When protecting endpoints from malware or any kind of command-and-control-based Malcode (malicious code), the software an organization or enterprise chooses in order to protect the machines in its environment draws on many different approaches and techniques. Solutions for safeguarding endpoints include on-site binary isolation, server-based micro-virtualization, real-time system isolation, and on-the-fly or over-the-wire binary static analysis.
Most detection is performed on the binary in motion rather than on each machine, because true static and/or dynamic analysis via sandboxing and off-site intermediate-representation analysis is very CPU- and memory-intensive; and if the binary is instead sent off-site for further analysis, the verdict arrives too late, leaving the machines infected before the binary is determined to be malicious.
Currently, most endpoint malware detection solutions rely on very simple and easily evaded technologies that look for signatures in binaries. This can mean checking the entropy of the binary to determine whether it is highly entropic, looking for SHASums or strings in the binary that match known command and control centers, or analyzing the binary for known IP addresses that communicate with command and control centers or exhibit other malicious behavior. Malcode developers have adapted to these basic checks by standard endpoint protection systems by applying multiple packers when compiling the malware and by building anti-debugging functions into their code to bypass the security software, leaving the endpoint once again infected or open to attack.
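The entropy check mentioned above, as an added example that is not code from the original article: a sliding-window Shannon entropy scan that flags regions of a buffer likely to be packed or encrypted. The 7.0 bits/byte threshold, the window and step sizes, and the constructed sample buffers are assumptions, not values from the page.

```python
import math
import random
from collections import Counter

# Bits/byte above which a window is treated as packed or encrypted.
# Assumption: 7.0 is a common heuristic cut-off, not a value from the article.
HIGH_ENTROPY_THRESHOLD = 7.0
WINDOW = 512   # bytes per window (assumed)
STEP = 256     # stride between windows (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _window_offsets(length: int, window: int, step: int) -> range:
    """Start offsets of every full window; a short buffer yields one window at 0."""
    return range(0, max(1, length - window + 1), step)


def high_entropy_windows(data: bytes, window: int = WINDOW, step: int = STEP,
                         threshold: float = HIGH_ENTROPY_THRESHOLD) -> list:
    """Return (offset, entropy) for every window whose entropy exceeds threshold."""
    flagged = []
    for off in _window_offsets(len(data), window, step):
        ent = shannon_entropy(data[off:off + window])
        if ent > threshold:
            flagged.append((off, ent))
    return flagged


def packed_ratio(data: bytes, window: int = WINDOW, step: int = STEP,
                 threshold: float = HIGH_ENTROPY_THRESHOLD) -> float:
    """Fraction of windows flagged as high-entropy: a crude 'is it packed?' score."""
    total = len(_window_offsets(len(data), window, step))
    return len(high_entropy_windows(data, window, step, threshold)) / total


# Constructed sample inputs (not real binaries): a plaintext-like header region
# followed by a pseudo-random region standing in for a packed/encrypted payload.
_rng = random.Random(1234)
SAMPLE_TEXT = b"This program cannot be run in DOS mode.\r\n" * 40
SAMPLE_PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_BINARY = SAMPLE_TEXT + SAMPLE_PACKED

if __name__ == "__main__":
    for name, buf in (("text", SAMPLE_TEXT), ("packed", SAMPLE_PACKED),
                      ("mixed", SAMPLE_BINARY)):
        print(f"{name:6s} packed_ratio={packed_ratio(buf):.2f} "
              f"first_flagged={high_entropy_windows(buf)[:1]}")
```

High entropy also flags legitimately compressed or encrypted content (installers, media, signed updates), so the score is one signal to combine with others, not a verdict.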
Developing malware that is capable of evading a signature-based protection system is rather easy and can be done on the binary post-compile. This makes it very simple to alter trusted system binaries so that they are infected and thus bypass security measures. Binary masking and anti-debugging are often used together when developing malware or when modifying a trusted executable binary so that it appears completely safe and benign to detection.
Proper endpoint protection must take the above into account in order to keep an organization from becoming the victim of a widespread infection.
Endpoint-based sandboxes or micro-segmentation are designed to emulate the execution of each binary run on the machine inside a virtual residence, spinning up micro virtual machines that determine what the binary's intent is. Malware usually checks its environment before delivering its payload: it checks the uptime of the machine, the current network around it, the virtual environment's hard drive space (if it is too small, the malware assumes it is being sandboxed and does not execute), how many programs are installed, and the current time and date of the server that provides the staging environment for the malware's execution checks.
While network-appliance-based sandboxing services have historically helped identify new dynamic threats, the above approach does not hold up against current intelligent Malcode that can detect its environment and act accordingly.
When designing malware, the Malcode developer is very aware of these detection techniques and uses recursive packing techniques to bypass the sandbox environment once the code detects that it is being actively analyzed. Today's malware families and variants are more intelligent than the protection software monitoring them, simply by watching for real user interaction on the machine, uptime, hard drive space, and generic usage or installed programs.
By the time of detection, the malicious code is fully aware of its environment; having identified that it is in a false state, it performs polymorphism in order to go undetected by sandbox-based detection engines, is thus rendered benign, and eventually deletes itself from the system, never to be analyzed again because its SHASum is now trusted.
The proper way to protect an endpoint from infection is to avoid network or off-site intermediate sandboxing, and to avoid any off-site detection engine or cloud-based "next-gen" binary static analysis altogether.