How can malware bypass the most advanced security measures?

Source: Internet
Author: User


This year, reports of data leaks at large, well-funded blue-chip companies have appeared almost every week. These companies usually purchase and deploy the most advanced security tools, yet attackers still break through their layers of defense. Worse, many attacks go undiscovered for several months. Let's take a look at how this happens.

Attack path

Every leak must use at least one attack channel to install persistent malware on the affected organization's network. Attackers often use multi-stage malware: they first install a small backdoor, which then lets them deploy more complex tools on individual machines and across the network.

Several attack methods can be used to install the main malware; this step is also known as infection, and its goal is always to get malicious code running. Some of the most common attack methods are as follows:

• Browser-based social engineering tricks: users are tricked into clicking a seemingly legitimate URL that exploits security vulnerabilities in the browser or in browser plug-ins such as Java and Flash to trigger code execution. More advanced attacks can be hidden in legitimate traffic and require no user interaction at all; these are generally called drive-by downloads.

• Email-based social engineering tricks and phishing: the user receives an email containing a hidden or visible binary, and the code is executed once the user clicks it.

• Credential theft: a guessed or stolen credential is used to access a remote machine and execute (malicious) code, such as installing a backdoor.

To avoid detection, malware uses five main methods during and after installation.

• Bundling. This process attaches the malicious payload (the installer or the malware itself) to a legitimate file. When the legitimate file is installed, the malicious payload is installed along with it (usually before the legitimate file itself). Detecting bundled files with static signatures is largely ineffective, because new bundles can easily be created on a regular basis, and such signatures often generate false positives. Windows and OS X malware distributed through pirated software and P2P networks usually takes this approach. IceFog is a well-known example: it is usually bundled with a seemingly legitimate CleanMyMac application to attack OS X users. On Windows, OnionDuke is bundled with a legitimate Adobe installer shared through the Tor network to infect machines.

• Obfuscation. This means tampering with the high-level source or the binary in a way that does not affect the code's function but completely changes its binary signature. Obfuscation was initially used to protect legitimate software from reverse engineering and piracy; malware authors use it to bypass anti-virus engines and hamper manual security research. XOR encoding is one obfuscation method. Hiding process and file names, registry entries, URLs and other useful information can greatly slow down the investigation and reverse engineering of new malware samples.

• Packers. These software tools compress and encode binary files, which is another form of obfuscation. The packer's stub is usually embedded in the malicious binary; at runtime it "decompresses" the payload into memory and executes it. Several common packers are in use today, such as UPX, PECompact and Armadillo. This method is extremely effective at evading static signature engines.

• Anti-debugging. Like obfuscation, anti-debugging was initially developed by software vendors to protect commercial code from reverse engineering. Anti-debugging prevents a binary from being analyzed in virtual machines, security sandboxes and other emulation environments. For example, the ZeroAccess malware uses a self-debugging technique to block external debugging. Another example is malware that delays execution (sleeps) for a long time. This works against sandbox solutions because a sandbox can only hold a binary in the emulation environment for a limited period; after that, it classifies the sample as benign and releases it to the network.

• Targeting. The premise of this approach is that the malware is designed to attack a specific type of system (such as Windows XP SP3), application (such as Internet Explorer 10) and/or configuration (such as machines that are not running VMware Tools, whose presence often indicates that virtualization is in use). Targeting techniques ensure that the malware is triggered and installed only when specific conditions are met, which lets it escape detection in a sandbox because the sandbox does not look like the targeted host.
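The obfuscation item above mentions XOR encoding as a way to hide URLs, file names and registry entries from analysts. The following is an added example (not code from the original article) of the triage step an analyst uses against it: try every possible one-byte XOR key over a blob pulled from a sample and rank the keys by how readable the output is and whether it exposes known indicator patterns. The sample blob, the key 0x5A and the keyword list are constructed for this example.

```python
"""Recover single-byte-XOR-obfuscated strings from a suspicious blob.

Added example for the article's obfuscation section; not code from the
original page. The blob, the key and the indicator keywords below are
constructed for illustration.
"""
import string

PRINTABLE = set(bytes(string.printable, "ascii"))

# Patterns an analyst typically looks for in de-obfuscated output.
# This list is an assumption for the example, not an exhaustive set.
KEYWORDS = (b"http://", b"https://", b".exe", b".dll", b"HKEY_", b"\\")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def find_xor_strings(blob: bytes, min_ratio: float = 0.9) -> list:
    """Try all 256 keys; return (key, decoded, keywords_found) for keys whose
    output is mostly printable, best candidates (most keywords) first."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if printable_ratio(decoded) < min_ratio:
            continue
        found = [k.decode() for k in KEYWORDS if k in decoded]
        hits.append((key, decoded, found))
    # Rank keys that reveal indicators first, then by key value for stability.
    hits.sort(key=lambda h: (-len(h[2]), h[0]))
    return hits


# Constructed sample: a fake "config" string hidden with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://example.invalid/update.exe|%APPDATA%\\svc.dll"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key, decoded, found in find_xor_strings(SAMPLE_BLOB)[:3]:
        print(f"key=0x{key:02x} keywords={found} -> {decoded!r}")
```

Single-byte XOR is a bijection, so only the true key reproduces the full set of indicators; other keys may hit one keyword by coincidence, which is why the ranking counts matches rather than stopping at the first hit. The same loop generalizes to short repeating keys by trying each byte position independently.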

As malware evasion techniques continue to evolve, our security measures must keep pace. The industry is now doing a great deal of work to move from traditional signature-based static methods to behavior-based analysis and real-time information sharing between security solutions. After studying and analyzing the malware techniques above, we understand that the closer we place security measures to the targeted assets, the more likely we are to detect and block malware.
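The packers item above says that compressing or encrypting the payload defeats static signature engines, and the conclusion argues for checks that do not depend on exact signatures. One such check, shown here as an added example that is not from the original article, is a byte-entropy heuristic: compressed or encrypted regions look close to random (near 8 bits per byte), while ordinary code and data do not. The 7.0 bits/byte threshold, the 4 KiB chunk size and the "half the file" rule are assumptions chosen for this example, and the sample buffer is constructed rather than taken from any real binary.

```python
"""Entropy-based heuristic for spotting packed or encrypted regions.

Added example for the article's packers section; not code from the original
page. Threshold, chunk size and the sample buffer are constructed here.
"""
import math
import random
from collections import Counter

# Section names and magic seen in UPX-packed files; real packers can rename
# these, so markers are a hint and entropy is the primary signal.
KNOWN_PACKER_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_chunks(data: bytes, chunk_size: int = 4096, threshold: float = 7.0):
    """Yield (offset, entropy) for every chunk at or above the threshold."""
    for off in range(0, len(data), chunk_size):
        ent = shannon_entropy(data[off:off + chunk_size])
        if ent >= threshold:
            yield off, ent


def packer_markers(data: bytes) -> list:
    """Return which known packer marker strings appear in the buffer."""
    return [m.decode() for m in KNOWN_PACKER_MARKERS if m in data]


def looks_packed(data: bytes, chunk_size: int = 4096, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the chunks are near-random."""
    total = math.ceil(len(data) / chunk_size)
    flagged = sum(1 for _ in high_entropy_chunks(data, chunk_size, threshold))
    return total > 0 and flagged / total >= min_fraction


# Constructed sample: a repetitive low-entropy "stub" followed by a region of
# seeded pseudo-random bytes standing in for a compressed payload.
_rng = random.Random(1234)
STUB = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n")
STUB = (STUB * 200)[:8192]
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(16384))
SAMPLE = STUB + PAYLOAD

if __name__ == "__main__":
    for off, ent in high_entropy_chunks(SAMPLE):
        print(f"offset 0x{off:06x}: {ent:.2f} bits/byte")
    print("markers:", packer_markers(SAMPLE), "packed:", looks_packed(SAMPLE))
```

The heuristic is deliberately signature-free: it does not need to know which packer was used, only that a large part of the file is incompressible. Legitimate software that embeds compressed resources or media will also score high, so in practice the result is one input to a verdict alongside behavioral observations, not a verdict by itself.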
