Beating 'Defeat Devices' in Advanced Malware
The past few months have seen the term ‘defeat device’ feature in global headlines, following the scandal over excessive emissions from tens of millions of diesel cars. Put simply, the defeat device is built into the car’s engine control software and detects when it is being tested in controlled lab conditions. It changes the engine’s behaviour to a safe mode so it passes the test, and switches back when the car is used normally.
Cybercriminals have been using similar approaches for years to help their malware evade detection by conventional security solutions and infect networks. This arms race started with the introduction of increasingly sophisticated off-the-shelf malware toolkits, which enabled criminals to easily tweak and disguise existing malware code to make a ‘new’ infection that could pass undetected through organisations’ traditional antivirus defences.
The impact of these hacker techniques is highlighted in Check Point’s 2015 Security Report, which showed that enterprise networks are hit by 106 unknown malware variants every hour – that’s 48 times higher than during the previous 12 months. What’s more, research by Enterprise Strategy Group (ESG) found that 55% of security experts in enterprises feel that malware has become much more sophisticated over the past 2 years.
But hackers are now building malware with real defeat devices: code that can identify when the malware is being examined by a security solution, and actively evade detection. Let’s look at how this evolutionary step happened, and what can be done to detect and block these new, advanced, evasion-resistant threats.
Safe in the sandbox?
To counter the fast-growing threat of unknown malware being created in bulk using off-the-shelf toolkits, security vendors developed a solution for detecting and trapping new types of attack, and new variants of existing malware. Called threat emulation or ‘sandboxing’, it uses a virtualized, quarantined area that runs on a network security gateway, or in the cloud, and imitates a user’s conventional PC.
In effect, sandboxing works like an airport baggage scanner, making it possible to examine the contents of suspect files (such as email attachments or downloads) in a safe environment that’s separated from corporate networks and data. Files are opened in various virtual programs to simulate a user’s actions, and if any abnormal or malicious behaviour is found, such as attempted registry changes or network connections, the file is blocked and quarantined, preventing infection before it reaches the network.
Sandboxing proved to be a highly effective technique for detecting new, unknown malware – for a time. But criminals have in turn updated their own obfuscation and cloaking techniques, developing malware code which can actively identify when it is in a virtualized sandbox environment, and respond by shutting down and concealing its malicious actions while it is being examined. This enables the malware to avoid detection by the sandbox and bypass all other defences, posing a real risk to enterprise networks.
So how do we beat these advanced defeat devices in malware, and develop a more effective sandbox that’s capable of detecting even the stealthiest threats? The answer is to go deeper and extend the sandbox’s detection capabilities below the level of operating systems, software executables and data files.
Building a better sandtrap
No matter how sophisticated the actions of a type of malware, there is only a small handful of exploitation methods and instructions that it can use in order to download itself onto and start infecting a computer. If the sandbox is able to examine activity below the software level, and inspect what’s happening in the CPU on which it is running, any malware exploits can be spotted in the execution instructions being sent to the CPU.
This means malware hidden in files and data can be identified before it has a chance to activate, or even to try to evade detection in the sandbox. This nullifies the defeat devices planted in the malware code, and eliminates the risk of infection from even unknown attacks. The threat can then be blocked and quarantined in the sandbox, so that it never reaches the corporate network.
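To make the argument of the last few sections concrete (the OS-level behavioural sandbox, the malware that goes quiet when it senses the sandbox, and the CPU-level check that catches the exploit before the payload gets a chance to do so), here is an added example that is not part of the article and not Check Point’s code. It runs two detection layers over constructed traces. The behavioural layer scores observable OS actions; the CPU layer keeps a shadow stack of return addresses and flags a RET that does not go back where its CALL set up. That call/return pairing heuristic, the fixed 5-byte call length, the event weights and every address are assumptions made for the example; the article does not say how its CPU-level inspection works.

```python
"""Added example (not the article's or Check Point's code): two detection layers
over constructed sandbox traces, showing why a CPU-level check catches a sample
that stays dormant at the OS level.

Layer 1, behavioural_verdict(): the conventional sandbox view. It scores the
OS-level actions a file performs (registry autorun writes, outbound connections,
dropped executables).

Layer 2, cpu_level_verdict(): a simplified 'below the OS' check over a branch
trace. It keeps a shadow stack of return addresses pushed by CALL and flags a
RET whose target was not set up by a matching CALL. The heuristic, the 5-byte
call length and all addresses are assumptions made for this example.
"""
from typing import Dict, List, Optional, Tuple

# --- Layer 1: OS-level behaviour ----------------------------------------------

# Weights per observable action (constructed for the example).
SUSPICIOUS_EVENTS: Dict[str, int] = {
    "registry_write_run_key": 3,  # persistence through an autorun key
    "outbound_connection": 2,     # beaconing / fetching further stages
    "drop_executable": 3,         # writes a new executable to disk
    "process_inject": 4,          # tampers with another process
}

def behavioural_verdict(events: List[str], threshold: int = 4) -> Tuple[str, int]:
    """Sum the weights of observed actions; benign-looking actions score 0."""
    score = sum(SUSPICIOUS_EVENTS.get(e, 0) for e in events)
    return ("malicious" if score >= threshold else "clean", score)

# --- Layer 2: CPU-level call/return pairing -----------------------------------

CALL_LEN = 5  # assumption: every CALL in the trace is a 5-byte near call

# A branch trace entry: (kind, source address, target address).
Branch = Tuple[str, int, int]

def cpu_level_verdict(trace: List[Branch]) -> Tuple[str, Optional[str]]:
    """Flag the first RET that does not return to the address its CALL set up."""
    shadow: List[int] = []  # expected return addresses, innermost last
    for kind, src, dst in trace:
        if kind == "call":
            shadow.append(src + CALL_LEN)
        elif kind == "ret":
            expected = shadow.pop() if shadow else None
            if dst != expected:
                return ("malicious",
                        f"RET at {src:#x} went to {dst:#x}, expected {expected!r}")
    return ("clean", None)

# --- Combined verdict ---------------------------------------------------------

def inspect(events: List[str], trace: List[Branch]) -> Dict[str, object]:
    """A file is blocked if either layer says malicious."""
    os_verdict, score = behavioural_verdict(events)
    cpu_verdict, reason = cpu_level_verdict(trace)
    return {
        "os_level": os_verdict,
        "os_score": score,
        "cpu_level": cpu_verdict,
        "cpu_reason": reason,
        "blocked": "malicious" in (os_verdict, cpu_verdict),
    }

# --- Constructed sample traces ------------------------------------------------

# Sample A: a noisy dropper that does not care whether it is being watched.
SAMPLE_A_EVENTS = ["open_document", "drop_executable", "registry_write_run_key",
                   "outbound_connection"]
SAMPLE_A_TRACE: List[Branch] = [
    ("call", 0x401000, 0x402000),  # return expected at 0x401005
    ("ret",  0x402010, 0x401005),  # returns where the CALL said
]

# Sample B: the document's exploit hijacks control flow, but the payload then
# checks for a sandbox and stays dormant, so the OS-level view sees nothing.
SAMPLE_B_EVENTS = ["open_document", "read_file", "query_system_info"]
SAMPLE_B_TRACE: List[Branch] = [
    ("call", 0x401000, 0x402000),    # return expected at 0x401005
    ("ret",  0x402010, 0x401005),    # fine
    ("call", 0x401010, 0x403000),    # return expected at 0x401015
    ("ret",  0x403020, 0x77C01234),  # returns elsewhere: the stack was overwritten
]

if __name__ == "__main__":
    for name, ev, tr in (("A", SAMPLE_A_EVENTS, SAMPLE_A_TRACE),
                         ("B", SAMPLE_B_EVENTS, SAMPLE_B_TRACE)):
        print(name, inspect(ev, tr))
```

Sample A is blocked by the behavioural layer alone. Sample B scores zero at the OS level because its payload never does anything observable inside the sandbox, yet the control-flow hijack in the branch trace happened before that payload ran its checks, so the CPU layer blocks it anyway. A real implementation would consume a hardware branch trace rather than a hand-written list, and call/return pairing is only one of the instruction-level signals such a system would use.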
This entire process takes place transparently for the majority of files. If a suspect file is inspected and proven ‘clean’, the intended recipient of the file will not notice any significant pause in delivery of the file by email. Information about all detected activity is then available to the organization’s IT team in a detailed threat report.
Share and protect
This advanced sandboxing approach also delivers another key benefit. Once a new, unknown threat has been caught, it becomes a known and documented malware variant, with a fingerprint and signature that can be detected in the event of future attacks. This can be shared so that other organizations can use it to update their own defences, vaccinating their networks against the malware to prevent an infection becoming an epidemic.
Even the most responsive conventional anti-malware weapons cannot protect against unknown malware, leaving a critical gap that could enable attackers to get a foothold in your organization. Advanced sandboxing that combines both operating system level and CPU level detection closes that gap, proactively shielding your networks and data from zero-day and advanced unknown threats that would otherwise evade detection. In the battle to defeat malware, it’s a deep and wide line in the sand.
About the Author
Darrell Burkey, Director of IPS Products, Check Point, is a threat prevention team executive. Prior to Check Point he was VP Marketing at NFR Security, VP of R&D for CatchFIRE Systems and Senior Director of R&D for SAGA Software.
Edited by Peter Bernstein