Malware, or malicious software, is software designed to take control of or disrupt its victim’s computer or network infrastructure. In recent years businesses have been exposed to growing risk, not only because the number of attacks keeps rising, but because perpetrators continuously produce new malware variants, making them more difficult to detect. In this blog, we’ll explain the challenges in detecting malware and how to prevent malware attacks with best practices and advanced technologies.

What is Malware?

Malware is any type of malicious software that exploits vulnerabilities in the victim’s computer or network, including viruses, ransomware, spyware, trojans, and more. Malware either resides in files or is accessed through malicious URLs. It can perform a range of malicious activities, from stealing user credentials or other information to launching advanced attacks such as ransomware. In a world where collaboration on content across multiple applications is becoming the main driver of business performance, malware is an indispensable tool in any attacker’s arsenal. In fact, while the number of detected malware applications stood at 28.84 million ten years ago, by 2020 it had reached nearly 678 million, and the trend continues upward.

Figure 1: Malware delivered through a Word document

Challenges in Preventing Malware Attacks

The complex threat landscape, combined with the continued use of outdated technologies such as traditional sandboxes, results in low malware detection rates – as low as 60-70%. Consequently, too many threats evade existing protections and land straight in user inboxes.

Here are some of the challenges security solutions are facing in the detection of malware. 

Packed programs disguise malware 

Packing is the process of masking a malicious file to avoid detection. Packers can encrypt, compress or alter the format of a malicious file, and hackers use them to evade antivirus software. Packing malware also makes it difficult for malware analysts to reach the original code and analyze it.

Relying on signatures is not comprehensive 

Using standard antivirus software to scan potentially malicious content is a common first approach in many security solutions (also called “Static Analysis”). While this works to some extent, it is far from sufficient, because advanced malware will usually get past this kind of scan. Antivirus software relies on databases of previously reported files: it looks up the file’s signature in the database and, if found, identifies the file as malware. Hackers nowadays easily evade this detection by modifying their code so that it receives a new signature and is therefore not detected. In addition, new types of malware will obviously not be identified if they are not already in the database.
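The two weaknesses described under “Packed programs” and “Relying on signatures” can be shown side by side: an exact-hash signature stops matching after a single byte of the file changes, while a packed body that no signature knows still stands out because compressed or encrypted data has near-maximal entropy. The Python below is an added example, not code from the original post or from Perception Point; the three samples, the one-entry signature set and the 7.2 bits/byte cut-off are constructed assumptions for illustration.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed stand-in for a "known bad" executable: an MZ prefix followed by
# low-entropy filler text (hypothetical sample, not a real malware file).
ORIGINAL_SAMPLE = b"MZ" + b"constructed stand-in for a previously reported malicious file; " * 40

# The same sample with one byte flipped: what a trivial byte-level mutation
# of the malware looks like to a hash-based scanner.
_mutated = bytearray(ORIGINAL_SAMPLE)
_mutated[-1] ^= 0x01
MUTATED_SAMPLE = bytes(_mutated)

# Stand-in for a packed sample: a seeded pseudo-random body, which is how an
# encrypted or compressed payload looks to a byte-frequency analysis.
_rng = random.Random(1337)
PACKED_SAMPLE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "database of previously reported files" from the text, reduced to a
# single SHA-256 signature for the constructed sample.
KNOWN_BAD_SIGNATURES = {sha256_hex(ORIGINAL_SAMPLE)}


def signature_match(data: bytes, signatures: set) -> bool:
    """Exact-hash lookup: matches only byte-identical files."""
    return sha256_hex(data) in signatures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Compressed or encrypted data approaches 8 bits/byte; ordinary code and text
# sit well below. 7.2 is an assumed heuristic cut-off for this example.
PACKED_ENTROPY_THRESHOLD = 7.2


def static_verdict(data: bytes, signatures: set = KNOWN_BAD_SIGNATURES) -> str:
    """Signature lookup first, then the entropy heuristic as a fallback."""
    if signature_match(data, signatures):
        return "known-malicious"
    if shannon_entropy(data) >= PACKED_ENTROPY_THRESHOLD:
        return "suspicious-packed"
    return "no-static-finding"


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_SAMPLE),
                          ("mutated", MUTATED_SAMPLE),
                          ("packed", PACKED_SAMPLE)):
        print(f"{label:9s} entropy={shannon_entropy(sample):.2f} "
              f"verdict={static_verdict(sample)}")
```

The mutated sample gets no static finding at all, which is exactly the evasion the text describes; the entropy check catches the packed sample but only as “suspicious”, because legitimate installers and compressed resources also score high, so in practice it is a triage signal that feeds dynamic analysis rather than a verdict on its own.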

Sandboxes are slow and bypassed 

A popular approach to avoiding the drawbacks of Static Analysis is Dynamic Scanning, the process of detonating files and URLs inside an isolated environment in order to detect malicious code execution. Advanced Threat Detection security solutions use Sandboxes, which implement dynamic scanning. They give the malware a place to “play” and act, while performing application-level checks to determine whether exploits and vulnerabilities are being used.

While a legacy sandbox certainly improves detection rates over Static Analysis, it does not provide complete protection, because attackers have learned to evade the dynamic scanning it performs.

For example, certain types of malware require specific command-line arguments in order to execute, or sleep for a period before beginning to execute commands. Traditional sandboxes cannot run such malware because they do not supply command-line options, and they often do not wait long enough to detect the malicious commands.
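Both evasions in the paragraph above leave a recognisable shape in a sandbox’s API-call trace: a sleep request that exceeds the detonation budget, or a process that reads its command line and exits without touching files, processes or the network. The Python below is an added example of triaging such traces so an analyst knows to re-detonate with a longer timeout or with candidate arguments; it is not code from the original post or from Perception Point, and the trace line format, the API name sets and the three traces are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed trace format (assumed, not any real sandbox's output):
# "<seconds since start> <API name> key=value ..."
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>\w+)(?P<rest>.*)$")

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}
ARGV_APIS = {"GetCommandLineA", "GetCommandLineW"}
# APIs treated as "the sample actually did something" (assumed list).
ACTIVITY_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "WinExec",
                 "InternetOpenUrlW", "WinHttpOpenRequest", "RegSetValueExW"}


@dataclass
class Event:
    t: float
    api: str
    args: dict = field(default_factory=dict)


def parse_trace(text: str) -> list:
    """Parse the constructed trace format, skipping blanks and # comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        events.append(Event(float(m.group("t")), m.group("api"), args))
    return events


def assess_trace(events: list, budget_s: float) -> list:
    """Return reasons the detonation should be extended or re-run."""
    findings = []
    sleep_ms = sum(int(e.args.get("ms", "0")) for e in events if e.api in SLEEP_APIS)
    if sleep_ms / 1000.0 > budget_s:
        findings.append(f"sleep-stall: sample requested {sleep_ms / 1000:.0f}s of sleep, "
                        f"more than the {budget_s:.0f}s detonation budget")
    acted = any(e.api in ACTIVITY_APIS for e in events)
    read_argv = any(e.api in ARGV_APIS for e in events)
    exited = any(e.api == "ExitProcess" for e in events)
    if read_argv and exited and not acted:
        findings.append("argv-gate: sample inspected its command line and exited "
                        "without activity; re-detonate with candidate arguments")
    return findings


# Constructed traces. The sleeper's trace ends where a 60 s sandbox run would
# have cut it off, so the only evidence is the oversized sleep request.
SLEEPER_TRACE = """\
# sample that stalls past the sandbox budget
0.000 GetModuleHandleW
0.002 Sleep ms=300000
"""

ARGV_GATED_TRACE = """\
# sample that needs an argument it was not given
0.000 GetCommandLineW
0.001 ExitProcess code=0
"""

BENIGN_TRACE = """\
0.000 GetModuleHandleW
0.003 CreateFileW path=C:\\Users\\Public\\notes.txt
0.004 WriteFile bytes=12
0.005 ExitProcess code=0
"""

if __name__ == "__main__":
    for name, text in (("sleeper", SLEEPER_TRACE),
                       ("argv-gated", ARGV_GATED_TRACE),
                       ("benign", BENIGN_TRACE)):
        print(name, assess_trace(parse_trace(text), budget_s=60))
```

The point of the two heuristics is to turn a silent “nothing happened” result, which a legacy sandbox would report as clean, into an explicit reason to look again.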

How to Prevent Malware Attacks

While it is not easy to properly protect your organization against malware, there are some common techniques provided by advanced threat protection solutions that are mandatory for preventing malware attacks.

Recursive Unpacking

Recursive unpacking is the ability to uncover threats at any nesting level inside content such as files and URLs that are attached to emails, shared on cloud collaboration tools or saved on cloud storage platforms. This is a key capability in protecting against malware, as attackers bury malicious content deep inside files as an evasion technique, relying on the fact that many security solutions do not scan embedded content. This capability is therefore critical for preventing malware attacks.

Figure 2: Malware hiding inside an Excel file that is wrapped in an encrypted zip file
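The nesting shown in Figure 2 (archive around a document around a macro stream) is what a recursive unpacker has to walk, and because OOXML documents such as .xlsm are themselves zip containers, the same walk reaches the VBA stream inside the workbook. The Python below is an added example of such a walker, with depth and decompression-bomb guards, and is not code from the original post or from Perception Point; the guard limits, the constructed attachment and the minimal stand-in for an .xlsm are assumptions. Python’s zipfile cannot create password-protected archives, so encrypted entries are only reported, not opened.

```python
import io
import zipfile

# Guard-rails for the recursive walk (values are assumptions for the example).
MAX_DEPTH = 8                     # nesting levels before we stop and flag
MAX_ENTRY_BYTES = 50 * 1024 ** 2  # refuse to inflate any single entry past this
MAX_RATIO = 100                   # inflated/compressed ratio that suggests a zip bomb


def _is_zip(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def walk_archive(data: bytes, path: str, depth: int = 0):
    """Yield (path, depth, payload, note) for every leaf found under `data`.

    `payload` holds the leaf's bytes when note == "leaf" and is None otherwise.
    Zip-based documents (.docx/.xlsm/...) are descended into like any archive.
    """
    if depth > MAX_DEPTH:
        yield (path, depth, None, "max-depth-exceeded")
        return
    if not _is_zip(data):
        yield (path, depth, data, "leaf")
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            child = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:  # entry is password-protected
                yield (child, depth + 1, None, "encrypted")
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else 0
            if info.file_size > MAX_ENTRY_BYTES or ratio > MAX_RATIO:
                yield (child, depth + 1, None, "decompression-bomb-guard")
                continue
            yield from walk_archive(zf.read(info), child, depth + 1)


def find_macro_streams(data: bytes, name: str) -> list:
    """Paths of every vbaProject.bin reached at any nesting level."""
    return [p for p, _, _, note in walk_archive(data, name)
            if note == "leaf" and p.lower().endswith("vbaproject.bin")]


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed attachment: zip -> zip -> macro-enabled workbook (a minimal
# stand-in for a real .xlsm, itself a zip holding the VBA stream).
FAKE_XLSM = _zip_bytes({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"constructed stand-in for a VBA project stream",
})
INNER_ZIP = _zip_bytes({"invoice.xlsm": FAKE_XLSM})
ATTACHMENT = _zip_bytes({"readme.txt": b"please see attached", "report.zip": INNER_ZIP})


def nested_to_depth(levels: int) -> bytes:
    """Build a zip nested `levels` deep, to exercise the depth guard."""
    data = b"innermost"
    for i in range(levels):
        data = _zip_bytes({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    for path, depth, _, note in walk_archive(ATTACHMENT, "attachment.zip"):
        print(depth, note, path)
    print("macro streams:", find_macro_streams(ATTACHMENT, "attachment.zip"))
```

A scanner that stops at the first archive sees only readme.txt and report.zip; the walk above surfaces the VBA stream three levels down, and the guards keep an attacker from turning the unpacker itself into a denial-of-service vector.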

Detonating files on different operating systems

As attackers become more sophisticated, they attempt to find exploits and vulnerabilities that are OS-specific. For example, attackers will search for MS Office vulnerabilities, e.g. in Word or Excel files, that exist only in a Mac environment.

This is yet another evasion technique, since attackers know that detonating and dynamically scanning files on both Windows and Mac is a capability most security solutions lack or cannot afford, due to their inefficiency and slow processing times.

Therefore, while everyone is scanning for Windows threats, attackers have found a reliable way to carry out malware attacks by taking advantage of macOS vulnerabilities.

Figure 3: A malicious chain of events starting with a macro running in Word on macOS

Next-generation Sandboxing 

As mentioned, traditional Sandboxing is a behavior-based detection method that relies on application-level checks which attackers have often learned how to bypass.

However, a different, modern alternative to traditional sandboxes uses CPU-level analysis. While this next-gen sandbox technique also runs files dynamically inside a virtual machine, it analyzes content to expose core exploit techniques earlier in the kill chain, before the malware payload is released, in a non-behavioral, deterministic way. This approach leverages Intel PT (Processor Trace) to access the full execution flow of the potentially malicious artifact and analyze it using a full “trace”, together with examining changes to virtual memory during execution.

Because files are analyzed at the CPU/memory level rather than the application level, this next-gen sandboxing approach excels in speed compared to traditional sandboxes, which may take minutes to scan every piece of content.
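To show what “deterministic, non-behavioral” analysis of an execution trace can mean in practice, the Python below runs two classic control-flow-integrity checks over a list of branch records: a shadow stack that flags any return whose target was not pushed by a matching call (the signature of a ROP chain), and a check that every branch target lies inside a loaded executable image (a transfer into heap or stack memory is the signature of shellcode). This is an added, simplified example and not Perception Point’s method or code; a decoded Intel PT trace is reduced here to an assumed `Branch` record, and the image ranges and both traces are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    kind: str      # "call", "ret" or "jmp"
    src: int       # address of the branching instruction
    dst: int       # address control was transferred to
    size: int = 5  # length of a call instruction, used to derive its return address


# Loaded-image ranges the analysis treats as legitimate code (constructed).
IMAGE_RANGES = {
    "app.exe": (0x00400000, 0x00410000),
    "ntdll.dll": (0x7FF00000, 0x7FF80000),
}


def in_image(addr: int) -> bool:
    return any(lo <= addr < hi for lo, hi in IMAGE_RANGES.values())


def analyze_trace(trace: list) -> list:
    """Shadow-stack and code-location checks over a control-flow trace."""
    shadow = []     # return addresses pushed by calls seen so far
    findings = []
    for i, b in enumerate(trace):
        if b.kind == "call":
            shadow.append(b.src + b.size)
        elif b.kind == "ret":
            expected = shadow.pop() if shadow else None
            if expected != b.dst:
                want = f"{expected:#x}" if expected is not None else "an empty shadow stack"
                findings.append(f"#{i}: ret at {b.src:#x} went to {b.dst:#x}, "
                                f"expected {want} (ROP-style return)")
        if not in_image(b.dst):
            findings.append(f"#{i}: control transfer to {b.dst:#x}, "
                            f"outside every loaded image (shellcode-style)")
    return findings


# Constructed traces: a normal call/return pair, and a corrupted return that
# chains two gadgets in ntdll before jumping into heap memory.
BENIGN_TRACE = [
    Branch("call", 0x00401000, 0x00401200),
    Branch("jmp", 0x00401210, 0x00401230),
    Branch("ret", 0x00401250, 0x00401005),
]

EXPLOIT_TRACE = [
    Branch("call", 0x00401000, 0x00401200),
    Branch("ret", 0x00401250, 0x7FF01111),   # overwritten return address
    Branch("ret", 0x7FF01120, 0x7FF02222),   # next gadget, no matching call
    Branch("jmp", 0x7FF02230, 0x00C00000),   # into non-image memory
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("exploit", EXPLOIT_TRACE)):
        print(name)
        for line in analyze_trace(trace) or ["  no findings"]:
            print(" ", line)
```

Neither check needs to know what the payload would eventually do; the verdict comes from the shape of the control flow alone, which is why this kind of analysis can fire at the exploitation stage rather than after the malware starts behaving.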

Summary

Security experts face increasing challenges when looking to prevent malware attacks.

The complexity arises from multiple factors:

  • Hundreds of millions of new malware variants created every year
  • Increased use of advanced malware – the combination of several techniques in a single program
  • Employing evasion techniques to prevent malware from being detected
  • The proliferation of collaboration channels, which increase the organization’s exposure to malware attacks.

Legacy solutions cannot address all of these challenges. They compromise on user experience and speed, and leave end-users exposed to malware attacks on a daily basis. 

Want to know how Perception Point solves the malware detection challenge? Want to learn about our next-gen sandboxing approach? Read about our platform or contact us for further information.

We recommend searching for an advanced threat detection security solution that employs advanced techniques to protect against every type of malware. 
