threats, fewer organizations are successfully discovering and then reporting these highly targeted attacks, making information about new attacks less available for informing signature-based solutions.
Don’t Wait for Signatures
Verifying that a new file is malicious and adding its signature to a database of known malware is complicated and usually takes several days, and often the malware has already evolved by then. The Cisco 2017 Annual Cybersecurity Report found that up to 95% of the malware files it analyzed were less than 24 hours old, indicating a very fast “time to evolve.” The delay in identifying new forms of malware leaves corporations exposed to serious damage.
Modern malware will often strike immediately, inflicting incredible damage in a short period of time. Jigsaw, a particularly nasty form of ransomware, starts deleting files within 24 hours. HDDCryptor, another ransomware monster, infected 2,000 systems at the San Francisco Municipal Transport Agency before it was detected. Remaining vulnerable to infection while waiting for a signature is very risky.
Another major problem with signature-based malware detection is that today’s advanced
malware can alter its signature to avoid detection. Signatures are created by examining the
internal components of an object. Malware authors simply modify these components while
preserving the object’s functionality and behavior. There are multiple transformation techniques,
including code permutation, register renaming, expanding and shrinking code, and the insertion
of garbage code or other constructs.
Another example that has seen a significant increase over the past few years is metamorphic malware, which automatically rewrites itself with each new instance or infection.
Behavior-based Malware Detection
Behavior-based malware detection evaluates an object by its intended actions before it can
actually execute that behavior. This is typically accomplished by activating it within an isolated
environment such as a sandbox.
An object’s behavior, or in some cases its potential behavior, is analyzed for suspicious
activities. Any attempt to perform actions that are clearly abnormal or unauthorized would
indicate the object is malicious, or at least suspicious.
There are many behaviors that point to potential danger. Here are some examples:
• Any attempt to discover a sandbox environment
• Disabling anti-virus or other security controls
• Modifying the boot record or other initialization files to alter boot-up
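As an added example (not from the article), the following Python contrasts the two approaches: an exact-hash signature check misses a variant with filler bytes inserted, while behavior rules built from the three categories listed above still flag its sandbox trace. The byte samples, trace events, rule names and service names are all constructed for illustration.

```python
import hashlib

# Constructed, inert byte strings: a known sample and a variant with filler
# bytes inserted (the "garbage code" transform described in the article).
ORIGINAL = b"MZ\x90\x00SAMPLE-BODY"
VARIANT = b"MZ\x90\x00SAMPLE" + b"\x90" * 8 + b"-BODY"
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}  # the "signature database"
SECURITY_SERVICES = {"windefend", "mpssvc"}  # constructed example service names

# One rule per behavior category the article lists; each is a predicate over a
# sandbox-recorded (api, target) event. Rule names are hypothetical.
BEHAVIOR_RULES = {
    # Any attempt to discover a sandbox environment
    "sandbox_discovery": lambda api, t: api == "RegQueryValue" and "VBOX" in t.upper(),
    # Disabling anti-virus or other security controls
    "disable_security": lambda api, t: api == "ServiceStop" and t.lower() in SECURITY_SERVICES,
    # Modifying the boot record via a raw write to the physical disk
    "boot_tamper": lambda api, t: api == "WriteRaw" and t.upper().startswith(r"\\.\PHYSICALDRIVE"),
}

# Constructed sandbox traces: what each object did when run in isolation.
VARIANT_TRACE = [
    ("CreateFile", r"C:\Users\victim\report.docx"),
    ("RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion=VBOX"),
    ("ServiceStop", "WinDefend"),
    ("WriteRaw", r"\\.\PhysicalDrive0"),
]
BENIGN_TRACE = [
    ("CreateFile", r"C:\Users\victim\report.docx"),
    ("RegQueryValue", r"HKCU\Software\Microsoft\Office\16.0\Common"),
]

def signature_match(blob: bytes) -> bool:
    """Signature-based check: exact SHA-256 lookup against known-bad hashes."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_HASHES

def behavior_hits(trace) -> dict:
    """Behavior-based check: count trace events matching each rule."""
    hits = {}
    for api, target in trace:
        for name, rule in BEHAVIOR_RULES.items():
            if rule(api, target):
                hits[name] = hits.get(name, 0) + 1
    return hits

def classify(blob: bytes, trace) -> dict:
    """Run both checks; the variant defeats the signature but not the rules."""
    return {"signature": signature_match(blob), "behavior": bool(behavior_hits(trace))}
```

Running `classify(VARIANT, VARIANT_TRACE)` reports the signature miss alongside the behavior hit, which is the gap the article describes.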
12 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide