Advanced Malware Detection – Signature and Behavior Analysis


Malware has threatened computers, networks and infrastructure since the 1980s. There are two major technologies to defend against it, but most organizations rely almost exclusively on one approach, the decades-old signature-based methodology. The more advanced method, malware detection via behavior analysis, is gaining ground quickly but is still largely unknown.

Signature-based malware detection is used to identify “known” malware. Unfortunately, new versions of malicious code are appearing that are not recognized by signature-based technologies. These new forms of malware can only be distinguished from benign files and activities by behavioral analysis.

Signature-based technologies track known threats

In computing, all objects have attributes that can be used to create a unique signature. Algorithms can quickly and efficiently scan an object to determine its digital signature.

When an anti-malware solution provider identifies an object as malicious, its signature is added to a database of known malware. These repositories can contain hundreds of millions of signatures that identify malicious objects. This method of identifying malicious objects has been the primary technique used by anti-malware products and remains the basic approach used by the latest firewalls, email and network gateways.

Signature-based malware detection technology has a number of strengths, the main one being that it is well known and understood – the very first anti-virus programs used this approach. It is also fast, simple to perform, and widely available. Above all, it offers good protection against the millions of older but still active threats.

Don’t wait for signatures

Verifying that a new file is malicious can be complex and time consuming, and often the malware has already evolved by then. The 2017 Cisco Cybersecurity Annual Report found that 95% of malicious files scanned were not even 24 hours old, indicating a rapid “time to change.” Delays in identifying new forms of malware leave businesses vulnerable to serious damage.

Modern malware often strikes immediately, doing its damage in a short time. Jigsaw, for example, starts deleting files within 24 hours. HDDcryptor infected 2,000 San Francisco City Transportation Agency systems before it was detected. Therefore, being vulnerable to infection while waiting for a signature is very risky.

Another problem is that today’s advanced malware can change its signature to avoid detection; signatures are created by examining internal components of an object, and malware authors simply modify those components while preserving the functionality and behavior of the object.

There are several transformation techniques, including swapping code, renaming registers, expanding and shrinking code, and inserting junk code or other constructs.

Behavior-based malware detection

Behavior-based malware detection evaluates an object based on its intended actions before it can actually perform that behavior. The behavior of an object, or in some cases its potential behavior, is scanned for suspicious activity. Attempts to perform actions that are clearly abnormal or unauthorized would indicate that the object is malicious, or at least suspicious.

There are a multitude of behaviors that indicate potential danger. Some examples include attempting to discover a sandbox environment, disabling security checks, installing rootkits, and registering for autostart.

Evaluating malicious behavior while it is being executed is called dynamic analysis. The threat potential or malicious intent can also be assessed by static analysis, which looks for dangerous abilities in the code and structure of the object.
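The contrast between the two approaches, as an added example that is not part of the original article: a hash-based signature lookup misses a modified build of a known object, while scoring the behaviors listed above over a recorded event trace still flags it. The sample bytes, event names, weights and threshold are all constructed assumptions.

```python
import hashlib

# Constructed stand-ins for two builds of the same object: the second differs
# only by padding bytes, so its behavior is the same but its hash is not.
SAMPLE_A = b"constructed-sample-body"
SAMPLE_B = SAMPLE_A + b"\x00" * 8

# Signature database: only the first build has been catalogued.
KNOWN_BAD = {hashlib.sha256(SAMPLE_A).hexdigest()}

# Behaviors named in the article; the weights and threshold are assumptions.
INDICATORS = {
    "sandbox_probe": 3,
    "disable_security_control": 4,
    "install_rootkit": 5,
    "register_autostart": 2,
}
THRESHOLD = 6

# Constructed traces, shaped like events a dynamic-analysis run might record.
TRACE = [
    {"action": "file_read", "target": "config.ini"},
    {"action": "sandbox_probe", "target": "hypervisor vendor string"},
    {"action": "disable_security_control", "target": "endpoint agent"},
    {"action": "register_autostart", "target": "run key"},
]
BENIGN_TRACE = [
    {"action": "file_read", "target": "report.docx"},
    {"action": "register_autostart", "target": "updater"},
]

def signature_match(blob):
    """True only if this exact byte sequence is already in the database."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD

def behavior_score(trace):
    """Sum indicator weights, counting each indicator once per trace."""
    hits = sorted({e["action"] for e in trace if e["action"] in INDICATORS})
    return sum(INDICATORS[a] for a in hits), hits

def verdict(blob, trace):
    if signature_match(blob):
        return "malicious (signature)"
    score, hits = behavior_score(trace)
    if score >= THRESHOLD:
        return "malicious (behavior: " + ", ".join(hits) + ")"
    return "suspicious" if score else "no detection"

if __name__ == "__main__":
    for name, blob in (("build A", SAMPLE_A), ("build B", SAMPLE_B)):
        print(name, "->", verdict(blob, TRACE))
```

A single low-weight indicator such as autostart registration stays below the threshold, which is why the benign trace is reported as suspicious rather than malicious.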

While no solution is completely foolproof, behavior-based detection already enables technology to discover new and unknown threats in near real time. Here are some ways behavior-based technology succeeds where signature-based systems fail:

  • Protect against new and unimaginable types of malware attacks
  • Detect an individual instance of malware targeting a person or organization
  • Identify what the malware does in a specific environment when files are opened
  • Obtain complete information about the malware

There are a few important limitations to be aware of. If malware determines that it is running in a sandbox, it will try to avoid detection by limiting malicious activity. It is essential that a sandbox remains undetectable, and most are not.

It also takes time to analyze the behavior of an object; while static analysis can be performed in real time, dynamic analysis can introduce latency while the object is being exercised. Additionally, many behavioral solutions are exclusively cloud-based, which can be a problem for some organizations.

Not all behavior-based technologies are created equal

Conventional sandbox technologies have limited visibility and can only assess the interaction between an object and the operating system. By observing 100% of the actions that a malicious object can take, even when it delegates those actions to the operating system or other programs, CSOs can assess not only the communication with the operating system, but each instruction processed by the CPU.

How behavior-based solutions work

Advanced malware detection solutions observe and evaluate every line of code executed by malware in context. They analyze all requests for access to specific files, processes, connections or services. This includes every instruction executed at the operating system level or by other programs that have been called, including low-level code hidden by rootkits.

The technology identifies all malicious, or at least suspicious, activity that, taken together, makes it very clear that a file is malicious before it is released onto the network to actually perform any potentially harmful behavior.

Both signature-based and behavior-based malware detection are important, and each has its advantages. The best security will come from using both technologies. Too many security managers are misled by vendors promoting “next generation” firewalls and other “state of the art” security tools. They don’t realize that these “latest” products rely exclusively on a decades-old signature-based malware detection approach that will miss evasive malware and zero-day attacks.

No organization with sensitive data or critical operations to protect should be without behavior-based malware detection to augment the capabilities of existing security tools.

