We all know what polymorphic malware is: the ability of malware to adapt to current conditions and evade security software to do its dirty business on a target computer. This type of malware can easily evade signature-based scanners and other standard means of detection since it is always changing the nature of its attack vectors when it executes.
But what if we could harness this same behavior and use it defensively? The idea is for the target computer or system to appear to be changing so a piece of malware can't easily infect it. That seems like a very sophisticated notion, but it is gaining traction.
Indeed, polymorphism is just a new way of describing what many academic security researchers have long been calling a "moving target defense," something that has been studied for quite some time. An Association for Computing Machinery (ACM) conference last November in Arizona covered many ways of implementing such a defense, such as with game theory and other advanced algorithms. Another academic paper goes into greater implementation detail here.
These research projects have moved into the next stage with a new series of security products from vendors such as JumpSoft, Morphisec, Shape Security and CyActive, among others. Each of these vendors' products is still in very early stages, but you can get an idea of what they are trying to do and how quickly this area is evolving.
Certainly, defending Internet-based assets has gotten more complex. Security researcher Dudu Mimran has blogged about the growing digital gap because "security tools did not evolve at the same pace as IT infrastructure. … Polymorphic defense aims to undermine this prior knowledge foundation and to make attacks much more difficult to craft."
This is because many attackers rely on knowledge about particular operating systems, devices or applications, and then target their weaknesses with their exploits. Making systems harder to identify makes them harder to attack and thus improves online security. Mimran is also the CTO for Morphisec, which plans on announcing its first product in the near future.
Shape Security calls its ShapeShifter product "the first botwall" and it is designed as an appliance to protect the user interface to client Web servers. As the startup explains on its website, "The use of polymorphism lets you preserve the functionality of code while transforming how it is expressed. In this example, a simplified login form has certain attributes replaced with random strings. The resulting code breaks malware, bots or other attacks programmed to submit that form, but renders identically to the original."
By using this polymorphic defense, customers can block DDoS, man-in-the-browser and account takeover attacks. The appliance is installed behind the load balancer and, with a few simple firewall rules to direct traffic to it, ShapeShifter can be up and running.
One way many websites have been protected in the past is by putting rate, volume and IP address limitations in place to prevent a large series of automated login attempts. Malware actors get around these limits by using a large database of stolen login credentials that are injected using a large-scale distributed botnet running on a huge number of IP addresses. Another popular past method is to use CAPTCHAs to protect logins; this is falling out of fashion as a number of automated or large-scale manual methods have been developed to defeat them.
Shape's appliance dynamically changes the underlying code of the protected website each time a page is viewed to defeat the types of scripts used in these kinds of login exploits.
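To make the mechanism concrete, here is a small added illustration of the form-field renaming Shape describes. It is not Shape's code and does not reflect how ShapeShifter actually works; it is a hypothetical server-side transform written for this article. It assumes a constructed server secret (`SECRET`), a constructed sample login form (`LOGIN_FORM`), and a hidden field named `__pv` that carries a per-view nonce so the server can recompute the aliases on submission. The point it shows is the one in the text: a script written against the static names `username` and `password` is rejected, while a browser that renders the page and submits the renamed fields works unchanged.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example secret; a real deployment would manage and rotate this.
SECRET = b"example-server-secret-rotate-me"

# Constructed sample page: a simplified login form like the one Shape describes.
LOGIN_FORM = (
    '<form method="post" action="/login">\n'
    '  <input type="text" name="username">\n'
    '  <input type="password" name="password">\n'
    '  <input type="submit" name="submit" value="Sign in">\n'
    '</form>'
)

# Matches name="..." attributes on form controls.
NAME_ATTR = re.compile(r'name="([A-Za-z0-9_]+)"')


def alias_for(field, nonce, secret=SECRET):
    """Per-view alias for a field: keyed hash of (nonce, field), so the server
    can recompute it later without storing the mapping."""
    mac = hmac.new(secret, f"{nonce}:{field}".encode(), hashlib.sha256).hexdigest()
    return "f_" + mac[:12]


def polymorphize_form(html, nonce=None, secret=SECRET):
    """Rewrite every name="..." attribute to a nonce-specific alias.

    Returns (rewritten_html, nonce, mapping) where mapping is alias -> original.
    A fresh nonce is drawn per page view unless one is supplied (tests do so).
    """
    nonce = nonce or secrets.token_hex(8)
    mapping = {}

    def swap(match):
        original = match.group(1)
        alias = alias_for(original, nonce, secret)
        mapping[alias] = original
        return f'name="{alias}"'

    rewritten = NAME_ATTR.sub(swap, html)
    # Carry the nonce in a hidden field (hypothetical name "__pv"); added after
    # the substitution so it is not itself renamed.
    rewritten = rewritten.replace(
        "</form>", f'  <input type="hidden" name="__pv" value="{nonce}">\n</form>'
    )
    return rewritten, nonce, mapping


def demorph_submission(form_data, expected_fields, secret=SECRET):
    """Map submitted alias names back to the original field names.

    Returns {original_name: value}, or None when the submission carries no
    nonce, uses a name that does not match the nonce (e.g. a script posting
    the static names), or is missing an expected field. A production system
    would also make the nonce single-use and time-limited to prevent replay.
    """
    nonce = form_data.get("__pv")
    if not nonce:
        return None
    expected = {alias_for(f, nonce, secret): f for f in expected_fields}
    recovered = {}
    for key, value in form_data.items():
        if key == "__pv":
            continue
        original = expected.get(key)
        if original is None:
            return None  # not a name this page view would have produced
        recovered[original] = value
    if set(recovered) != set(expected_fields):
        return None
    return recovered


if __name__ == "__main__":
    page, nonce, mapping = polymorphize_form(LOGIN_FORM)
    print(page)
    # A browser submits whatever names it was served: round-trips cleanly.
    browser_post = {alias: "x" for alias in mapping}
    browser_post["__pv"] = nonce
    print(demorph_submission(browser_post, ["username", "password", "submit"]))
    # A script hard-coded to the static names is rejected.
    scripted_post = {"username": "a", "password": "b", "submit": "", "__pv": nonce}
    print(demorph_submission(scripted_post, ["username", "password", "submit"]))
```

Because the alias is a keyed hash of the nonce and the field name, the server keeps no per-view state, yet each page view presents different names; anything that bypasses rendering and posts fixed names fails validation before it reaches the login logic.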
"The 'poly' part is the cool factor of this approach in that changes to the architecture can be made continuously and on-the-fly, making the guesswork higher by magnitudes. With polymorphism in place, attackers cannot build effective repurposable attacks against the protected area," Mimran said on his blog. He suggested all polymorphic defenses share the following four attributes:
- First, start with some sort of trusted source that controls the dynamic changes to the host.
- Next, build a solution that isn't easily identified with the typical attack patterns, which makes them much more resilient.
- Integrate the internal code changes in such a way that these changes aren't readily apparent to external users or software programs.
- On top of this, harden the code to make reverse engineering and propagation very difficult.
CyActive uses bio-inspired algorithms as training data for a smart detector that can identify and stop future malware variants. PayPal recently acquired CyActive's technology, showing just how serious this market segment is getting.
JumpSoft has its own software management platform called JumpCenter, which includes JumpCenter Moving Target Defense or MTD; users can sign up for a free test drive of JumpCenter here. The company claims to protect all layer 7 applications with its code.
Whether these polymorphic defenses will prove vulnerable to even more sophisticated exploits isn't yet clear. But at least turnabout is fair play, and the bad guys are finally getting a taste of their own evil-tasting medicine.
About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com. Read more from Strom at Strom.com.