Polymorphic Malware

Polymorphism changes its appearance in each instance of itself in order to avoid detection through common patterns and investigations (Hosmer, 2008). In the context of malware, polymorphic malware changes its signature so that modern anti-virus (AV) can't detect it by its pattern of behavior. This is a problem because even behavioral-based AV detection won't see this category of malware. This is especially dangerous when contending with ransomware or rootkits, which can hide from detection and become a major compromise the longer they remain on an organization's network and systems.
This is especially challenging because professionals can't rely on a common file name or a known malware signature to see that a machine in their environment is compromised. This means that AV needs to look in different places to detect this kind of malware. In the case of polymorphic malware, the decrypted code of the software is the same, which means that examining memory block hashes could lead to detection by looking at the memory remnants of the software itself.
Externally located behavioral-based solutions may also hold a key to detecting polymorphic malware. Though the actions it takes on a machine might be obfuscated, malware can't hide what it does over the network. When malware calls out to known malicious servers on the internet, usually command-and-control (C2) servers, most SIEM solutions are able to detect and log that kind of network traffic, and they can send alerts based on that information so that incident-response teams may act on it as fast as possible (Digital Guardian, 2019).
In a best-case scenario, you have an AV solution that also scans memory for signs of compromise and is able to detect this type of malware, and you also have a SIEM solution that alerts on the malware's C2 call-outs. This way you have indisputable proof from two different tools that there is a compromised machine, and this minimizes the chances of a false positive. In a worst-case scenario, neither solution sees the malware infection and the security team must rely on the end user to report the problem in order to find out there is malware on the enterprise network. Depending on the type of malware, the bad guys could have been on the network for months or even a year before they are detected.
Luckily, tools are coming out to help detect polymorphic malware by taking a whitelisting approach. For example, “Cylance Protect assumes that every malware will be a zero-day entity and looks for typical behaviors such as privilege escalation or running processes from within a browser page as part of its procedures” (Strom, 2015). As anti-malware tools become more sophisticated so as to keep up with the growing sophistication of malware, so too must the security professional become more knowledgeable about the new malware detection-avoidance techniques so that they aren't completely reliant on the tools they use.
References
Digital Guardian. (2019). Definition of Polymorphic Malware. Retrieved from Digital Guardian: https://digitalguardian.com/blog/what-polymorphic-malware-definition-and-best-practices-defending-against-polymorphic-malware
Hosmer, C. (2008). Polymorphic & Metamorphic Malware. Retrieved from BlackHat: https://www.blackhat.com/presentations/bh-usa-08/Hosmer/BH_US_08_Hosmer_Polymorphic_Malware.pdf
Strom, D. (2015, October 16). What Is Polymorphic Malware and Why Should I Care? Retrieved from Security Intelligence: https://securityintelligence.com/what-is-polymorphic-malware-and-why-should-i-care/

Metamorphic and polymorphic malware are two categories of malicious software programs (malware) that have the ability to change their code as they propagate.
A metamorphic virus is a type of malware that is capable of changing its code and signature patterns with each iteration.
Metamorphic viruses are considered to be more advanced threats than typical malware or even polymorphic viruses. Metamorphic virus authors use techniques to disguise their malicious code in order to avoid detection from antimalware and antivirus programs, as well as make attribution of the malware more difficult.
Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one. The code changes make it difficult for signature-based antivirus software programs to recognize that different iterations are the same malicious program.
In spite of the permanent changes to code, each iteration of metamorphic malware functions the same way. The longer the malware stays in a computer, the more iterations it produces and the more sophisticated the iterations are, making it increasingly hard for antivirus applications to detect, quarantine and disinfect.
Polymorphic malware also makes changes to code to avoid detection. It has two parts, but one part remains the same with each iteration, which makes the malware a little easier to identify.
For example, a polymorphic virus might have a virus decryption routine (VDR) and an encrypted virus program body (EVB). When an infected application launches, the VDR decrypts the encrypted virus body back to its original form so the virus can perform its intended function. Once executed, the virus is re-encrypted and added to another vulnerable host application. Because the virus body is not altered, it provides a kind of complex signature that can be detected by sophisticated antivirus programs.
In another example, a new key might be randomly generated with each copy to change the appearance of the encrypted virus body — but the virus decryption routine would remain constant. In either scenario, it is the static part of the code that makes it possible for an anti-virus program to identify the presence of malware.
Metamorphic malware is considered to be more difficult to write than polymorphic malware. The author may use multiple transformation techniques, including register renaming, code permutation, code expansion, code shrinking and garbage code insertion. Consequently, advanced techniques such as generic decryption scanning, negative heuristic analysis, emulation and access to virtualization technologies are required for detection.
https://searchsecurity.techtarget.com/definition/metamorphic-and-polymorphic-malware
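The decryptor-plus-encrypted-body layout described in the two examples above, together with the memory-hash idea from the first post, as an added example in Python. This is not code from the page, the TechTarget article or any AV vendor; the decryptor stub bytes, the body text and the use of repeating-key XOR as the cipher are constructed placeholders, and nothing here is real malware. It shows why a whole-file hash misses every re-keyed copy, while the constant decryptor bytes and the hash of the decrypted body in memory both still match.

```python
"""Toy model of a polymorphic virus: a constant virus decryption routine (VDR)
followed by a virus body (EVB) re-encrypted under a fresh random key for every
copy. Everything here is constructed for illustration (placeholder stub bytes,
placeholder body, XOR as the cipher); no real malware or AV engine is modelled."""
import hashlib
import os
from typing import Optional

# Constructed placeholder for the decryptor. A real VDR is machine code; here it
# is a fixed byte string that every sample carries verbatim, which is exactly
# what makes it usable as a static signature.
VDR_STUB = b"\x90<constructed-decrypt-stub>\x90"
KEY_LEN = 4

# Constructed placeholder for the plaintext virus body.
PLAIN_BODY = b"<constructed body: copy self into next host, then run payload>"


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the toy stand-in for the body cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_sample(key: Optional[bytes] = None) -> bytes:
    """One on-disk copy: VDR || key || XOR(body, key).
    A new key per copy changes the encrypted body (and so the file hash)
    while the VDR bytes stay the same."""
    if key is None:
        key = os.urandom(KEY_LEN)
        while key == bytes(KEY_LEN):   # an all-zero key would leave the body in clear
            key = os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN
    return VDR_STUB + key + xor(PLAIN_BODY, key)


def run_sample(sample: bytes) -> bytes:
    """What the VDR does at run time: read its key and decrypt the body into
    memory. The decrypted bytes are identical for every copy."""
    start = len(VDR_STUB)
    key = sample[start:start + KEY_LEN]
    return xor(sample[start + KEY_LEN:], key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- three detection strategies, in the order the text discusses them ----

def whole_file_hash_hit(sample: bytes, known_sample_hash: str) -> bool:
    """Signature on a previously seen copy's file hash. Misses every other
    copy, because each one is re-keyed."""
    return sha256(sample) == known_sample_hash


def decryptor_signature_hit(sample: bytes) -> bool:
    """Signature on the static part: the VDR bytes that never change."""
    return VDR_STUB in sample


def memory_hash_hit(decrypted_in_memory: bytes, known_body_hash: str) -> bool:
    """Hash the decrypted body as it sits in memory after the VDR has run."""
    return sha256(decrypted_in_memory) == known_body_hash


def demo(n: int = 5) -> dict:
    """Generate n copies and count how many copies each strategy catches."""
    samples = [make_sample() for _ in range(n)]
    first_hash = sha256(samples[0])     # "known bad" file hash taken from copy #1
    body_hash = sha256(PLAIN_BODY)      # "known bad" hash of the decrypted body
    return {
        "distinct_file_hashes": len({sha256(s) for s in samples}),
        "whole_file_hits": sum(whole_file_hash_hit(s, first_hash) for s in samples),
        "decryptor_hits": sum(decryptor_signature_hit(s) for s in samples),
        "memory_hits": sum(memory_hash_hit(run_sample(s), body_hash) for s in samples),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints five distinct file hashes, one whole-file hit, five decryptor hits and five memory hits. In a real engine the decryptor is also mutated between copies (register swaps, junk instructions), which is what pushes scanners toward the emulation and memory-scanning approaches the text describes.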
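The transformation list in the last paragraph (register renaming, code permutation, garbage code insertion), as an added toy example in Python that is not part of the page or the TechTarget article. The instruction set, the sample program and the transforms are all constructed for illustration, code expansion and shrinking are not modelled, and no real metamorphic engine is reproduced. The point it makes is the one in the text: every generation has a different text and hash, yet runs identically.

```python
"""Toy metamorphic engine for a tiny register machine. Each generation is
rewritten with register renaming, garbage-code insertion and permutation of
independent instructions, so the program text (and its hash) changes while the
behaviour does not. ISA, program and transforms are constructed for illustration."""
import hashlib
import random
from typing import List, Tuple

Instr = Tuple[object, ...]
REGS = ["r0", "r1", "r2", "r3"]

# Constructed sample program: emits (7 + 5) ^ 3 == 15
ORIGINAL: List[Instr] = [
    ("mov", "r0", 7), ("mov", "r1", 5), ("add", "r0", "r1"),
    ("mov", "r2", 3), ("xor", "r0", "r2"), ("out", "r0"),
]


def run(prog: List[Instr]) -> List[int]:
    """Interpreter; returns the values written by 'out'."""
    regs = {r: 0 for r in REGS}
    stack: List[int] = []
    out: List[int] = []
    for ins in prog:
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = ins[2]
        elif op == "add":
            regs[ins[1]] = (regs[ins[1]] + regs[ins[2]]) & 0xFF
        elif op == "xor":
            regs[ins[1]] ^= regs[ins[2]]
        elif op == "push":
            stack.append(regs[ins[1]])
        elif op == "pop":
            regs[ins[1]] = stack.pop()
        elif op == "out":
            out.append(regs[ins[1]])
        elif op != "nop":
            raise ValueError(f"unknown op {op}")
    return out


def fingerprint(prog: List[Instr]) -> str:
    """Hash of the program text: the 'signature' a scanner would match on."""
    text = "\n".join(" ".join(map(str, ins)) for ins in prog)
    return hashlib.sha256(text.encode()).hexdigest()


def rename_registers(prog, rng):
    """Apply one consistent register permutation to every operand."""
    perm = REGS[:]
    rng.shuffle(perm)
    m = dict(zip(REGS, perm))
    return [tuple(m.get(x, x) if isinstance(x, str) else x for x in ins) for ins in prog]


def insert_garbage(prog, rng):
    """Insert semantically inert fragments (nop, or push/pop of one register);
    at least one per generation, so the text is guaranteed to change."""
    out, inserted = [], 0
    for ins in prog:
        if rng.random() < 0.5:
            r = rng.choice(REGS)
            out.extend(rng.choice([[("nop",)], [("push", r), ("pop", r)]]))
            inserted += 1
        out.append(ins)
    if inserted == 0:
        out.insert(rng.randrange(len(out) + 1), ("nop",))
    return out


def _effects(ins):
    """(registers read, registers written, has side effect) for one instruction."""
    op = ins[0]
    if op == "nop":
        return set(), set(), False
    if op == "mov":
        return set(), {ins[1]}, False
    if op in ("add", "xor"):
        return {ins[1], ins[2]}, {ins[1]}, False
    if op == "pop":
        return set(), {ins[1]}, True
    return {ins[1]}, set(), True              # push, out


def _independent(a, b):
    ra, wa, sa = _effects(a)
    rb, wb, sb = _effects(b)
    if sa and sb:                              # never reorder stack/output ops
        return False
    return not (wa & (rb | wb)) and not (wb & ra)


def permute(prog, rng, passes=3):
    """Swap adjacent instructions that have no data or ordering dependency."""
    prog = list(prog)
    for _ in range(passes):
        for i in range(len(prog) - 1):
            if _independent(prog[i], prog[i + 1]) and rng.random() < 0.5:
                prog[i], prog[i + 1] = prog[i + 1], prog[i]
    return prog


def mutate(prog: List[Instr], seed: int) -> List[Instr]:
    """Produce the next generation deterministically from a seed."""
    rng = random.Random(seed)
    return permute(insert_garbage(rename_registers(prog, rng), rng), rng)


if __name__ == "__main__":
    print("original", fingerprint(ORIGINAL)[:16], run(ORIGINAL))
    gen = ORIGINAL
    for seed in range(5):
        gen = mutate(gen, seed)   # each generation is derived from the previous one
        print(f"gen {seed}", fingerprint(gen)[:16], run(gen), f"{len(gen)} instrs")
```

Because each generation is derived from the previous one, the listing grows and drifts further from the original with every iteration, which is why the text says detection needs emulation (run it and compare behaviour) rather than byte patterns.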

Peterson Discussion 7
by Asa Peterson – Wednesday, June 12, 2019, 7:01 PM

Hackers often are thought of in a negative light. However, hackers can perform both legal and illegal functions; it depends upon whether the actions were taken with or without authorization, the latter being considered illegal and malicious (Taylor, Fritsch, & Liederbach, 2015, p. 70). Malicious is defined as “having or showing a desire to cause harm to someone”; therefore, when a hacker uses malicious software it is with illegal or harmful intent (malicious, n.d.). Early forms of malware that appeared on mainframe systems were considered to be more of a nuisance than a threat to the system (Taylor, Fritsch, & Liederbach, 2015, p. 149). The rise of personal computers and the internet created new means by which systems could be exploited, causing damage to the systems themselves and to the user. Having evolved from prank scripts to a means of harming systems, a recent development in the motivation for malware creation is its use as a state-sponsored means of cyberwar. In 2010 a sophisticated virus named Stuxnet was discovered on industrial control systems responsible for such equipment as nuclear centrifuges. Discovered on 14 industrial sites in Iran, the level of sophistication has led researchers to believe that this was created with nation-state backing (Kushner, 2013). The nature of this discovery serves as a warning to all nations that malware is being developed to target civilian targets that can impact a nation's ability to defend itself or wage war.
While the motivation behind those developing the malware has changed over time, so have the means and resources available to combat the malware. In 2017, at the direction of the President, the United States Cyber Command was elevated to a unified combatant command (Garamone & Ferdinando, 2017). By centralizing resources and increasing the investments into capabilities and infrastructure, a clear sign has been sent to our allies and adversaries; the United States recognizes the threats posed by cyberspace and is taking steps to mitigate the risks (Garamone & Ferdinando, 2017, para. 7). While investments in defensive and offensive capabilities are a significant step for cyber professionals, it must be assumed that adversaries are also taking steps to stay ahead of malicious actors. Tools such as antivirus software are heavily dependent upon virus signature updates, which require a piece of malware to have been analyzed; they do not offer protection against an unknown virus (All about malware, n.d.). The rate at which software can be developed and deployed with state resources keeps defense professionals in a state of constant vigilance. The vast number of systems connected around the world provides would-be attackers with millions of potential victims that may never be aware they are infected; if not reported, the delayed investigation of the malware can increase the footprint of the infection and significantly delay analysis and mitigation for the malware. If not properly analyzed, a virus signature cannot be developed to combat the spread of the malware.
All about malware. (n.d.). Retrieved from malwarebytes: https://www.malwarebytes.com/malware/
Garamone, J., & Ferdinando, L. (2017, August 18). DoD Initiates Process to Elevate U.S. Cyber Command to Unified Combatant Command. Retrieved from dod.defense.gov: https://dod.defense.gov/News/Article/Article/1283326/dod-initiates-process-to-elevate-us-cyber-command-to-unified-combatant-command/
Kushner, D. (2013, Feb 26). The Real Story of Stuxnet. Retrieved from spectrum.ieee.org: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
malicious. (n.d.). Retrieved from merriam-webster: https://www.merriam-webster.com/dictionary/malicious
Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2015). Digital Crime and Digital Terrorism. Pearson.
CNCI vs. Malware
by Ronald Taylor – Wednesday, June 12, 2019, 5:35 PM

In order to understand the voluminous amount of malicious software being produced, investigators must understand the reasoning behind its creation. There are an infinite number of reasons that motivate a code writer to create code that would purposefully cause harm to an operating system or an individual. In some cases the attacker just wants to know if he or she is capable of doing it. There is no true nefarious intention, but the creator may be testing their skills. Shelby (2002) explains how some virus authors are seeking fame and fortune by becoming infamous, creating a piece of code so infectious that it is ranked among the most dangerous. In the early days of the Internet, viruses were not so much malicious as just annoying. Most viruses in those days were either an accident in the original code or spread via floppy disk. Taylor, Fritsch & Liederbach (2014) describe how the earliest viruses infected boot sectors and floppy disks, playing music or deleting letters in documents (p. 149). During this era there were not as many computing devices as there are today, which essentially expanded the area of contamination. As technology grew, the demand for faster and more functional devices grew as well, thus creating a broader audience for malicious code writers. With the emergence of cybercrime, law enforcement has instituted a number of initiatives strategically aimed at thwarting these threats. The first step for investigators is to identify the malicious software and possible motives. Once investigators have identified the threat they are in a position to counter these actions by turning would-be attackers' tactics against them. In 2009 the executive branch authorized the Comprehensive National Cybersecurity Initiative to “work closely with state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy” (Whitehouse.gov, 2009). This multi-agency approach creates an open dialog between each echelon of law enforcement, ensuring gaps are closed and allowing investigators to proactively pursue cyber criminals. Unfortunately, law enforcement agencies are hampered by opponents of this policy citing that the government is intruding on civil liberties and violating civil rights. They also cite a lack of transparency due to the level of classification, precluding Congressional oversight as to how these agencies actually implement these policies.

References
Shelby, D. (2002, May 21). The Viral Mind: Understanding the Motives of Malicious Coders. Symantec Connect. Retrieved from https://www.symantec.com/connect/articles/viral-mind-understanding-motives-malicious-coders
Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2014). Viruses and malicious Code. In Digital Crime and Digital Terrorism (3rd ed., p. 149). Upper Saddle River, NJ: Prentice Hall.
Whitehouse.gov. (2009, May). The Comprehensive National Cybersecurity Initiative. Retrieved from https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative
