Developing Immunity Against Zero-Day Mutations

Scott Register at Ixia looks at how the latest malware can be mutated to evade detection by conventional defences, and how businesses can counter the threat.

Everything has to change and adapt to its environment in order to survive, whether it’s a plant, animal, or malicious code developed by cybercriminals.  As new attack techniques are developed to breach networks and steal data, or to encrypt critical files and demand ransoms from victims, security researchers strengthen defenses and introduce new features to counter the emerging threats.  For a short while, criminals may have an advantage until a security solution or feature is made widely available:  then the criminals have to evolve their attack methods to get around the security, and the cycle continues.

An example of this cycle of adaptation and change is the emergence of ‘Zero Day Mutations’ – malware capable of changing itself to evade detection by traditional, signature-based antivirus and IPS systems.  As these signature-based products can only block malware that has alreadybeen analysed and indexed, a variant that is able to mutate itself and change its fundamental characteristics can pass undetected to infect the network.

There’s only a small window of time in which the mutated malware can do this – it usually takes just days or hours for security vendors to identify and issue updates for new attacks – but as long as that window is open, networks’ traditional defensive shields are down.  The Zero Day Mutation technique is frequently applied to ransomware, which is already hard enough for organizations to defend against, because of the insidious way in which it is delivered.  And when the ransomware is capable of mutating, blocking the attack becomes even harder.

The what and how of mutated malware

Our Application and Threat Intelligence (ATI) research team recently analyzed a Zero Day Mutation variant of the Locky ransomware family, which used advanced obfuscation and evasion techniques to avoid discovery by conventional signature-based security products.  In fact, when we discovered the new variant, under 10% of antivirus products were capable of detecting it – which explains why Locky has been the highest-ranked malware threat in the second quarter of 2016.  To understand why this malware has been so effective, let’s take a closer look at how its infection process works.

This latest versions of ransomware use a multi-stage process to infect networks, starting with a targeted phishing email which contains an innocuous-looking document.  The document contains a macro programmed by the attackers to mutate, to help the infection evade detection by signature-based security products.  If the user opens the document, the macro is activated and connects to the attackers’ remote server on the Internet to download the ransomware payload to the user’s machine.  The macro actually rewrites the payload as it downloads – so the file sent across the network is harmless until it hits the user’s PC.  It then starts encrypting the files on that PC (and on other drives the PC is connected to), and demands a ransom.

These multi-stage attacks are especially dangerous, as they are able to bypass detection by virtualized sandboxes, which are often deployed by organizations to block brand-new malware for which signatures have not yet been developed.  Most sandboxes do not flag macros as malicious and further, they only inspect email-based traffic.  Once the macro has been activated on the user’s PC, the malicious payload is delivered by a different route, avoiding the sandbox entirely.

Addressing Zero Day Mutations

However, there is an alternative approach to blocking these Zero Day Mutations which involves both what is being delivered to the network, andwhere that delivery originates from.  This works on the principle that ‘bad’ IP addresses – that is, IP addresses that are known to originate malware, spam hosts, command and control botnets and other tools of cybercriminals – are fairly easy to identify, and that a ‘bad’ IP address very, very rarely switches to become ‘good’ and trustworthy.

This is because IP addresses used on the server side of cybercriminals’ connections are relatively scarce; hackers must either find and compromise an individual server (which may be concurrently used in another criminal campaign), or hijack a range of IP addresses via Internet routing manipulation. These are not simple or easy processes, so IP addresses tend to be continually reused for criminal purposes.  Even brand-new malware variants are invariably connected to a relatively small number of known compromised IP addresses, which totals in the tens of millions out of 4.3 billion IPv4 addresses.

As such, once a malicious IP address is identified, it can be safely filtered and blocked outright from connecting to an organization’s network.  This is done using a threat intelligence gateway that constantly monitors, in real time, both the originating and target IP address for all traffic entering and leaving the network.  It then proactively blocks traffic from malicious IPs, powered by real-time, constantly updated intelligence feeds on addresses that are known to be compromised.

This means that even if a user falls victim to a social engineering email and does open a document containing a macro ransomware downloader, the threat intelligence gateway will prevent the macro from communicating to the IP addresses hosting the Locky payload, nullifying the danger to the user and to the wider enterprise network.  The gateway can also block any attempts by pre-existing, dormant network infections from communicating with external command and control servers.

Conventional defences against malware have focused on what type it is, and how it’s delivered.  Criminals know this, and developed sophisticated Zero Day Mutations that are able to evade those defences.  However, by adding a third detection vector and looking at where the malware originates from, it’s possible to block damaging attacks, and  make networks immune to the newest, most advanced threats.