Question

Research the methods attackers are using to bypass virus scanners to get users to run malicious code. Theorize some mitigation methods

Solutions

Expert Solution

Methods attackers are using to bypass virus scanners:

1. Script-based attacks
In a script-based or "fileless" attack, the malware is actually a script that runs in an existing, legitimate application to leverage PowerShell or use other already-installed Windows components. There's no new software being installed, so many traditional defenses are bypassed.

According to Ponemon, these kinds of attacks are significantly more likely to result in a successful breach, and they're going up, from 30% of all attacks in 2017 to 35% last year. "There would be very few artifacts — for example no actual malware binary to scan," says Jérôme Segura, senior security researcher at Malwarebytes.

There could be some network traffic that could be picked up by security systems. "However, attackers can encrypt those communications as well and use a trusted communication route to exfiltrate the data quietly," he says.

According to the Symantec Internet Security Threat Report, released earlier this year, the use of malicious PowerShell scripts increased 1000% last year. Attackers use PowerShell by, for example, executing commands that are not readable by humans such as base64-encoded commands, says Naaman Hart, cloud services security architect at Digital Guardian. "PowerShell is a necessity these days and therefore it’s generally always available for exploit."

The key to catching these kinds of attacks is to look for instances where common applications are executing uncommon operations, Hart says. "If, for example, you tracked the last thousand executed commands in your environment, you’d be looking for the ones that occurred less than five times," he says. "This will generally lead to the uncommon commands, which are more often than not the ones that are nefarious."

2. Hosting malicious sites on popular infrastructure
Many security platforms defend against phishing attacks by preventing users from clicking on malicious links. For example, they might check if a particular IP address has been associated with other malware campaigns. "However, if you host it on something like Azure or Google cloud, then this is infrastructure that is widely used and cannot be blacklisted," says Segura. Slack, GitHub, and other collaboration tools can also be used to help bypass defenses.

Once malware has already been installed, it often communicates back to command-and-control (C&C) servers to get instructions for what to do next and to exfiltrate data. Again, this communication channel can be disguised if the C&C server is hosted on an otherwise legitimate platform.

Plus, these services have built-in encryption features, says Liviu Arsene, senior e-threat analyst at Bitdefender. Even online photo-sharing sites can be used as part of attacks. "Attackers create social media accounts and upload photos that contain hidden code or instructions within the image," he says. "The malware is then instructed to simply access the account, look at the most recent picture, pull the set of instructions hidden in the image, and then execute the instructions."

To the IT department and corporate security teams, it will just look as if the employee is browsing social media. This is hard to catch. Even the latest generation of endpoint protection technology will have trouble since the attackers are mimicking normal user behavior.

To guard against this, defenders may want to look for instances where these otherwise normal communications are taking place at unusual times, or when an application isn't typically used by a department.

The technique of hiding commands in images, called steganography, can also be used to hide commands in image attachments. In May, ESET published a report about Turla LightNeuron, a backdoor designed to target Microsoft Exchange mail servers. According to ESET, LightNeuron uses emails to communicate with its command and control servers, and hides the messages in image attachments, such as PDFs or JPGs.

3. Poisoning legitimate applications and utilities
Every enterprise has a multitude of third-party apps, tools and utilities used by employees. If attackers compromise those applications by getting into the companies that develop them, into the upgrade utilities, or into the codebase of open source projects, they can install backdoors and other malicious code. "For example, CCleaner, a popular computer utility for cleaning potentially unwanted files and registry entries from a computer, was tainted with a backdoor," says Arsene.

According to the Symantec Internet Security Threat Report, the number of attacks that targeted the software supply chain rose by 78% in 2018.

Open-source code is particularly vulnerable, says Tim Mackey, principal security strategist at Synopsys. First, attackers contribute a legitimate bug fix or software improvement that actually works. "The legitimate code is there to mask any malicious code in an effort to pass the review process," he says.

If the review process doesn't vet the full functionality of the contribution, the contribution becomes part of a future release of the software, Mackey says, "but more importantly could become part of a branch of that component embedded into commercial software packages."

To defend against this, enterprises and software developers must be careful to inspect software for open-source code, Mackey says, and then map that code back to its precise origin so that it can be removed or remediated quickly once spotted.

4. Sandbox evasion
One common feature of next-gen endpoint protection platforms is sandboxing, where unknown malware is detonated within a safe, virtual environment. This is a useful technique when attackers are constantly modifying malware so that it isn't picked up by signature-based defenses.

"A hacker can also easily bypass such filters," says Oliver Münchow, founder at Lucy Security. They do this by writing the malware in such a way that it only activates the bad behavior outside the sandbox. For example, it might only activate when a real person interacts with it, or when other criteria are met.

There might be a delay, for example. Malware might wait hours, or days, or even weeks before it detonates, allowing the infection to spread as far as possible before the payload is triggered. Or the malware can simply check if it's running in a hypervisor environment. For example, the latest version of the JasperLoader malware queries the Windows Management Instrumentation subsystem to find out where it's running, and if it's on VirtualBox, VMware, or KVM it terminates execution, according to a May report from Cisco Talos.

5. Unpatched vulnerabilities
EternalBlue, a security tool first developed by the National Security Agency (NSA), was leaked online in 2017. Since then, EternalBlue has been implicated in attacks against the British healthcare system, a $400 million attack on FedEx, a $670 million attack on Merck, and many other targets — even though Microsoft had quickly released a patch.

Most recently, Baltimore was hit by a ransomware attack that reportedly used the EternalBlue vulnerability. And Baltimore isn't alone. According to security firm ESET, the number of attack attempts involving EternalBlue has been rising since 2017 and reached historic peaks this spring. Almost a million machines in the world still use the obsolete, vulnerable SMB v1 protocol, and more than 400,000 of them are in the U.S., ESET reported.

According to Ponemon, 65% of organizations said that keeping up with patches was challenging or extremely challenging.

6. Taking down the security agents
The average device has ten security agents. That's a lot of endpoint protection. However, it isn't always as effective as it could be. To start with, the agents overlap, collide and interfere with one another. At any given point in time, 7% of endpoints are missing protection and 21% have outdated systems.

Even if the endpoint protection security is installed, up-to-date and fully effective, once attackers gain a foothold — such as by the use of EternalBlue — they have several ways to turn off endpoint protection services. For example, they can use an existing legitimate application such as PowerShell, says Humberto Gauna, consultant at BTB Security.

They can also launch a denial of service attack against the endpoint security agents, overwhelming them so that they are no longer able to function, or they might be able to take advantage of agents that haven't been properly configured, Gauna adds. Then, attackers make changes to the registry to escalate privileges, so that they can override the endpoint protection services once they resume.

The way to protect against it is by creating a more rigorous privilege hierarchy, Gauna says, and by consistent patching.

All the above methods are sophisticated. They typically show up in attacks from nation-state attackers.

Well, they used to. Now, they're being used by a much broader set of attackers, says Justin Shattuck, director of threat research at Baffin Bay Networks, a cybersecurity company based in Sweden. "This is really problematic," he says.
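As an added example (not part of the answer above or of the sources it quotes), the Python below applies the frequency heuristic from section 1 to a constructed process-creation log: commands seen fewer than five times are surfaced, and any PowerShell -EncodedCommand argument among them is decoded (PowerShell takes it as UTF-16LE text wrapped in base64) so an analyst can read what was actually run. The user names, log lines and the harmless encoded string are all constructed for the demonstration.

```python
import base64
import re
from collections import Counter

# Constructed process-creation log (not from the page): "<user>\t<command line>".
# The encoded command decodes to a harmless string so the sample runs offline.
ENCODED = base64.b64encode("Write-Output 'demo payload'".encode("utf-16-le")).decode()
SAMPLE_LOG = (
    ["alice\tgit pull"] * 40
    + ["bob\tnotepad.exe report.txt"] * 12
    + ["carol\tpowershell.exe -File backup.ps1"] * 9
    + ["dave\tpowershell.exe -nop -w hidden -EncodedCommand " + ENCODED] * 2
    + ["erin\tmsiexec.exe /i updater.msi /quiet"]
)

# PowerShell accepts -e, -ec, -enc or -EncodedCommand (case-insensitive) for base64 input.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)

def rare_commands(lines, threshold=5):
    """Commands executed fewer than `threshold` times, rarest first: the
    long-tail heuristic from section 1 (common tools, uncommon commands)."""
    counts = Counter(line.split("\t", 1)[1] for line in lines)
    rare = [(cmd, n) for cmd, n in counts.items() if n < threshold]
    return sorted(rare, key=lambda item: item[1])

def decode_encoded_powershell(cmd):
    """Decode an -EncodedCommand argument (UTF-16LE text wrapped in base64).
    Returns None when there is no such argument or it is not valid base64."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def triage(lines, threshold=5):
    """Rare commands, each paired with its decoded PowerShell payload if it has one."""
    return [(cmd, n, decode_encoded_powershell(cmd)) for cmd, n in rare_commands(lines, threshold)]

if __name__ == "__main__":
    for cmd, n, decoded in triage(SAMPLE_LOG):
        print(f"{n:>3}x  {cmd[:70]}")
        if decoded:
            print(f"      decoded: {decoded}")
```

On real data, feed it the command lines from your process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line auditing enabled) rather than the constructed list.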
