Roughly a third of malware sent to a virtualized environment for analysis is able to elude detection, a security expert says.
Security vendors sell virtualized appliances that run suspicious applications and analyze their behavior in order to identify malware, determine how it entered a network and then plug the vulnerabilities it used. In the few years this technology has been in use, cybercriminals have found ways to make their malware appear benign in such environments.
“Overall, there are so many ways malware can uncover it is inside a virtual environment that it is practically impossible to completely obscure from malware that it’s running inside a virtualized environment,” Gunter Ollmann, vice president of research at malware analysis company Damballa, said Tuesday. Damballa’s customers include telcos, internet service providers and Fortune 1000 companies.
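The checks Ollmann alludes to are concrete and cheap for malware to run. The following Python is an added example, not code from the article or from Damballa, that mirrors the most common ones against a description of the host so a sandbox operator can see which tells their environment leaks. The hypervisor DMI strings, MAC OUI prefixes, guest-tool process names and the resource and uptime thresholds are assumptions drawn from widely documented hypervisor fingerprints; the two host dictionaries are constructed, not real data.

```python
# Indicators malware commonly checks to decide it is running inside a
# virtual machine or analysis sandbox. The lists are assumptions based on
# widely documented hypervisor fingerprints, not taken from the article.
VIRTUAL_DMI_STRINGS = ("vmware", "virtualbox", "qemu", "kvm", "xen",
                       "virtual machine", "bochs", "parallels")
VIRTUAL_MAC_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:16:3e": "Xen",
    "00:1c:42": "Parallels", "00:15:5d": "Hyper-V",
}
GUEST_TOOL_PROCESSES = ("vmtoolsd", "vboxservice", "vboxtray",
                        "prl_tools", "xenservice")


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """True if /proc/cpuinfo-style text lists the 'hypervisor' flag
    (CPUID leaf 1, ECX bit 31), which mainstream hypervisors set."""
    for line in cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def dmi_is_virtual(*dmi_fields):
    """True if any DMI/SMBIOS field (sys_vendor, product_name, ...) names a hypervisor."""
    joined = " ".join(f.lower() for f in dmi_fields)
    return any(s in joined for s in VIRTUAL_DMI_STRINGS)


def mac_vendor_is_virtual(mac):
    """Return the hypervisor name if the MAC's OUI belongs to one, else None."""
    oui = mac.lower().replace("-", ":")[:8]
    return VIRTUAL_MAC_OUIS.get(oui)


def fingerprint(host):
    """Run every check against a host-description dict and return the names
    of the indicators that fired. Evasive malware typically stays dormant or
    behaves benignly when this list is non-empty."""
    hits = []
    if cpuinfo_has_hypervisor_flag(host.get("cpuinfo", "")):
        hits.append("cpuid_hypervisor_flag")
    if dmi_is_virtual(host.get("sys_vendor", ""), host.get("product_name", "")):
        hits.append("dmi_vendor_string")
    for mac in host.get("macs", []):
        vendor = mac_vendor_is_virtual(mac)
        if vendor:
            hits.append("virtual_mac_oui:" + vendor)
    names = {p.lower() for p in host.get("processes", [])}
    if names & set(GUEST_TOOL_PROCESSES):
        hits.append("guest_tools_process")
    # Analysis VMs are often provisioned small; malware treats that as a tell.
    if host.get("cpus", 0) < 2 or host.get("ram_mb", 0) < 2048:
        hits.append("low_resources")
    # A freshly booted image with minutes of uptime is another tell.
    if host.get("uptime_s", 0) < 300:
        hits.append("short_uptime")
    return hits


# Constructed examples (not real data): a default analysis VM and a laptop.
SANDBOX_HOST = {
    "cpuinfo": "processor : 0\nflags : fpu vme de pse tsc msr hypervisor sse2\n",
    "sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform",
    "macs": ["00:0c:29:3a:1b:9f"],
    "processes": ["explorer.exe", "vmtoolsd", "sample.exe"],
    "cpus": 1, "ram_mb": 1024, "uptime_s": 42,
}
REAL_HOST = {
    "cpuinfo": "processor : 0\nflags : fpu vme de pse tsc msr sse2 avx2\n",
    "sys_vendor": "LENOVO", "product_name": "20XW004YUS",
    "macs": ["3c:97:0e:5a:22:10"],
    "processes": ["explorer.exe", "outlook.exe", "chrome.exe"],
    "cpus": 8, "ram_mb": 16384, "uptime_s": 86400 * 3,
}

if __name__ == "__main__":
    for name, host in (("sandbox", SANDBOX_HOST), ("real", REAL_HOST)):
        print(name, fingerprint(host))
```

A sandbox that trips several of these is one malware can recognize. Masking the CPUID hypervisor bit, randomizing MAC addresses and DMI strings, and giving the VM realistic resources and uptime narrow the gap, but, as Ollmann says, malware has many more indicators available (timing of privileged instructions, device and driver names, registry keys) than any one hardening pass covers.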
Of course, the flipside is that malware detection systems today correctly identify the other two thirds of the malicious apps entering an organization via email attachments, USB devices or Web sites. Nevertheless, the cautionary note is to emphasize the sophistication of malware developed by cybercriminals today, which demands a layered approach to security. Antivirus systems alone can catch known malware, but new apps go undetected because they do not contain the signatures, the watched-for code sequences, that the scanners look for.
Hackers have multiple evasive techniques against AV technology. Those include encrypting or compressing the malicious file so that it has to be unpacked before its contents can be checked, an additional step that static AV scanning does not reliably perform, particularly when the packer is custom-built rather than a well-known one.
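To make the packing point concrete, here is an added Python example, not code from the article, with a toy packer (zlib compression followed by a repeating-key XOR under an assumed "TPK1" header) and a naive byte-signature scanner. The payload bytes, the signature names and the key are constructed for illustration. It shows that a static scan of the packed blob misses the payload signature while a scan of the unpacked bytes finds it, and that the packer's own header is itself detectable, which is why real scanners carry signatures for known packers and unpack or emulate before matching.

```python
import zlib

# Toy packer: zlib-compress, then XOR with a repeating key, prefixed by a
# 4-byte magic and the key itself. A real packer ships a native unpacking
# stub instead; this stand-in only shows what a byte-signature scan sees.
PACK_MAGIC = b"TPK1"  # assumed header, chosen for this example


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload, key):
    """Compress then encrypt the payload; output is magic + key length + key + body."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    body = xor_bytes(zlib.compress(payload), key)
    return PACK_MAGIC + bytes([len(key)]) + key + body


def unpack(blob):
    """Reverse pack(); this is the step a sandbox or emulator must do before scanning."""
    if not blob.startswith(PACK_MAGIC):
        raise ValueError("not a packed blob")
    klen = blob[4]
    key = blob[5:5 + klen]
    return zlib.decompress(xor_bytes(blob[5 + klen:], key))


def scan(blob, signatures):
    """Naive static AV: report every signature whose bytes appear verbatim."""
    return sorted(name for name, sig in signatures.items() if sig in blob)


# Constructed sample "malware": a fake PE header plus an HTTP check-in string
# of the kind a signature database might key on for a known family.
PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 60 +
           b"GET /gate.php?id=%s HTTP/1.1\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n" +
           b"\x00" * 100)
SIGNATURES = {
    "Trojan.Generic.Gate": b"GET /gate.php?id=",
    "Packer.TPK1": PACK_MAGIC,  # signature on the packer, not the payload
}
KEY = b"\x5a\xa3\x17\xe9"  # constructed key; nonzero bytes so XOR changes every byte


def demo():
    """Scan the same sample at each stage and return which signatures fire."""
    packed = pack(PAYLOAD, KEY)
    return {
        "plain": scan(PAYLOAD, SIGNATURES),
        "packed": scan(packed, SIGNATURES),
        "unpacked": scan(unpack(packed), SIGNATURES),
    }


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:9s} -> {hits}")
```

The packed stage fires only on the packer header, which is the defender's counter-move: detect the packer, or unpack and rescan. Malware authors answer by writing custom packers with no stable header, which pushes detection toward the behavioral analysis the virtualized appliances above are sold for.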
Within the hacker underground, there are services cybercriminals use to have thousands of malware samples checked at once against all the available AV products to determine which crimeware goes undetected. Some services also offer to rework samples that are detected until they pass.
“The tools that are being developed by the bad guys to ensure that their malware is undetectable and successfully installed inside an environment has always been more advanced than the antivirus technologies,” Ollmann said.
Flame: a hint of things to come
The latest example of the advancements in malware is the Flame cyber-espionage app discovered last month. Its creators obtained a digital certificate that chained up to a Microsoft certificate authority, which allowed them to sign their code as if it came from Microsoft and so evade detection in their attacks on Middle Eastern governments.
To battle highly advanced malware, organizations’ security approach needs to shift away from assuming malware can be prevented from entering a network. “There’s a paradigm change going on,” Ollmann said. “Organizations need to do what they can to prevent malware from infiltrating their organizations, however, they now need to work on the assumption that it will successfully make it through whatever defenses they put in.”
So the only answer today is to update security technology regularly and to have systems both for preventing malware from entering a network and for detecting apps that make it through. Examples of the latter technology would include systems that can detect when malware is communicating with a command and control server in a remote location.
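One concrete form of the command-and-control detection described above is beacon analysis: an infected host that checks in with its controller on a timer produces connections with unusually regular spacing, which stands out against human-paced browsing. The Python below is an added example, not from the article or any vendor product, that runs that heuristic over a constructed proxy log; the hostnames, addresses, timestamps and the thresholds (at least six connections, interval jitter under 15 percent of the mean) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2012, 6, 26, 9, 0, 0)


def _line(offset_s, src, dst, size):
    """Format one constructed proxy log line: timestamp src dst bytes."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{ts} {src} {dst} {size}"


# Constructed proxy log (not real traffic): 10.1.4.23 checks in with one host
# roughly every 60 s with a few seconds of jitter, while 10.1.4.50 browses a
# news site at irregular, human-paced intervals. 10.1.4.23 also polls mail.
BEACON_OFFSETS = [0, 61, 119, 182, 240, 303, 359, 422, 481, 538, 602, 659]
BROWSE_OFFSETS = [5, 9, 11, 140, 143, 400, 401, 402, 650]
BROWSE_SIZES = [12000, 840, 43000, 2200, 9900, 15000, 1300, 700, 30000]
LOG_LINES = (
    [_line(t, "10.1.4.23", "update-cdn.example.net:443", 312) for t in BEACON_OFFSETS]
    + [_line(t, "10.1.4.50", "news.example.com:443", s)
       for t, s in zip(BROWSE_OFFSETS, BROWSE_SIZES)]
    + [_line(t, "10.1.4.23", "mail.example.com:443", 5000) for t in (30, 200, 500)]
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(lines):
    """Group (timestamp, bytes) events by (source, destination) pair."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        flows[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    return flows


def beacon_score(events, min_count=6, max_cv=0.15):
    """Return (mean_interval_s, coefficient_of_variation) when the pair
    connected at least min_count times with interval jitter below max_cv,
    otherwise None. Low CV means clock-like spacing."""
    if len(events) < min_count:
        return None
    times = sorted(ts for ts, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    cv = pstdev(gaps) / mu
    return (mu, cv) if cv <= max_cv else None


def find_beacons(lines, **thresholds):
    """Map each suspicious (src, dst) pair to its (mean interval, CV)."""
    found = {}
    for pair, events in parse(lines).items():
        score = beacon_score(events, **thresholds)
        if score:
            found[pair] = score
    return found


if __name__ == "__main__":
    for (src, dst), (mu, cv) in find_beacons(LOG_LINES).items():
        print(f"{src} -> {dst}: every {mu:.1f}s, jitter cv={cv:.3f}")
```

Legitimate software beacons too (update checkers, mail clients polling, NTP), so this is a triage signal that ranks pairs for review rather than a verdict; destination reputation, uniformity of request sizes and whether the destination is new to the network sharpen it. The value of the approach is that it works on traffic the malware cannot avoid generating, which matches Ollmann's point that time spent inside the network, not the initial infection, is what determines the damage.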
“The less time the bad guys have inside your network, the less data you lose and the less embarrassing it becomes overall for the organization,” Ollmann said.