A great deal of modern malware makes use of what are called polymorphic techniques. TechTarget defines the term as malware that frequently changes its attack state, or uses different file names, hashes or signatures to encrypt or otherwise hide its code, so as to avoid detection and eradication.
The Shifu Trojan may be a new beast, for example, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch.
In the past, anti-malware programs would scan for particular signatures or simple behaviors. That isn’t good enough anymore, given all the evasive maneuvers that the latest malware writers are using. Take the example of the sophisticated Angler exploit kit, which targets vulnerabilities found in plain HTML, JavaScript, Flash and Silverlight and frequently modifies its own code to evade detection. Other infections hide their intent and only show their hand when they decrypt their code and run exploits.
Turning the Tables
But now the good guys are turning the tables and employing some of the same kinds of polymorphic evasive techniques as protective measures. This is gaining interest since a number of vendors are using these techniques to keep malware from infecting endpoints. Just as the attackers rely on particular operating system and device weaknesses, the same knowledge can be used to harden these systems.
The techniques originally were called a “moving target defense” by several academics who held a conference last November in Arizona and presented several papers on the subject. Since then, vendors have been working on commercial polymorphic defenses.
Shape Security offered an illustration of how its Botwall service alters the underlying HTML code of a Web page so that it is constantly changing, all with no discernible pattern and lacking the typical coding constructs that one would expect. It shows a simplified login form, and the software tool replaces certain attributes with random strings. “The resulting code breaks malware, bots or other attacks programmed to submit that form, but renders identically to the original form,” the site stated.
The Hunt for Polymorphic Malware
Other vendors are looking specifically for polymorphic malware by digging deeper into the operating systems that they protect. For example, Trusteer Apex Advanced Malware Protection can prevent zero-day exploitation attempts, malware deployment and malicious communications from an infected bot. Similarly, a newer tool like Cylance Protect assumes that every piece of malware will be a zero-day entity and looks for typical behaviors such as privilege escalation or running processes from within a browser page as part of its procedures.
It is still too early to determine if these defensive products can stay ahead of the bad guys. But turnabout is truly fair play, and it is interesting to see these solutions appear in the marketplace.