When protecting endpoints from malware or any kind of command-and-control driven malcode (malicious code), the software an organization or enterprise chooses to deploy uses many different approaches and techniques to protect the machines in its environment. Approaches to safeguarding endpoints include on-site binary isolation, server-based micro-virtualization, real-time system isolation, and on-the-fly or over-the-wire static analysis of binaries.
Most detection is performed on the binary in motion rather than on each machine, because true static and dynamic analysis via sandboxing or off-site intermediate-representation analysis is very CPU- and memory-intensive, and if the binary is sent off-site for further analysis the verdict often arrives too late, leaving machines infected before the binary is determined to be malicious.
Currently, most endpoint malware detection solutions rely on very simple and easily evaded technologies that look for signatures in binaries. This may mean checking the entropy of the binary to determine whether it is highly entropic, looking up SHA checksums, searching the binary for strings belonging to known command-and-control servers, or scanning it for known IP addresses that communicate with command-and-control infrastructure or are tied to other malicious behavior. Malcode developers have adapted to these basic checks in standard endpoint protection systems by applying multiple packers when building the malware and by building anti-debugging functions into their code to bypass the security software, leaving the endpoint once again infected or open to attack.
Developing malware that can evade a signature-based protection system is rather easy and can be done on the binary after compilation. This makes it simple to alter trusted system binaries so that they carry an infection and still bypass security measures. Binary masking and anti-debugging are often used together when developing malware, or when modifying a trusted executable so that it appears completely safe and benign to detection.
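The three signature-style checks described above (entropy, hash lookup, string and IP indicators) are easy to reproduce, and reproducing them shows exactly why they fail against a packed sample. The following Python is an added example written for this page, not Volico's code or any product's detection logic. The indicator strings, the hash blocklist, and the "malicious" sample are all constructed (the domain and address are reserved documentation values), and `xor_pack` is a toy stand-in for a real packer: the same plaintext run through it keeps its behaviour but loses its hash match and its indicator strings, so only the entropy check still fires, and that check would fire equally on any legitimately compressed or encrypted file.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from random import Random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Offsets of fixed-size windows whose entropy looks packed or encrypted."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]


# Constructed indicators: reserved documentation names/addresses, not real C2.
C2_INDICATORS = [b"c2.example.invalid", b"198.51.100.23"]

# Constructed sample standing in for an unpacked malicious binary.
PLAIN_SAMPLE = (
    b"This program cannot be run in DOS mode.\r\n" * 40
    + b"config: beacon=http://c2.example.invalid/gate.php\r\n"
    + b"config: fallback=198.51.100.23\r\n"
    + b"\x00" * 512
)

# Constructed hash blocklist, seeded with the plain sample's own digest so the
# "known bad" lookup has something to hit.
KNOWN_BAD_SHA256 = {hashlib.sha256(PLAIN_SAMPLE).hexdigest()}


def xor_pack(data: bytes, seed: int) -> bytes:
    """Toy stand-in for a packer: XOR with a seeded pseudo-random keystream."""
    rng = Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


PACKED_SAMPLE = xor_pack(PLAIN_SAMPLE, seed=1234)


@dataclass
class Verdict:
    sha256: str
    entropy: float
    packed_windows: int
    matched_indicators: list
    hash_hit: bool
    flagged: bool


def triage(data: bytes) -> Verdict:
    """Run the three signature-style checks from the text over one buffer."""
    digest = hashlib.sha256(data).hexdigest()
    matched = [ind.decode() for ind in C2_INDICATORS if ind in data]
    windows = high_entropy_windows(data)
    hash_hit = digest in KNOWN_BAD_SHA256
    return Verdict(
        sha256=digest,
        entropy=shannon_entropy(data),
        packed_windows=len(windows),
        matched_indicators=matched,
        hash_hit=hash_hit,
        flagged=hash_hit or bool(matched) or bool(windows),
    )


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        v = triage(sample)
        print(f"{name:6s} entropy={v.entropy:.2f} packed_windows={v.packed_windows} "
              f"hash_hit={v.hash_hit} indicators={v.matched_indicators} flagged={v.flagged}")
```

Running the block prints one line per sample: the plain copy is caught by hash and by both indicators, while the packed copy matches neither and is flagged only because its windows are near 8 bits per byte. The window size matters: a 1024-byte window of uniformly random bytes measures roughly 7.8 bits, so a threshold near 7.0 is robust, whereas very small windows underestimate entropy and produce misses.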
Proper endpoint protection must take the above into account in order to protect an organization from becoming the victim of a widespread infection.
Endpoint-based sandboxes, or micro-segmentation, are designed to emulate the execution of each binary that runs on the machine inside a virtual residence, spinning up micro virtual machines that determine the binary's intent. Malware usually checks its environment before delivering its payload: the uptime of the machine, the surrounding network, the virtual environment's hard-drive space (if it is too small, the malware assumes it is being sandboxed and does not execute), how many programs are installed, and the current time and date of the server providing the staging environment in which the malware runs its checks.
While network-appliance-based sandboxing services have historically helped identify new dynamic threats, that approach does not hold up against current intelligent malcode that can detect its environment and act accordingly.
When designing malware, the malcode developer is well aware of these detection techniques and uses recursive packing techniques to bypass the sandbox environment once the malware detects that it is being actively analyzed. Today's malware families and variants are more intelligent than the protection software monitoring them: they simply watch for real user interaction on the machine, uptime, hard-drive space, and typical usage and installed programs.
By the time of detection, the malicious code is fully aware of its environment. Having identified that it is in a false state, it changes its form (polymorphism) to go undetected by sandbox-based detection engines and is thus judged benign; it eventually deletes itself from the system and is never analyzed again, because its SHA checksum is now trusted.
The proper way to protect an endpoint from infection is to avoid network-based or off-site intermediate sandboxing, and to avoid any off-site detection engine or cloud-based "next-gen" binary static analysis altogether.
How does Volico's Endpoint Protection actively work to prevent malware from infecting your business network, servers, and endpoints?
Volico Endpoint Protection uses macro-virtualization on the endpoint itself to perform sandboxing: the actual endpoint serves as the execution environment, the binary is wrapped in a predictive jail, and the malware is watched and allowed to execute without being aware that it is jailed, all while the true nature and intent of the malware is reported home.
As the threat landscape changes, new detection techniques and approaches are constantly required. Positive endpoint protection uses endpoint-based micro-virtualization to attach to the binary, learn its true intent, and inform a dashboard about the life cycle of the malcode, in effect befriending the malware in order to notify the security analyst of its intent.
This allows the analyst to look at a bird's-eye dashboard and determine the true nature of a binary, actually detecting whether it is benign or malicious and predicting its behavior through static and dynamic real-time monitoring and analysis. Because this technique does not use signature-based algorithms or any predefined attribute detection, the level of false-positive detection is manageable.
As metamorphic, polymorphic, and semi-self-aware malware becomes more prevalent every day, current statistics indicate that over 2 million new malcode variants are developed every month. A single variant of these malicious binaries can cause tremendous financial loss and destroy trust in the infected organization, enterprise, or brand.
Endpoint-based micro-virtualization removes the staffing overhead of security teams spending time on training or on writing YARA detection signatures (YARA is a tool designed to help malware researchers identify and classify malware samples) to determine which binaries are safe and which have malicious intent. This is the proper approach to endpoint protection, as the product does not use any definition files or signatures at all.
Allowing endpoint-based micro-virtualization to run each binary in a separate space makes it easy to identify memory-based malware, or malcode using birthday-attack techniques, by fast-forwarding time in the virtual environment.
To properly determine new and emerging threats, the endpoint protection technology must run on the intended endpoint itself, in a macro-jailed environment, to successfully detect and prevent malware, on the assumption that all malware will eventually reach its target endpoint.
Once the malcode reaches the endpoint, a sandbox-at-the-endpoint detection approach can determine whether the infected binary (or its variant) will cause harm, unlike signature-based or static-analysis detection systems, by analyzing the entire lifecycle of the malware together with its full malicious behavior and properly identifying the suspicious activity of its execution, all unknown to the binary, since the malware has passed all of its evasion checks and believes it is inside a genuine, active working environment.
This technique is one of the only ways to detect and prevent previously unseen malware, including on-the-fly morphic malcode that exhibits no static signatures or known indicators of compromise. Standard dynamic and static behavior analysis, real-time integrity monitoring and analysis, and behavior-based detection become easy once the binary performing such tasks is properly wrapped inside a sandbox at the machine level.
This approach allows the intended malicious activity to actually execute (inside the jail) and perform its operations accordingly. The system then records all intended disk, memory, network, and registry changes and reports them home, without the binary ever executing outside its micro-virtualization environment.
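Once a jailed binary has been allowed to run, the disk, memory, network and registry changes it attempted are the evidence an analyst actually works from. The Python below is an added example of turning such a behaviour record into a verdict; it is not Volico's report format or scoring. The JSON-lines event layout, the rule names, the weights and the score thresholds are all assumptions chosen for illustration, and both event logs are constructed (the external address is a reserved documentation value standing in for a real remote host). The point it makes beyond the paragraph is that behaviour rules key on what the binary did, so a packed or polymorphic copy that does the same things scores the same.

```python
import ipaddress
import json
from collections import Counter

# Constructed behaviour log in a hypothetical JSON-lines layout (an assumption,
# not a real product format): one record per action the jailed process took.
SAMPLE_EVENTS = r"""
{"ts": 1, "cat": "disk", "op": "write", "path": "C:\\Users\\u\\AppData\\Roaming\\svc\\update.exe"}
{"ts": 2, "cat": "registry", "op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svc"}
{"ts": 3, "cat": "memory", "op": "write_remote", "target_image": "explorer.exe"}
{"ts": 4, "cat": "network", "op": "connect", "dst": "198.51.100.23", "port": 8443}
{"ts": 5, "cat": "network", "op": "connect", "dst": "10.0.0.5", "port": 445}
{"ts": 6, "cat": "disk", "op": "delete", "path": "C:\\Users\\u\\Downloads\\invoice.exe"}
{"ts": 7, "cat": "disk", "op": "read", "path": "C:\\Windows\\System32\\kernel32.dll"}
"""

# Constructed log for an ordinary program: reads a system DLL, talks to a
# file server on the LAN, queries (does not set) a registry key.
BENIGN_EVENTS = r"""
{"ts": 1, "cat": "disk", "op": "read", "path": "C:\\Windows\\System32\\kernel32.dll"}
{"ts": 2, "cat": "network", "op": "connect", "dst": "10.0.0.5", "port": 445}
{"ts": 3, "cat": "registry", "op": "query", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"}
"""

# Address ranges treated as "inside": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr: str) -> bool:
    """True for a parseable address outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


# (rule name, weight, predicate over (event, context)); weights are illustrative.
RULES = [
    ("drop_executable_in_profile", 3, lambda e, c: e["cat"] == "disk" and e.get("op") == "write"
        and e.get("path", "").lower().endswith(".exe")
        and "\\appdata\\" in e.get("path", "").lower()),
    ("persistence_run_key", 4, lambda e, c: e["cat"] == "registry" and e.get("op") == "set"
        and e.get("key", "").lower().endswith("\\currentversion\\run")),
    ("remote_process_memory_write", 5, lambda e, c: e["cat"] == "memory"
        and e.get("op") == "write_remote"),
    ("external_connection", 3, lambda e, c: e["cat"] == "network" and e.get("op") == "connect"
        and is_external(e.get("dst", ""))),
    ("self_delete", 2, lambda e, c: e["cat"] == "disk" and e.get("op") == "delete"
        and e.get("path", "").lower() == c["origin"].lower()),
]


def analyze(log_text: str, origin_path: str) -> dict:
    """Score a jail's behaviour log and summarise what the binary tried to change."""
    ctx = {"origin": origin_path}          # path the sample was launched from
    hits, by_category, score = [], Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        by_category[event["cat"]] += 1
        for name, weight, matches in RULES:
            if matches(event, ctx):
                hits.append((name, event["ts"]))
                score += weight
    # Thresholds are illustrative; a real deployment would tune them.
    verdict = "malicious" if score >= 8 else "suspicious" if score >= 4 else "benign"
    return {"score": score, "verdict": verdict, "hits": hits,
            "by_category": dict(by_category)}


if __name__ == "__main__":
    origin = r"C:\Users\u\Downloads\invoice.exe"
    for label, log in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        report = analyze(log, origin)
        print(label, report["verdict"], report["score"], report["hits"], report["by_category"])
```

The `self_delete` rule needs the launch path as context, which is why `analyze` takes `origin_path`: a delete of some unrelated file is normal, a delete of the sample's own image is the clean-up step the text describes. The LAN connection to a file server on port 445 and the read of a system DLL deliberately score nothing, so the benign log comes out at zero; a behaviour scorer that flags every file read or every socket would recreate the false-positive problem the text attributes to signature engines.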
Do you plan on implementing endpoint protection software in the near future?
Volico's Endpoint Protection solutions provide excellent defense against unwanted intruders from both the internet and the office, delivered with maximum flexibility for your environment. Our endpoint security is a cost-effective, scalable solution that helps your business guard against intrusion.
Get in touch with us today for a FREE consultation!