Research & Opinion
Malware Decoded: What It Looks Like And Why It Is Deadly For Firms
Every day we encounter news of cyber-attacks on government agencies, large corporates and SMEs across the world. The majority of these attacks and frauds are carried out through malware. In this article we shall try to understand what malware is, what types of malware exist, and what their pros and cons are. It is also instructive to see what malware looks like and how it becomes so deadly for any organization or individual.
What is Malware: “Malware” has been derived from the Spanish language, wherein “Mal” means “Bad,” making the term “Badware.” This sort of “Malicious Software” is designed to damage a computer system or perform other unwanted actions on it.
Common examples of malware are viruses, spyware and Trojans. Typically, such malware consists of lines of code and carries identifiable file signatures.
How it is prevented: Quite a few products are available in the market, under the categories of antivirus, anti-malware and anti-spyware, which ideally should protect individual or enterprise computers from the menace of malware.
How Anti Malware Works: The majority of Anti Malware security products rely on file signatures in order to detect Malware and other malicious files. The technique involves reading or scanning a file and testing to see if the file matches a set of predetermined attributes. These attributes are known as the Malware’s ‘signature.’ Malware signatures, which can occur in many different formats, are created by vendors and security researchers. Sets of signatures are collected in databases, some of which may be public and shared, while others are contained in proprietary databases exclusive to a particular vendor.
With rapid advancement, quite a few security vendors have come out with other options, i.e. signatureless anti-malware solutions, which do not need any signatures to operate.
Methodology of Malware Signatures Creation: In order to create a signature for a particular malware file or family of files, a security analyst needs one or more (the more the better) samples of the file to work from. Such samples may be gathered ‘in the wild’ from infected computers, sourced from the darknet and other places malware authors trade their work, or from shared malware repositories where security researchers (and in some cases the public) can share known malware files. Some popular malware repositories available to security professionals include VirusTotal, Malpedia and MalShare.
Once a vendor has a set or ‘corpus’ of files to work with, they begin to examine the files for common characteristics. These characteristics can involve factors such as file size, imported or exported functions, data bytes at certain positions (‘offsets’), sectional or whole-file hashes, printable strings and more.
The process of generating signatures can be automated, but it is often initially done manually by specialist malware analysts and reverse engineers, particularly when an entirely new family of malware is found.
As a matter of fact, the implications of the ransomware crisis and new TTPs (Tactics, Techniques and Procedures) were discussed very extensively during this year’s recently concluded “BlackHat” edition.
While there are many different formats for creating signatures, one of the most popular formats widely in use today is YARA, which allows malware analysts to create signatures based on textual and binary patterns. For example, the following image shows a slice of code from a well-known malware family distributed by APT threat actor OceanLotus on the left, and a YARA signature to detect it on the right.
Note the signature condition, which states that the file must be of type ‘Macho’ (Mach-O), and have a file size of less than 200KB, while also containing all the strings defined in the rule.
In the YARA format, the strings may occur as regular human-readable characters set between quotation marks, or – as in the example above – as hexadecimal-encoded bytes set between curly brackets. Some signature writers exclusively use the latter, even when the string to be matched is a string of human-readable characters. Thus, ‘hello, world’ might be encoded in the signature as { 68 65 6c 6c 6f 2c 20 77 6f 72 6c 64 }.
There are various programs available that allow you to easily translate back and forth between human readable strings and hexadecimal. On Mac and most Linux machines, the command line utility xxd is one such program.
As we shall see below, sometimes malware is packed in ways that an engine cannot easily unpack, and a signature may need to rely on calculating hashes from one or more sections of a file, as in this snippet from another YARA rule:
VMware’s 2021 Global Incident Response Threat Report found that the severity of attacks thus far this year has skyrocketed, with destructive and zero-day attacks occurring 51% of the time, attackers deploying custom malware 52% of the time, and counter-incident-response occurring 61% of the time.
Advantages of Signature Based Detection: Signature-based detection offers a number of advantages over simple file hash matching. First, by means of a signature that matches commonalities among samples, malware analysts can target whole families of malware rather than just a single sample.
Second, signatures are very versatile and can be used to detect many kinds of file-based malware. Signatures can easily include or exclude different file types, whether those be shell scripts, python files, Windows PE files, Linux ELF files or macOS Mach-O files. The same malware database, and even the same rule if it were appropriate, could potentially scan and match a signature across almost any file type.
Third, signature formats like YARA are very powerful and offer malware analysts both a wide variety of logic by which to define malicious behavior as well as a relatively simple format that is easy to write and test. Moreover, as signatures are text-based, a single database can contain many thousands, even millions, of signatures without itself being excessively large.
A common signature format like YARA is also easy to share among researchers and threat intelligence data feeds, ensuring that known malware is widely detected and the greatest number of computer users as possible are protected against known threats.
Even when vendors use proprietary signature formats, it is usually unproblematic to translate a signature from a public format like YARA to a vendor-specific format, since most signature-based formats have similar capabilities.
Disadvantages of Signature Based Detection
Signature-based detection has been the standard for most security products for many years and continues to play an essential role in fighting known, file-based malware, but today an advanced solution cannot rely solely upon or even primarily on file signatures for detection. Some of the reasons for this are the way threat actors have adapted to evade signature detection, and some are related to drawbacks inherent to scanning a file for specific attributes.
The first major drawback of using signatures to detect malware is that signatures can only be written after a malware sample has already been seen. This means that any solution that relies solely on signatures will always be one step behind the latest attacks.
The second major problem resides in the fact that today unique malware samples are created at such a rapid rate that writing enough effective signatures is not a realistic goal. This is part of the reason why so many signature-based solutions fail to catch known malware.
Even without those two significant issues to contend with, there are other problems for signature-based detection. Not least among these are that many attacks today are fileless, meaning that the malicious code is executed in-memory rather than by launching a malicious executable.
Moreover, the efficacy of a signature is proportional to the number of different samples of malware that share the same attributes used in the signature. If analysts only have a small set of samples – or sometimes only a single sample – to work from, the signature’s efficacy is both limited and prone to false positives: detecting non-malicious code that may have the same attributes.
As noted above, signatures can contain conditions such as only matching a file below a specific file size. Vendors often use the ‘filesize’ condition in static signatures for performance reasons: the larger the file, the more resources it takes to scan. While limiting the files to be examined by size is suitable for performance, it is a drawback that can quickly help malware authors who have been known to bloat files with garbage code to avoid being detected.
Another severe drawback to signature-based detection is the use of compression and packing by malware authors. These technologies mean that the file’s attributes are hidden from a static scanner and only become apparent once the packed or compressed file is executed. While some vendor engines take account of this and include their own unpackers for common technologies like UPX, malware authors always have more custom packers and compression methods at their disposal than detection engines can incorporate.
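As an added example (not code from the article or from Armantec), the following Python re-implements the rule condition described earlier, Mach-O type, filesize under 200KB and all hex-encoded strings present, over a constructed byte sample, and then shows why the file-size limit and packing drawbacks discussed above defeat it. The rule strings, the XOR "packer" stub and the sample bytes are all hypothetical.

```python
# Added example (not from the article or Armantec): a toy re-implementation of
# the YARA conditions described above, followed by two cases showing why the
# 'Disadvantages' section calls size limits and packing weak points.
# All sample bytes are constructed; nothing here is real malware.

# Mach-O magic numbers as stored on disk (32/64-bit, both byte orders) plus the
# universal ("fat") header. Checking only the magic simplifies YARA's detection.
MACHO_MAGICS = {
    bytes.fromhex(m) for m in ("feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe")
}
MAX_SIZE = 200 * 1024  # the 'filesize < 200KB' condition from the rule

def to_yara_hex(text: str) -> str:
    """Encode a readable string in YARA's { 68 65 6c ... } hex-string form."""
    return "{ " + " ".join(f"{b:02x}" for b in text.encode()) + " }"

def from_yara_hex(hex_string: str) -> bytes:
    """Decode a YARA hex string back to the raw bytes it matches."""
    return bytes.fromhex(hex_string.strip("{} ").replace(" ", ""))

# Hypothetical rule strings; all of them must be present, as in the article.
RULE_STRINGS = [to_yara_hex(s) for s in ("hello, world", "/tmp/.cache", "POST /api/")]

def rule_matches(data: bytes) -> bool:
    """Condition: Mach-O AND filesize < 200KB AND all of the rule strings."""
    is_macho = data[:4] in MACHO_MAGICS
    small_enough = len(data) < MAX_SIZE
    all_strings = all(from_yara_hex(h) in data for h in RULE_STRINGS)
    return is_macho and small_enough and all_strings

# Constructed stand-in for a 64-bit Mach-O sample: magic, filler, the strings.
SAMPLE = bytes.fromhex("cffaedfe") + b"\x00" * 64 + b"hello, world\x00/tmp/.cache\x00POST /api/\x00"

def padded(data: bytes) -> bytes:
    """Drawback 1: the same file bloated with junk bytes past the size limit."""
    return data + b"\x00" * MAX_SIZE

def packed(data: bytes) -> bytes:
    """Drawback 2: a crude 'packer' stub that XOR-encodes the body, so the rule
    strings are invisible to a static scan until the file decodes itself at run time."""
    return bytes.fromhex("cffaedfe") + b"STUB" + bytes(b ^ 0x5A for b in data)

if __name__ == "__main__":
    print("original:", rule_matches(SAMPLE))          # True
    print("padded  :", rule_matches(padded(SAMPLE)))  # False: filesize condition fails
    print("packed  :", rule_matches(packed(SAMPLE)))  # False: strings are hidden
```

Running the script shows the rule firing on the plain sample and silently missing the two transformed copies, which is exactly the gap a behavioural layer has to cover.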
Even when signature-based detections work as intended, the strength of the signature relies on how time-expensive the signature makes it for malware authors to refactor their code to avoid the signature. Signatures are weaker to the extent they look for characteristics that the authors can easily change.
Moreover, public signatures have a limited shelf-life, given that threat actors can also see the detection logic and adapt their malware accordingly. This is why some intelligence is only shared privately among law enforcement and trusted vendors. It is also one reason why most security solutions hide their static signatures from prying eyes through encryption. Even so, the other drawbacks mentioned above mean that signature-based detection is not sufficient to deal with today’s malware threats.
Moving Beyond Signature Based Detection
Vendors like SentinelOne and Armantec realized from the outset that signature-based detection was insufficient to protect endpoints not only from commodity malware but also from targeted attacks. Rather than relying on file characteristics to detect malware, Armantec developed machine learning algorithms and behavioural AI that examine what a file does or will do upon execution.
Conclusion: Detecting malware using a file signature has been a staple of security vendors for decades. Both vendors and analysts will continue to use file signatures to characterize and hunt for known file-based malware. The technique provides both simplicity and a common framework for describing malware and sharing intelligence.
However, for endpoint security vendors, signature-based detection must be supplemented with more advanced detection layers that are not restricted by either the mode of execution (file-based or fileless) or the implementation. Contact us for more information or request a free demo if you want to see how Armantec can help your organization detect malware, known and novel, reliably and at machine speed.
Such an approach solves the most serious drawbacks associated with signature detection. To begin with, harnessing the power of computer processors and machine learning algorithms takes the burden off analysts having to write individual signatures for new malware families.
More importantly, behavioural AI can recognize both known and novel malware that has never been seen before. Regardless of the implementation, all malware and malware authors have a finite set of objectives: to achieve persistence, exfiltrate data, communicate with a command-and-control server, and so on. By training our models on attacker objectives rather than malware implementation, we can catch threats regardless of their construction. It is always better to have “overlapping security tools/controls” that are fully custom-made and have no presence on the surface web.
Author: RED Team of Armantec, led by Shamsher Bahadur – Cyber Security Practice Head.
This article has been submitted by Armantec Systems Pvt Ltd (www.armantecsystems.com), a Noida-based Threat Intelligence & RED Teaming consulting firm, with a prime focus on custom and overlapping ransomware and malware attack solutions for Critical Information Infrastructures (CIIs).