Virtually every week a new report surfaces about a large, blue-chip company with deep financial resources that has been breached. These companies typically invest in and deploy state-of-the-art security tools, yet attackers still penetrate their lines of defense. To make matters worse, many attacks go undetected for months. Let's examine how this can happen.
To gain a foothold, an attacker must exploit at least one attack vector in order to get code running and install persistent malware on the organization's network. Advanced attackers often use multi-stage malware: the first stage installs only a small backdoor, which is then used to deploy more complex tools on the machine and across the network later on.
The primary malware installation, sometimes referred to as an infection, can be achieved using several attack vectors. The goal is always to run malicious code. Some of the most common attack vectors are:
- Browser-based social engineering: a user is tricked into clicking on a legitimate-looking URL, and the page triggers code execution through vulnerabilities in the browser or in browser plugins such as Java and Flash. More advanced attacks place the exploit in otherwise legitimate web traffic (for example via a compromised site or a malicious advertisement), so that merely loading the page is enough and no further user interaction is required. These are commonly referred to as drive-by downloads.
- Email-based social engineering and spear phishing: a user receives an email carrying a hidden or visible executable attachment, which runs when the user opens it.
- Credential theft: guessed or stolen credentials are used to log in to a remote machine and execute code, such as installing a backdoor.
To evade detection during and after installation, malware uses five primary techniques.
- Wrapping. This attaches the malicious payload (the installer or the malware itself) to a legitimate file. When the legitimate file is installed, so is the malicious payload, which usually installs before the legitimate file does. Static signatures are largely ineffective against wrapper files, since new ones are easily and regularly created, and they tend to generate false positives. This technique is commonly used by Windows and OS X malware distributed via pirated software and P2P networks. IceFog is a well-known example, commonly wrapped with a legitimate-looking CleanMyMac application and used to target OS X users. On the Windows platform, OnionDuke was bundled with legitimate Adobe installers downloaded over the Tor network to infect machines.
- Obfuscation. This involves modifying high-level or binary code in a way that does not affect its functionality but completely changes its binary signature. Obfuscation was originally used to protect legitimate software against reverse engineering and piracy; malware authors have adopted the technique to bypass antivirus engines and impair manual analysis. XOR-encoding strings and other embedded data is one simple and common way to do this. Hiding process and file names, registry entries, URLs and other useful information in this way can significantly slow down the investigation and reverse engineering of new malware samples.
- Packers. These tools compress and encode binary files, which is another form of obfuscation. At runtime a small unpacking stub, shipped together with the packed binary, "unpacks" the payload into memory and executes it, so the original code never appears on disk in clear form. A handful of packers are in common use today, such as UPX, PECompact and Armadillo. Packing is extremely effective at circumventing static signature engines; the flip side is that high section entropy and known packer artifacts are themselves useful indicators that a file deserves a closer look.
- Anti-debugging. Like obfuscation, anti-debugging was originally created by software developers to protect commercial code from reverse engineering. Anti-debugging can prevent a binary from being analyzed under a debugger or in emulated environments such as virtual machines and security sandboxes. For example, the ZeroAccess malware implemented a self-debugging technique in order to block external debugging attempts. Another example is malware that delays its execution (sleeps) for an extended period of time. This is useful for bypassing sandboxing solutions, since they keep a binary in the emulated environment only for a fixed period before classifying it as benign and releasing it to the network.
- Targeting. Here the malware is designed to attack only a specific type of system (e.g. Windows XP SP3), application (e.g. Internet Explorer 10) and/or configuration (e.g. a machine not running VMware Tools, whose presence is a telltale sign of virtualization). Targeting ensures that the malware is only triggered and installed when these conditions are met, which lets it evade sandboxes, since a sandbox rarely resembles the host actually being attacked.
Just as malware's evasion techniques continue to evolve, so must our security measures. Much work is being done in the industry to move beyond traditional static signature-based security to behavior-based profiling, analytics and real-time information sharing between security solutions. One thing we have learned from researching the techniques described above is that the closer we place security controls to the targeted asset, the more likely we are to detect and stop the malware.