Virtual Analysis Misses More Than 30 Percent of Malware
Approach needs to shift away from assuming malware can be prevented from entering a network, security expert says.
Security vendors sell virtualized appliances that run suspicious applications and analyze their behavior in order to identify malware, determine how it entered a network and then plug the holes it used. Over the few years this technology has been in use, cyber criminals have found ways to make their malware appear benign in such environments.
"Overall, there are so many ways malware can uncover it is inside a virtual environment that it is practically impossible to completely obscure from malware that it's running inside a virtualized environment," Gunter Ollmann, vice president of research at malware analysis company Damballa, said Tuesday. Damballa's customers include telcos, internet service providers and Fortune 1000 companies.
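To make the point concrete, here is a check for a handful of the well-known artifacts that give away a VMware or VirtualBox guest, the kind of test sandbox-aware malware runs before deciding whether to behave. This is an added example, not code from Damballa or the article; the indicator lists are public knowledge (vendor MAC OUIs, guest-tools process and driver names), and the host snapshot it is exercised with is constructed.

```python
"""Checks a host for a few well-known artifacts that give away a VMware or
VirtualBox guest, the kind of check sandbox-aware malware performs before
deciding whether to behave.

Added example, not code from Damballa or the article. The indicator lists are
public knowledge (vendor MAC OUIs, guest-tools process and driver names); any
host snapshot passed in for testing is constructed.
"""
import os
import uuid

# MAC OUI prefixes registered to VMware and Oracle (VirtualBox) for virtual NICs.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}

# Guest-tools processes that only exist inside the matching hypervisor.
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware",
    "vmwaretray.exe": "VMware",
    "vboxservice.exe": "VirtualBox",
    "vboxtray.exe": "VirtualBox",
}

# Guest drivers installed with the integration tools (Windows paths, lower-cased).
VM_FILES = {
    r"c:\windows\system32\drivers\vmhgfs.sys": "VMware",
    r"c:\windows\system32\drivers\vmmouse.sys": "VMware",
    r"c:\windows\system32\drivers\vboxmouse.sys": "VirtualBox",
    r"c:\windows\system32\drivers\vboxguest.sys": "VirtualBox",
}


def vm_indicators(mac_addresses, process_names, existing_files):
    """Return a list of (indicator, hypervisor) pairs for a host snapshot.

    mac_addresses: strings like "00:0C:29:3A:1B:5C" or "00-0C-29-3A-1B-5C"
    process_names: names of running processes
    existing_files: paths that exist on the host
    """
    hits = []
    for mac in mac_addresses:
        prefix = mac.lower().replace("-", ":")[:8]
        if prefix in VM_MAC_PREFIXES:
            hits.append(("mac:" + mac, VM_MAC_PREFIXES[prefix]))
    for proc in process_names:
        key = proc.lower()
        if key in VM_PROCESSES:
            hits.append(("process:" + proc, VM_PROCESSES[key]))
    for path in existing_files:
        key = path.lower()
        if key in VM_FILES:
            hits.append(("file:" + path, VM_FILES[key]))
    return hits


def likely_hypervisor(hits):
    """Name the hypervisor with the most hits, or None if there were none."""
    if not hits:
        return None
    tally = {}
    for _, hv in hits:
        tally[hv] = tally.get(hv, 0) + 1
    return max(tally, key=tally.get)


def local_mac():
    """Primary MAC of this machine, formatted like the prefixes above.
    Note: uuid.getnode() falls back to a random locally administered address
    when it cannot read a real one, which will simply not match any prefix."""
    node = uuid.getnode()
    return ":".join("%02x" % ((node >> shift) & 0xFF) for shift in range(40, -1, -8))


def collect_local():
    """Run the MAC and driver-file checks against the machine this runs on.
    Process enumeration needs platform-specific calls and is left out, so
    pass a process list from your own collector to vm_indicators()."""
    present = [p for p in VM_FILES if os.path.exists(p)]
    return vm_indicators([local_mac()], [], present)


if __name__ == "__main__":
    for indicator, hv in collect_local():
        print(indicator, "->", hv)
```

Running this inside your own analysis VM shows which artifacts are visible to a sample; a sandbox that wants to hide needs to change the virtual NIC's MAC, rename or remove the guest-tools processes and drivers, and so on, and that is before the many timing, CPUID and hardware-string checks not covered here.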
Of course, the flipside is that malware detection systems today correctly identify two thirds of the malicious apps entering an organization via email attachments, USB devices or Web sites. Nevertheless, the cautionary note is that the sophistication of the malware cybercriminals develop today demands a layered approach to security. Antivirus systems alone can catch known malware, but new samples go undetected because they do not contain the code sequences the signatures look for.
Hackers have multiple techniques for evading AV technology. Those include encrypting or compressing ("packing") the malicious file, so that it has to be unpacked before it can be checked, an additional step not normally performed by AV software.
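The following added example (not from the article or any AV product) shows both halves of that problem: a byte-sequence signature that matches a constructed stand-in payload stops matching as soon as the payload is packed, and a byte-entropy heuristic lets a scanner at least notice that a file looks packed even when it cannot unpack it. The "payload", its signature and the XOR "packer" are constructed for illustration; real packers also compress and carry a decompression stub.

```python
"""Shows why a fixed byte-sequence signature stops matching once a file is
packed, and the byte-entropy heuristic a scanner can add to notice that a
file was packed even when it cannot unpack it.

Added example, not from the article or any AV product. The "payload", its
signature and the XOR packer are constructed stand-ins; real packers also
compress and carry a decompression stub.
"""
import math
import random

# Constructed stand-in for a malicious executable and a signature cut from it.
PAYLOAD = b"MZ\x90\x00" + b"cmd.exe /c net user backdoor P@ss /add\r\n" * 8 + b"\x00" * 64
SIGNATURE = b"net user backdoor"


def signature_match(data, signature=SIGNATURE):
    """Plain byte-sequence scan, the part of AV that only works on known code."""
    return signature in data


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def pack(data, seed=2012):
    """Toy packer: XOR the payload with a one-off keystream and prepend the
    keystream so the 'stub' can undo it. The seed is fixed only so that the
    output is reproducible; a real packer uses a fresh key per build."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(len(data)))
    return key + _xor(data, key)


def unpack(packed):
    """What a scanner would have to do before its signatures can match again."""
    half = len(packed) // 2
    return _xor(packed[half:], packed[:half])


def scan(data, entropy_threshold=6.5):
    """Verdict for a file: 'signature' if a known sequence matches,
    'suspicious-packed' if the bytes look encrypted or compressed, else 'clean'.
    The threshold is a common rule of thumb; text and ordinary code sit well
    below it, encrypted or compressed sections close to 8."""
    if signature_match(data):
        return "signature"
    if shannon_entropy(data) > entropy_threshold:
        return "suspicious-packed"
    return "clean"


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print("plain  :", scan(PAYLOAD), round(shannon_entropy(PAYLOAD), 2))
    print("packed :", scan(packed), round(shannon_entropy(packed), 2))
    print("unpacked matches original:", unpack(packed) == PAYLOAD)
```

The entropy check is only a hint: legitimate installers and compressed resources trip it too, which is exactly why a sandbox that runs the file and watches what it does after unpacking itself became the next layer.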
Within the hacker underground, there are services cybercriminals use to have thousands of malware samples checked at one time against all the available AV products to determine which crimeware is undetectable. Some services also offer to rework detectable malware until it passes.
"The tools that are being developed by the bad guys to ensure that their malware is undetectable and successfully installed inside an environment has always been more advanced than the antivirus technologies," Ollmann said.
The latest example of the advancements in malware was the Flame cyber-espionage app discovered last month. Its creators obtained a digital certificate that chained up to Microsoft's root, by abusing Microsoft's Terminal Server Licensing Service, which still issued MD5-signed certificates that could be used for code signing, and used it to sign their code as if it came from Microsoft, evading detection in their attacks on Middle Eastern governments.
To battle highly advanced malware, organizations' security approach needs to shift away from assuming malware can be prevented from entering a network. "There's a paradigm change going on," Ollmann said. "Organizations need to do what they can to prevent malware from infiltrating their organizations, however, they now need to work on the assumption that it will successfully make it through whatever defenses they put in."
So the only answer today is to update security technology regularly and to run systems both for preventing malware from entering a network and for detecting apps that make it through. An example of the latter technology would be a system that can detect when malware is communicating with a command-and-control server at a remote location.
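One of the simplest signals such a system can use is timing: an infected host polls its command-and-control server on a schedule, so its connections to that destination arrive at near-constant intervals while ordinary user traffic does not. The example below, added here and not Damballa's detection logic, runs that check over a constructed connection log (in practice the input would be proxy, firewall or NetFlow records) and reports flows whose interval jitter is low.

```python
"""Flags internal hosts that contact the same external destination at
near-constant intervals, the beaconing pattern of malware polling a
command-and-control server.

Added example, not Damballa's detection logic. The connection log below is
constructed; in practice it would come from proxy, firewall or NetFlow records.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: one connection per line, "timestamp src dst:port bytes_out".
# 10.0.0.15 polls 203.0.113.7 every ~5 minutes; 10.0.0.22 is ordinary browsing;
# 10.0.0.31 has too few connections to judge.
LOG = """\
2012-06-26T09:00:00 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:01:10 10.0.0.22 198.51.100.9:443 2310
2012-06-26T09:03:45 10.0.0.22 198.51.100.9:443 871
2012-06-26T09:05:02 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:09:59 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:15:01 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:17:20 10.0.0.22 198.51.100.9:443 4102
2012-06-26T09:18:02 10.0.0.22 198.51.100.9:443 1200
2012-06-26T09:20:00 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:24:58 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:30:03 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:35:00 10.0.0.15 203.0.113.7:443 512
2012-06-26T09:36:00 10.0.0.31 192.0.2.44:80 300
2012-06-26T09:41:00 10.0.0.31 192.0.2.44:80 300
2012-06-26T09:42:30 10.0.0.22 198.51.100.9:443 655
2012-06-26T09:50:11 10.0.0.22 198.51.100.9:443 980
"""


def parse_log(text):
    """Group (time, bytes_out) events by (src, dst); lines need not be sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return flows whose inter-connection intervals vary by less than
    max_jitter (stdev / mean) over at least min_connections connections.
    The minimum count guards against calling two lucky connections a beacon."""
    results = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_connections:
            continue  # too few samples to call the timing regular
        events.sort()
        times = [t for t, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        jitter = statistics.stdev(intervals) / mean
        if jitter < max_jitter:
            results.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval": round(mean, 1),
                "jitter": round(jitter, 3),
                # Beacons often carry a fixed-size heartbeat; report it as context.
                "distinct_sizes": len({s for _, s in events}),
            })
    return sorted(results, key=lambda r: r["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print(hit)
```

Real implementations add randomized-sleep handling (malware jitters its own interval, so the threshold is tuned per environment), allow-lists for legitimate pollers such as update checkers and mail clients, and destination reputation, but the timing feature alone already surfaces the kind of "talking to a remote server on a clock" behavior the article describes.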
"The less time the bad guys have inside your network, the less data you lose and the less embarrassing it becomes overall for the organization," Ollmann said.