A great deal of modern malware makes use of what are called polymorphic techniques. TechTarget defines polymorphic malware as malware that frequently changes attack states or uses different file names, hashes or signatures to encrypt or otherwise hide its code so as to avoid detection and eradication.

The Shifu Trojan may be a new beast, for example, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch.

In the past, anti-malware programs would scan for particular signatures or simple behaviors. That isn’t good enough anymore, given all the evasive maneuvers that the latest malware writers are using. Take the example of the sophisticated Angler exploit kit, which targets vulnerabilities in plain HTML, JavaScript, Flash and Silverlight and frequently modifies itself to evade detection. Other infections hide their intent and only show their hand once they decrypt their code and run their exploits.

Turning the Tables

But now the good guys are turning the tables and employing some of the same kinds of polymorphic evasive techniques as protective measures. This is gaining interest since a number of vendors are using these techniques to keep malware from infecting endpoints. Just as the attackers rely on particular operating system and device weaknesses, the same knowledge can be used to harden these systems.

The techniques originally were called a “moving target defense” by several academics who held a conference last November in Arizona and presented several papers on the subject. Since then, vendors have been working on commercial polymorphic defenses.

Shape Security offered an illustration of how its Botwall service alters the underlying HTML code of a Web page so that it is constantly changing, with no discernible pattern and without the typical coding constructs one would expect. The illustration shows a simplified login form in which the tool replaces certain attributes with random strings. “The resulting code breaks malware, bots or other attacks programmed to submit that form, but renders identically to the original form,” the site stated.
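To make the idea concrete, here is an added example (my own illustration, not Shape Security's code) of the mechanism the paragraph describes: each time a login form is served, its `name` and `id` attributes are replaced with fresh random tokens, the server keeps a per-response mapping from token back to the real field name, and a submission that uses the original, hard-coded field names (as a scripted bot would) is rejected. The sample form and the regex-based rewriter are constructed for this example; a production implementation would work on a parsed DOM and store the mapping in the user's session.

```python
import re
import secrets
from urllib.parse import parse_qs

# Constructed sample login form for the example (not from the article).
LOGIN_FORM = """<form action="/login" method="post">
  <label for="username">User</label>
  <input type="text" name="username" id="username">
  <label for="password">Password</label>
  <input type="password" name="password" id="password">
  <input type="submit" value="Log in">
</form>"""

# Attributes that a form-submitting bot keys on. Matching is deliberately narrow
# so that unrelated attributes such as type="text" are left alone.
ATTR_RE = re.compile(r'\b(name|id|for)="([^"]+)"')


def polymorph_form(form_html, token_len=12):
    """Return (rewritten_html, mapping).

    mapping maps each random token back to the original attribute value.
    The same original value always gets the same token within one rendering,
    so name/id/for associations still line up and the form renders as before.
    """
    forward = {}   # original value -> token (per rendering)
    mapping = {}   # token -> original value (kept server-side)

    def repl(match):
        attr, value = match.group(1), match.group(2)
        if value not in forward:
            token = secrets.token_hex(token_len // 2)  # token_len hex chars
            forward[value] = token
            mapping[token] = value
        return f'{attr}="{forward[value]}"'

    return ATTR_RE.sub(repl, form_html), mapping


def decode_submission(body, mapping):
    """Translate a submitted form body back to the original field names.

    Any field name that is not one of this rendering's tokens means the client
    did not submit the form it was served (replayed or scripted submission),
    so the request is refused rather than guessed at.
    """
    decoded = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key not in mapping:
            raise ValueError(f"unknown field {key!r}: stale or scripted submission")
        decoded[mapping[key]] = values[0]
    return decoded


if __name__ == "__main__":
    html_out, mapping = polymorph_form(LOGIN_FORM)
    print(html_out)
    print(mapping)
```

Two renderings of the same form differ in every field name, so a bot built against one copy cannot submit another, while a browser that fills in whatever form it was actually served works unchanged.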

The Hunt for Polymorphic Malware

Other vendors are looking specifically for polymorphic malware by digging deeper into the operating systems that they protect. For example, Trusteer Apex Advanced Malware Protection can prevent zero-day exploitation attempts, malware deployment and malicious communications from an infected bot. Similarly, a newer tool like Cylance Protect assumes that every piece of malware is a zero-day and, as part of its procedures, looks for typical behaviors such as privilege escalation or processes being launched from within a browser page.
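The behavior-based approach described above does not depend on the malware's bytes at all, which is what makes it robust against polymorphism. As an added illustration (my own sketch, not the logic of any vendor product named here), the following runs two such behavioral checks over a constructed process tree: a script host or shell launched by a browser process, and a child process running at a higher integrity level than its parent. The event records, browser and child lists are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, as an endpoint sensor might report it."""
    pid: int
    ppid: int
    image: str
    user: str
    integrity: str  # "low" | "medium" | "high" | "system"


# Assumed lists for the example; a real product tunes these per environment.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}


def find_alerts(events):
    """Return (rule, parent_pid, child_pid) tuples for behaviors worth alerting on.

    The checks look only at who launched whom and at what privilege, so a
    repacked or re-encrypted payload triggers them just like the original.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # root of the tree or parent not captured
        if (parent.image.lower() in BROWSERS
                and child.image.lower() in SUSPICIOUS_CHILDREN):
            alerts.append(("browser_spawned_process", parent.pid, child.pid))
        if INTEGRITY_RANK[child.integrity] > INTEGRITY_RANK[parent.integrity]:
            alerts.append(("integrity_escalation", parent.pid, child.pid))
    return alerts


# Constructed sample process tree: a low-integrity browser renderer that
# launches PowerShell at medium integrity (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "corp\\alice", "medium"),
    ProcEvent(2000, 1000, "chrome.exe", "corp\\alice", "medium"),
    ProcEvent(2001, 2000, "chrome.exe", "corp\\alice", "low"),
    ProcEvent(3000, 2001, "powershell.exe", "corp\\alice", "medium"),
    ProcEvent(4000, 1000, "notepad.exe", "corp\\alice", "medium"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

In practice the escalation rule needs an allow-list for legitimate elevation paths (UAC prompts, installers), and the browser rule is usually scoped to the renderer and plugin processes rather than the browser's main broker, but the shape of the check is the same.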

It is still too early to determine if these defensive products can stay ahead of the bad guys. But turnabout is truly fair play, and it is interesting to see these solutions appear in the marketplace.
