Incident Response, Malware, TDR

AV is getting crazy complicated! But is it actually helping you?

When designing security programs, it's considered “table stakes” for companies to deploy some form of anti-virus (AV) to protect against many of the known threats employees run into as part of their daily work. As the threat landscape continues to advance, attackers have become better at developing tools and attacks that get around the signatures AV rely on to prevent compromise, causing many to question the efficacy of today's AV solutions.

In response, AV vendors have added new capabilities aimed at preventing zero-day attacks by leveraging sandboxing and heuristic-based detection. These technologies run code in an isolated sandboxed environment to detect patterns of malicious activity before allowing it to run on a machine or network. Instead of simply blocking known threats, this technology allows companies to detect previously unknown threats that take malicious actions before reaching the network. 

Sounds pretty good right? But is sandboxing AV's silver bullet?

A few months ago, I was preparing to give a presentation about how an advanced and persistent attacker might compromise an internal network using custom malware and a USB drive. The idea was to write a new piece of malware, use a USB drive as a delivery mechanism, and trick the receptionist into plugging it in, effectively installing a command-and-control bot on the receptionist's machine even if the machine had anti-virus.

Imagine my surprise when the brand new malware, which had never been seen before, was detected by the AV solution within 30 seconds. This would make my presentation less than compelling, so I had to find a way to overcome its detection.

I knew the AV product didn't have a signature for my malware but upon further investigation it did have a heuristic analysis engine that found my script was behaving like malware and subsequently blocked it from compromising the system. I had no idea what actions my malware took that the AV product defenses didn't like. All I knew was that something it did triggered the heuristics to rule the file was malicious. I needed to understand the problematic actions and how to hide them from the heuristics.

After running the code a few times and selectively removing key lines, I narrowed the part being considered malicious down to one statement. Next and most importantly, I needed to find a way to get around the sandbox, which led me to try techniques that take advantage of the fundamental limitations of heuristic defense. In this case, it was time.

The first trick I tried was to tell the malware to wait (or sleep) for 30 seconds before it does anything.  Since the heuristic process takes less than 30 seconds, I assumed that would work. The AV software still detected the malware. But the blocking was an interesting result, because it meant that the AV software somehow executed the entire script in less time than the sleep operation demanded. That shouldn't have been possible, unless it was ignoring sleep operations to keep things fast and run the malware without waiting 30 seconds. So next, I wanted to program it to detect when it was in a sandbox and to only execute the malicious line after it was free of the sandbox.   

I set about coding a function that only executes the malware code if the sleep operation waited long enough based on expected execution time versus the sleep function being skipped in the sandbox. Now from the perspective of the heuristic engine, this script that runs in the sandbox does absolutely nothing when analyzed, but when executed in real time, will perform the desired malicious actions.

The trick worked and a modern AV solution's heuristic detection was bypassed with five lines of code and about 20 minutes of testing.

This simple example clearly shows that while adding heuristics to AV is a positive sign of things to come, it is far from perfect. Heuristics are a cool and powerful addition to anti-virus solutions, but it's clear we have a long way to go before it actually presents a challenge to sophisticated attackers. Anti-virus is not perfect, it's just another important layer of protection to consider as one part of a holistic security approach.

After a few years of research and development, heuristics may prove to be exceptionally effective, but for the time being, it represents one more mildly annoying obstacle an attacker must overcome, and therefore raises the bar at least a little. The more difficult, expensive and time consuming it is to execute an attack, the less likely an attacker is to do it. But practically speaking, at least for now, a strong defense requires a layered approach consisting of good network firewalls, network anti-virus, client anti-virus, and next-gen firewalls, but most important of all, education and awareness.  Make sure users are aware that anti-virus is not perfect and that they must remain ever vigilant when dealing with potentially hostile resources on the internet.  Don't let AV marketing pitches lull you and your organization into a false sense of security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.