Why anti-virus is not enough
Kyle Adams of Juniper Networks explains how a custom piece of malware he created demonstrates the fatal flaws in most AV solutions
The evolution of the online world and the consumerisation of IT have opened new doors to cybercrime and demand greater security to maintain safety and privacy on the web. Vulnerability to online attacks in the UAE is partly fuelled by a high smartphone penetration rate and a growing affinity in the workplace for the ‘bring your own device’ (BYOD) concept.
Organisations in the Middle East that have adopted modern mobile working initiatives ordinarily implement antivirus (AV) software as an important part of a larger security defence strategy. One of the most conventional security software products available, antivirus acts as a way to slow the spread of malware throughout the Internet. But is it enough?
Antivirus works like inoculation. When a new threat such as a piece of malware emerges, a vaccine, the signature, is created to identify the threat and is injected into all clients, dramatically reducing the likelihood of an unvaccinated client coming into contact with the infection.
But this system means that damage still occurs before a ‘cure’ can be developed, making AV necessary but not sufficient to protect against threats. To inoculate a target against a threat, the threat must first be known. Therefore, at least a few clients will become infected long before any vaccine is available to protect them.
Recently, I presented on AV and malware detection strategies to help highlight this concern and to acknowledge that new, unidentified threats enter the network every day. To demonstrate this, I wrote a custom piece of malware designed to operate as a command and control (C&C) bot: it would receive instructions from an attacker and execute them with the highest possible privileges on the infected machine.
With a custom-written piece of malware in hand, I set out to find out how effective modern antivirus clients are against unknown threats. At that point, no AV vendor had had the opportunity to see the malware code, and thus none had had the opportunity to write a signature for it. This leaves the various AV vendors in a tough spot: innovative detection strategies that do not rely on already having a signature for a specific threat are required in order to provide any form of protection.
This is where a technology called ‘code emulation’ comes into play, which many AV solutions use to help combat the weakness of signatures. Code emulation is one of those innovative strategies that some of the higher-end antivirus clients have adopted in order to identify malicious applications even if they have never been seen before. I tested the custom virus against a number of popular AV clients with the largest market share, and ideally all of these clients should have been utilising such strategies. In reality, however, I discovered that only one of the eight vendors I tested against was able to detect the custom malware.
The fact that at least one vendor was able to detect a piece of malware no vendor had seen before means that, at the very least, the malware would be detected in the wild fairly quickly.
From the attacker’s standpoint, being detected by even one vendor means that their malware will not last very long, so I continued by showing the process by which malware authors make their malware undetectable by all known antivirus clients.
Code emulation works by creating a micro virtual machine within the antivirus application, in which suspected malware can be executed safely. The emulator keeps track of every operation the suspected malware performs and uses heuristic behaviour patterns to determine whether those actions represent malicious code.
The one vendor that detected the custom virus did in fact employ code emulation. When it observed the custom virus being placed on the system, it automatically executed it within its code emulation environment and profiled the actions it was going to take. Being a virus, it did in fact need to write registry keys, download files, hide files and so forth, and the antivirus correctly identified such behaviour as malicious.
Holding true to how malware authoring takes place in reality, I then set out to figure out how to fool the code emulator into believing that the file was not malicious.
The process involved some trivial reverse engineering of the AV client. The approach is to include some additional code in the malware that attempts to detect whether it is being emulated and, if it is, to abort without doing anything suspicious. If the emulator detection works, the AV client will not report the file as malicious; if the detection fails, the AV client will report the file as malicious.
The entire process took about one hour before the first successful evasion strategy was identified. What I learned was that this specific AV vendor’s code emulator was only willing to emulate a finite number of instructions, for a finite amount of time, before it would assume the program was okay to run. To take advantage of this limitation, I modified the code of the test malware to run a loop of 80,000 instructions before getting to the malicious bits. The antivirus client essentially spent its entire allowance of time trying to get through a busy loop at the top of the virus and never reached the lines that actually behaved maliciously. The result was no detection.
I used only one way of detecting that my custom malware was running in an emulator, but I know of at least six more, mutually exclusive, ways to get around the protection.
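To make the detection gap concrete from the defender’s side, here is an added toy model of a budget-limited emulator; it is illustrative code written for this article, not Juniper’s code and not any real AV engine, and its op names, instruction costs and budgets are all assumed. It contrasts the flawed policy (budget exhausted with nothing observed means ‘okay to run’) with a hardened one that treats exhaustion as undetermined and escalates to a larger budget, as a vendor-hosted cloud sandbox might.

```python
# Added illustrative model (not Juniper's code and not any real AV engine).
# A program is a list of (op, arg) tuples. "loop" burns `arg` instructions of
# emulator budget with no side effects; every other op costs one instruction.
SUSPICIOUS_OPS = {"write_registry", "download_file", "hide_file"}

def emulate(program, budget):
    """Emulate up to `budget` instructions. Returns (status, observed): status is
    "completed" or "budget_exhausted", observed is the set of suspicious ops seen."""
    steps, observed = 0, set()
    for op, arg in program:
        cost = arg if op == "loop" else 1
        if steps + cost > budget:
            return "budget_exhausted", observed
        steps += cost
        if op in SUSPICIOUS_OPS:
            observed.add(op)
    return "completed", observed

def naive_verdict(program, budget=50_000):
    """The flaw described above: an exhausted budget with nothing observed is
    treated as 'okay to run', so a long busy loop before the payload wins."""
    _status, observed = emulate(program, budget)
    return "malicious" if observed else "clean"

def hardened_verdict(program, budget=50_000, escalate_budget=1_000_000):
    """Treat an exhausted budget with no observed behaviour as undetermined and
    re-run with a much larger budget (e.g. in a vendor-hosted cloud sandbox)
    instead of defaulting to clean."""
    status, observed = emulate(program, budget)
    if observed:
        return "malicious"
    if status == "budget_exhausted":
        _status, observed = emulate(program, escalate_budget)
        if observed:
            return "malicious"
        return "suspicious"  # still undetermined: flag for review, do not allow silently
    return "clean"

# Constructed samples with hypothetical op names and arguments.
STALLING_MALWARE = [("loop", 80_000), ("write_registry", "autorun entry"),
                    ("download_file", "stage2"), ("hide_file", "stage2")]
BENIGN_APP = [("loop", 200), ("read_config", "settings.ini"), ("show_window", "main")]
LONG_BENIGN_LOOP = [("loop", 5_000_000), ("show_window", "main")]

if __name__ == "__main__":
    for name, prog in [("stalling", STALLING_MALWARE), ("benign", BENIGN_APP),
                       ("long loop", LONG_BENIGN_LOOP)]:
        print(f"{name:9} naive={naive_verdict(prog):9} hardened={hardened_verdict(prog)}")
```

Note that the hardened policy still cannot prove a long-running benign program clean; it returns ‘suspicious’ rather than silently allowing it, which is the point: an emulator timeout is an absence of evidence, not evidence of safety.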
What should network administrators do if the tool they have relied on for years is not actually protecting them from attackers? First and foremost, continue using client AV. Think damage control, not damage prevention.
Realistically, the best protection from newer threats will come from layering more advanced solutions together. New innovations in malware detection have emerged that are capable of detecting malware without using signatures. Additionally, solutions such as file and URL reputation tracking and machine learning strategies will add significant efficacy.
It is also important to leverage products that include rapid, real-time intelligence sharing, so that the gap between initial malware release and signature protection is reduced as much as possible. Cloud security services are key: it is far more difficult for malware authors to identify successful evasion strategies when they are forced to test their malware against a black-box detection solution hosted by the vendors themselves.
With a combination of client antivirus, network antivirus, sandboxing, code emulation and reputation services, administrators can build a much more robust defence strategy. Having a powerful anti-malware solution may actually be enough to deter a targeted malware attack in the future. Nevertheless, it is important for administrators to keep an eye on malware detection rates within the network, so that targeted attacks can be identified early and monitored closely.
All is not lost, but the battle will rage until the end of time. With an increasing number of businesses establishing new offices in the Middle East, coupled with young start-ups encouraged to build a presence in the region, everyone is required to be diligent if there is any hope of surviving in the long run. Those who lag behind will surely incur serious penalties time and time again.
Kyle Adams is Chief Software Architect, Juniper Networks.