At SecondWrite, we compared the detection results for three evasive malware samples deemed malicious by our DeepView™ cloud-based malware detector against those of other leading endpoint tools from Gartner's Magic Quadrant, measured over a thirty-day period. The SHA256 hashes of these three difficult-to-classify samples are:
We discovered that the file features extracted using our Forced Code Execution (FCE) and Automatic Sequence Detection (ASD) technologies enabled our malware classifier to detect these samples on day zero, in about 5 minutes. We compared against 21 leading endpoint-based malware scanners. On average, SecondWrite's Malware DeepView™ detected these samples a full week before 46% of the scanners tested. Six months later, 37% of the scanners tested still had not caught these samples.
SecondWrite's Malware DeepView™ product reduces the time it takes to detect malware in an enterprise (the dwell time). Reducing dwell time matters because failing to detect malware within a few minutes of the infection can result in millions of dollars worth of loss to an organization. According to a 2017 report by Aberdeen Group, the median detection time for data breaches was 38 days.
For the complete malware analysis reports, the malware samples themselves, or the collected PCAP files, please contact us at firstname.lastname@example.org.
Sample #1: Time- and Operating System-based Evasions
This malware sample was designed to evade detection by terminating early if the current system time was different than some expected time. Early termination typically results in very few malicious behavioral indicators. Our Forced Code Execution (FCE) technology was able to defeat this time-based evasion and force the malware to continue its execution.
The sample then checked for the presence of an operating system dependency that happened not to be in our sandbox, which again caused it to terminate early. Since no sandbox can simulate every possible execution environment, DeepView™ recognised that it had too few dynamic indicators to determine maliciousness reliably. It therefore used its static feature-based ML model together with Automatic Sequence Detection (ASD) to declare this sample malicious. Here is the corresponding evidence from our malware report:
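To make the forced-execution idea concrete, here is an added toy harness of my own; it is not SecondWrite's FCE, which rewrites binaries rather than Python functions. The sample is modelled as a function that asks its environment questions (the current date, whether a dependency is installed) and reports behavioural indicators; each question is a branch point. A natural run answers truthfully, so the sample exits early and shows almost nothing. The harness then re-runs the sample, forcing each branch the other way, until every reachable path has executed. The sample, the date it expects, the dependency name `example_runtime.dll` and the indicator labels are all constructed for the example.

```python
"""
Toy model of forced code execution for sandbox analysis (added example,
not SecondWrite's code; all names and values are hypothetical).
"""
import datetime

# Constructed sandbox clock: not the date the toy sample is waiting for.
SANDBOX_NOW = datetime.datetime(2019, 1, 15, 10, 0)


class EarlyExit(Exception):
    """Raised when the sample terminates itself."""


class Environment:
    def __init__(self, now, installed, decisions):
        self.now = now                # datetime the sample observes
        self.installed = installed    # set of dependency names present
        self.decisions = decisions    # forced answers for the first branches
        self.taken = []               # answer actually returned at each branch
        self.indicators = []          # behavioural indicators reported

    def _branch(self, natural):
        idx = len(self.taken)
        taken = self.decisions[idx] if idx < len(self.decisions) else natural
        self.taken.append(taken)
        return taken

    def date_is(self, expected):
        return self._branch(self.now.date() == expected)

    def has_dependency(self, name):
        return self._branch(name in self.installed)

    def report(self, indicator):
        self.indicators.append(indicator)

    def terminate(self):
        raise EarlyExit


def evasive_sample(env):
    """Constructed sample mirroring the two evasions described above."""
    if not env.date_is(datetime.date(2018, 3, 1)):      # time-based evasion
        env.terminate()
    env.report("persistence:registry_run_key")
    if not env.has_dependency("example_runtime.dll"):  # OS-dependency evasion
        env.terminate()
    env.report("network:outbound_beacon")
    env.report("file:drop_payload")


def run(sample, decisions, now, installed):
    env = Environment(now, installed, decisions)
    try:
        sample(env)
    except EarlyExit:
        pass
    return env


def natural_run(sample, now, installed):
    """Indicators a plain sandbox run observes (no branches forced)."""
    return run(sample, [], now, installed).indicators


def forced_execution(sample, now, installed):
    """Return [(branch decisions, indicators)] for every reachable path.

    Depth-first over decision prefixes: after each run, every branch that
    was answered naturally is scheduled again with the opposite answer.
    """
    paths = []
    pending = [[]]
    while pending:
        prefix = pending.pop()
        env = run(sample, prefix, now, installed)
        paths.append((tuple(env.taken), tuple(env.indicators)))
        for i in range(len(prefix), len(env.taken)):
            pending.append(env.taken[:i] + [not env.taken[i]])
    return paths


def all_indicators(paths):
    """Union of indicators seen across all forced paths."""
    return {ind for _, inds in paths for ind in inds}


if __name__ == "__main__":
    print("natural run:", natural_run(evasive_sample, SANDBOX_NOW, set()))
    for decisions, inds in forced_execution(evasive_sample, SANDBOX_NOW, set()):
        print(decisions, "->", inds)
```

The natural run reports nothing, because the date check fails at the first branch. Forcing that branch exposes the persistence indicator, and forcing the dependency check as well exposes the rest, which is the extra behaviour a forced-execution engine hands to the classifier. The caveat the page itself raises still applies: forced paths can include behaviour the sample would never exhibit on a real host, so indicators from forced paths are best weighted separately from those seen on the natural path.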
How did the rest of the industry do?
On day zero, only three other scanners identified this suspicious sample. Ten days later, no other detection tool had joined those first three. One month later, 16 other scanners identified the sample correctly.
In short, 61% of the scanners took at least ten days to catch this sample and 24% of the scanners never detected the sample even after six months. No wonder dwell time in a network can be so long!
Sample #2 – Forced Code Execution (FCE) to the Rescue!
The second sample also carried an evasion that was defeated by our Forced Code Execution (FCE) technology. Our neural network and CNN based machine learning classifier then classified it as malicious on day zero. Here is a snippet from the report showing the extra behavior detected by FCE.
And the rest of the industry?
This sample had many more malicious behavioral indicators than the previous one, but it still took a while for most of the industry to catch it. It was declared malicious by two other scanners on day 0, five on day 5, seven on day 10, and eleven on day 30.
In short, of the 11 scanners that would eventually flag this sample, only 45% had caught it by day five. Of all the scanners tested, 29% took more than ten days, and 48% still had not detected this sample as malicious even after six months.
Sample #3 – Automatic Sequence Detection (ASD) for the Win!
This sample did not execute very far since it did not have the permissions it needed in our sandbox environment. However, even without executing the sample, our Automatic Sequence Detection (ASD) technology was able to recognize the instruction sequences as being closer to malicious samples than benign ones. Therefore, our ML declared this sample as malicious on day zero. Here is a snippet from our report that gives you this information.
From day 0 to day 5, only three other scanners discovered this sample. On day 10, twelve scanners found it, and by day 30 the total was thirteen. In short, 48% of the scanners tested missed this sample in the first five days. Even six months later, 38% of the tools tested had yet to detect the sample as malicious.
DeepView™ is a malware processing engine that looks at a myriad of static and dynamic features when classifying the maliciousness of a sample. It is built on forward-looking technology based on strong theoretical knowledge of program analysis. This research pedigree is the backbone of our company. The results speak for themselves.
Please contact us at email@example.com for the malware samples, PCAP files, or the full file reports. The reports contain the following sections:
- Malware Score
- All Indicators of Compromise
- Static imports and strings
- Static section information
- Matched Yara patterns
- Detailed process graph
- Detailed APIs
- Files written, read, opened and copied
- Registry Keys opened, read and written
- Detailed Network information of all the IP addresses contacted.
- Network Map
- Detailed file information
We offer 21-day free licenses to try out DeepView. You can sign up for a free trial here.
Proprietary DeepView™ Technologies
- Forced Code Execution (FCE) – A technology leveraging patented binary rewriting to dynamically force the execution of all code paths within a program, exposing hidden behavior within a sample and defeating the evasive intent of the malware writer.
- Automatic Sequence Detection (ASD) – A technology that uses deep machine learning to automatically identify program code patterns that are more frequently found in malicious programs than in benign programs and vice versa.
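The ASD bullet above, and the Sample #3 write-up earlier, describe scoring instruction sequences by how much more often they occur in malicious than in benign programs, without running the sample. The following is an added example of my own that illustrates that idea with the simplest model that captures it: a Laplace-smoothed log-likelihood ratio over opcode trigrams. It is not SecondWrite's ASD, which the page says is a deep-learning model, and the training "disassembly" (opcode mnemonics only) plus the two samples it scores are constructed by hand, not taken from real binaries.

```python
"""
Toy instruction-sequence classifier in the spirit of Automatic Sequence
Detection (added example, not SecondWrite's code). Model: smoothed
log P(ngram | malicious) / P(ngram | benign), averaged over a sequence.
"""
import math
from collections import Counter

# Constructed training corpora. The "malicious" set is dominated by a
# byte-by-byte XOR decode loop of the kind found in simple packers; the
# "benign" set by ordinary call/return code. Real training data would be
# disassembly from labelled files.
MALICIOUS_TRAIN = [
    ["push", "mov", "lodsb", "xor", "stosb", "loop", "jmp"],
    ["mov", "lodsb", "xor", "stosb", "loop", "ret"],
    ["call", "pop", "lodsb", "xor", "stosb", "loop", "push"],
]
BENIGN_TRAIN = [
    ["push", "mov", "call", "add", "pop", "ret"],
    ["push", "mov", "mov", "call", "add", "pop", "ret"],
    ["mov", "cmp", "jne", "call", "add", "ret"],
]

# Constructed unseen samples to score after training.
SUSPECT = ["sub", "lodsb", "xor", "stosb", "loop", "ret"]
CLEAN = ["push", "mov", "call", "add", "pop", "ret"]


def ngrams(opcodes, n):
    return [tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)]


def train(malicious, benign, n=3, alpha=1.0):
    """Weight each n-gram by its smoothed log-likelihood ratio."""
    mal = Counter(g for seq in malicious for g in ngrams(seq, n))
    ben = Counter(g for seq in benign for g in ngrams(seq, n))
    vocab = set(mal) | set(ben)
    mal_denom = sum(mal.values()) + alpha * len(vocab)
    ben_denom = sum(ben.values()) + alpha * len(vocab)
    weights = {g: math.log(((mal[g] + alpha) / mal_denom) /
                           ((ben[g] + alpha) / ben_denom)) for g in vocab}
    # An n-gram never seen in training gets the ratio of the smoothed
    # denominators, i.e. close to zero, so it neither helps nor hurts much.
    unseen = math.log(ben_denom / mal_denom)
    return {"n": n, "weights": weights, "unseen": unseen}


def score(model, opcodes):
    """Mean per-n-gram log-likelihood ratio; positive leans malicious."""
    grams = ngrams(opcodes, model["n"])
    if not grams:          # sequence shorter than n: no evidence either way
        return 0.0
    return sum(model["weights"].get(g, model["unseen"]) for g in grams) / len(grams)


def classify(model, opcodes, threshold=0.0):
    return "malicious" if score(model, opcodes) > threshold else "benign"


def top_sequences(model, k=3):
    """The n-grams most over-represented in malicious code, for analyst review."""
    return sorted(model["weights"].items(), key=lambda kv: kv[1], reverse=True)[:k]


def build_model():
    return train(MALICIOUS_TRAIN, BENIGN_TRAIN)


if __name__ == "__main__":
    model = build_model()
    for name, seq in (("SUSPECT", SUSPECT), ("CLEAN", CLEAN)):
        print(f"{name}: score={score(model, seq):+.3f} -> {classify(model, seq)}")
    for gram, w in top_sequences(model):
        print(" ".join(gram), f"{w:+.3f}")
```

Two points carry over to any sequence-based static model, whatever its learning machinery. First, the decision needs no execution at all, which is why it still works when the sample refuses to run (missing permissions, missing dependency, wrong date). Second, `top_sequences` shows why an analyst should look at the learned weights: a model trained on packer decode loops will flag legitimately packed software too, so the threshold and the training corpus deserve as much scrutiny as the classifier.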
Chief Operating Officer Paul Talamo is an entrepreneur with twelve years of experience in the cyber security industry. He has been a founder or principal employee at three startups.