This article shows how threat actors are using increasingly sophisticated malware designed to evade traditional signature-based protections and even some sandbox technology. In addition, a lack of experienced staff and an over-reliance on technology are exposing weaknesses in network security, resulting in failure to detect and/or respond to a major security breach.
Advanced and evasive threats are intentionally designed to evade existing security controls and their usage and impact only continue to grow.
- 45% of respondents report their company had one or more data breaches in the past 24 months*
- 65% of respondents say breaches evaded existing preventive security controls*
- 46% of breaches were discovered by accident*
- 33% of the organizations breached discovered the breach two or more years after the incident*
As some sandboxes become more efficient at detecting advanced and evasive threats, so do the techniques used to evade them.
What are these techniques, what do they entail and how do you prepare for them?
Five of the most common are stalling, user-interaction checks, environment checks, host fingerprinting and sleep calls.
Stall
Technique: Malware burns CPU cycles on useless work disguised as benign activity.
In depth: Stalling code exploits two common weaknesses of analysis systems:
- An analysis system can only spend a limited amount of execution time on each sample, so it times out while the stalling code is still running
- Authors design the code to take far longer in the analysis environment than on a real host, so what takes minutes under analysis takes seconds on the victim machine
Interaction
Technique: Malware determines whether it is on a real, live PC by lying dormant until a predetermined human interaction occurs.
In depth: Some common human interactions the malware looks for:
- Human scrolling: The user must scroll to a predetermined place in a file; this defeats random or pre-programmed mouse movements meant to trigger execution
- Click count: Waits until a predetermined number of clicks have occurred; this defeats analysis engines that issue a single click to try to trigger execution
- Mouse speed: Looks for suspiciously fast movement; this defeats analysis engines that move the cursor faster than any human could
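The three checks above are the reason a sandbox's input driver has to behave like a person rather than a script. The following Python is an added example written for this article, not code from the original page or from any sandbox product: it generates a synthetic reading session (eased cursor movements with jitter, dwell before clicks, page-by-page scrolling with reading pauses), profiles the features the article says samples inspect, and applies a sanity gate a sandbox operator can run against the driver before using it. The thresholds, screen size and document length are assumptions chosen for illustration.

```python
"""Human-like input driver for a sandbox, with a self-check (added example)."""
import math
import random
from dataclasses import dataclass


@dataclass
class InputEvent:
    t: float          # seconds since session start
    x: float          # cursor position in pixels (assumed 1280x720 screen)
    y: float
    click: bool = False
    scroll: int = 0   # document offset in lines after this event (0 = no scroll)


def _ease(u):
    """Smoothstep: speed is zero at both ends and peaks mid-movement, like an arm."""
    return u * u * (3 - 2 * u)


def move_cursor(events, t, start, end, duration, rng, steps=25):
    """Append a human-like move from start to end taking `duration` seconds."""
    for i in range(1, steps + 1):
        u = _ease(i / steps)
        jitter = rng.uniform(-1.5, 1.5)      # hand tremor, in pixels
        x = start[0] + (end[0] - start[0]) * u + jitter
        y = start[1] + (end[1] - start[1]) * u + jitter
        events.append(InputEvent(t + duration * i / steps, x, y))
    return t + duration


def drive_session(seed=7, clicks=3, document_lines=400, lines_per_page=40):
    """Produce a plausible session: move, dwell, click, then read to the end of a file."""
    rng = random.Random(seed)
    pos = (640.0, 360.0)
    events = [InputEvent(0.0, *pos)]
    t = 0.0
    for _ in range(clicks):
        target = (rng.uniform(100, 1180), rng.uniform(80, 640))
        t = move_cursor(events, t, pos, target, rng.uniform(0.6, 1.2), rng)
        t += rng.uniform(0.08, 0.25)          # short dwell before clicking
        events.append(InputEvent(t, *target, click=True))
        pos = target
    offset = 0
    while offset < document_lines:            # scroll all the way to the end
        t += rng.uniform(2.0, 6.0)            # reading time per page
        offset = min(offset + lines_per_page, document_lines)
        events.append(InputEvent(t, *pos, scroll=offset))
    return events


def teleport_session():
    """Constructed counter-example: a naive driver that jumps and clicks instantly."""
    return [InputEvent(0.0, 0.0, 0.0),
            InputEvent(0.001, 1000.0, 700.0, click=True),
            InputEvent(0.002, 1000.0, 700.0, click=True)]


def profile(events):
    """Summarise the features the article says samples inspect."""
    max_speed = 0.0
    for a, b in zip(events, events[1:]):
        dt = b.t - a.t
        if dt <= 0:
            continue
        max_speed = max(max_speed, math.hypot(b.x - a.x, b.y - a.y) / dt)
    return {
        "clicks": sum(e.click for e in events),
        "max_speed_px_s": max_speed,
        "final_scroll": max(e.scroll for e in events),
        "duration_s": events[-1].t,
    }


def looks_human(events, min_clicks=2, max_speed_px_s=4000.0, document_lines=400):
    """Gate a sandbox can apply to its own driver: enough clicks, plausible speed,
    and the document actually scrolled to the end (assumed thresholds)."""
    p = profile(events)
    return (p["clicks"] >= min_clicks
            and p["max_speed_px_s"] <= max_speed_px_s
            and p["final_scroll"] >= document_lines)


if __name__ == "__main__":
    print(profile(drive_session()), looks_human(drive_session()))
    print(profile(teleport_session()), looks_human(teleport_session()))
```

The eased movement keeps peak cursor speed around 3,000 px/s for a full-screen traverse, which passes the gate, while the teleporting driver fails it on speed alone; the scroll check fails any driver that stops short of the end of the document, which is the case the first bullet describes.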
Environment Check
Technique: Malware checks the environment for a virtual machine or for well-known registry keys and files that would signify a sandbox.
In depth: Malware checks whether certain OS versions, applications, registry keys, files, directories, etc., are present and withholds its malicious code until they are. Some malware even goes to the extent of waiting until an internet connection is present. If its predetermined conditions are not met, it may simply terminate. In a virtual environment, malware conducts similar checks and modifies its behavior accordingly, making analysis more difficult.
Fingerprint
Technique: Malware computes a unique host fingerprint upon arrival in the environment. When it later starts execution, a new host fingerprint is computed and compared against the original to determine whether it is now in a different environment.
In depth: When an analysis engine runs the sample in an environment that is even slightly different from the one where initial contact was made, the malware can detect the change and take a different set of actions to avoid revealing its malicious intent.
Sleep
Technique: Using sleep calls, malware refrains from suspicious behavior while it is being monitored.
In depth: Beyond adding extended sleep calls to the code, triggers are sometimes added to delay execution until a later time and date. During the monitoring window the sandbox observes nothing malicious and moves on.
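The Stall and Sleep sections both rely on the sandbox's limited time budget, but they call for different countermeasures, and the following Python, an added example written for this article rather than code from the page or from any sandbox product, shows why. The sandbox hands the sample a virtual clock whose sleep() never blocks, so a ten-minute sleep costs nothing and the payload stage is still observed within budget. A stalling loop makes no sleep call that could be skipped, so the only correct response is to treat budget exhaustion as a suspicious verdict in its own right rather than a clean one. The samples, the budget and the 300-second sleep threshold are constructed for illustration.

```python
"""Sandbox-side sleep skipping and stall accounting (added example)."""
import threading
import time
from dataclasses import dataclass, field


@dataclass
class VirtualClock:
    """Clock handed to the sample in place of the real one. sleep() does not
    block: it records the request and advances virtual time instantly."""
    now: float = 0.0
    requested_sleeps: list = field(default_factory=list)

    def sleep(self, seconds):
        self.requested_sleeps.append(float(seconds))
        self.now += float(seconds)

    def time(self):
        return self.now


@dataclass
class Report:
    payload_ran: bool
    timed_out: bool
    virtual_elapsed: float
    real_elapsed: float
    requested_sleep: float
    verdict: str


VERDICT_STALL = "stalling suspected"        # budget exhausted, no payload seen
VERDICT_DELAY = "delay evasion suspected"   # payload seen only after a long skipped sleep
VERDICT_PAYLOAD = "payload observed"
VERDICT_NOTHING = "nothing observed"


def analyze(sample, budget_seconds, sleep_threshold=300.0):
    """Run sample(clock) in a worker thread under a real-time budget.

    `sample` stands in for the monitored program; it must use the clock's
    sleep()/time() and returns True when its 'payload' stage executes.
    """
    clock = VirtualClock()
    outcome = {"payload_ran": False}

    def worker():
        outcome["payload_ran"] = bool(sample(clock))

    t = threading.Thread(target=worker, daemon=True)
    start = time.perf_counter()
    t.start()
    t.join(budget_seconds)                  # give up once the real budget is spent
    real_elapsed = time.perf_counter() - start
    timed_out = t.is_alive()
    requested = sum(clock.requested_sleeps)

    if timed_out:
        verdict = VERDICT_STALL             # never report a timed-out sample as clean
    elif outcome["payload_ran"] and requested >= sleep_threshold:
        verdict = VERDICT_DELAY
    elif outcome["payload_ran"]:
        verdict = VERDICT_PAYLOAD
    else:
        verdict = VERDICT_NOTHING
    return Report(outcome["payload_ran"], timed_out, clock.now,
                  real_elapsed, requested, verdict)


# --- constructed stand-ins for monitored programs -------------------------

def sleeping_sample(clock):
    """Waits ten virtual minutes before its payload stage (the Sleep technique)."""
    clock.sleep(600)
    return True


def prompt_sample(clock):
    """Pauses briefly, then runs its payload; below the suspicion threshold."""
    clock.sleep(2)
    return True


def stalling_sample(clock, iterations=20_000_000):
    """Burns real CPU time on a pointless loop (the Stall technique); there is
    no sleep call for the sandbox to skip, so only the budget decides."""
    x = 1
    for _ in range(iterations):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
    return True


if __name__ == "__main__":
    print(analyze(sleeping_sample, budget_seconds=2.0))
    print(analyze(prompt_sample, budget_seconds=2.0))
    print(analyze(stalling_sample, budget_seconds=0.25))
```

Reading the reports together gives the operational rule: a payload that appears only after a skipped multi-minute sleep is itself an indicator worth recording, and a sample that exhausts the budget without reaching any payload should be escalated or re-run with a longer budget, not filed as benign.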
Security teams need to rethink their people-process-technology mixes and strengthen them to defeat these new threats, which are on the upswing.
A new approach - an innovative combination of threat intelligence and next-generation sandboxing - can help businesses enhance their security postures to outsmart and outmaneuver attackers.
*Ponemon Institute, "2014 A Year of Mega Breaches" January 2015, survey of 735 IT and IT security practitioners about the impact of the Target and other mega breaches on their IT budgets and compliance practices as well as data breaches their companies experienced.