Invisible Malware - The Evasive Threat Is Now Mainstream
August 15, 2016
Every space adventure has a pivotal spaceship battle. At some critical moment you will hear the captain yell the phrase: “evasive action!” That signals a brilliant sequence in which the ship dodges and weaves through enemy fire, emerges unscathed, and completes the mission. In the world of malware, where it seems we are more lost in space every day, there is a huge movement to be just as evasive.
The trouble is that it’s not the plucky hero using evasive maneuvers.
The bad guys are dodging and weaving through our best defenses. While we’ve always been in an arms race with malware makers, these newer evasive capabilities now target our most advanced defenses and hide the bad stuff in plain sight.
Let’s have a look at what it means to be evasive today, and how that’s come from an evolution of the tricks the bad guys have used since the beginning. Then we’ll see how we can adapt our defenses to better combat these new threats.
Evasive malware isn’t obscure security geek stuff - it’s in the headlines
Palo Alto Networks’ researchers recently dissected a nasty variant of the Sofacy malware that was used to attack US government targets. It is even suspected of a possible connection to the DNC breach that was national news in the US for days. This beast uses a sophisticated mechanism to get its work done. Instead of launching at boot or login, as most malware traditionally has, it only becomes active when the user launches a Microsoft Office application such as Word. At that point it is loaded as a DLL into the Office process itself and runs there.
Aside from being clever, this is also extremely evasive. Not only is it hiding where most anti-malware programs aren’t looking, it also slips past many sandboxing techniques, which are considered by many to be the cutting edge of detection today. Most sandboxes drive a sample by automating system-level activity (e.g. reboots, logins) and then watching what it does. A sample that only wakes up when a user opens Word or Excel sits dormant through all of that, so unless the sandbox also launches Office applications and exercises them the way a person would, the malware is practically invisible to today’s state-of-the-art detection.
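The flip side of that hiding place is that it is also where a defender can look. The following is an added example, not code from the article or from Palo Alto Networks’ report: a small hunt over image-load telemetry, modelled on Sysmon Event ID 7 (“Image loaded”) records, that flags DLLs loaded into Office processes from outside the Office and Windows directories, or unsigned DLLs inside them. The field names follow Sysmon’s, the sample events are constructed, and the trusted-directory list is an assumption you would tune to your own estate.

```python
"""Hunt for DLLs loaded into Microsoft Office processes from unexpected places.

Added example, not code from the article or from Palo Alto Networks. It models
Sysmon Event ID 7 (Image loaded) records as plain dicts; the field names follow
Sysmon's, the sample records below are constructed, and the trusted-directory
list is an assumption you would tune to your own estate.
"""
import os

# Office front-end processes a DLL-based persistence trick would hide in.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directories Office legitimately loads modules from (assumed list). Paths are
# normalised to lower-case forward slashes so the comparison ignores case and
# separator differences.
TRUSTED_DIRS = (
    "c:/windows/system32/",
    "c:/windows/syswow64/",
    "c:/program files/microsoft office/",
    "c:/program files (x86)/microsoft office/",
    "c:/program files/common files/microsoft shared/",
)


def normalise(path):
    return path.replace("\\", "/").lower()


def is_suspicious_load(event):
    """Return a reason if this image load into an Office process looks odd, else None."""
    process = os.path.basename(normalise(event["Image"]))
    if process not in OFFICE_PROCESSES:
        return None  # only interested in Office host processes
    loaded = normalise(event["ImageLoaded"])
    if not loaded.endswith(".dll"):
        return None
    if not loaded.startswith(TRUSTED_DIRS):
        return "DLL loaded from outside the Office and Windows directories"
    if event.get("Signed", "false").lower() != "true":
        return "unsigned DLL in a trusted directory"
    return None


def hunt(events):
    """Run the check over a batch of events; return (process, dll, reason) findings."""
    findings = []
    for event in events:
        reason = is_suspicious_load(event)
        if reason:
            findings.append((os.path.basename(normalise(event["Image"])),
                             normalise(event["ImageLoaded"]), reason))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\office.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome_elf.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the two Word and Excel loads are reported; the legitimate ntdll.dll load and the Chrome event are ignored. On a real estate you would feed this from your SIEM, add your own line-of-business add-in directories to the trusted list, and treat the “Signed” field as a hint rather than proof, since signing alone does not make a DLL benign.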
Detection has always been a race against the ingenuity of the bad guys
Viruses, ransomware, trojans, keyloggers, and every other species of malware you’ve heard of are just software - not radically different in form than your browser, office applications, or anything else you use every day. From the very beginning, detection relied on that fact. Antivirus systems, the first anti-malware software, used signature based detection.
“Signature” is just a fancy word for a pattern that identifies a known piece of malware: a hash of the file, a distinctive sequence of bytes, or a set of strings that must be present for the malware to work. Legitimate software announces itself. If you have ever gone to the “Programs and Features” screen on a Windows laptop to uninstall or reconfigure a program, you have seen the inventory Windows keeps of everything that was properly installed.
Viruses don’t show up there, but their files still carry patterns that can be recognized. Antivirus keeps a database of those signatures, scans your system for them, and removes whatever matches.
Evasion is not new
In a sense, evasion was there right from those early days. “Malware at its core is developed to be stealth,” says Omri Moyal, Research VP at Minerva Labs, which makes software that uses evasiveness against malware in order to disable it. “For many years malware evaded antivirus by simply changing a few bytes of code, therefore altering their static signature.”
With a different signature, the bad guys could redeploy minutely changed variants of the same viruses again and again, each time hoping to stay on the system long enough to accomplish whatever they set out to do. With the rise of sandboxing in the mid-2000s and the improvement of antivirus platforms, evasive malware started to get much more sophisticated.
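To make both points concrete, the signature idea from the previous section and the “change a few bytes” evasion Moyal describes, here is an added example (not code from the article or from any antivirus vendor). The “malware” is a constructed byte string; the scanner carries the three classic static-signature types (an exact file hash, a byte pattern with wildcards, and a set of required strings); and three attacker-side transforms, each preserving the sample’s behaviour, knock out one signature type at a time.

```python
"""Toy static-signature scanner and three cheap ways to slip past it.

Added example, not code from the article or from any antivirus vendor. SAMPLE is
a constructed byte string standing in for a malicious binary; the three
signature types (file hash, byte pattern with wildcards, required strings) are
the classic forms of a static signature.
"""
import hashlib
import re

# Constructed "malware": a PE-ish header, padding, a short "payload" stub
# (CALL $+5 ; POP EBP ; SUB EBP, imm32 - the classic delta-offset idiom for
# position-independent code), and two API names the payload needs.
STUB = b"\xe8\x00\x00\x00\x00\x5d\x81\xed"
API_NAMES = [b"CreateRemoteThread", b"WriteProcessMemory"]
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
          + b"This program cannot be run in DOS mode.\x00"
          + STUB
          + b"\x00".join(API_NAMES) + b"\x00")

SIGNATURES = {
    "hash": hashlib.sha256(SAMPLE).hexdigest(),                   # exact file hash
    "pattern": re.compile(rb"\xe8.{4}\x5d\x81\xed", re.DOTALL),   # CALL rel32 ; POP EBP ; SUB EBP
    "strings": API_NAMES,                                         # all must be present
}


def scan(data, sigs=SIGNATURES):
    """Return the names of the signature types that match; [] means 'clean'."""
    hits = []
    if hashlib.sha256(data).hexdigest() == sigs["hash"]:
        hits.append("hash")
    if sigs["pattern"].search(data):
        hits.append("pattern")
    if all(s in data for s in sigs["strings"]):
        hits.append("strings")
    return hits


# --- attacker side: the "change a few bytes" tricks the article describes ---

def flip_padding_byte(data, offset=10):
    """Alter one byte in unused padding: behaviour unchanged, file hash changed."""
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


def xor_strings(data, key=0x41):
    """Store the API names XOR-encoded; a real sample decodes them at runtime."""
    for name in API_NAMES:
        data = data.replace(name, bytes(b ^ key for b in name))
    return data


def insert_nop(data):
    """Put a NOP between CALL and POP (real code also adjusts the delta constant
    by one); same behaviour, but the byte pattern no longer lines up."""
    return data.replace(STUB, STUB[:5] + b"\x90" + STUB[5:])


def evasive_variant(data):
    """All three tricks together: no static signature left to match."""
    return insert_nop(xor_strings(flip_padding_byte(data)))


if __name__ == "__main__":
    print("original   :", scan(SAMPLE))
    print("byte flip  :", scan(flip_padding_byte(SAMPLE)))
    print("xor strings:", scan(xor_strings(SAMPLE)))
    print("nop insert :", scan(insert_nop(SAMPLE)))
    print("all three  :", scan(evasive_variant(SAMPLE)))
```

The progression is the lesson: a hash signature dies to a single flipped byte, a string signature dies to trivial encoding, and even a wildcarded opcode pattern dies to one inserted instruction, yet the sample does exactly what it did before. Each signature type is a little harder to evade than the last, and none of them survives an attacker willing to recompile.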
Sandboxing tries to make up for the flaws in signature-based detection by catching malware in the act of being bad. The sandbox is an instrumented, disposable system that deliberately runs a suspicious file and records what it does (files written, registry changes, network connections, processes spawned) so the malware can be characterized and blocked before it hits a real target. The catch is that the malware gets to run first, so it can try to tell whether it is in a sandbox, or simply wait for a trigger the sandbox never supplies. That leads us to beasts like the Sofacy variant in Palo Alto Networks’ report, which is built specifically to avoid the ways sandboxes catch malware.
Automated evasion
Today, the art of being evasive can even be automated with software anyone can download, some of it sporting cute Mighty Morphin Power Rangers themes. So it’s no surprise that labs tracking how much malware is evasive have seen massive rates of increase.
The largest jump seems to have been in 2014, when the share of malware using evasive tactics roughly doubled, from 35% at the start of the year to nearly 80% at the end. Since then it has held steady around 90%, which says that evasion is the default from now on. We need to expect malware to be evasive.
We’re not done yet. Not even close
The good news is that the war between detectors and malware makers is far from over.
Despite the attackers’ best efforts at evasion, sandboxes and even traditional signature-based systems are finding cracks in the evasive techniques themselves. Remember, malware is just software. All software has bugs, and most of those bugs show up in the new, flashy features, so malware’s evasiveness is far from perfect. An evasion check that looks for a virtual machine or waits for user activity is itself a fingerprint, and a sandbox that knows the check is there can satisfy it. For examples like the Sofacy variant that may have hit the DNC, new, innovative solutions are appearing every day. Some of these have even used the evasive mechanisms as a weakness and turned them against the malware: if a sample refuses to run when it believes it is being watched, making it believe it is always being watched keeps it from running at all.
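Both halves of that idea, the sandbox that passes the malware’s checks and the endpoint that deliberately fails them, can be shown with a small model. This is an added example, not code from the article and not Minerva Labs’ product: a host is a constructed dict of the facts an evasive sample typically gathers from the operating system, the thresholds are typical of published evasion checks rather than those of any one family, and the two “disguise” functions are simplified stand-ins for the two defensive responses.

```python
"""Sandbox-evasion checks, and how defenders turn them against the sample.

Added example, not code from the article or from Minerva Labs. A host is modelled
as a constructed dict of the facts an evasive sample would gather from the OS;
the thresholds are typical of published evasion checks rather than taken from
any one malware family, and the two disguise functions are simplified models
of the two defensive responses.
"""

# Process names that advertise virtualisation or analysis tooling (assumed list).
ANALYSIS_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "procmon.exe", "wireshark.exe"}


def sandbox_tells(profile):
    """The malware's view: return the evasion checks that fire on this host."""
    tells = []
    if profile["cpu_count"] < 2:
        tells.append("single cpu")
    if profile["ram_mb"] < 2048:
        tells.append("low memory")
    if profile["uptime_s"] < 600:
        tells.append("freshly booted")
    if profile["recent_docs"] < 5:
        tells.append("no user history")
    if not profile["mouse_moved"]:
        tells.append("no user input")
    if ANALYSIS_PROCESSES & {p.lower() for p in profile["processes"]}:
        tells.append("analysis tooling present")
    return tells


def evasive_sample(profile):
    """Detonate only when the host looks like a real victim; otherwise stay dormant."""
    return "sleep" if sandbox_tells(profile) else "detonate"


def disguise_sandbox_as_endpoint(profile):
    """Sandbox operator's move: satisfy every check so the sample detonates and is observed."""
    real = dict(profile)
    real.update(cpu_count=4, ram_mb=8192, uptime_s=3 * 24 * 3600,
                recent_docs=30, mouse_moved=True)
    real["processes"] = [p for p in profile["processes"]
                         if p.lower() not in ANALYSIS_PROCESSES]
    return real


def disguise_endpoint_as_sandbox(profile):
    """Anti-evasion move on a real endpoint: present the artifacts the sample fears."""
    fake = dict(profile)
    fake["processes"] = profile["processes"] + ["vmtoolsd.exe"]
    return fake


# Constructed host profiles (not measurements from any real system).
REAL_ENDPOINT = {"cpu_count": 4, "ram_mb": 16384, "uptime_s": 5 * 24 * 3600,
                 "recent_docs": 42, "mouse_moved": True,
                 "processes": ["explorer.exe", "outlook.exe", "winword.exe"]}
BARE_SANDBOX = {"cpu_count": 1, "ram_mb": 1024, "uptime_s": 90,
                "recent_docs": 0, "mouse_moved": False,
                "processes": ["explorer.exe", "vboxservice.exe", "procmon.exe"]}

if __name__ == "__main__":
    print("real endpoint     :", evasive_sample(REAL_ENDPOINT))
    print("bare sandbox      :", evasive_sample(BARE_SANDBOX), sandbox_tells(BARE_SANDBOX))
    print("convincing sandbox:", evasive_sample(disguise_sandbox_as_endpoint(BARE_SANDBOX)))
    print("deceptive endpoint:", evasive_sample(disguise_endpoint_as_sandbox(REAL_ENDPOINT)))
```

The same decision logic cuts both ways. Dressing the sandbox up as a busy workstation gets the sample to detonate where it can be recorded; planting a single analysis-tool artifact on a real workstation gets it to do nothing at all. The caveat for the second trick is that it only works against samples that actually check, and a family that stops checking stops being fooled.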
In a year’s time, it’s likely that we will see a whole new category of “anti-evasion” software in the market, taking its place beside antivirus, anti-malware, and sandboxing in the standard security toolbox. Until then, keep your signatures up to date, sandboxes running full tilt, arm your photon torpedoes, and watch out for evasive actions.
About the Author
Jonathan Sander is a 20 year IT veteran who has focused on security for more than a decade. He's worked with organizations large and small all around the globe on projects related to security policy, identity access management, business process management, and data continuity. Currently he serves as an adviser at Security Catalyst and as the VP of Product Strategy at Lieberman Software.
Edited by Peter Bernstein