The Challenge

Attackers continuously advance their methods to design, create, and deliver malware. This results in an arms race with enterprises and the cybersecurity industry, who are likewise developing defenses.

Malware writers use tailored evasive techniques to hide from attack detection tools, e.g.:

  • Security Endpoint Tools: static analyzers operating at the host/server and PC/laptop level, such as A/V tools, IDSs, HIDSs, debuggers, etc.
  • Network Endpoint Tools: static analyzers operating at the network level, such as firewalls, NIDSs, etc.
  • Sandbox Tools: dynamic analyzers operating at the network level, such as detonation chambers, light sandboxes, sandboxes, etc.

Malware Facts
  • Antivirus tools detect only 43% of attacks [Ponemon 2018]
  • Zero-day malware can go undetected for 4-6 months. [Ponemon 2018]
  • Zero-day attacks are increasing – 37% of malware attacks today. [Ponemon 2018]
Malware Statistics
  • Over 66% is obfuscated [2019 Q4 Report by WatchGuard]
  • Over 93% is polymorphic [2019 Threat Report by WebRoot]
  • 78% of malware uses file packing to evade detection [2017 Annual Report by PandaLabs]
  • Automated malware distribution accounts for 70%-80% of attacks [2019 Q4 Report by WatchGuard]
  • 28% of security breaches involved malware [2020 Data Breach Investigations Report by Verizon]
Malware Attack Costs
  • 86% of security breaches were financially motivated [2020 Data Breach Investigations Report by Verizon]
  • 27% of malware incidents attributed to ransomware [2020 Data Breach Investigations Report by Verizon]
  • A single ransomware incident costs $713,000 on average [Reported to CNBC by Kaspersky Lab]
  • Total cost of an average malware attack is $2.6m [2019 Cost Of Cybercrime Study by Accenture]
  • The March 2018 malware attack on Atlanta’s Payment Portal, with a variant of SamSam, resulted in:
    • Atlanta paying $50,000 in ransom
    • The City covering $2,267,328 in recovery costs
    • Citizens unable to pay their water bills
    • Law enforcement writing reports by hand
    • The City unable to take applications for employment [Jan 2020 CPO Magazine]
Evasive Techniques Against Static Analysis

Malware writers use techniques to hide the malicious code from scanners, so that its signature is never matched, including:

  • Polymorphism, where the code in the malware is slightly changed so that it no longer matches the original code signature, and hash lookups therefore find nothing
  • Control-Flow Obfuscation, where the malware is purposely hidden by making the code unreadable to binary analysis tools
  • Packing, where the code in the malware is encrypted to prevent its analysis
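Packed or encrypted code is statistically close to random, so its Shannon entropy approaches 8 bits per byte, while ordinary machine code and strings sit well below. The script below is an added example, not SecondWrite's code: it applies that per-section entropy heuristic to a constructed sample "binary" (section names, bytes and the 7.0 threshold are all assumptions) so a static scanner can flag likely packed samples for deeper dynamic analysis.

```python
"""Entropy-based packing heuristic (added example, not SecondWrite's code)."""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # bits per byte; a common heuristic cut-off (assumed)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_packed_sections(sections: dict, threshold: float = PACKED_THRESHOLD) -> dict:
    """Map section name -> entropy for every section at or above threshold."""
    scores = {name: round(shannon_entropy(body), 3) for name, body in sections.items()}
    return {name: e for name, e in scores.items() if e >= threshold}


def _pseudo_encrypted(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()   # chained hashes look random
        out += block
    return bytes(out[:n])


# Constructed sample: a repetitive code stub, a string table, and one
# high-entropy blob of the kind a packer leaves behind (names are assumed).
SAMPLE_SECTIONS = {
    ".text": b"\x55\x48\x89\xe5\x48\x83\xec\x20\xc3" * 300,
    ".rdata": b"This program cannot be run in DOS mode.\r\n" * 100,
    "UPX1": _pseudo_encrypted(4096),
}

if __name__ == "__main__":
    for name, body in SAMPLE_SECTIONS.items():
        print(f"{name:8} entropy={shannon_entropy(body):.3f}")
    print("likely packed:", flag_packed_sections(SAMPLE_SECTIONS))
```

Legitimately compressed resources (images, archives) also score high, so treat a hit as a reason to detonate the sample, not as proof of malice.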
Evasive Techniques Against Dynamic Analysis

The malware checks for some condition and withholds the malicious code whenever that condition indicates analysis, thus evading detection by a sandbox, including:

  • Sleeping/Hiding, where the malware sleeps or executes useless work until the sandbox times out
  • Detecting User Input, where the malware waits for user input, which a sandbox often does not provide
  • Detecting a Sandbox, where the malware runs tests to determine if a sandbox is present
  • Targeted Attacks, where the malware only attacks an intended victim computer identified by IP address, username, machine name, etc., so its attack remains hidden in a sandbox
  • Timing-Based Attacks, where the malware checks for a specific date or time, which is unlikely to occur during a short sandbox run

Copyright 2020, SecondWrite, Inc. All rights reserved.