Beating 'defeat devices' in advanced malware
Criminals are developing malware that knows when it's being investigated and actively evades detection. Aatish Pattni describes a new way to protect networks.
Aatish Pattni, head of threat prevention, Northern Europe, Check Point
The past few months have seen the term ‘defeat device’ featured in global headlines, following the scandal over excessive emissions from tens of millions of diesel cars. Put simply, the defeat device is built into the car's engine control software and detects when it is being tested in controlled lab conditions. It changes the engine's behaviour to a safe mode so it passes the test, and switches back when the car is used normally.
Cyber-criminals have been using similar approaches for years to help their malware evade detection by conventional security solutions and infect networks. This arms race started with the introduction of increasingly sophisticated off-the-shelf malware toolkits, which enabled criminals to easily tweak and disguise existing malware code to make a ‘new’ infection that could pass undetected through organisations' traditional antivirus defences.
Check Point's 2015 Security Report showed that enterprise networks are hit by 106 unknown malware variants every hour – that's 48 times higher than during the previous 12 months. What's more, research by Enterprise Strategy Group (ESG) found that 55 percent of security experts in enterprises feel that malware has become much more sophisticated over the past two years.
But hackers are now creating malware with real defeat devices that can identify when they are being investigated by security solutions, and actively evade detection. Let's look at how this evolutionary step happened, and what can be done to detect and block these new, advanced evasion techniques.
Safe in the sandbox?
To counter the fast-growing threat of unknown malware being created in bulk using off-the-shelf toolkits, security vendors developed a solution for detecting and trapping new types of attack, and new variants of existing malware. Called threat emulation or ‘sandboxing’, it uses a virtualised, quarantined area that runs on a network security gateway, or in the cloud, and replicates the running of the malware in various conventional PC operating systems.
In effect, sandboxing makes it possible to examine the contents of suspect files (such as email attachments or downloads) in a safe environment that's separated from production corporate networks and data. Files are opened in various virtual programmes to simulate a user's actions and if any abnormal or malicious behaviour is found, such as attempted registry changes or network connections, the file is blocked and quarantined to prevent infection before it reaches the network.
Sandboxing proved to be a highly effective technique for detecting new, unknown malware – for a time. But criminals have in turn updated their own obfuscation and cloaking techniques, developing malware code that can actively identify when it is in a virtualised sandbox environment, and respond by shutting down and concealing its malicious actions while it is being examined. This enables the malware to avoid detection by the sandbox and bypass all other defences, posing a real risk to enterprise networks.
So how do we beat these advanced defeat devices in malware, and develop a more effective sandbox that's capable of detecting even the stealthiest threats? The answer is to go deeper and extend the sandbox's detection capabilities below the level of operating systems, software executables, and data files.
Building a better sandtrap
No matter how sophisticated a piece of malware's later actions are, there is only a small set of exploitation methods and instructions it can use to download itself onto a computer and begin infecting it. If the sandbox is able to examine activity below the operating system level, and inspect what's happening in the CPU on which it is running, any malware exploit can be spotted as an anomaly in the execution flow of instructions as they run on the processor.
This means malware hidden in files and data can be identified before it has a chance to fully activate, and even try to evade detection in the sandbox. This nullifies the defeat devices planted in the malware code, and eliminates the risk of infection from even unknown attacks. The threat can then be blocked and quarantined in the sandbox, so that it never reaches the corporate network.
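The CPU-level inspection described above, reduced to one concrete check, as an added illustration that is not Check Point's code or design: a shadow-stack replay of a constructed call/return trace, where any RET that does not return to the address pushed by a matching CALL is flagged as an execution-flow anomaly before the payload ever reaches the operating system. Event names, addresses and the trace format are all assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Event:
    kind: str     # "call" or "ret"
    ip: int       # address of the call/ret instruction itself
    target: int   # call: callee address; ret: address actually returned to
    size: int = 5  # call instruction length, used to compute its return address


def find_flow_anomalies(trace):
    """Replay a call/ret trace against a shadow stack.

    Returns a list of (event index, description) for every RET whose target
    is not the return address that a matching CALL would have pushed.
    """
    shadow = []      # expected return addresses, innermost frame last
    anomalies = []
    for idx, ev in enumerate(trace):
        if ev.kind == "call":
            shadow.append(ev.ip + ev.size)
        elif ev.kind == "ret":
            if not shadow:
                anomalies.append((idx, f"ret to {ev.target:#x} with no matching call"))
            else:
                expected = shadow.pop()
                if ev.target != expected:
                    anomalies.append((idx, f"ret to {ev.target:#x}, expected {expected:#x}"))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return anomalies


def verdict(trace):
    """Sandbox decision: block the file if its execution flow shows any anomaly."""
    return "block" if find_flow_anomalies(trace) else "allow"


# Constructed traces; the addresses are illustrative, not taken from any real sample.
BENIGN_TRACE = [
    Event("call", 0x401000, 0x402000),
    Event("call", 0x402010, 0x403000),
    Event("ret", 0x403020, 0x402015),   # returns just after the second call
    Event("ret", 0x402030, 0x401005),   # returns just after the first call
]
TAMPERED_TRACE = [
    Event("call", 0x401000, 0x402000),
    Event("ret", 0x402030, 0x40C4F0),   # return address no longer matches the call
    Event("ret", 0x40C4F8, 0x40D120),   # a further ret with no call behind it
]

if __name__ == "__main__":
    for name, t in (("benign", BENIGN_TRACE), ("tampered", TAMPERED_TRACE)):
        print(name, verdict(t), find_flow_anomalies(t))
```

The same replay logic extends to other flow checks (for example, indirect calls into addresses outside any loaded module), which is why the check works regardless of what the payload would later do at the operating-system level.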
This entire process takes place transparently for the majority of files. If a suspect file is inspected and proven ‘clean’, the intended recipient of the file will not notice any significant pause in delivery of the file by email. Information about all detected activity is then available to the organisation's IT team in a detailed threat report.
Share and protect
This advanced sandboxing approach also delivers another key benefit. Once a new, unknown threat has been caught, it becomes a known and documented malware variant, with a fingerprint and signature that can be detected in the event of future attacks. This can be shared so that other organisations can use it to update their own defences, vaccinating their networks against the malware to prevent an infection becoming an epidemic.
Even the most responsive conventional anti-malware weapons cannot protect against unknown malware, leaving a critical gap that could enable attackers to get a foothold in your organisation. That gap is closed through advanced sandboxing that combines both operating system level and CPU-level detection, proactively shielding your networks and data from zero-day and advanced unknown threats that would otherwise evade detection. In the battle to defeat malware, it's a deep and wide line in the sand.