Hackers upgrading malware to 64-bit code to evade detection
Detecting 64-bit malware is more difficult than signature scanning for 32-bit malware, and despite a slow start cyber-criminals are starting to update their tools.
In a blog post, Guy Propper, cyber intelligence researcher at Deep Instinct, said that over the past two years many well-known malware families, including ransomware, banking malware and APT campaigns, began using 64-bit variants in addition to 32-bit variants – of which Zeus and Shamoon are just two examples.
“While this transition is ongoing, several studies and reviews have shown that the cyber-security industry faces serious challenges in detecting malicious 64-bit files,” said Propper.
In an accompanying white paper, the firm said that 92.8 percent of new computers sold globally run on 64-bit Windows. Since 2011, the number of 64-bit malware has increased 40-fold, the company said. But this type of malware still makes up less than one percent of the threat landscape.
According to figures released by Deep Instinct, around 60 percent of the threat landscape is dominated by the worm-like Expire spyware. Next comes the Virut family of malware (20 percent) and Nimda (10 percent).
“The high prevalence of these worms in the threat landscape is unsurprising, as all of them infect files which in turn infect more files, and cause this type of malware to spread quickly and widely,” said the report.
“To combat this threat, cyber-security teams must gain a deep understanding of 64-bit systems, and the different mechanisms attackers can leverage to attack them,” said Propper.
Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that for specific attacks, 64-bit malware is required to be compatible with the operating system version targeted. These extremely niched families of malware include rootkit drivers (which must be compiled specifically for the target platform), process injectors (including some banker Trojans) and some file infectors (viruses) even if viruses are close to going extinct these days.
“Most of today's operating systems run in their 64-bit versions to take full advantage of the CPU capabilities and to be able to handle more than 4GB of RAM. The accelerated transition from 32-bit to 64-bit operating systems is strictly related to the massive migration to new hardware,” he said.
Alexander Sevtsov, senior malware analyst at Lastline, told SC that hackers are developing 64-bit malware to evade traditional AV-based detections that are looking for specific x86 instructions.
“Traditional AV products are able to emulate and virtualise code only for x86 architecture and some sandboxes only support x86 OSs. Hackers are becoming smarter and are writing malware that learns to avoid these traditional security systems. Today's malware is often playing a game of deception: they are programmed to display very different behaviours depending on the environment [in which] they are executing,” he said.
Paul Calatayud, chief technology officer at FireMon, told SC that there are two advantages for hackers to deploy 64-bit malware.
“First, they have access to more popular applications. Second, according to recent antivirus benchmarking, 64-bit malware has a higher chance of going undetected with current antivirus signatures that focus on looking in 32-bit neighbours for malware,” he said.
David Kennerley, director of threat research at Webroot, told SC that mitigation is simple.
“Treat 64-bit malware like any other possible threat,” he said. “Invest in a credible threat intelligence platform, understand your organisation's risk tolerance level and plan accordingly. Be smart and be alert. Keep systems up-to-date, understand what devices need an internet connection, review user permissions and privileges, create and execute a backup strategy. But mostly importantly continue to educate your users about cyber dangers, and test your incident response and disaster recovery plans regularly.”