As the threat landscape evolves, hackers are constantly changing techniques to counteract the detection technologies that vendors develop. I remember a few years ago when polymorphism and metamorphism were used as a way to constantly generate new variants of worms.
Essentially the virus morphed itself into different variations and successfully evaded signature-based technologies. Eventually the anti-virus industry responded by creating emulation technologies to counteract this new breed of virus.
Subsequently, proactive technologies (behavioral analysis, heuristics, etc.) were developed when worms began to self-replicate across networks and exploit 0-day vulnerabilities faster than a signature could be created. However, in today's world malware is run by organized crime and has simply adapted to the technologies that vendors have developed over the years.
Since we are already familiar with the shift from fame to profit, it is no surprise that hackers will do anything to make a buck these days, developing new and innovative ways to slip below the radar. Some of these methods are genuinely innovative and show real out-of-the-box thinking when it comes to crime.
As we begin to map out this evolution, several common themes emerge when it comes to stealth and camouflage techniques:
- Custom run-time packers
- Server-Side polymorphism
- Virtual machine / sandbox detection
According to PandaLabs, approximately 90% of all malware uses some form of packer, and the trend indicates packers are becoming more customized by the day, making the analyst's job harder.
Furthermore, we have the emergence of server-side polymorphism, or as the industry describes it, "Crime-Ware as a Service (CaaS)", in which the polymorphic engine does not reside within the virus code itself but remotely on a server.
This methodology has proven to be quite effective and difficult to counteract within the traditional anti-malware model. The reason server-side polymorphism is so hard to detect is that the transformation function (the routines used to change the signature of the code) is not visible to the virus analyst; therefore the actual algorithms and techniques involved in this process cannot be studied to the degree necessary to create an effective vaccination.
Server-side polymorphism opens the door to all sorts of problems, from an increase in targeted attacks to undisclosed data breaches, if corporations do not take a holistic approach to endpoint security.
Your best bet for stopping server-side polymorphism is the use of host-based intrusion prevention technologies, or HIPS as we call it. So how do we define HIPS? According to Gartner analyst Neil MacDonald, HIPS comprises several different technologies, from attack-facing network inspection to behavioral containment.
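To make the contrast between signature matching and behavioral containment concrete, here is an added example in Python (not code from the original post or from any vendor): two constructed variants of the same dropper that differ only in the bytes a remote transformation function appended, a hash-based signature that only matches the variant already seen, and a HIPS-style behavioral rule that flags the shared process behavior regardless of hash. The sample bytes, event stream, paths and addresses are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Set

# Constructed "binaries": the same core with different junk appended by a
# server-side transformation function, so every download has a fresh hash.
VARIANT_A = b"DROPPER-CORE" + b"\x90" * 7
VARIANT_B = b"DROPPER-CORE" + b"\xCC" * 11

# Signature list built from the one sample the vendor has seen (variant A).
KNOWN_BAD_SHA256 = {hashlib.sha256(VARIANT_A).hexdigest()}

@dataclass
class Event:
    pid: int
    action: str   # "write_file", "set_autorun" or "connect"
    target: str

# Constructed host event stream; both variants produce it because their
# behavior is identical even though their bytes differ.
DROPPER_EVENTS = [
    Event(4242, "write_file", r"C:\Users\u\AppData\Local\Temp\x.exe"),
    Event(4242, "set_autorun", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    Event(4242, "connect", "203.0.113.7:443"),
]

# Constructed benign stream: same actions, but not the full ordered sequence.
BENIGN_EVENTS = [
    Event(7, "connect", "198.51.100.2:443"),
    Event(7, "write_file", r"C:\Users\u\Documents\report.docx"),
]

def signature_match(sample: bytes) -> bool:
    """Traditional model: does the file hash appear in the blocklist?"""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256

# HIPS-style rule: one process drops a file, registers it to autostart, and
# then opens an outbound connection, in that order.
SUSPICIOUS_SEQUENCE = ("write_file", "set_autorun", "connect")

def behaviour_match(events: Iterable[Event]) -> Set[int]:
    """Return the pids whose actions complete SUSPICIOUS_SEQUENCE in order."""
    progress = {}          # pid -> how many steps of the sequence seen so far
    flagged = set()
    for e in events:
        step = progress.get(e.pid, 0)
        if step < len(SUSPICIOUS_SEQUENCE) and e.action == SUSPICIOUS_SEQUENCE[step]:
            progress[e.pid] = step + 1
            if step + 1 == len(SUSPICIOUS_SEQUENCE):
                flagged.add(e.pid)
    return flagged
```

The hash check catches variant A and misses variant B, while the behavioral rule flags the dropper's process for both and leaves the benign process alone.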