Traditional malware detection methods, such as signature matching, have long been supplanted by more advanced techniques -- but even these modern approaches can be fooled by custom obfuscation.
Experts from Kaspersky, Bitdefender and Malwarebytes Labs discussed the increasing complexity of malware detection methods when dealing with threat actors of varying skill levels, and where detection needs to go in the future. There was agreement among experts that hash-based or signature-based malware detection methods should -- mostly -- be a thing of the past.
Fedor Sinitsyn, security researcher at Kaspersky, told SearchSecurity that "hash-based detection might be the most primitive technology available to security solutions."
"It doesn't mean it shouldn't be used, as it has its advantages: speed and simplicity. But it is certainly not enough to combat modern malware," Sinitsyn wrote via email. "Other technologies essential for reliable protection: proactive (behavior-based) detection, exploit prevention, heuristic detection, host-based intrusion prevention, and so on."
Adam Kujawa, director of Malwarebytes Labs, said relying on hash detection is "not a great idea, considering how quickly the bad guys can run their stuff through a crypting service or software and push out versions of the malware that evade those signatures."
"It's almost standard operating procedures these days for malware authors to feed their malware through 'cryptors,' or basically software used to obfuscate a particular binary to make it difficult to identify from its original version," Kujawa told SearchSecurity. "If you took one malware executable and fed it into a cryptor five times, each with a different encryption seed, it would produce five different files that don't match on the surface but will all decrypt into the original malware when it's infecting the system."
While Kujawa referred to this encryption software as a cryptor, experts from Kaspersky and Bitdefender used the term packer.
Bogdan Botezatu, senior e-threat analyst at Bitdefender, agreed that encryption has an impact on signature-based malware detection methods.
"This is one of the major reasons the most prominent hacking groups are developing custom packers," Botezatu told SearchSecurity. "The more scrambled the sample or traffic buffer, the fewer the chances that the antimalware solution has a way to statically fingerprint what's inside."
Detection and evasion: Cat and mouse
Because the use of cryptors changes the signature of a malware sample so much, Kujawa said malware detection methods evolved "to look for shared chunks of code, libraries, file sections and hash those as a method of identification."
"A growing trend, which we see more and more from analysis tools, is the ability to hash particular functions found in certain malware families. Using tools that can open up a malware file and hash code chunks makes it more likely that a vendor would be able to identify something at least related to malicious activities," Kujawa said. "This idea is even better once you realize how often bad guys share and steal code from one another, oftentimes without bothering to modify it."
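As an added illustration of the chunk-hashing idea Kujawa describes (this script is not from the article or from any vendor's tooling), the code below builds three constructed byte blobs standing in for binaries: the same "payload" wrapped in two different stubs of different lengths, plus an unrelated file. Whole-file hashes of the two variants differ, but content-defined chunking, which cuts on the bytes themselves rather than on fixed offsets, still finds that most chunk hashes are shared. Window size, average chunk size and the seeds are assumptions chosen for the demo.

```python
import hashlib

# Constructed stand-ins for binaries (no real malware): a deterministic
# pseudo-random 2 KiB "payload" wrapped in two different unpacking stubs.
def _blob(seed: str, n_blocks: int) -> bytes:
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest()
                    for i in range(n_blocks))

CORE = _blob("payload", 64)                                # 2048 shared bytes
VARIANT_A = _blob("stubA", 3) + CORE + _blob("tailA", 1)
VARIANT_B = _blob("stubB", 5) + CORE + _blob("tailB", 2)  # every CORE byte shifted
UNRELATED = _blob("other", 72)                             # nothing in common

def whole_file_hash(data: bytes) -> str:
    """The classic signature: any changed byte changes the digest."""
    return hashlib.sha256(data).hexdigest()

def chunk_hashes(data: bytes, window: int = 16, avg_size: int = 64,
                 min_size: int = 16) -> set:
    """Content-defined chunking: cut wherever the hash of the trailing
    window hits a pattern, so boundaries re-synchronise after an insertion
    and chunks inside the shared payload hash identically in both variants."""
    hashes, start = set(), 0
    for i in range(window, len(data)):
        if i - start < min_size:          # avoid degenerate tiny chunks
            continue
        w = hashlib.blake2b(data[i - window:i], digest_size=4).digest()
        if int.from_bytes(w, "big") % avg_size == 0:
            hashes.add(hashlib.sha256(data[start:i]).hexdigest()[:16])
            start = i
    hashes.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return hashes

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of two files' chunk-hash sets, 0.0 (nothing shared) to 1.0."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    return len(ha & hb) / len(ha | hb)

if __name__ == "__main__":
    print("whole-file hashes equal:",
          whole_file_hash(VARIANT_A) == whole_file_hash(VARIANT_B))
    print("A vs B chunk similarity:", round(similarity(VARIANT_A, VARIANT_B), 2))
    print("A vs unrelated similarity:", round(similarity(VARIANT_A, UNRELATED), 2))
```

Both variants contain the payload unmodified; a cryptor that re-encrypts the payload with a new seed would defeat this static comparison too, which is why the article pairs chunk hashing with behavioural detection.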
The use of cryptors or packers is nothing new and comes with its own caveats for threat actors, according to Kujawa, especially considering the reuse of tools by threat actors.
"APT malware has used cryptors and custom packers for as long as I have been working in malware, so over 14 to 15 years," Kujawa said. "The thing about APT in particular, though, is while your commercially available malware is likely to use a cryptor or algorithm -- that we've seen before by other malware authors -- to hide itself, that makes it possible to identify the file as being crypted with a tool known to be used almost exclusively by bad guys. So, it is almost like a double-edged sword for the bad guys."
Kaspersky researchers told SearchSecurity the use of custom cryptors has both advantages and disadvantages for advanced persistent threat (APT) groups. Some groups avoid custom packers because the changes they introduce are themselves an indicator that something suspicious is happening, and APT groups want to stay hidden. On the other hand, custom packers can be useful for containing and hiding exfiltrated data. Reusing a custom cryptor across campaigns lowers its value for evading malware detection methods, but Kujawa said custom obfuscation tools still pay off for more advanced threat actors and nation-state actors, who limit how often the tools are used.
"Because these tools are built in-house and because they only show up in certain attacks, the likelihood that the antimalware industry will be able to identify them based on appearance drops significantly," Kujawa said. "From there, you've got to hope that the behavioral operations of this threat are able to identify it to a threat monitor looking for malicious or anomalous behavior, but many times APT attacks are paired with additional tools or a manual operator that make it possible to disable security tools before using the most important and most valuable weapons."
Botezatu said most threat actors "use industry-standard packers like UPX to protect their payloads."
"Some others are developing in-house packers to encrypt executables," Botezatu said. "Cybercriminals are always looking for new ways to circumvent antimalware defenses and they are sparing no effort to manipulate malware until it cannot be detected anymore. This is why the future of cybersecurity solutions resides in behavioral detection and tailor-made security -- artificial intelligence algorithms that train against the normal behavior of the user and identify anomalies that might be telltale signs of infection."
Kujawa added that these bespoke tools created by nation-state actors include "exploits we haven't seen or have new methods of infection we didn't know were possible.
"They have the ability to test every single one of their weapons against our scanners and ensure they won't be detected, and they have a lot of resources for gathering data on the target before the attack. So, when the operation launches, they either park their malware to collect information passively or they get in and out quickly," Kujawa said. "A lot of state-sponsored malware falls into the category of 'modular' because oftentimes, it comes in the form of a single executable with limited functionality; however, the person controlling that malware can send modules to it, as DLLs or something similar, which mod the capability of the threat, depending on the goal. These modules could be anything from USB infection capability, to stealing Outlook contacts, to new exploits and methods of lateral movement."
Modern malware detection methods
As obfuscation methods evolved, so too have detection methods. Sinitsyn said no modern security solution should be limited exclusively to signatures.
"That is one of the most basic and simple detection techniques and is used only in conjunction with more advanced modern approaches," Sinitsyn told SearchSecurity. "One such reliable method is proactive detection. It analyzes a running process and determines, on the fly, whether its actions are harmful or not. Proactive detection doesn't rely on signatures and is in no way affected by the change of the encryption used by the malware packer."
The move toward proactive behavior-based malware detection quickly opened the door for machine learning, Kujawa said, because it has helped antimalware vendors "develop detection tools which can identify someone as being totally bizarre in its operations, but it has never been seen or encountered before."
Even so, the idea of a battle between detection technology and advanced malware tools is only part of the reality, according to Kujawa. As technology advances on both sides, one weak link still remains -- humans. Social engineering and phishing attacks remain the most effective method of infection today, according to Kujawa, who added, "it always seems to work at least enough of the time to make it worth the investment by criminals."
"APT actors can do things like trick a third-party contractor into plugging an infected USB into a network not connected to the internet, and infecting it with state-sponsored, highly sophisticated malware," he said. "Launching a complete human espionage operation can set the stage for a totally under-the-radar attack by a state-sponsored organization. Right now, we see tons of infections by run-of-the-mill cybercriminals, not even highly sophisticated APT actors, against regular people, against large businesses, mainly because the human element leaves us all more vulnerable than if we were only dealing with a technological attack."