using sophisticated methods to evade current antivirus technologies, hackers are relentless in their pursuit of damaging IT systems and oftentimes gaining access to personal information.
Several years ago, hackers used polymorphism and metamorphism to generate an endless stream of new worm variants. Through polymorphism the virus would morph itself into different variations and bypass signature-based technologies. The antivirus industry eventually responded by creating emulation technologies to counteract this new breed of virus: the emulation engine was designed to mimic the properties of the morphed virus so it could be detected by other means (signatures and heuristics). This emulation approach depended entirely on the researcher’s access to the polymorphic engine; its logic had to be decoded before protection could be provided for specific mutations.
Subsequently, proactive technologies (behavioral analysis, heuristics) were developed when worms began to self-replicate across networks and exploit zero-day vulnerabilities faster than a signature could be created. The idea was to provide protection without depending solely on reactive technologies, which were slow and clunky, and instead to use methods that attempt to predict dangerous characteristics. Heuristics was the first real stride towards being proactive, using a statistical probability model to calculate a file’s potential of being bad. However, in today’s world malware is run by organized criminals who have simply adapted to the technologies that vendors have developed over the years.
As the malware landscape has evolved, hackers have shifted their interest from fame to profit and will do anything for financial gain, developing new and innovative ways to slip below the radar. Some of these methods are very innovative and certainly qualify as thinking out of the box when it comes to crime, such as:
· Custom HTML injection into financial sites to obtain additional information
As we begin to map out the evolution there are several common themes when it comes to stealth and camouflage techniques:
· Custom run-time packers
· Server-side polymorphism
· Virtual machine / sandbox detection
In the lab we have discovered that approximately 90 percent of all malware uses some form of packer, and the trend indicates packers are becoming more customized by the day, making the analyst’s job harder. Packers are used because compressing the code prevents AV analysts from easily decoding the sample, which increases reaction time dramatically. AV vendors are constantly evolving generic unpacking routines (techniques which decompress the file and reveal the malware) in order to combat the rise of packers.
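The following is an added example, not code from the article, of the kind of statistical heuristic an analyst uses to triage packed samples before any unpacking: compressed or encrypted code has near-random byte distributions, so a buffer whose regions sit close to 8 bits of entropy per byte is likely packed. The 7.0 threshold, the 1024-byte window and the two sample buffers are constructed assumptions for illustration.

```python
# Added example: entropy-based packer heuristic (not the article's own code).
import math
import hashlib
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption: bits/byte above which data looks compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for uniform/empty data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each fixed-size window; a packed payload shows up as a run of high values."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD, min_fraction: float = 0.5) -> bool:
    """Flag a buffer when at least min_fraction of its windows meet the threshold."""
    windows = windowed_entropy(data)
    if not windows:
        return False
    high = sum(1 for e in windows if e >= threshold)
    return high / len(windows) >= min_fraction


def pseudo_random_bytes(size: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


# Constructed samples: repetitive code-like text versus compressed-looking bytes.
PLAIN_SAMPLE = b"MOV EAX, [EBP+8]\nPUSH EAX\nCALL printf\nRET\n" * 64
PACKED_SAMPLE = b"MZ" + pseudo_random_bytes(4094)

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{name}: entropy={shannon_entropy(buf):.2f} packed={looks_packed(buf)}")
```

A real triage tool would run this per PE section rather than over the whole file, since a packer's stub stays readable while only the compressed payload section scores high.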
Finally, we have seen the emergence of server-side polymorphism, or “Crime-Ware as a Service (CaaS)” as the industry describes it, in which the polymorphic engine does not reside within the virus code itself but remotely on a server. There are two forms of server-side polymorphism that we know of today: one distributes mutated variations of malware into the wild in volume, and the other targets PCs that are part of a bot-net, where the specific bot variant can be mutated remotely via a command over HTTP. This is called crime-ware as a service because the actual viral code does not reside on the host but in the cloud, similar to a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.
This methodology has proven to be quite effective and difficult to counteract within the traditional anti-malware model. Server-side polymorphism is so hard to detect because the transformation function (the routines used to change the signature of the code) is not visible to the virus analyst. Therefore, the actual algorithms or techniques involved in this process cannot be studied to the degree necessary to create an effective vaccination. Bot-net communication is often encrypted as a defense mechanism to prevent easy discovery of the command and control server dishing out the mutated malware. As a result, attacks using server-side polymorphism often succeed in infecting their target while flying under the radar.
The best bet for stopping server-side polymorphism is the use of host-based intrusion prevention technologies, better known as HIPS. HIPS are designed to secure host-based systems, dealing with intrusions and infections at each individual workstation, and are widely regarded by security experts as a more effective safeguard against malware. HIPS solutions are only as effective as the layers of inspection they implement, ranging from the network stack to the application layer and using proactive technologies (heuristics, behavioral analysis, behavioral blocking, etc.) to provide a holistic view of the threat at hand.