Malware Wants to Hide But it Has to Run to Wreak Havoc

By ISBuzz Team
Writer, Information Security Buzz | Mar 24, 2015 05:05 pm PST

It’s hard to find something you don’t even know is there. This is especially true of advanced malware. Even though traditional antivirus software is widely deployed by most enterprises and its sophistication has improved over its 30-year existence, it can only find malware if it knows exactly what to look for (by, for example, its digital signature). Malware, though, is sneaky, patient, and routinely modified to evade detection. With advanced malware such as zero-days, rootkits and remote access Trojans (RATs), the task of ferreting it out becomes even trickier. Today’s hackers commonly use methods such as encryption to obfuscate code, and packing to prevent detection by signature-based antivirus software, and these require special techniques to identify. To execute, the code must first be unpacked or decrypted, making the malware detectable in memory but not directly on the disk or other storage media. Further, some malware will create registry keys to render itself persistent after reboots even though volatile memory is erased. Signature-based methods are not equipped to detect these advanced threats. However, malware of this type still has to run in memory to wreak its havoc, regardless of how it is delivered, and it can only be detected by behavior-based approaches.

While advanced malware has been crafted for many purposes including stealing passwords and personally identifiable information (PII), and even for pranks, there are countless methods of coding each of the features in the malware. For example, there are tens of thousands of ways to code a key logger in Windows alone. Typical antivirus software has to track not only each of these malicious applications, but it must also keep up with the hundreds of variants, creating literally millions of different pieces of malware just for key logging. However, because the number of operations carried out by the various key loggers to execute malicious activities is finite, behavioral detection only needs to track a small number of operations. Therefore, if you can identify malware by its behaviors, you stand a much better chance of detecting each and every malicious key logger. With behavior-based malware detection, millions of signatures are no longer needed to find a given piece of malware. In fact, no signature is needed at all to detect brand new malware, which could not be caught at all with signature-based systems.

As we’ve all seen in the last two years, there’s been a deluge of data breaches and cyberattacks, with huge corporations including Home Depot, Target, Sony and Anthem falling victim and exposing tens of millions of individuals’ records to hackers. The Identity Theft Resource Center reported 783 data breaches in 2014, an increase of 28 percent from 2013. And these are just the major breaches that are reported in the media or required notification to government agencies. Today’s valuable digital assets are being targeted regardless of the size of the company or where they are located. Even smaller companies that are connected in today’s complex business ecosystems to larger companies are no longer safe.

Against this backdrop, traditional antivirus software still has value, but it can be limited. Antivirus software looks for malware by matching it exactly against a database of known malware signatures by each line of code. An extension of the signature is the Indicator of Compromise (IOC), which is a collection of parameters about the malware. Signatures can include something as simple as an MD5 hash value. IOCs may also include parameters such as filename, path, IP addresses or author/source. While useful, these indicators will only get you part way toward a secure solution. Although malware writers don’t write brand new software each day, they do often change existing software to avoid detection. It’s not only very easy to change the filename of a piece of malware, it is also simple to change one byte of code, effectively making it a new piece of malware undetectable by its previous signature. That’s all it takes to trip up antivirus software. With this many variants, it is difficult for traditional AV software and IOC-based detection systems to keep up. Today’s advanced malware requires something stronger.

There are alternative methods to find malware, such as whitelisting and network-based solutions, but even those can be bypassed by today’s increasingly sophisticated and persistent cybercriminals. Whitelisting is one way to give the green light for known processes and applications to run, such as a program like Microsoft Word or Internet Explorer. However, whitelisting cannot detect memory modifications, malware injected into safe applications, or malicious code running in the registry. So those plugins and Word macros that appear to be safe according to your whitelist may in fact be malicious. Furthermore, perimeter-based detection is also averted by hackers using packed and encrypted code as well as code fragments.

The only real solution is to search for malware not by matching it precisely against a signature or a whitelist, but rather by the behavior that it carries out when the malware is run, or executed, in memory. How is this done? Take the example of a bank robber: He may be pacing back and forth in front of a bank, in warm weather, wearing a ski mask, and appearing agitated. It could be just any individual, but his behaviors — pacing, agitation, ski mask — are what identify him as a threat. In the same way, advanced malware exhibits behaviors as it executes — opening multiple communication channels, contacting a server by IP address rather than domain name, etc. — and these behaviors can be identified at a very granular level in memory when the malicious code executes. The idea is that one doesn’t need to know every line of code to identify malware; one needs to know how it’s going to behave, and from there it can be identified and successfully eradicated.
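An added example, not from the original article: it contrasts an MD5 signature check, which misses a variant differing by one byte, with rules over run-time events that flag the behaviors named above (contacting a server by IP address, opening multiple channels, writing a persistence registry key). The byte strings, event tuples, behavior names and the two-behavior threshold are all constructed for illustration.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed stand-ins: a "known" sample and a variant differing in one byte.
KNOWN_BAD = b"constructed-sample-payload-A"
VARIANT = b"constructed-sample-payload-B"
SIGNATURES = {hashlib.md5(KNOWN_BAD).hexdigest()}  # hash-only signature set

# Constructed run-time telemetry: (pid, event kind, detail). IPv4/hostnames only.
EVENTS = [
    (101, "dns_query", "updates.example.com"),
    (101, "connect", "updates.example.com:443"),
    (202, "connect", "203.0.113.7:8080"),
    (202, "connect", "203.0.113.7:8443"),
    (202, "connect", "198.51.100.9:53"),
    (202, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]

def signature_match(blob):
    """Exact-match check: True only if the blob's MD5 is already known."""
    return hashlib.md5(blob).hexdigest() in SIGNATURES

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def behaviors(events):
    """Map each pid to the set of suspicious behaviors seen while it ran."""
    seen, endpoints = defaultdict(set), defaultdict(set)
    for pid, kind, detail in events:
        if kind == "connect":
            endpoints[pid].add(detail)
            if is_ip_literal(detail.rsplit(":", 1)[0]):
                seen[pid].add("raw_ip_connect")       # server reached by IP, not name
            if len(endpoints[pid]) >= 3:
                seen[pid].add("multiple_channels")    # several distinct endpoints
        elif kind == "reg_set" and r"\CurrentVersion\Run" in detail:
            seen[pid].add("autorun_persistence")      # survives reboot via registry
    return dict(seen)

def flagged(events, threshold=2):
    """Pids showing at least `threshold` distinct behaviors (assumed cutoff)."""
    return sorted(p for p, b in behaviors(events).items() if len(b) >= threshold)
```

The variant slips past `signature_match`, while `flagged(EVENTS)` still reports pid 202 because the rules never look at the file's bytes.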

At the end of the day, it’s easy to miss malware at rest (on disk) or in motion (on the network) because of hackers’ advanced tools and techniques, which allow it to avoid signature-based scanning techniques on the endpoints and network-based detection methods. It can lie at rest literally for years. The only guaranteed and fool-proof way to ferret out malware is to have it run in memory and simultaneously apply behavior-based malware detection against it. Malware wants to hide to avoid detection, but to carry out its bad acts, it must run. It’s only when malware runs and you’re looking for its behavior that you can find it and take the requisite steps to eradicate it.

By Raj Dodhiawala, senior vice president and general manager at ManTech Cyber Solutions International.

About Raj Dodhiawala

Raj Dodhiawala is senior vice president and general manager at ManTech Cyber Solutions International, a provider of cyber security solutions specializing in comprehensive, integrated security support, including computer and network design, implementation, and operations. Specializing in enterprise software appliance marketing, product management, technology and services, Raj offers a quarter of a century of enterprise software experience. As the Vice President of Innovation and Engineering at Morse Best Innovation, Raj led the company’s effort in technical marketing services and developed DemoMate, a software-plus-services solution for sales readiness. At Microsoft, he was the Chief Architect of the .Net Center of Excellence as well as the Program Co-Lead for the Net Effect program. Prior to Microsoft, Raj served as Director of Engineering at Blue Coat, leading the Server Accelerator product effort, which remains a core component of the company’s revenue mix. Additional roles include Director of Engineering at NUKO, Technical Scientist for Boeing Computer Services and software consultant at Tata Consultancy Services in Mumbai, India.