I recently spoke with Lenny Zeltser, a malware expert who has joined Minerva Labs, a cybersecurity firm whose technology causes malware to “go to sleep” rather than inflict damage on the systems and networks it lands on. Lenny and I discussed a number of developments in the fight against malware, bouncing ideas off one another about both the challenges malware creates and the methods for overcoming them. Here are four especially interesting points that emerged from our conversation; all four are important for information-security professionals to understand and recognize.
Malware is quite common – yet an unusual type of crime.
While malware is, unfortunately, common in the world of computers, it represents a rare and unusual form of crime: to do their work, criminals must leave their tools behind on the victim's systems, and those tools contain clues to their methods of operation and sometimes even to their identities. Physical-world thieves normally take numerous precautions to avoid leaving anything for investigators, and many physical crimes are solved only when criminals slip up in this regard. Those of us combating malware should take full advantage of the unusual opportunity this creates: the criminals always leave us leads.
Signature-based malware detection is clearly no longer sufficient.
Signature-based detection of malware, that is, looking for malware lurking on machines and networks by searching memory or disk for code that matches known malware (a file hash, a byte pattern, a distinctive string), has been used for many years, but it suffers from a major weakness: it often misses new or modified malware, which may be precisely the kind most likely to inflict the worst damage. Any change to the bytes a signature keys on, such as repacking the file or re-ordering or re-encoding a string, produces a sample the signature no longer matches, while the malware's behavior stays exactly the same. Newer approaches are needed, including looking for the anomalous activity that results from the execution of unwanted code, and stopping malware from inflicting damage even when it cannot be identified.
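To make the weakness concrete, here is an added example (written for this page; it is not Minerva's code or any vendor's engine). It compares a static signature check, using a full-file hash and a byte pattern, against a behavioral check that scores what a sample does once it runs. The sample bytes, the action names, their weights and the execution traces are all constructed stand-ins, and the "variant" differs from the catalogued sample by one reordered argument, which is enough to defeat both signatures:

```python
import hashlib
import re

# Constructed stand-in for a malicious binary. It is inert bytes, not real
# malware; the embedded command string is a well-known ransomware indicator.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 48
    + b"vssadmin delete shadows /all /quiet"
    + b"\x00" * 16
)

# A "repacked" variant: same behaviour, one reordered argument. Every
# byte-level signature below misses it.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"/all /quiet", b"/quiet /all")

# Signature database built from the sample the vendor has already seen.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
PATTERN_SIGNATURES = [re.compile(rb"vssadmin delete shadows /all /quiet")]


def signature_match(sample: bytes) -> bool:
    """Static detection: does the sample look like something already catalogued?"""
    if hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES:
        return True
    return any(sig.search(sample) for sig in PATTERN_SIGNATURES)


# Behavioural detection: score what the code does once it runs. Action names
# and weights are hypothetical; a real engine derives them from telemetry.
ACTION_WEIGHTS = {
    "delete_shadow_copies": 5,
    "disable_recovery_mode": 4,
    "mass_file_rename": 4,
    "spawn_encoded_powershell": 3,
    "write_run_key": 2,
}
ALERT_THRESHOLD = 6


def behavior_score(actions) -> int:
    """Sum the weights of the observed actions; unknown actions score zero."""
    return sum(ACTION_WEIGHTS.get(action, 0) for action in actions)


def behavior_match(actions) -> bool:
    """Dynamic detection: flag once the observed actions cross the threshold."""
    return behavior_score(actions) >= ALERT_THRESHOLD


# Constructed execution traces. Both samples do the same thing when run, so
# the variant is caught here even though no signature matches it.
RANSOMWARE_TRACE = ["delete_shadow_copies", "mass_file_rename", "write_run_key"]
BENIGN_INSTALLER_TRACE = ["write_run_key"]


if __name__ == "__main__":
    print("known sample, signature:", signature_match(KNOWN_SAMPLE))
    print("variant, signature:     ", signature_match(VARIANT_SAMPLE))
    print("variant, behaviour:     ", behavior_match(RANSOMWARE_TRACE))
    print("installer, behaviour:   ", behavior_match(BENIGN_INSTALLER_TRACE))
```

The behavioral side is deliberately simple; real engines weigh sequences and context (which process did what, to which files) rather than a flat bag of actions, and the threshold has to be tuned against legitimate software such as installers and backup tools that perform some of the same actions.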
Malware is tricking sandboxing technologies – and security companies are fighting back.
As security companies have created and deployed sandboxing technology, that is, technology that executes suspected malware within the confines of a “sandbox” testing environment that prevents anything running inside it from escaping and affecting resources outside it, criminals have started to create malware that is cautious about where it runs. Because anti-malware technologies that detect malware in a sandbox often create signatures for it, making those strains easier to block and remove elsewhere, some advanced malware looks for signs that it is sitting within a sandbox rather than on a real personal computer or server: virtual-machine drivers and helper processes, analysis tools, a freshly booted system with little memory, few CPU cores and no trace of user activity. If it finds such signs, it will not execute. Zeltser pointed out that one of the capabilities that drew him to Minerva was the firm’s technology that both allows real systems to trick malware into thinking that they are sandboxes and lets sandboxes convince malware that they are real systems. These capabilities both protect real systems, by preventing the malware from running, and increase the odds of catching the malware elsewhere, by giving it an incentive to run in sandboxes where it can be identified, studied and mapped into a signature database.
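The following added example (written for this page; it is not Minerva's product code and does not reproduce any particular malware family's checks) simulates the decision a sandbox-aware sample makes and then shows both halves of the idea above: planting decoy artifacts on a real workstation so the sample refuses to run, and scrubbing a sandbox so the sample detonates where it can be observed. The host profiles are constructed dictionaries, not facts read from the machine running the script, and the artifact list and thresholds are illustrative:

```python
# Artifacts that sandbox-aware samples commonly look for: process, module and
# driver names from virtualisation and analysis tooling. Illustrative, not exhaustive.
ANALYSIS_ARTIFACTS = {
    "sbiedll.dll",      # Sandboxie
    "vboxservice.exe",  # VirtualBox guest additions
    "vmtoolsd.exe",     # VMware Tools
    "procmon.exe",      # Process Monitor
    "wireshark.exe",
}


def sandbox_indicators(facts):
    """Evasion logic as a sample would apply it: return the reasons it believes
    it is being analysed (an empty list means 'looks like a real machine')."""
    reasons = []
    if facts["cpu_count"] < 2:
        reasons.append("single CPU")
    if facts["ram_gb"] < 4:
        reasons.append("very little RAM")
    if facts["uptime_minutes"] < 10:
        reasons.append("freshly booted")
    if facts["recent_documents"] == 0:
        reasons.append("no user history")
    seen = {name.lower() for name in facts["processes"] + facts["loaded_modules"]}
    hits = sorted(seen & ANALYSIS_ARTIFACTS)
    if hits:
        reasons.append("analysis artifacts present: " + ", ".join(hits))
    return reasons


def would_detonate(facts):
    """The sample only runs its payload when nothing looks like a sandbox."""
    return not sandbox_indicators(facts)


def plant_decoys(facts):
    """Defensive side: make a real workstation advertise sandbox artifacts so
    sandbox-aware malware refuses to run. Returns a modified copy of the facts."""
    decoyed = dict(facts)
    decoyed["loaded_modules"] = facts["loaded_modules"] + ["SbieDll.dll"]
    decoyed["processes"] = facts["processes"] + ["VBoxService.exe"]
    return decoyed


def disguise_sandbox(facts):
    """Analysis side: make a sandbox look like a lived-in machine so the sample
    detonates where it can be observed. Returns a modified copy of the facts."""
    disguised = dict(facts)
    disguised.update(cpu_count=4, ram_gb=16, uptime_minutes=3 * 24 * 60, recent_documents=37)
    disguised["processes"] = [p for p in facts["processes"] if p.lower() not in ANALYSIS_ARTIFACTS]
    disguised["loaded_modules"] = [m for m in facts["loaded_modules"] if m.lower() not in ANALYSIS_ARTIFACTS]
    return disguised


# Constructed host profiles (not read from the machine running this script).
WORKSTATION = {
    "cpu_count": 8, "ram_gb": 32, "uptime_minutes": 5 * 24 * 60, "recent_documents": 120,
    "processes": ["explorer.exe", "outlook.exe", "chrome.exe"],
    "loaded_modules": ["kernel32.dll", "user32.dll"],
}
SANDBOX = {
    "cpu_count": 1, "ram_gb": 2, "uptime_minutes": 3, "recent_documents": 0,
    "processes": ["explorer.exe", "VBoxService.exe", "procmon.exe"],
    "loaded_modules": ["kernel32.dll", "SbieDll.dll"],
}


if __name__ == "__main__":
    print("workstation:          ", would_detonate(WORKSTATION))
    print("workstation + decoys: ", would_detonate(plant_decoys(WORKSTATION)))
    print("sandbox:              ", would_detonate(SANDBOX))
    print("sandbox, disguised:   ", would_detonate(disguise_sandbox(SANDBOX)))
```

Two caveats a practitioner would want: decoys must be internally consistent, since a sample can verify that a claimed process really exists or that a module really is loaded, and some legitimate software (licensing and anti-cheat components, for instance) refuses to run inside virtual machines and may react to the same decoys. Evasion checks also differ from family to family, so decoys are one protective layer alongside detection rather than a replacement for it.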
Malware is growing increasingly stealthy when it comes to communications.
Many variants of modern malware relay data from an organization to criminals. Some also receive instructions from so-called “command-and-control” servers operated by criminals. Both types of communication normally transpire across the Internet. One way of combating malware is, therefore, to look for anomalous Internet communications: red flags should be raised, for example, if all of a sudden large amounts of data are being sent from a CFO’s computer in New York to a computer at an unrecognized IP address halfway around the world. But many forms of malware communication are not nearly as obvious or as easy to detect. Furthermore, criminals are trying to one-up security technologies by disguising their communications, either by carrying them inside HTTPS connections (so that TLS hides the contents from anyone inspecting the traffic) or by abusing DNS itself. For example, to relay intercepted credentials to an attacker, malware may be programmed to issue an ordinary-looking DNS lookup for a name such as BankName22Com33JohnDoe33HelloWorld.hackersdomain.com, where the authoritative DNS server for hackersdomain.com is run by the attacker and knows how to decode the information packed into the subdomain before returning an answer as if nothing were unusual. When the malware issues the lookup, the organization's local resolver, which does not have the name cached, follows the normal delegation chain and asks the attacker's authoritative server to resolve it, thereby handing the encoded data to the attacker even though the infected machine never connected to the attacker's server directly. Detection capabilities exist (unusually long or high-entropy subdomains, large numbers of unique subdomains under a single domain, and high query volumes to one domain are all telltale signs), but the battle against malware remains a game of cat and mouse, and controlling the damaging behavior of malware even when the malware itself has not been detected remains important.
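As an added example (written for this page, not code from the article or from Minerva), here are both sides of the DNS trick just described: the encoder that packs a chunk of stolen data into subdomain labels and the decoder the attacker's authoritative server would apply, followed by the kind of detection logic a defender can run over resolver logs. The secret string, the log lines and the thresholds are all constructed; `hackersdomain.example` stands in for the article's hackersdomain.com, and `registered_domain` uses a naive "last two labels" rule where production code would consult the public suffix list:

```python
import base64
import math
from collections import defaultdict

TUNNEL_DOMAIN = "hackersdomain.example"  # stands in for the article's hackersdomain.com


def encode_exfil_query(chunk: bytes, seq: int, domain: str) -> str:
    """Attacker side: hide a data chunk in the labels of an otherwise normal query.
    base32 is used because DNS names are case-insensitive and labels are limited
    to 63 characters; a sequence label lets the receiver reorder chunks."""
    b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
    labels = [f"s{seq}"] + [b32[i:i + 63] for i in range(0, len(b32), 63)]
    return ".".join(labels + [domain])


def decode_exfil_query(qname: str, domain: str):
    """Attacker's authoritative server: recover (seq, chunk) before answering normally."""
    labels = qname[: -len(domain) - 1].split(".")
    seq = int(labels[0][1:])
    payload = "".join(labels[1:]).upper()
    payload += "=" * (-len(payload) % 8)  # restore the base32 padding that was stripped
    return seq, base64.b32decode(payload)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores far higher than words like 'www'."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Real deployments use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_tunnel_domains(log_lines, min_unique=4, min_avg_len=25, min_entropy=2.5):
    """Defender side: per registered domain, count distinct subdomains and
    measure their length and entropy; flag domains that look like a channel.
    Log format (constructed): '<timestamp> <client-ip> <qtype> <qname>'."""
    stats = defaultdict(lambda: {"subs": set(), "lengths": [], "entropies": []})
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = fields[3].lower()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        st = stats[dom]
        st["subs"].add(sub)
        st["lengths"].append(len(sub))
        st["entropies"].append(shannon_entropy(sub.replace(".", "")))
    flagged = {}
    for dom, st in stats.items():
        unique = len(st["subs"])
        avg_len = sum(st["lengths"]) / len(st["lengths"])
        avg_ent = sum(st["entropies"]) / len(st["entropies"])
        if unique >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": unique,
                            "avg_subdomain_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed data: a fake captured credential blob and a small resolver log.
SECRET = (
    b"BankName22 user=johndoe pass=Hunter2! acct=1234567890 "
    b"otp=558812 balance=10450.00 card=4111111111111111 exp=12/27 cvv=123"
)
CHUNK = 25
TUNNEL_QUERIES = [
    encode_exfil_query(SECRET[i:i + CHUNK], n, TUNNEL_DOMAIN)
    for n, i in enumerate(range(0, len(SECRET), CHUNK))
]
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "cdn.example.com",
                  "www.example.com", "update.vendor.example", "api.example.com"]
DNS_LOG = [
    f"2024-05-01T10:00:{sec:02d}Z 10.0.0.5 A {q}"
    for sec, q in enumerate(BENIGN_QUERIES + TUNNEL_QUERIES)
]


if __name__ == "__main__":
    for q in TUNNEL_QUERIES:
        print(q)
    print(flag_tunnel_domains(DNS_LOG))
```

Note that `example.com` in the constructed log has four distinct subdomains, enough to pass the uniqueness test on its own, and is left alone only because its labels are short and low-entropy; any single feature produces false positives, which is why the thresholds are combined. Real tunnels also show up as a sustained query rate to one domain, a high NXDOMAIN or TXT-record ratio and clients that bypass the corporate resolver, and mature detections weigh all of these.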
This post was sponsored by Minerva Labs.