Cyber attackers use sneaky tricks to evade detection. This post reviews the classes of attacks that bypass detection.
We often interact with customers that are a bit puzzled by what we do. They already have a cybersecurity software on their endpoint, an AV and a firewall. Why would they need anything more?
Preventive vs Detective Security Controls
While AV detects malicious code, it really should be viewed as a preventive measure.
Most modern AV software will run any unknown code in an emulator to see what it does before letting it run on the system. If the AV finds any malicious pattern in the code, it will block execution rather than let it through.
AV is much better at finding malware before it runs on the computer than after.
Once malware has run, it can hide from the AV. That’s why you often have to unhook the persistence mechanism of a running malware before it can be successfully detected after the fact by AV.
Isn’t preventing the infection much better than detecting it and having to clean it after the fact?
Well, yeah. However, that preventive power is not free. The main drawback to preventive measures is that the cost of false positives is much greater.
The Cost of False Positives
How would you like it if a Windows patch essentially made your computer unusable because your AV thought it was malicious software? Or you couldn’t update to the latest version of a product because your AV thinks it’s malicious?
Most preventive measures go to great lengths to avoid false positives. As discussed in the post about alert fatigue, the trade-off for less false positives is more missed malicious events. In other words, to avoid blocking legitimate users from doing legitimate stuff, AV lets malware though by design.
A second layer, one that can be less strict with false positives because it doesn’t proactively block anything, needs to be added.
Layered Detective Controls
The use of layering detective controls to address the risks that cannot be prevented is a tried-and-true approach.
In fact, in every heist movie you have ever seen, the item that they have to steal is not only protected by locked doors and biometric access controls (preventive controls), but also by security cameras and alarm systems (detective controls). Nobody in the physical realms thinks they shouldn’t install security cameras because they don’t stop robbers. Nor do they think that the security cameras should have guns mounted on them to “remediate” incidents immediately (although, I’m sure we could find advocates for that one…)
In that sense, EDR should be seen as a 2nd layer of detection in the same vein as a security camera.
Modern AV Detection
Now that we’ve established why AV lets things through, we can look at the techniques AV uses to detect threats.
The common point of all of these techniques is that they can be tuned to produce a very small number of false positives. There are three main techniques for detection:
- Signature-based detection
- Heuristic-based detection
- Threat intelligence/reputation engines
Let’s go over the first two detection techniques and their bypass methods. The third technique will be covered in a future post where we will talk about operational security for malware operators (and how defenders can use it to their advantage).
The signature-based detection is how AV used to work. People still think they work this way.
In this paradigm, the detection is based on a unique property of the malware. For example, its cryptographic hash (which is unique for each program) or a special string of characters inside the code. This method of detection is very fast and extremely reliable when detecting known samples (given that suitable care is made in generating the detection string).
Unfortunately, this method is easy to bypass by creating unique variants. In fact, creating variants is so easy that it is the single cause behind the explosion in the malware statistics.
Polymorphism, as applied to software, is the ability to take many forms. In software, there is usually many paths that lead to the same destination. For example, let’s say you have an inventory of apples and oranges and you want to know to the total number of fruits. You could take a straightforward approach like this:
Fruits = apples + oranges
However, you could also get the same result with the following:
Fruits = 2*apples + oranges – apples
While both of these equations are structurally different, they are functionally the same. That is why, when using polymorphism, you can easily create two distinct programs with the same functionality. Now two signatures are needed for the same malware.
Obfuscation is a subset of polymorphism that, in addition to keeping the same functionality, makes the decoded program harder to read. For a good example of obfuscation in action, refer to the Powershell example in our Emotet blog post.
Heuristic-based detection is the AV answer to the exploding volume of malware that came with polymorphism.
In the general sense, a heuristic is a rule of thumb that is not guaranteed to give the correct answer, but usually gives one that is close enough to the true solution.
What does that have to do with detecting malware? To answer the question, we must make an unfortunate detour in the realm of computational complexity.
Detection Lessons from Computer Science
Let’s say you wanted to buy a car and want to make sure you bought the best car available on the market for the best price. You can take into account, car price, fuel economy, reliability, safety, comfort, number of seats compounded by the number of children you are statistically expected to have, etc.
The number of combination of criteria can quickly become overwhelming but would be the only method where you could be absolutely certain to get the best car for the price.
You could also make a spreadsheet with all the car reviews and the price and easily get the result for the best star to dollar ratio and buy that car. While the choice is not guaranteed to be the best, it would be close enough (heuristic).
In computing science, problems are evaluated based on the complexity of the program that can be used to find the exact solution in relation to the possibility space of answers. Some problems are “easy” to solve while other are “hard”.
When you hear that someone cannot crack their encryption solution within the lifetime of the universe with current computing software, you can guess that this is a “hard” problem.
Finding if two pieces of non-identical code have the same functionality (eg. does this software look a lot like this known malware sample) is one of those “hard” problems. It is not possible to know for sure, hence the use of heuristics to find “pretty good” solutions in a short period of time.
Strategy 1: Wait it Out
The first strategy to beat a heuristic detection is usually to just wait for a while.
Imagine you launch your new accounting software, the AV launches it in an emulator, and then you need to wait for three days for the AV to tell you if it’s safe to run or not.
That is obviously ridiculous.
One of the most frequently used techniques to evade detection is for malware to adopt a waiting period. Then, when the emulation system recording the behaviour of the malware asks itself if it saw any behaviour that look like bad patterns yet, the answer will be no.
In fact, it seems like the program under inspection didn’t do anything! Clearly, there is no danger present.
Strategy 2: Alter Behaviour
The second trick is similar to the first. Malicious software will use tricks to detect that it is under inspection, and alter its behaviour to just perform innocuous actions. Then, when the malware is allowed to run on the real machine, it will be free to be its malicious self.
Strategy 3: Abuse Known Good Software
Finally, one of the best methods to avoid detection is to abuse known good software that is already present on the system to perform your malicious actions. Your antivirus software will never flag the Powershell program, it is a critical component of the Windows operating system. However, it can be leveraged to perform malicious actions as was demonstrated in previous post about Emotet. This is the so-called living-off-the-land attacks and the explanation for why these attacks are becoming increasingly popular for the attackers.
When Threats Evade AV…CYDEF Protects Your Operation
Preventive security controls, like AV software, are incredible tools to defend your business. However, much like locked doors, savvy attackers know how to bypass these tools. Additional security controls are needed to address the residual risk.