2/10/2015
10:30 AM
Alon Nafta
Commentary

How Malware Bypasses Our Most Advanced Security Measures

We unpack three common attack vectors and five detection-evasion techniques.

Virtually every week a new report surfaces about a large, blue chip company with deep financial resources that has been breached. These companies typically invest in and deploy state-of-the-art security tools, yet attackers are still able to penetrate their lines of defense. To make matters worse, many attacks often go undetected for months. Let’s examine how this can happen.

Attack vectors
Every breach must exploit at least one attack vector in order to install persistent malware on the organization's network. Advanced attackers often use multi-stage malware, which would initially only install a small backdoor. This enables more complex tools to be deployed on the machine and network later on.

The primary malware installation, sometimes referred to as an infection, can be achieved using several attack vectors. The goal is always to run malicious code. Some of the most common attack vectors are:

  1. Browser-based social engineering: where a user is tricked into clicking on a legitimate-looking URL, which in turn triggers code execution through vulnerabilities in the browser or in browser plugins such as Java and Flash. More advanced attacks can hide in legitimate traffic without requiring any user interaction. These are commonly referred to as drive-by downloads.
  2. Email-based social engineering and spear phishing: where a user receives an email that contains a hidden or visible binary, which executes when the user clicks on it.
  3. Credential theft: when guessed or stolen credentials are used to access a remote machine and execute (malicious) code, such as installing a backdoor.

Evasion techniques
To evade detection, during and after installation, malware uses five primary techniques.

  1. Wrapping. This process attaches the malicious payload (the installer or the malware itself) to a legitimate file. When the legitimate file is installed, so is the malicious payload (which usually installs before the legitimate file does). Static signatures are largely ineffective against wrapper files, since new ones are easily and regularly created, and such signatures often generate false positives. This technique is commonly used by Windows and OS X malware distributed via pirated software and P2P networks. IceFog is a well-known malware commonly wrapped with a legitimate-looking CleanMyMac application and used to target OS X users. On the Windows platform, OnionDuke has been used with legitimate Adobe installers shared over Tor networks to infect machines.
  2. Obfuscation. This involves modifying high-level or binary code in a way that does not affect its functionality but completely changes its binary signature. Obfuscation was originally used to protect legitimate software against reverse engineering and piracy. Malware authors have adopted the technique to bypass antivirus engines and impair manual security research. XOR encoding is one way to do this. Hiding process and file names, registry entries, URLs and other useful information can significantly slow down the investigation and reverse engineering of new malware samples.
  3. Packers. These software tools are used to compress and encode binary files, which is another form of obfuscation. At runtime, the packer stub, which is typically bundled with the malicious binary, "unpacks" the payload into memory and executes it. There are a handful of common packing mechanisms in use today, such as UPX, PECompact, Armadillo and others. These techniques are extremely effective at circumventing static signature engines.
  4. Anti-debugging. Like obfuscation, anti-debugging was originally created by software developers to protect commercial code from reverse engineering. Anti-debugging can prevent a binary from being analyzed in emulated environments such as virtual machines and security sandboxes. For example, the ZeroAccess malware implemented a self-debugging technique in order to block external debugging attempts. Another example is malware that delays its execution (or sleeps) for an extended period of time. This is useful for bypassing sandboxing solutions, since these only keep binaries in an emulated environment for a specific period of time before classifying them as benign and releasing them to the network.
  5. Targeting. This technique is implemented when malware is designed to attack a specific type of system (e.g. Windows XP SP3), application (e.g. Internet Explorer 10) and/or configuration (e.g. detecting a machine not running VMware Tools, whose presence is often a telltale sign of virtualization). Targeting ensures that the malware is only triggered and installed when specific conditions are met, which enables it to evade detection in sandboxes because they do not resemble the host being attacked.
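As an added example (not the author's code), the static triage checks a defender would run against the obfuscation and packing techniques above: a byte-entropy heuristic that flags packed or encrypted sections, and brute-force recovery of a single-byte XOR key from an obfuscated string. The 7.0 bits/byte threshold, the scoring alphabet and all sample data are constructed assumptions; the UPX section names are the ones UPX actually writes.

```python
import math
import string

PRINTABLE = set(string.printable.encode())
# Bytes expected in typical embedded strings (URLs, paths, API names).
COMMON = set((string.ascii_lowercase + string.digits + " ./:").encode())
# Section names UPX writes into the PE header; the 7.0 bits/byte threshold
# is a common triage rule of thumb (assumption), not a published constant.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(section_name: str, section_data: bytes) -> bool:
    """Flag a section by a known packer name or by near-random content."""
    return (section_name in PACKER_SECTION_NAMES
            or shannon_entropy(section_data) >= ENTROPY_THRESHOLD)

def recover_xor_key(blob: bytes) -> tuple[int, bytes]:
    """Brute-force a single-byte XOR key: score each of the 256 candidates
    by how string-like the output is and return (key, decoded_bytes)."""
    best_key, best_score = 0, float("-inf")
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        # +1 per expected byte, heavy penalty per non-printable byte
        score = sum((b in COMMON) - 10 * (b not in PRINTABLE) for b in candidate)
        if score > best_score:
            best_key, best_score = key, score
    return best_key, bytes(b ^ best_key for b in blob)

# Constructed samples: a plain-text import table, a stand-in for an
# encrypted section (every byte value equally frequent), and a C2 URL
# obfuscated with a single-byte XOR key the way the article describes.
PLAINTEXT_SECTION = b"GetProcAddress\x00LoadLibraryA\x00kernel32.dll\x00" * 8
HIGH_ENTROPY_SECTION = bytes(range(256)) * 16
OBFUSCATED_URL = bytes(b ^ 0x5A for b in b"http://c2.example.invalid/gate.php")

if __name__ == "__main__":
    print("packed?", looks_packed(".rdata", PLAINTEXT_SECTION), looks_packed(".data", HIGH_ENTROPY_SECTION))
    print("xor key/plaintext:", recover_xor_key(OBFUSCATED_URL))
```

The entropy check is only a heuristic: legitimate installers carry compressed resources too, so a high-entropy section is a reason to look closer, not a verdict on its own.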

Just as malware's evasion techniques continue to evolve, so must our security measures. There is much work being done in the industry to move beyond traditional static signature-based security to behavior-based profiling, analytics and real-time information sharing between security solutions. One thing we have learned from researching the malware techniques described above is the closer we can place security to the targeted asset, the more likely we will be able to detect and stop it.

Alon Nafta is a senior security engineer at SentinelOne, a provider of a next-generation endpoint protection technology. Prior to SentinelOne, Alon was responsible for security research and software engineering at server security vendor PrivateCore which was acquired by ...
Comments
macker490,
User Rank: Ninja
2/13/2015 | 9:33:38 AM
Re: Thinking like a Hacker
on a special presentation over the BBC on U of M Public Radio the presenters noted that the internet is more than technology: it is an enabler

thus: when technology is used to provide some new service the hacker will examine that service asking "what does this enable?" how can I re-direct this to my own purpose?

they are patient and they are persistent: if there is a way in: they will find it.
  • MALVERTISING : If I can purchase an ad on a high traffic web page and then update my ad to include malware then perhaps I can exploit a privilege escalation in your computer and get my program running in your computer. After that when you sign into the credit union I can write myself a check. Or if you do your taxes online I can steal your ID info
  • PHISHING : maybe I can send out some e-mail that looks legitimate but actually carries a TROJAN that can exploit a privilege escalation in your computer. maybe I can pwn your box and add it to my BOTNET -- or other mischief
  • SQL INJECTION : if your server is feeding input data directly from the open web into your data base maybe I can send you a script where you are expecting data and get your database to transmit all your files to me
  • XSS ( Cross Site Scripting ) maybe when you are running a popular page I can get an ad or some phish bait to run a malicious script from some hacker page
  • IDENTITY THEFT : maybe I can buy your identity from some darknet service such as SUPERGET ( See KREBS on this ) and come up with the info I need to do your taxes for you. no charge for this service
  • AUTORUN on a thumb drive is another vector that often works to get malware into your computer
  • COMPROMISED employee
  • SHORTCUTS -- bypassing security protocols for convenience
  • DOWNLOADS perhaps I can offer some cool program, often for free -- and include some unpleasant surprises with the package. often these come as SCAMWARE where it shows "check this box for this cool added feature" -- and of course the box is already checked for you
  • SCAREWARE warnings such as "your computer is infected really really bad -- click here and we'll clean it up for you"

ROAD CLOSED

a lot of hacking depends on getting un-authorized programming, aka "malware", aka "virus" into the victim's computer(s). and hacking also makes use of stolen identification data. reducing hacking depends on closing the openings that are being exploited. Use a secure O/S where a secure O/S is one which will not permit itself to be modified by the actions of an application program. A bad web page should not be able to infect your operating software. AUTHENTICATE transactions. Transactions include eMail obviously but also software transmittals and other important business such as your Forms 1040.

Technology is great but remember: it acts as an enabler. Be careful what you enable.
RyanSepe,
User Rank: Ninja
2/12/2015 | 10:39:18 AM
Re: we don't use our most advanced security system
But I love free donuts! My main point is that we need to start thinking like the attackers and planning accordingly instead of always being in reaction mode.


To your point, this would very much include preventative measures and user interaction for a comprehensive approach.
macker490,
User Rank: Ninja
2/12/2015 | 10:35:50 AM
we don't use our most advanced security system
hack attacks are associated with un-authorized programming in many cases -- particularly the BLACKPOS and BACKOFF ram-scrapers used to steal credit card data. these updates are installed on the victims' systems and this is possible because we fail to authenticate software changes before installing them -- or we are using vulnerable operating software. In many cases vulnerable operating software is exploited by malvertising or phishing -- both of which rely on our failure to authenticate.

in the case of tax fraud the hacking takes advantage of our failure to authenticate tax returns.

the authentication software -- originally PGP but now also GnuPG -- has been available for some time. As I said: the problem is our failure to properly and effectively use our most advanced security measure: public key encryption.

proper authentication procedures require user participation. it's not something that can be passed out like free donuts.
RyanSepe,
User Rank: Ninja
2/12/2015 | 8:30:33 AM
Re: Preventative measures?
It seems like that is the general template for now. Which is why security needs to promote further innovation instead of increasing the efficiency of the dilapidated safeguards we currently use, as the vectors they seek to protect have already been exploited further than they could catch up to effectively.

I would like to see an increase in security firms seeking to construct new types of malware. I feel that with security professionals trying to think like malicious intenders that we would be able to construct strains similar to the ones that are rapidly appearing. Then in the case of an event we might be ready to mitigate it before it even becomes a threat.
alonnn,
User Rank: Apprentice
2/11/2015 | 7:07:29 PM
Re: Evasion Technique Prevention
Hi RyanSepe,

It'll be tricky to cover this in a single article but we'll definitely try. To at least comment on the techniques part of your question -- essentially this is what all AV vendors are doing or trying to do, detect malware regardless of the evasion techniques it uses.
alonnn,
User Rank: Apprentice
2/11/2015 | 7:01:32 PM
Re: Preventative measures?
Hi Whoopty,

Besides keeping your software stack (OS + 3rd party applications) up to date with security patches (and this also includes using the latest versions, especially for the OS, since there are major security-related improvements between major OS versions), the practical solution against malware is having strong endpoint protection.

There is somewhat of an agreement in the security industry that there will always be some exploitable vulnerabilities, and that "something" will always get through. There are some solutions that try and isolate your sensitive data, but the main branch of solutions is about detecting the threat after it got into the system, and being able to mitigate it, before or after malicious code is executed.

In that sense, you're right in a way that it will likely always be infection-scan-cleanup although I would phrase it infection-detection-cleanup. Unless of course everyone writes perfect software :)

Whoopty,
User Rank: Ninja
2/11/2015 | 11:56:49 AM
Preventative measures?
It often feels like beyond practicing basic anti-phishing security and steering clear of pirated software, there isn't much to be done to actively protect yourself from malware. Will it always be a case of infection-scan-cleanup? Will new types of malware always slip through the net until they're identified? 
RyanSepe,
User Rank: Ninja
2/11/2015 | 8:26:19 AM
Evasion Technique Prevention
Can you do a follow up to this article denoting current techniques and strategies to correspond with the evasions you posted? The other side of the coin would be good to have so that they can be critiqued as to why they may not be up to par. This will be helpful for future security architecting.