October 16, 2015 | By David Strom

A great deal of modern malware makes use of what is called polymorphic techniques. TechTarget defines the term as something that frequently changes attack states or uses different file names, hashes or signatures to encrypt or otherwise hide its code so as to avoid detection and eradication.

The Shifu Trojan may be a new beast, for example, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch.

In the past, anti-malware programs would scan for particular signatures or simple behaviors. That isn’t good enough anymore, given all the evasive maneuvers that the latest malware writers are using. Take the example of the sophisticated Angler exploit kit, which targets vulnerabilities in plain HTML, JavaScript, Flash and Silverlight and frequently modifies its own code to evade detection. Other infections hide their intent and only show their hand when they decrypt their code and run exploits.

Turning the Tables

But now the good guys are turning the tables and employing some of the same kinds of polymorphic evasive techniques as protective measures. This is gaining interest since a number of vendors are using these techniques to keep malware from infecting endpoints. Just as the attackers rely on particular operating system and device weaknesses, the same knowledge can be used to harden these systems.

The techniques were originally called a “moving target defense” by several academics who held a conference last November in Arizona and presented several papers on the subject. Since then, vendors have been working on commercial polymorphic defenses.

Shape Security offered an illustration of how its Botwall service alters the underlying HTML code of a Web page so that it is constantly changing, all with no discernible pattern and lacking the typical coding constructs that one would expect. It shows a simplified login form, and the software tool replaces certain attributes with random strings. “The resulting code breaks malware, bots or other attacks programmed to submit that form, but renders identically to the original form,” the site stated.
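To make the form-rewriting idea concrete, here is an added example (my own illustration, not Shape Security’s code or a description of how Botwall is implemented) that replaces the `name` and `id` attributes of a constructed login form with per-request random tokens and maps a submission back to the original field names, so a script hardcoded to the static names is identified rather than served. The form markup, the token format and the `polymorph_form`/`decode_submission` names are all assumptions for the illustration.

```python
import re
import secrets

# Constructed sample input: a simplified login form, like the one in the Shape illustration.
LOGIN_FORM = """<form action="/login" method="post">
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password">
  <input type="submit" value="Log in">
</form>"""

# Only the attributes a scripted submitter keys on are rewritten; everything the
# browser needs to render the form identically (type, action, value) is left alone.
ATTR_RE = re.compile(r'\b(name|id)="([^"]+)"')


def polymorph_form(html, token_fn=None):
    """Rewrite every name/id value in `html` with a fresh random token.

    Returns (rewritten_html, mapping) where mapping is token -> original value.
    The same original value always gets the same token within one rewrite, so
    a field's name and id stay in sync. Each new call yields a new set of tokens."""
    token_fn = token_fn or (lambda: "f" + secrets.token_hex(8))
    forward = {}  # original value -> token, for this rewrite only

    def swap(m):
        attr, original = m.group(1), m.group(2)
        if original not in forward:
            forward[original] = token_fn()
        return f'{attr}="{forward[original]}"'

    rewritten = ATTR_RE.sub(swap, html)
    return rewritten, {tok: orig for orig, tok in forward.items()}


def decode_submission(posted, mapping):
    """Map submitted field names back to the originals the application expects.

    Fields whose names are not in the current mapping (for example a bot replaying
    the static names 'username'/'password') are returned separately so the server
    can reject or log the request instead of processing it."""
    decoded, unknown = {}, {}
    for field, value in posted.items():
        if field in mapping:
            decoded[mapping[field]] = value
        else:
            unknown[field] = value
    return decoded, unknown
```

In a real deployment the mapping would be stored server-side per session and discarded after one use, so every page load presents a different form while the browser renders the same thing.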

The Hunt for Polymorphic Malware

Other vendors are looking specifically for polymorphic malware by digging deeper into the operating systems that they protect. For example, Trusteer Apex Advanced Malware Protection can prevent zero-day exploitation attempts, malware deployment and malicious communications from an infected bot. Similarly, a newer tool like Cylance Protect assumes that every piece of malware is a zero-day threat and, as part of its procedures, looks for typical behaviors such as privilege escalation or running processes from within a browser page.

It is still too early to determine if these defensive products can stay ahead of the bad guys. But turnabout is truly fair play, and it is interesting to see these solutions appear in the marketplace.
