Advanced malware is difficult to catch because the current breed of automated malware analysis solutions cannot examine all dimensions of malware behavior. Other automated malware analysis solutions, commonly called sandbox-based solutions, detect malware only by monitoring the interaction of malware with its external environment. They lack the ability to perform deep introspection akin to manual reverse engineering. This results in several blind spots that are exploited by malware writers.
Most modern advanced malware exploits blind spots in other automated malware analysis solutions and avoids detection by altering and hiding its behavior while being monitored by such solutions. This evasion is a fundamental threat to automated sandbox solutions, with more than 80% of modern malware being evasive in nature. Such evasive malware appears harmless during analysis but launches successful attacks on live systems.
Advanced malware hides from a variety of cybersecurity tools, such as anti-virus (AV) tools, endpoint tools, debuggers, and binary analyzers, making it hard to detect. Unfortunately, this anti-analysis behavior cannot be detected by most other cybersecurity tools, enabling such malware to escape detection.
The Result: A High Number of Alerts
The lack of deep introspection of malware means that other solutions classify a suspicious object primarily based on its external behavior. This results in a flood of false alarms, since external behavior is insufficient to conclusively determine maliciousness in many cases.
To avoid detection, malware programs use...
Sleeping or Hiding
Knowing when to attack
Detecting user input
In all of the cases above, the evasive malware appears harmless in the sandbox but launches an attack on the endpoint.
Extrapolated average values per week
Data provided by Ponemon Institute 2015
Average Malware Alerts
Only 4% of alerts are investigated
$1.27M/year wasted per organization for examining inaccurate alerts