Evasive Malware Requires New Class of Threat Detection Solutions

In the hide-and-seek world of cybersecurity, malware authors are becoming increasingly adept at creating malware that avoids detection. Using automated tooling, increasingly including artificial intelligence (AI), they mutate and repackage their malicious code so that it no longer matches what conventional antivirus products know to look for.

Cybersecurity has always been largely dependent on signature- and rules-based defenses that look for known patterns: byte sequences, function names, file hashes or other traits that have been previously identified and indexed as malware. However, more than half of all malware variants now have none of those identifiable characteristics, according to WatchGuard Technologies’ latest Internet Security report.

Malware authors use a variety of techniques, and combinations of techniques, to produce zero-day malware: samples that have never been seen before, so no signature exists for them and antivirus solutions let them through. Here are some of the more effective methods:

Code injection. Malware writes its code into the memory of a legitimate running process (a browser or a system service, for example) and executes it there. The malicious activity then appears to come from a trusted program, and no suspicious file is left on disk for a scanner to inspect.

Binding. Hackers wrap malicious code together with a legitimate program, typically a free and open-source application, into a single installer. The legitimate program itself is not modified and runs normally, so the bundle raises no red flags while the malicious component executes alongside it.

Timing attacks. Malware authors use sleep and delay API functions so that their code sits dormant for minutes or hours. Automated sandboxes observe a sample for only a limited time, so a sample that stalls long enough, or that reads the system clock to check whether its sleep was artificially shortened, can avoid detonating under observation and wait for a trigger before launching its payload.

Code obfuscation / morphing. Hackers run their code through an encoder that scrambles strings, renames identifiers or packs the binary, making it unreadable to a scanner that inspects the file as stored. The original form is restored in memory only when the code executes.

Malicious encryption. With stolen or forged TLS (SSL) certificates, cybercriminals deliver malware and command-and-control traffic over encrypted connections that look like ordinary HTTPS, so firewalls and intrusion detection systems that do not decrypt traffic never see the malicious content.

Macro viruses. A macro is a series of commands or instructions embedded in a document, such as a Word or Excel file, in order to automate some tasks. Hackers replace or add macros that run when the file is opened and its content is enabled. Macro viruses are often used as downloaders that fetch and install malware for harvesting credentials.

Polymorphism. Malware authors use a program known as a polymorphic engine to generate code that continually mutates while keeping the underlying behavior intact. Each copy encrypts the payload under a fresh key and rewrites the small decryption stub, so the bytes on disk, and therefore the file hash and any byte-level signature, differ from one sample to the next, while the code that actually runs in memory is the same.
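The following is an added example, written for this page and not code from WatchGuard or from any malware family, showing why the obfuscation and polymorphism items above defeat byte-signature and hash-based matching. It builds a toy polymorphic packer: a harmless stand-in payload (constructed here) is XOR-encrypted under a fresh random key for every copy, using an assumed container layout of key length, key, then ciphertext. A static scanner that matches the known pattern against the file as stored misses every copy, while a scanner that unpacks first catches all of them. Only the body re-keying is modeled; a real engine also mutates the decryptor stub.

```python
import hashlib
import secrets

# Constructed stand-in for a malicious payload (an innocuous string, not real malware).
PAYLOAD = b"download http://example.invalid/stage2 and execute it"

# The byte pattern a conventional signature engine would have extracted from the plaintext.
SIGNATURE = b"download http://"


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the classic primitive polymorphic packers use to re-encrypt a body.
    XOR is its own inverse, so the same function decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes, key_len: int = 8) -> bytes:
    """Emit one polymorphic variant of the payload.

    Assumed toy container layout: [key_len: 1 byte][key: key_len bytes][payload XOR key].
    A real engine also rewrites the decryptor stub; only the body re-keying is modeled here.
    """
    key = secrets.token_bytes(key_len)
    return bytes([key_len]) + key + xor_encode(payload, key)


def unpack(variant: bytes) -> bytes:
    """What an emulator or unpacker recovers by running the decryptor: the original payload."""
    key_len = variant[0]
    key = variant[1:1 + key_len]
    return xor_encode(variant[1 + key_len:], key)


def signature_scan(blob: bytes) -> bool:
    """Static scanner: matches the known byte pattern against the file exactly as stored."""
    return SIGNATURE in blob


def unpacked_scan(blob: bytes) -> bool:
    """Scanner that unpacks (or emulates) first and matches on the decoded content."""
    return SIGNATURE in unpack(blob)


def compare_scanners(n_variants: int = 50) -> dict:
    """Generate n_variants samples of the same payload and score both scanners against them."""
    variants = [make_variant(PAYLOAD) for _ in range(n_variants)]
    on_disk = {hashlib.sha256(v).hexdigest() for v in variants}
    decoded = {hashlib.sha256(unpack(v)).hexdigest() for v in variants}
    return {
        "variants": n_variants,
        "distinct_on_disk_hashes": len(on_disk),   # one per sample: hash blocklists are useless
        "distinct_decoded_hashes": len(decoded),   # exactly one: the behavior never changed
        "static_signature_hits": sum(signature_scan(v) for v in variants),
        "unpacked_signature_hits": sum(unpacked_scan(v) for v in variants),
    }


if __name__ == "__main__":
    for name, value in compare_scanners().items():
        print(f"{name}: {value}")
```

Running it prints 50 distinct on-disk hashes, one distinct decoded hash, zero static hits and 50 unpacked hits. The practical lesson is the one the list above is making: once the stored bytes change on every copy, detection has to move to what the code does or what it decodes into, which is what emulation, memory scanning and behavioral analytics provide.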

These techniques are in part responsible for the dramatic increase in global malware instances. Total annual malware volumes have increased by an astounding 1,500 percent over the past 10 years, according to figures from the AV-TEST Institute, a German cybersecurity research organization.

The institute says it registers more than 350,000 new malicious programs every day, many of which employ evasive techniques. According to one study, 98 percent of new malware instances use at least one evasive tactic. A third of those are classified as “hyper-evasive,” using six or more techniques for evading detection.

Although conventional, signature-based antivirus solutions remain essential elements of network security, organizations clearly need tools that can accelerate detection of these new, more evasive threats. That need has led to a rapid growth in the market for threat detection and response (TDR) solutions that use powerful analytics to correlate massive amounts of endpoint data to identify evasive threats and take steps to mitigate damage.
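As an added illustration of the timing attacks listed above and of the kind of endpoint-telemetry analytics this paragraph calls for, here is a small detector that runs over a sandbox API-call trace. It is example code written for this page, not WatchGuard TDR logic. The trace lines, process IDs, paths and thresholds are constructed assumptions; the API names are real Windows calls. Two heuristics are applied per process: a large total requested sleep before the process does any real work, and repeated clock reads around sleeps, which is how a sample checks whether a sandbox fast-forwarded its delay. A malformed line is skipped rather than crashing the analysis, since partial telemetry is the normal case.

```python
import re
from collections import defaultdict

# Constructed sandbox API-call trace, one event per line: "<seconds> <pid> <api> [argument]".
# Format, pids and paths are invented for this example; the API names are real Win32 calls.
TRACE = """\
0.000 1204 GetTickCount
0.001 1204 Sleep 300000
0.002 1204 GetTickCount
0.003 1204 Sleep 300000
0.004 1204 GetTickCount
0.005 1204 Sleep 300000
0.006 1204 NtDelayExecution 120000
0.007 1204 InternetOpenUrlW http://example.invalid/stage2
0.008 1204 WinExec C:\\Users\\u\\AppData\\Local\\Temp\\s2.exe
0.000 2210 Sleep 250
0.400 2210 InternetOpenUrlW https://updates.example.invalid/manifest
0.500 2210 WriteFile C:\\Program Files\\App\\manifest.json
garbage line that a flaky collector might emit
"""

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}      # argument: delay in milliseconds
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter"}
PAYLOAD_APIS = {"InternetOpenUrlW", "WinExec", "CreateProcessW", "WriteFile"}  # assumed "real work" set

# Assumed policy thresholds: sandboxes typically observe a sample for a few minutes, so a
# process that asks to sleep five minutes or more before doing anything is stalling.
STALL_SLEEP_MS = 5 * 60 * 1000
CLOCK_CHECKS = 2

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<pid>\d+) (?P<api>\w+)(?: (?P<arg>.*))?$")


def parse_trace(text: str) -> list:
    """Parse trace lines into (ts, pid, api, arg) tuples, skipping lines that do not fit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m["ts"]), int(m["pid"]), m["api"], m["arg"] or ""))
    return events


def profile(events: list) -> dict:
    """Per-process counters feeding the stalling heuristics."""
    stats = defaultdict(lambda: {"sleep_ms_before_payload": 0, "sleep_calls": 0,
                                 "clock_checks_around_sleep": 0, "payload_seen": False})
    prev = {}  # last API seen per pid, to spot clock-read / sleep adjacency
    for _ts, pid, api, arg in events:
        s = stats[pid]
        if api in SLEEP_APIS:
            s["sleep_calls"] += 1
            ms = int(arg.split()[0]) if arg[:1].isdigit() else 0
            if not s["payload_seen"]:
                s["sleep_ms_before_payload"] += ms
            if prev.get(pid) in CLOCK_APIS:
                s["clock_checks_around_sleep"] += 1
        elif api in CLOCK_APIS and prev.get(pid) in SLEEP_APIS:
            s["clock_checks_around_sleep"] += 1
        elif api in PAYLOAD_APIS:
            s["payload_seen"] = True
        prev[pid] = api
    return dict(stats)


def verdicts(text: str) -> dict:
    """Map pid -> list of triggered reasons; an empty list means the process was not flagged."""
    out = {}
    for pid, s in profile(parse_trace(text)).items():
        reasons = []
        if s["sleep_ms_before_payload"] >= STALL_SLEEP_MS:
            reasons.append("long_sleep_before_activity")
        if s["clock_checks_around_sleep"] >= CLOCK_CHECKS:
            reasons.append("clock_checks_around_sleep")
        out[pid] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in verdicts(TRACE).items():
        print(pid, "STALLING" if reasons else "ok", reasons)
```

On the constructed trace, process 1204 requests 17 minutes of sleep before fetching and running a second stage and reads the tick counter around every sleep, so both heuristics fire; process 2210 sleeps 250 ms and then does ordinary update work, so it is left alone. The point of the example is the correlation step: neither a single Sleep call nor a single GetTickCount is suspicious on its own, and it is the sequence across the process lifetime, assembled from endpoint telemetry, that exposes the evasion.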

WatchGuard’s TDR solution is proving to be a particularly effective solution. Winner of a 2019 CRN Tech Innovation Award, WatchGuard TDR is a cloud-based service that uses heuristics and AI-powered threat analysis to accelerate detection, automate remediation and provide stronger defenses for evasive threats.

We’ll take a closer look at the specific features of WatchGuard TDR in our next post. Meanwhile, contact us if you’d like to evaluate this advanced solution.