Security Evasion and Customized Malware Has Become Mainstream for Attackers of all Skill Levels…
Targeted, custom and polymorphic malware is obviously a top concern for security teams. A steady drumbeat of high profile breaches and revelations of highly sophisticated attacks driven by nation-states has burned this risk into the minds of everyone from the wiring closet to the boardroom. This has led many organizations to aggressively pursue new technologies and solutions that can help identify malicious files even in the absence of a known signature. This is great progress, but it has uncovered a challenge that many security practitioners didn’t expect – unknown malware isn’t all that rare.
While truly targeted attacks are certainly very real, it’s also true that more traditional botnets and crimeware have also adopted new techniques to re-encode or otherwise slightly modify their malware such that it isn’t detected by traditional antivirus or web gateways. As is the case with most criminally-motivated malware, these techniques are performed on a large scale and generate massive amounts of malware that, to an IT manager, can look like completely new and custom malware. Certainly, both types of malware present a real risk to any organization, and both need to be addressed.
The problem shows up in terms of security process. Even forwarding-leaning organizations that have adopted new technologies to detect unknown malware still rely largely on manual investigation and remediation once the malware is detected. Given the scale at which large malware operations are run, a security team can quickly be consumed responding to wave after wave of malware variants to the point that they miss the truly targeted attack hitting their network. Ultimately, we need to realize that these are different threats that require different process and response. Where possible, we must automate our defenses against automated threats, including those that are unknown, so that our manual response can be focused on the true targeted and highest risk threats.
The good news is that large-scale mass-produced threats create distinctive patterns and there are things that we can do today to begin proactively blocking these more common types of unknown and polymorphic malware.
The Death of Signatures Has Been Greatly Exaggerated
I recently had the opportunity to analyze more that 26,000 seemingly unique samples of malware collected in real enterprise networks. All of these samples were tested against multiple antivirus solutions and there was no coverage at the time they were detected. However, on closer inspection, some of these samples were not so unique after all. If we looked beyond the superficial characteristics of file name and hash value, and dug into the payload of the malware itself, we quickly saw that over 40% of these samples were related. In short, the variants of malware were revealing themselves in the form of specific indicators in the header and body of the malware, and these indicators could be used for real-time blocking. This means that some pieces of modern malware can be addressed by real-time threat signatures, provided we look deeply enough into the payload and that those signatures can be delivered in a timely manner. This certainly doesn’t solve the entire malware problem, but it’s a start that can help us drain the swamp and reducing the scope of events that need a manual response.
Payloads Are Easy to Change, Behaviors Require More Work
In addition to looking at the payload of malware, we can also see patterns in the behaviors of malware. This was especially apparent when observing malware communication tactics. Malware traffic is typically quite anomalous when compared to regular network traffic. Thirty percent of malware samples were observed to generate custom or otherwise unknown traffic as part of their command-and-control traffic. Similarly, large-scale malware operations relied heavily on newly registered domains and fast-flux domains for their communications. While these indicators may or may not be ground for automatic blocking depending on the security posture of the organization, they are certainly factors that can be used for correlation or in conjunction with other policies.
For example, an organization would likely never need to allow executable files to be delivered via an unknown domain or via unknown application traffic. Likewise, looking for HTTP-POSTS and other commonly used malware methods going to unknown sources can easily reveal the presence of malware in the network. The important thing is that these behaviors remain even as the malware file changes. It doesn’t mean that malware authors won’t continue to evolve and change, but it is inherently a much slower process to change fundamental malware behavior as opposed to simply covering the malware in a new coat of paint. This again, can give us an important lever to continue to proactively respond to the more common types of malware so that we can focus on the more exceptional samples.
These are obviously just starting points, but the concept is certainly one that is extensible, and ultimately necessary in my opinion. Security evasion and customized malware has become mainstream for attackers of all skill levels, and we will always lose if we attempt to fight an automated threat with a manual response. The truly targeted threats will likely continue to require hands-on focus and action from our security professionals, but we need to make sure we put them in a relatively fair fight. Fighting nation-state attackers is a challenge enough without trying to fight an army of clones at the same time.
