New polymorphic malware evades three quarters of AV scanners
Emotet offensive sees malware continually repackaging itself to avoid signature-based detection
A new strain of polymorphic malware has been discovered that is able to evade over 75 percent of antivirus engines tested.
According to security researchers at Bromium, the banking trojan, known as Emotet, can avoid detection by anti-virus scanners as it continually repackages itself.
Typically, malware authors will just change the packaging of the distribution method (eg a PDF or Word document), but the file could already be known to AV. Bromium discovered that authors of recent malware strains are continuously rewrapping their packed executables and the documents used to distribute them, avoiding any-and-all signature-based detection.
Researchers said that this type of approach indicates that malware authors are going to new lengths to avoid detection and could be copied by other hackers.
Matt Rowen, a software engineer at Bromium,said that he is now seeing the secondary executable is changing as well, so the malware is not recognised by AV.
“Worryingly, this shows that malware writers are really improving the standard of their engineering – that spells trouble for AV vendors, who will be forced into a whack-a-mole situation they can never win,” he said.
According to a blog post, the malware presents itself as randomly generated code designed to look like a legitimate application. The malware comes either protected with a new packer, or the packer itself features advanced polymorphic functionality.
“These differences make it nearly impossible to profile a new sample based on the footprint of the packer alone, and presents a huge obstacle for anti-virus that attempts automated unpacking as part of its analysis,” said Joe Darbyshire, malware analyst at Bromium.
He said malware authors are repacking their software into a unique executable for each potential victim, avoiding any-and-all signature-based detection.
“Although we have seen this with polymorphic documents, repacked dropped executables on this scale are unprecedented. This is why detect-to-protect security approaches won't work. It will always be a matter of catch up, as the writers of malicious code are one step ahead. The scale we see on these samples suggests they may be more than just a few steps ahead,” said Darbyshire.
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that having an instrumented environment that provides behavioural analysis on encounters with all types of malware is now a best practise.
“A second layer of protection could be that if a file passes a check for how it is constructed, it then must pass a check for how it behaves,” he added.
Tim Woods, VP technology alliances at FireMon, told SC Media UK that many of even the most sophisticated pieces of malware rely on human complacency and or human error to launch.
“Whether making credentials accessible, opening an unassuming attachment, or poor firewall management it's incumbent on the organisation to continually train personnel on security awareness,” he said.
“Bad actors frequently rely on a poorly educated user community to successfully penetrate and execute a given attack strategy. Good education remains one of the top most valuable investments an organisation can make to protect themselves better. Secondly, leveraging intelligent technology automation to add efficiency gains to woefully understaffed security teams can also be a wise investment. It will always be a game of leapfrog, but there is no replacement for a good security posture that places a strong emphasis on eliminating unnecessary complexity to reduce errors.”