In the previous articles, we looked at Introduction to Malware analysis, types of malware analysis techniques and how to perform static analysis. Today, I would like us to have a look at how to detect malware. Malware detection is not that simple when we take into account the different techniques/methods that are being used by malware developers or writers to evade detection.
Malware detection is the process of detecting the presence of malware on a host or system. This can be through scanning, manual searching etc. and we have various tools that have been created for this specific purpose.
Some Malware detection tools include:
- Anti-Malware software: this is a program that designed to prevent and detect malware by scanning the device regularly for any malicious software or malware. It can also remove malware from a host if detected. Examples are ClamAV, Windows Antimalware Scan Interface etc.
- Endpoint Protection Platforms (EPP): this is a tool that is designed to provide device-level protection by identifying malicious files, detecting malicious activity and providing incident response tools.
- Wazuh: it is an open-source tool for threat detection, integrity monitoring, incident response and intrusion detection. Wazuh agents scan the monitored systems looking for malware, rootkits and suspicious anomalies. It can detect hidden files, cloaked processes and unregistered network listeners among other things. Through the file integrity monitoring feature, wazuh is able to generate the unique hashes of files added or modified and using virus total determine if it is malicious or not.
The above is just a couple of examples. We have very many tools both open-source and enterprise version that you can deploy in your environment to help in the early detection of malware.
As I say this, I do acknowledge that today’s malware has greatly advanced and are implementing evasive behaviors to avoid detection. Some of these techniques include:
- Environmental awareness
This technique allows the malware to detect the environment it is trying to infect. This allows the malware to determine if it is in a sandbox environment or bare metal environment. In the case that it determines it is in a sandbox, it will not run.
- Obfuscation
Obfuscation is the act of hiding the internal meaning of something. This is one of the most common evasion techniques implemented by most malware developers since most antivirus and antimalware solutions are not able to detect them and they also do this to make it difficult for a malware analyst to analyze the malware.
- Hiding itself
Malware can attempt to edit an operating systems data structure to make the malicious process no longer appear under the list of running processes.
- Hijack another process
Some malware will take over an innocent process causing it to create another thread to run the malicious code. The hijacked process will continue to run as expected but it will have a parasite-like thread running
- Timing-based evasion
In this evasion technique, the malware runs at specific times or runs following certain actions taken by the user/victim. The malware can use the registry keys such as RunOnce i.e., it will run when a user logs on.
Malware is becoming more and more advanced with respect to the evasive technique used. However, security researchers are coming up with different ways on how we can counter-attack evasion and this is very helpful and satisfying news for other security professionals e.g. for malware analysts, it is advisable to randomize the environmental triggers that malware commonly search for so as to know if it is in a sandbox environment.
Having knowledge of the different techniques that malware can use to avoid detection in your environment is important for every security professional. This information will help you and your team know what best defenses can be put in place to secure your critical servers.
Conclusion
Attackers are constantly modifying malware to evade detection. In order for an adversary to collect information about the victim’s infrastructure, they prefer using malware with built-in functionality to detect and evade sandboxes and code analyzers.
Traditional defenses may not be able to detect advanced malicious programs this is why it is important for you to have an antivirus/antimalware solution that is constantly updated. It may be difficult for antivirus solutions to catch up with the increasingly high number of malwares being created every day that is why having more than one detection tool is good practice.
Enriching the IOC (Indicators Of Compromise) database of your sandbox environment can also help in improving your response to cyber threats. This can also include the creation of new yara rules whenever you encounter a new malware that you would like your organization to keep watch on.