How To Detect Zero-Day Malware And Limit Its Impact

An increasing percentage of malware has never been seen before. Here are some tips for stopping it.

Dark Reading Staff, Dark Reading

November 9, 2012


[Excerpted from "How to Detect Zero-Day Malware and Limit Its Impact," a new, free report posted this week on Dark Reading's Advanced Threats Tech Center.]

It was never easy to keep ahead of the cyber bad guys, but with the recent uptick in zero-day malware, things are only getting harder.

Indeed, the malware landscape is changing dramatically, as attackers seek to take advantage of automated construction kits to generate several thousand malware variants at once. Security experts estimate that more than 70,000 new instances of malware are being released each day. While traditional antivirus products are generally effective at detecting and blocking "known bad" samples, they are challenged to keep up with the rapidly increasing volume of malware we have been seeing.

There has been a "seismic shift" in how malware is developed and distributed, says Andrew Brandt, director of threat research at Solera Networks. Malware developers are increasingly crafting one-time-use malware, so by the time an antivirus vendor has released a signature to detect the malware sample, the bad guys have most likely moved on to a new version.

Developers are using do-it-yourself construction kits such as Zeus and Poison Ivy to create their own variants, says Gunter Ollmann, CTO and VP of research at security vendor Damballa. Thanks to these kits, criminals can generate "hundreds and thousands" of malware variants per hour with a single press of a button. Add in armoring techniques such as run-time obfuscation, polymorphism and packers, and the likelihood of antivirus products detecting these malicious programs is just 2%, he says.

So what's the next-generation solution? The future of security lies in shifting toward behavior-oriented scanning, says Dennis Pollutro, president and founder of cloud security vendor Taasera. While "there will always be a place for signatures," security products have to begin identifying malware by what it's doing, rather than what it looks like, he says.

Several things have to happen before the malware infection results in damage or data theft on the compromised computer, which gives defenders a "couple hundred processes" to monitor for, Pollutro adds. Threat intelligence allows administrators to recognize patterns of behavior, such as creating directories on a file system or communicating with an IP address that had previously been flagged as suspicious.

Even if the actual source code (and the resulting hash of the file) of various malware samples is different, that doesn't mean the malware's actual behavior has changed, says Solera Networks' Brandt. That makes sense, considering the number of variants generated using DIY toolkits and that the changes to the code may be as simple as inserting extra instructions that don't actually do anything. Even the use of polymorphism or packing changes just how the malware looks, not how it executes.
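To make the hash-versus-behaviour point concrete, here is an added Python example (not from the article or any vendor it quotes): a constructed "variant" that differs from the original only by inserted no-op bytes defeats an exact-hash signature, while a behaviour rule over constructed endpoint telemetry (directory creation plus a connection to a previously flagged address, the two patterns the article mentions) matches the original and the variant alike. The sample bytes, event lines and the 203.0.113.7 address are all constructed placeholders.

```python
import hashlib

# Constructed stand-in for a malware sample: arbitrary bytes, not a real binary.
ORIGINAL = b"MZ\x90\x00\x48\x83\xec\x20\xe8\x00\x00\x00\x00\xc3"
# "Variant" as a construction kit might emit it: the same logic with seven
# do-nothing (0x90 NOP) instructions inserted, so the bytes and the hash change.
VARIANT = ORIGINAL[:4] + b"\x90" * 7 + ORIGINAL[4:]

# Signature database: knows only the original sample's hash.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}

# Threat intelligence: addresses previously flagged as suspicious.
# 203.0.113.7 is a constructed placeholder from the TEST-NET-3 documentation range.
FLAGGED_IPS = {"203.0.113.7"}


def signature_match(sample: bytes) -> bool:
    """Classic AV check: exact hash lookup against known-bad samples."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def behavior_match(event_lines) -> set:
    """Behaviour check over constructed telemetry lines of the form 'pid|action|target'.

    A process is flagged only when it both creates a directory and connects to a
    flagged address; either action alone is common and would be noisy on its own.
    Returns the set of flagged pids."""
    actions_by_pid = {}
    for line in event_lines:
        pid, action, target = line.strip().split("|", 2)
        seen = actions_by_pid.setdefault(pid, set())
        if action == "mkdir":
            seen.add("mkdir")
        elif action == "connect" and target.rsplit(":", 1)[0] in FLAGGED_IPS:
            seen.add("flagged_connect")
    return {pid for pid, seen in actions_by_pid.items() if {"mkdir", "flagged_connect"} <= seen}


# Constructed telemetry: the original (pid 4242) and the variant (pid 5150) do
# exactly the same things; pid 7001 is a benign installer that only makes a directory.
EVENTS = [
    "4242|mkdir|C:\\Users\\Public\\upd",
    "4242|connect|203.0.113.7:443",
    "7001|mkdir|C:\\Program Files\\Vendor",
    "5150|mkdir|C:\\Users\\Public\\upd",
    "5150|connect|203.0.113.7:443",
]

if __name__ == "__main__":
    print("signature hits:", signature_match(ORIGINAL), signature_match(VARIANT))  # True False
    print("behaviour hits:", sorted(behavior_match(EVENTS)))  # ['4242', '5150']
```

The signature check misses the variant even though only padding changed; the behaviour rule catches both and leaves the benign installer alone.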

Organizations also should look for security products that emphasize behavior scanning instead of relying primarily on signatures, says Roger Thompson, chief emerging threat researcher at product security testing and certification organization ICSA Labs: "Everybody agrees this is a good idea; it's a matter of getting everyone to actually do it."

Most antivirus vendors have already shifted their products to include network heuristics and behavioral analysis, but there needs to be a greater emphasis on behavioral scanning, says Thompson.

Application whitelisting is another approach that can help with zero-day malware, experts say. Just as email or website whitelisting works for spam and Web filtering, application whitelisting refers to a list of approved software and programs authorized to access network resources.

By restricting what programs can run on the network, the entire environment is protected from malicious applications, says Dan Brown, security researcher at Bit9.

Traditionally, whitelisting has been used only for fixed-function devices, such as point-of-sale systems, where administrators specified the handful of applications that should be available, says Brown. Today, there is more flexibility as organizations move toward private software marketplaces with trusted software that employees can download and install.

For more insight on tools and methods that can be used to detect and control zero-day malware -- including a look at the role of big data -- download the free report on defending against previously unseen malware.
