Custom Malware Sneaks Past Advanced Threat Detection Appliances In Lab Experiment

An independent test of advanced threat detection products demonstrates how they could be bypassed by attackers.

Some of the top advanced threat detection products failed to catch custom-written malware samples posing as targeted attacks in an independent lab study.

Researchers from the Laboratory of Cryptography and System Security (CrySyS Lab) and MRG Effitas teamed up to test five "well-established" advanced threat detection appliances to see just how effective these technologies are at spotting unknown threats. The goal of the tests was not to determine the detection rates of the products, but rather to see whether the researchers could bypass them. The researchers did not reveal the names of the products.

One of the four custom samples written by the researchers slipped past all five of the products, while another bypassed three of them. The two most basic samples were detected by all five of the products, but in some cases they triggered only a low-severity alarm.

The big takeaway from the tests, according to the researchers, is that no security tool is infallible when it comes to new malware samples. "A lot of customers believe these products can detect all advanced attacks. Believing this can provide a false sense of security," Zoltan Balazs of the UK security research firm MRG Effitas, said in an email interview.

Even so, these appliances are a key layer of security: "Defense in depth is still important, as there are always unexpected areas where advanced attackers can be detected," he said. "These products add value, and can detect attacks which won't be detected by other technologies deployed at enterprises."

All the malware test samples were devised with typical RAT features of remote code execution, along with the ability to download and upload files.

The stealthiest of the homemade samples -- dubbed "BAB0" -- which bypassed all five products, was downloaded by the "victim" from a web page and was hidden behind an image using steganography. Among other things, the simulated attack hides command-and-control traffic inside HTTP requests.

The researchers plan to publish some components of BAB0 to help anti-APT/advanced threat protection vendors beef up their products, as well as to help organizations test the strength of those appliances in their own environments.

"If we were able to bypass all products, then advanced attackers are surely able, too. Maybe not in the same way as we did. Maybe in an even better way," Levente Buttyan of CrySyS Lab said in an email interview. "So it is very important that vendors work together with independent testers more frequently, but our experience is that they are very reluctant to participate in tests. This should change."

However, it won't be easy for vendors to stop advanced threats, Buttyan said.

Meanwhile, there's a range of effectiveness among the various appliances, according to CrySyS Lab's Boldizsar Bencsath.

Tom Kellermann, chief cyber security officer with Trend Micro, said his company's Deep Discovery product was not among the tools tested in the study. The problem with many products in this category is that they can't evaluate the lateral movement of malware across more than five protocols, and they lack proper sandboxing and correlation of unknown events, so advanced attacks can sneak by them.

The full lab report was published today.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
