• Installing rootkits
• Registering for autostart
• Shutting down or disabling system services
• Downloading and installing unknown software
• Deleting, altering, or adding system files
• Modifying other executable programs
• Connecting with known malicious sites
• Encrypting files that are unrelated to the program
• Adding or modifying user accounts
• Dynamic code building to enhance evasion capabilities
• Executing a dropped file
• Spawning PowerShell processes
• Performing any actions that are highly abnormal
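As an added example (not code from the Cyber Warnings article or any product it describes), the following Python sketch shows how a behavior-based engine turns a sandbox event trace into a verdict: each rule looks for one of the behaviors listed above and contributes a weight, and the sum is compared to a threshold. The event format, the rule weights, the threshold and the "known bad" host list are all assumptions made for illustration; the trace itself is constructed.

```python
# Added example, not code from the Cyber Warnings article: a minimal
# behavior-based scoring engine over a constructed sandbox event trace.
# Event format, rule weights, threshold and the "known bad" list are assumptions.
import ntpath

# Hypothetical threat-intel entry; 203.0.113.0/24 is a documentation range (RFC 5737).
KNOWN_BAD_HOSTS = {"203.0.113.7"}

# Registry locations whose modification counts as registering for autostart
# (lowercase prefixes; Run and RunOnce both match).
AUTOSTART_PREFIXES = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
)

# Constructed trace: (event_type, details). Modeled loosely on what an
# agent-based sandbox records, not on any product's real log format.
SAMPLE_TRACE = [
    ("process_start", {"image": "C:\\Users\\a\\invoice.exe", "parent": "explorer.exe"}),
    ("file_write",    {"path": "C:\\Users\\a\\AppData\\Roaming\\svc.exe"}),
    ("registry_set",  {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
                       "value": "C:\\Users\\a\\AppData\\Roaming\\svc.exe"}),
    ("process_start", {"image": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "parent": "invoice.exe"}),
    ("process_start", {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       "parent": "svc.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"}),
    ("net_connect",   {"host": "203.0.113.7", "port": 443}),
    ("file_write",    {"path": "C:\\Users\\a\\Documents\\budget.xlsx.locked"}),
    ("file_write",    {"path": "C:\\Users\\a\\Documents\\plan.docx.locked"}),
    ("file_write",    {"path": "C:\\Users\\a\\Documents\\notes.txt.locked"}),
]


def score_trace(trace, known_bad=KNOWN_BAD_HOSTS):
    """Return (score, hits) where hits maps a behavior name to its weight."""
    hits = {}
    written = set()     # paths the sample wrote; a later execution of one is a "dropped file"
    renamed_docs = 0    # user documents rewritten with a new extension (crude encryption signal)
    for etype, d in trace:
        if etype == "file_write":
            path = d["path"].lower()
            written.add(path)
            if "\\documents\\" in path and path.endswith(".locked"):
                renamed_docs += 1
        elif etype == "registry_set":
            if d["key"].lower().startswith(AUTOSTART_PREFIXES):
                hits["registering for autostart"] = 3
        elif etype == "process_start":
            image = d["image"].lower()
            if image in written:
                hits["executing a dropped file"] = 4
            if ntpath.basename(image) == "powershell.exe":
                # An encoded command line is a stronger signal than PowerShell alone.
                encoded = "-enc" in d.get("cmdline", "").lower()
                hits["spawning PowerShell"] = 5 if encoded else 3
        elif etype == "net_connect":
            if d["host"] in known_bad:
                hits["connecting with a known malicious site"] = 4
    if renamed_docs >= 3:
        hits["encrypting files unrelated to the program"] = 5
    return sum(hits.values()), hits


def verdict(score, malicious_at=8, suspicious_at=4):
    # Thresholds are illustrative; a real engine would tune them on labelled traces.
    if score >= malicious_at:
        return "malicious"
    return "suspicious" if score >= suspicious_at else "benign"


if __name__ == "__main__":
    total, hits = score_trace(SAMPLE_TRACE)
    for name, weight in hits.items():
        print(f"[{weight}] {name}")
    print(f"score={total} verdict={verdict(total)}")
```

Note that no single rule decides the outcome: a lone PowerShell launch from a document reader is suspicious, but it is the combination of persistence, a dropped executable, an encoded command line, a known bad host and mass rewriting of user files that drives the score past the threshold.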
Evaluating an object for malicious behavior as it executes is known as dynamic analysis. Threat
potential, or malicious intent, can also be assessed by static analysis, which looks for dangerous
capabilities in the object's code and structure (imported functions, embedded strings, section
layout, and the like) without running it.
Static analysis is fast and is often performed before dynamic analysis. It is also useful for
finding malicious capabilities in code paths that may never execute during dynamic analysis, for
example a payload that only fires on a particular date or against a particular target. Dynamic
analysis monitors actual behavior and catches malicious actions that static analysis misses,
including code that is packed or obfuscated and only decoded at runtime. Both approaches have their
advantages, and both are important for behavior-based malware detection.
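The following Python sketch is an added example (not code from the Cyber Warnings article) of the static side of that division of labor: a "strings"-style pass over a binary to find dangerous API names, plus a byte-entropy check that recognizes when the real code is hidden behind packing or encryption and therefore has to be handed off to dynamic analysis. The API-to-capability map, the entropy threshold and both sample blobs are constructed for illustration; a real scanner would parse the PE import table rather than grep for strings.

```python
# Added example, not code from the Cyber Warnings article: a toy static
# "capability" scan. The API-to-capability map and the sample blobs are
# constructed for illustration; real scanners parse the PE import table
# rather than grepping for strings.
import math
import random
import re

CAPABILITIES = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "persistence":       {"RegSetValueExA", "RegSetValueExW"},
    "network":           {"InternetOpenUrlA", "WinHttpOpenRequest", "connect"},
    "anti-analysis":     {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, approaching 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ascii_strings(data: bytes, min_len: int = 5):
    """Printable-ASCII runs of at least min_len bytes (the classic 'strings' pass)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_capabilities(data: bytes):
    seen = set(ascii_strings(data))
    return {cap: sorted(seen & apis) for cap, apis in CAPABILITIES.items() if seen & apis}


def static_verdict(data: bytes, packed_entropy: float = 7.2):
    """Capabilities found plus a packing heuristic: high entropy with no readable
    imports means the real code is hidden until it runs, which is exactly the
    case static analysis has to hand off to dynamic analysis."""
    caps = find_capabilities(data)
    ent = shannon_entropy(data)
    return {"capabilities": caps,
            "entropy": round(ent, 2),
            "likely_packed": ent > packed_entropy and not caps}


# Constructed sample 1: an unpacked binary with a readable import-name table.
PLAIN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64
                + b"\x00".join([b"kernel32.dll", b"VirtualAllocEx", b"WriteProcessMemory",
                                b"CreateRemoteThread", b"IsDebuggerPresent",
                                b"advapi32.dll", b"RegSetValueExW"])
                + b"\x00" * 64)

# Constructed sample 2: the same header followed by a pseudo-random blob, standing
# in for a packed or encrypted payload (seeded so the run is repeatable).
_rng = random.Random(1337)
PACKED_SAMPLE = b"MZ\x90\x00" + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, static_verdict(blob))
```

The plain sample yields injection, persistence and anti-analysis capabilities in microseconds, which is why this pass runs first; the packed sample yields nothing but a high entropy figure, which is the signal to spend sandbox time on it.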
While no solution is one hundred percent foolproof, behavior-based detection is the leading
technology today to uncover new and unknown threats in near real-time. Some examples of
where behavior-based technology succeeds when signature-based systems fail are:
• Protecting against new and unimagined types of malware attacks
• Detecting an individual or one-time instance of malware targeted at one organization or
one person
• Identifying what the malware will do in a specific environment when files are opened
• Obtaining comprehensive information about the malware, helping analysts classify the
object and respond appropriately to potential threats
There are, however, a few important limitations to be aware of.
• If malware determines it is running in a sandbox, it will try to avoid detection by curtailing
its malicious activity, for instance by exiting early, idling, or running only a benign decoy path.
It is critical that a sandbox remain undetectable, and most fail to do this.
• It takes time to analyze the behavior of an object. While static analysis can be performed in
real time, dynamic analysis introduces latency while the object is exercised. The ability to detect
stalling code (long or repeated sleeps, busy loops, and timing checks that delay the payload until
the analysis window expires) is an important feature for maintaining high throughput.
• Some behavior-based malware detection requires more hardware resources than
signature-based detection.
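The first two limitations above are the ones a sandbox can actively counter. As an added example (not code from the Cyber Warnings article or any sandbox product), the Python below runs two heuristics over constructed API traces: one flags calls whose only plausible purpose is to fingerprint the environment, the other flags a sample that spends its analysis window sleeping or reading the clock, and a final helper shows what sleep-skipping buys in wall time. The trace format (milliseconds since start, API name, arguments), the API lists, the 120-second analysis budget and every threshold are assumptions for illustration.

```python
# Added example, not code from the Cyber Warnings article: sandbox-side
# heuristics for sandbox-detection and stalling, run over constructed API traces.
# The trace format (ms_since_start, api_name, args), the API lists and the
# thresholds are assumptions for illustration, not any real sandbox's.

ANALYSIS_BUDGET_MS = 120_000          # hypothetical per-sample analysis window
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
TIMING_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter", "NtQuerySystemTime"}
FINGERPRINT_APIS = {                  # what an evasive sample learns from each call
    "GetSystemInfo": "CPU count",
    "GlobalMemoryStatusEx": "physical RAM size",
    "GetDiskFreeSpaceExW": "disk size",
    "GetAdaptersAddresses": "NIC vendor / MAC prefix",
}
VM_MARKERS = ("vbox", "vmware", "virtualbox", "qemu", "xen")


def build_stalling_trace(budget_ms=ANALYSIS_BUDGET_MS):
    """Constructed trace: environment fingerprinting, then a loop of short sleeps that
    runs out the analysis clock without ever doing anything overtly malicious.
    Short sleeps are used on purpose: a sandbox that only skips long sleeps misses them."""
    trace = [
        (0, "GetSystemInfo", {}),
        (1, "GlobalMemoryStatusEx", {}),
        (2, "RegOpenKeyExW", {"key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest"}),
        (3, "GetAdaptersAddresses", {}),
    ]
    t = 4
    while t < budget_ms:
        trace.append((t, "GetTickCount64", {}))
        trace.append((t + 1, "Sleep", {"ms": 1000}))
        t += 1001
    return trace


# Constructed contrast: a document reader doing ordinary work with one short sleep.
BENIGN_TRACE = [
    (0, "CreateFileW", {"path": "C:\\Users\\a\\report.docx"}),
    (5, "ReadFile", {}),
    (9, "Sleep", {"ms": 100}),
    (110, "WriteFile", {}),
    (115, "CloseHandle", {}),
]


def detect_fingerprinting(trace):
    """Calls whose only plausible purpose is to decide whether this is a sandbox or VM."""
    findings = []
    for _t, api, args in trace:
        if api in FINGERPRINT_APIS:
            findings.append(f"{api}: {FINGERPRINT_APIS[api]}")
        key = args.get("key", "").lower()
        if api.startswith("RegOpenKey") and any(m in key for m in VM_MARKERS):
            findings.append(f"{api}: VM artifact probe ({args['key']})")
    return findings


def detect_stalling(trace, budget_ms=ANALYSIS_BUDGET_MS, sleep_fraction=0.5, idle_run=50):
    """Flag a sample that spends the analysis window sleeping or reading the clock."""
    total_sleep = sum(a.get("ms", 0) for _t, api, a in trace if api in SLEEP_APIS)
    longest = run = 0
    for _t, api, _a in trace:
        run = run + 1 if (api in SLEEP_APIS or api in TIMING_APIS) else 0
        longest = max(longest, run)
    return {
        "total_sleep_ms": total_sleep,
        "sleep_fraction": round(total_sleep / budget_ms, 2),
        "longest_idle_run": longest,
        "stalling": total_sleep / budget_ms >= sleep_fraction or longest >= idle_run,
    }


def sleep_skip_budget(trace, max_real_ms=50):
    """Cost of countering the stall: real wall time spent if every Sleep is capped at
    max_real_ms, versus the time the sample must be told has elapsed (a virtual clock
    advanced by the full request, so the sample's own GetTickCount checks stay consistent)."""
    real = virtual = 0
    for _t, api, args in trace:
        if api in SLEEP_APIS:
            requested = args.get("ms", 0)
            real += min(requested, max_real_ms)
            virtual += requested
    return real, virtual


if __name__ == "__main__":
    stall = build_stalling_trace()
    print(detect_fingerprinting(stall))
    print(detect_stalling(stall), detect_stalling(BENIGN_TRACE))
    print(sleep_skip_budget(stall))
```

The stalling trace requests 120 seconds of sleep in one-second pieces; capping each call at 50 ms costs the sandbox six seconds of real time instead of the whole window. The caveat is that the cap must be paired with a consistent virtual clock across every time source the sample can read; if only Sleep is shortened and GetTickCount still reports real time, the mismatch is itself a sandbox tell.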
13 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide