Today threat vectors are becoming more complex and effective in a never-ending cycle to defeat the latest security controls designed to mitigate them. Some strains of malware have implemented obfuscation functionalities so powerful that traditional antivirus solutions fail consistently recognize them. Of all the obfuscation techniques polymorphic functionality appears to be the most effective at preserving campaign longevity.
“Obfuscation camouflages telltale signs of malware, undermines antimalware software, and thwarts malware analysis. New antimalware approaches should focus on what malware is doing rather than how it’s doing it.” (O'Kane, Sezer, & McLaughlin, 2011, p. 41)
What is Antivirus Solution?
Antivirus solutions are typically software programs designed to identify, respond, and remediate malware anomalies on a computer system. Almost all antivirus solutions look for signatures that are associated with known malware. Some programs additionally implement heuristic-based functionalities that look for behaviors commonly associated with malware infections. Antivirus solutions are the most popular malware threat mitigation control in use today. (Souppaya & Scarfone, 2013, p. 8) Antivirus solutions are often used with the support of other technical controls such as firewalls, Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), application whitelisting, content filtering, and Endpoint Detection and Response (EDR) solutions.
“While installing anti-virus software is one of the easiest and most effective ways to protect your computer, it has its limitations. Because it relies on signatures, anti-virus software can only detect malware that has known characteristics.” (US-CERT, 2009)
Malware can be found in numerous forms. Some common forms of malware are executables, dll files, fileless malware which exists in system memory, and malicious Microsoft macros contained within Office 365 documents. No matter what type of malware you are dealing with, it may not be detected by your anti-virus solution if the malware implements polymorphic functionalities.
What is polymorphic code?
“Polymorphism is an encryption method that mutates static binary code (rather than runtime code) to evade malware signature scanners. Malware that changes its contents can evade detection by signature scanners because no single signature sequence will match all the instances that the malware generates.” (O'Kane, Sezer, & McLaughlin, 2011, p. 43)
Since the polymorphic code has the ability to mutate its code, it will subsequently mutate the signatures associated with that code. This characteristic can single-handedly defeat traditional, signature-based antivirus solutions. Polymorphic functionality can be observed within the TrickBot and Emotet banking trojans. Both malware variants are known for quickly infecting other systems on the network. This is of even greater concern as these banking trojans are commonly used to deploy ransomware. Both Emotet and TrickBot have been observed to steal user credentials upon infection. In some of the more recent campaigns, Emotet has been observed to deploy both TrickBot and Ryuk. In one instance observed by the MS-ISAC, TrickBot was successful in disabling an organization's anti-virus application on every endpoint before finally infecting the entire network.
(Center for Internet Security, 2019)
Even if you have an antivirus solution, your system is still vulnerable.
References
Center for Internet Security. (2019, September 23). Fall 2019 Threat of the Quarter: Ryuk Ransomware. Retrieved from https://www.cisecurity.org/: https://www.cisecurity.org/white-papers/fall-2019-threat-of-the-quarter-ryuk-ransomware/
O'Kane, P., Sezer, S., & McLaughlin, K. (2011). Obfuscation: The Hidden Malware. IEEE Security & Privacy, 9(5), 41-47.
Sophos. (2019, September 24). Resolving outbreaks of Emotet and TrickBot malware. Retrieved from sophos.com: https://community.sophos.com/kb/en-us/127218
Souppaya, M., & Scarfone, K. (2013, July). NIST Special Publication 800-83. Retrieved from nist.gov: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
US-CERT. (2009, June 30). Security Tip (ST04-005). Retrieved from us-cert.gov: https://www.us-cert.gov/ncas/tips/ST04-005
-Brian