
Cloak and Dagger: Unpacking Hidden Malware Attacks

Symantec Adds “The Emulator” to its Single-Agent Endpoint Arsenal

Malware attacks have become part of our daily life. In just the past six weeks, we’ve seen a major DDoS attack take down Twitter, Spotify and other high-traffic internet properties, a ransomware attack on the San Francisco Municipal Transportation Authority, and perhaps most notably, the new "Gooligan" attack on Android phones – reportedly responsible for "the biggest single theft of Google accounts on record."

According to AV-TEST, there are 578.7 million malware programs in existence today, with four to five new malware threats per second. Many of these malware programs make use of "packers" – software programs used to compress and encrypt files for transport, which are then executed in memory upon arrival.

While packers themselves are not malware, attackers use them to hide malware and obfuscate the code’s real intention. Once unpacked, the malware executes and launches its malicious payload with impunity – often bypassing firewalls, gateways and malware protection. Over the past 10 years, attackers have shifted from using commercial packers (UPX, PECompact, ASProtect, Themida, etc.) to creating custom packers, which use proprietary algorithms to bypass standard detection techniques.

Many of the emerging custom packers are polymorphic, which simply means that they use an anti-detection strategy whereby the packed code itself changes from sample to sample, while the purpose and functionality of the malware remain the same. Custom packers are also able to use clever ways of injecting code into a target process and changing its execution flow, frequently throwing off unpacker routines. Some of them are computationally intensive, calling special APIs that make unpacking difficult.
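Two of the cheapest static signals a defender has against packed files follow directly from how packers work: compressed or encrypted bytes have near-maximal entropy, and commercial packers leave recognisable section names behind. The script below is an added illustration, not Symantec's code or anything from the product described here; the section contents are constructed stand-ins (a repetitive byte pattern for ordinary code, pseudo-random bytes for a compressed payload), and the only packer section names it knows are the ones UPX writes, since UPX is the packer the article names. It also shows the usual caveat: a legitimately compressed resource trips the entropy heuristic just as a packed payload does, which is why entropy alone is a triage signal, not a verdict.

```python
import math
import random
from collections import Counter

# Section names written by the UPX packer (the one packer this page names by name).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_section(name: str, data: bytes, threshold: float = 7.0) -> dict:
    """Flag a section if its name is a known packer name or its entropy looks compressed/encrypted."""
    entropy = shannon_entropy(data)
    reasons = []
    if name in KNOWN_PACKER_SECTIONS:
        reasons.append(f"section name {name!r} belongs to a known packer")
    if entropy >= threshold:
        reasons.append(f"entropy {entropy:.2f} >= {threshold} (compressed or encrypted data)")
    return {"name": name, "entropy": round(entropy, 2),
            "suspicious": bool(reasons), "reasons": reasons}


def assess_sections(sections) -> list:
    return [assess_section(name, data) for name, data in sections]


# --- Constructed sample sections (stand-ins, not bytes from any real binary) ---
_rng = random.Random(1234)
PLAIN_CODE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90] * 200)     # repetitive, low entropy
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))            # stands in for a compressed payload
PNG_LIKE = bytes(_rng.getrandbits(8) for _ in range(2048))               # stands in for a compressed resource

SAMPLE_SECTIONS = [
    (".text", PLAIN_CODE),   # ordinary code: neither signal fires
    ("UPX0", b""),           # UPX's empty first section: name fires, entropy does not
    ("UPX1", PACKED_BLOB),   # packed payload: both signals fire
    (".rsrc", PNG_LIKE),     # false positive: compressed resource trips the entropy check
]

if __name__ == "__main__":
    for r in assess_sections(SAMPLE_SECTIONS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['name']:<6} entropy={r['entropy']:5.2f} {flag} {'; '.join(r['reasons'])}")
```

In practice the section table would come from a PE parser; the threshold of 7.0 bits/byte is a common starting point, and the `.rsrc` case is exactly why such hits are routed to deeper analysis rather than blocked outright.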

In short, custom packers are growing increasingly sophisticated, operating like "cloaking devices," to steal a Star Trek metaphor, to hide the attack until it’s too late. (Romulans may or may not be involved). In fact, custom packer usage has become so widespread that by 2015, Symantec saw them deployed in upwards of 83% of all malware attacks, with Upatre, Virut and Sality malware families being particularly virulent.

Symantec Endpoint Protection 14 has introduced a powerful new malware killer – called the Emulator – to counter custom packer attacks. The Emulator fools malware into thinking it will run on the regular machine, and instead unpacks and detonates the file in a lightweight virtual sandbox on the endpoint. The malware then opens up and shows its true colors, causing threats to reveal themselves in a contained environment.

While this sounds straightforward, it requires incredibly sophisticated technology that mimics operating systems, APIs and processor instructions, while managing virtual memory and running various heuristics and detection technologies to examine the payload. All this takes place in milliseconds – an average of 3.5ms for clean files and 300ms for malware – to minimize impact on the user experience. The sandbox created for each file is ephemeral and is torn down once the job is done.
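The core idea in the two paragraphs above is that a static scan sees only the packed bytes, whereas running the file inside a throwaway emulated memory lets the sample's own decoder stub do the unpacking, after which the detection logic inspects what is now in memory. The script below is an added illustration of that principle, written for this page and unrelated to Symantec's actual Emulator: it defines a tiny constructed instruction set (not any real CPU), builds a "packed" image whose stub XOR-decodes a marker string in place, and shows that a signature scan misses the image on disk but matches the emulated memory. Building the same payload with two keys gives two byte-different (polymorphic) variants that unpack to the same thing, and the step budget stands in for the millisecond time limit a real emulator must enforce. All names, opcodes and the payload are constructed for the example.

```python
import hashlib

# Constructed toy instruction set: every instruction is opcode, operand, operand (HALT is one byte).
LOADI, LDB, STB, XOR, ADDI, JNZ, SUBI, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xFF

MEMORY_SIZE = 256     # 8-bit addresses, so every memory access stays in bounds
PAYLOAD_ADDR = 32     # where the decoder stub expects the encoded payload
PAYLOAD = b"SAMPLE-PAYLOAD-MARKER: this string exists only after unpacking"   # constructed
SIGNATURE = b"SAMPLE-PAYLOAD-MARKER"   # what a static signature scan looks for


def build_packed_sample(payload: bytes, key: int) -> bytes:
    """Image = XOR decoder stub at offset 0, XOR-encoded payload at PAYLOAD_ADDR."""
    assert 0 < len(payload) <= MEMORY_SIZE - PAYLOAD_ADDR and 0 <= key <= 0xFF
    stub = bytes([
        LOADI, 0, PAYLOAD_ADDR,     # r0 = address of next byte to decode
        LOADI, 1, len(payload),     # r1 = bytes remaining
        LOADI, 2, key,              # r2 = XOR key
        LDB,   3, 0,                # loop (offset 9): r3 = mem[r0]
        XOR,   3, 2,                #   r3 ^= r2
        STB,   0, 3,                #   mem[r0] = r3  (decode in place)
        ADDI,  0, 1,                #   r0 += 1
        SUBI,  1, 1,                #   r1 -= 1
        JNZ,   1, 9,                #   if r1 != 0: goto loop
        HALT,
    ])
    image = bytearray(MEMORY_SIZE)
    image[:len(stub)] = stub
    image[PAYLOAD_ADDR:PAYLOAD_ADDR + len(payload)] = bytes(b ^ key for b in payload)
    return bytes(image)


def emulate(image: bytes, max_steps: int = 10_000) -> dict:
    """Run the image in a private memory copy until HALT or until the step budget runs out."""
    mem = bytearray(image)
    regs = [0, 0, 0, 0]
    pc, steps = 0, 0
    while steps < max_steps and pc + 2 < len(mem):
        op = mem[pc]
        if op == HALT:
            return {"halted": True, "steps": steps, "memory": bytes(mem)}
        a, b = mem[pc + 1], mem[pc + 2]
        next_pc = pc + 3
        if op == LOADI:
            regs[a] = b
        elif op == LDB:
            regs[a] = mem[regs[b]]
        elif op == STB:
            mem[regs[a]] = regs[b]
        elif op == XOR:
            regs[a] ^= regs[b]
        elif op == ADDI:
            regs[a] = (regs[a] + b) & 0xFF
        elif op == SUBI:
            regs[a] = (regs[a] - b) & 0xFF
        elif op == JNZ:
            if regs[a] != 0:
                next_pc = b
        else:
            raise ValueError(f"unknown opcode {op:#x} at {pc:#x}")
        pc, steps = next_pc, steps + 1
    return {"halted": False, "steps": steps, "memory": bytes(mem)}   # budget exhausted


def static_scan(image: bytes) -> bool:
    return SIGNATURE in image


def analyse(image: bytes, max_steps: int = 10_000) -> dict:
    """Compare what a static scan sees with what is visible after emulation."""
    run = emulate(image, max_steps)
    return {
        "static_hit": static_scan(image),
        "emulated_hit": static_scan(run["memory"]),
        "halted": run["halted"],
        "steps": run["steps"],
        "unpacked": run["memory"][PAYLOAD_ADDR:PAYLOAD_ADDR + len(PAYLOAD)],
    }


if __name__ == "__main__":
    for key in (0x5A, 0xC3):   # two "polymorphic" variants: same payload, different key
        image = build_packed_sample(PAYLOAD, key)
        r = analyse(image)
        print(f"key={key:#04x} sha256={hashlib.sha256(image).hexdigest()[:16]}... "
              f"static={r['static_hit']} emulated={r['emulated_hit']} steps={r['steps']}")
```

The step budget is the part worth dwelling on: a sample that has not finished by the time the budget expires is reported as not halted rather than trusted, and the page's point about computationally intensive packers and unusual API calls is exactly an attempt to run the emulator out of budget or into code paths it does not mimic.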

The real power of Emulator is that it works in concert with Symantec’s full endpoint suite to protect and respond at scale. This includes a broad array of powerful techniques including advanced machine learning, memory exploit mitigation, behavior monitoring and reputation analysis. Sometimes multiple engines come into play, collaborating in an orchestrated response to prevent, detect and remediate attacks.

All of this is fueled by the world’s largest civilian threat intelligence network. Thanks to our broad footprint across endpoint, network and cloud security, we have threat data from more than 175 million endpoints and 57 million attack sensors being monitored in real time every day, minute by minute. Our Security Technology and Response team also monitors malicious code reports from 200-plus countries, tracking more than 25,000 vulnerabilities affecting more than 55,000 technologies from more than 8,000 vendors.

The advantages to this approach are easy to see:

  1. Our customers’ security teams are able to expose and evaluate the deepest layers of malware, maximizing protection and minimizing the impact of malicious payloads.
  2. Threat intelligence can be used to educate security systems and protocols, while informing new techniques to stay ahead of the bad guys.
  3. Threats can be detected quickly with minimal performance and productivity impact, so people can focus on getting their jobs done.

Attackers are always on the lookout for new ways to penetrate the enterprise, and custom packers have been a big open hole in the security landscape. We’re excited to deliver new techniques like the Emulator to help our customers fight back.

# # #

Check out our webinar with Adrian Sanabria from 451 Research to learn more about next-generation endpoint protection, and watch this space for regular blog posts that drill deeper into key capabilities with insights from Symantec and third-party experts.

About the Author

Balaji Prasad

Product Director
