Advanced Malware is difficult to catch

The cyber security industry is in an arms race with malware writers and attackers. Over 80% of malware now uses evasive techniques, and we are beginning to see artificial intelligence emerge in the creation of malware. A recent report on the malicious use of AI in malware creation forecasts a dramatic shift in the threat posed by malware. AI-generated malware is faster and easier to create and includes new threats and techniques that are harder for human analysts to find. This AI-driven arms race demands that we, as defenders, stay ahead of threat actors by using the latest AI and deep learning technologies to find malware and protect our cyber infrastructure.

Advanced malware is difficult to catch because the current breed of automated malware analysis solutions cannot examine all dimensions of malware behavior. Other automated malware analysis solutions, commonly called sandbox-based solutions, detect malware only by monitoring its interaction with its external environment. They lack the deep introspection of manual reverse engineering. This leaves several blind spots that malware writers exploit.

Evasive Malware

Most modern advanced malware exploits blind spots in other automated malware analysis solutions and avoids detection by altering or hiding its behavior while being monitored by such solutions. This is a fundamental threat to automated sandbox solutions, with more than 80% of modern malware being evasive in nature. Such evasive malware appears harmless during analysis but launches successful attacks on live systems.

Anti-Analysis Malware

Advanced malware hides from a variety of cybersecurity tools, such as anti-virus (AV) tools, endpoint tools, debuggers, and binary analyzers, making it hard to detect. Unfortunately, this anti-analysis behavior cannot itself be detected by most other cybersecurity tools, so such malware escapes detection.

The Result: A High Number of Alerts

Because other solutions lack deep introspection, they classify a suspicious object primarily by its external behavior. External behavior is insufficient to conclusively determine maliciousness in many cases, so the result is a flood of false alerts alongside missed malware.

To avoid detection, malware programs use...

Sleeping or Hiding

Doing useless work until the sandbox times out.

Knowing when to attack

Detecting the sandbox and launching no attack while inside it.

Detecting user input

Detecting user input, often not present in a sandbox.

Targeted Attacks

Launching targeted attacks only on intended victim computers, identified for example by their IP address or user names.

In all cases above, the evasive malware appears harmless on the sandbox, but launches an attack on the endpoint.
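The four patterns above are exactly what a sandbox signature author looks for in an API trace: sleep requests that outlast the analysis budget, environment and debugger probes, polling for user activity, and a run that ends without any file, registry, process or network activity. The following is an added example (not the product's code and not from the original page) of such a behavioral scorer. The trace layout `<t_ms> <api> [k=v ...]`, the two embedded traces and the thresholds are constructed assumptions; the API names are common indicators, not a complete list.

```python
import re
from dataclasses import dataclass, field

# Constructed sandbox traces in a hypothetical "<t_ms> <api> [k=v ...]" layout.
# The first sample probes its environment, polls for input, then sleeps past
# a 60 s budget without ever doing anything observable.
SAMPLE_TRACE = """\
12 IsDebuggerPresent
15 GetSystemInfo
20 GetCursorPos
520 GetCursorPos
1020 GetCursorPos
1025 GetLastInputInfo
1030 Sleep ms=300000
301030 Sleep ms=300000
"""

# A benign-looking run: opens a document, briefly sleeps, talks to a server.
BENIGN_TRACE = """\
10 CreateFileW path=C:\\Users\\user\\report.docx
20 ReadFile
30 Sleep ms=100
130 connect host=update.example.invalid port=443
"""

# Well-known API families treated as indicators (assumed, not exhaustive).
ENV_PROBES = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "GetSystemInfo", "GlobalMemoryStatusEx"}
USER_PROBES = {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"}
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "connect", "CreateProcessW",
                "RegSetValueExW", "InternetOpenUrlW"}

LINE_RE = re.compile(r"^(\d+)\s+(\w+)(?:\s+(.*))?$")
SLEEP_RE = re.compile(r"\bms=(\d+)\b")


@dataclass
class EvasionReport:
    sleep_ms: int = 0
    env_probes: int = 0
    user_probes: int = 0
    payload_calls: int = 0
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def analyze(trace: str, budget_ms: int = 60_000) -> EvasionReport:
    """Score one API trace against the four evasion patterns listed above."""
    rep = EvasionReport()
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate a malformed line instead of aborting the run
        _, api, args = m.groups()
        if api == "Sleep":
            s = SLEEP_RE.search(args or "")
            rep.sleep_ms += int(s.group(1)) if s else 0
        elif api in ENV_PROBES:
            rep.env_probes += 1
        elif api in USER_PROBES:
            rep.user_probes += 1
        elif api in PAYLOAD_APIS:
            rep.payload_calls += 1

    if rep.sleep_ms > budget_ms:
        rep.reasons.append(f"requested sleep {rep.sleep_ms} ms exceeds {budget_ms} ms budget")
    if rep.env_probes:
        rep.reasons.append(f"{rep.env_probes} environment/debugger probe(s)")
    if rep.user_probes >= 3 and rep.payload_calls == 0:
        rep.reasons.append("polls for user activity without acting")
    if rep.payload_calls == 0:
        rep.reasons.append("no file, registry, process or network activity observed")
    return rep


def verdict(rep: EvasionReport) -> str:
    """Two or more independent indicators is treated as evasive."""
    if rep.score >= 2:
        return "evasive"
    if rep.score == 1:
        return "inconclusive"
    return "active"


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        r = analyze(trace)
        print(f"{name}: {verdict(r)} (score {r.score})")
        for reason in r.reasons:
            print("  -", reason)
```

Note what this scorer cannot do: it only sees the interaction with the environment, so a sample that checks its target's IP address and silently exits produces the same "no activity" signal as a harmless program that finishes early. That is the blind spot the page describes; a behavioral score can flag the silence but cannot say what the code would have done on the intended victim.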

Extrapolated average values per week (data provided by Ponemon Institute, 2015)

Average malware alerts

Only 4% of alerts are investigated

$1.27M/year wasted per organization examining inaccurate alerts