I’ve been deconstructing malware for over 20 years, and it turns out I’ve chosen a profession where it’s hard to feel in a rut — so much of what is happening with malware continues to feel dramatic and new to me. There’s always the latest malware inventiveness – “fileless” malware and cryptocurrency mining bots leap to mind at the moment – but more on my mind this week is the rise of the malware marketplace and the continued increase in “hyper-evasive” malware across the board.
Total annual malware volumes are up 7x globally over the last five years according to data from AV-Test.org, which means internet users and businesses are witnessing a rising flood of maliciousness in their email and web interactions. My principle observation today is that this is being matched by an increase in the number of techniques, on average, being incorporated into malware today in order to evade detection by traditional detection systems by hiding the distribution source and the malicious intent of the code.
One-third of Malware is “Hyper-Evasive”
Just how evasive is malware today? To get at this systematically, my team just concluded a study of malware sent to our cloud sandbox array during the first quarter of this year. Such malware has passed through several prior stages of automated analysis, and has still not been definitively categorized as benign or malicious. We discovered that over 98 percent of malware making it to the sandbox array uses at least one evasive tactic, and that 32 percent of malware samples making it to this stage were what we could classify as “hyper-evasive,” layering on six or more detection evasion techniques.
Historically, some malware uses multiples of that number, like Cerber ransomware, which is extremely “sandbox aware” and runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.
Malware That Fools a Single Sandbox
Another key statistic that came out of our research is that 27% of the malware caught in our sandbox array evades detection when subjected to analysis by a single sandbox. Such malware’s true nature is only discovered after executing it in two or more different sandboxing environments, changing variables such as the OS or the browser, or even switching to a “sandbox-less” physical machine. Besides the use of multiple evasive tactics, other defining characteristics for such hyper-evasive malware include the fact that it originates from “unknown” sources or from code lodged in compromised, trusted sites, and the fact that it rarely contains obviously suspicious code.
Malware Service Industry Will Drive Growth
The rise of the malware service industry (I’ll resist calling it the more fashionable “MaaS”) is a factor in this increasing average level of sophistication and contributes to increasing volumes as well. It has dropped the barriers-to-entry for would-be hackers over the past couple of years, a trend I see accelerating in the future.
We are witnessing the growth of a malware marketplace where any person with bad intentions and a few cryptonickels to rub together can click through user-friendly, do-it-yourself sites on the dark web and quickly build and download a customized ransomware package, as one example. Other sites specialize in incorporating obfuscation techniques for any software you may have developed or acquired elsewhere. One I’m looking at right now has boxes I can check to include up to 27 different evasion techniques, providing options such as delayed execution, extension spoofers, fake junk code, and the choice of nine different encryption algorithms.
There was a time when sophisticated evasion required you to be a talented (albeit misguided) programmer with networking chops – now you can pull together everything needed in an afternoon without any specialized technical knowledge. I believe this easing of entry into the “business” will also contribute to more micro-targeting in the distribution of attacks, as the low cost and ease of development of malware means an adequate return might be had by attacking smaller and smaller groups.
Application sandboxing began to develop during the 1990s as a key response to polymorphic malware. Twenty years later, the mouse has evolved, and we need to leap ahead to a better mousetrap, out-automating the malware marketplace.