In recent years advanced persistent threats (APT) have become widespread in targeting organizations and businesses for political and/or economic motives. The initial infiltration is generally performed through social engineering: sending attachments and/or links by email (referred to as spear phishing) and/or placing active content on websites (referred to as a watering hole) to deliver a malicious exploit. An email may contain an attachment with specially crafted documents (for example word documents or PDF files) that exploit vulnerabilities of the programs used to view the attachments.
Once a user opens the email attachment or accesses the watering hole with a web browser, a first stage of the attack takes place, exploiting the vulnerability of the application executed at the user's workstation (e.g. the web browser (EXPLORER, CHROME), WORD, ACROBAT READER etc.). Typically the exploit manages to gain control and builds an environment to execute low-level code called a “shell-code”, which unpacks or downloads a fully functional backdoor. Once the backdoor is installed on the user's workstation it can establish a connection with an attacker-controlled server and receive commands, or operate independently.
Most detection solutions concentrate on the last stage, in which the malware has already landed on the user's workstation. Traditional antivirus programs typically use static signatures to detect malware. The signatures are created manually by an analyst after analyzing the malware. Various malware analysis techniques allow the analyst to quickly determine in detail the risk and intention of a given malware sample. The analyst can react to new trends in malware development by refining existing detection techniques and countermeasures to mitigate the threat from the malware sample.
The desire of analysts to understand the behavior of a given sample and the opposing intention of malware authors to disguise their malicious intent lead to an arms race between the two parties. As analysis tools and techniques become more elaborate, attackers come up with evasion techniques to prevent their malware from being detected and analyzed. These techniques include self-modifying or dynamically generated code, as well as detecting the presence of an instrumented analysis environment and behaving differently when being analyzed.
A security technique called “sandboxing” aims at detecting malware by running it in a dedicated, simulated virtual environment on a computer-based system of one type or another and analyzing it for behavior and traits indicative of malware. A sandbox system deliberately lets itself be infected by the malware and analyzes its behavior inside the simulated virtual environment. Nowadays, sandboxing is a leading alternative to traditional signature-based malware defenses, and it is used in particular to spot and analyze previously unknown malware and stealthy attacks.
Malware authors sometimes use evasion techniques to thwart attempts to analyze their code. The malware attempts to detect whether it is being run inside a sandbox or in a real execution environment. If the malware detects a sandbox it can act differently or simply not run. There are many techniques used today by malware authors to evade “sandboxing” technology, for example:
1. Stalling code that delays the execution of the malicious code so that the sandbox times out. The stalling may be implemented by using direct CPU instructions or by performing useless computations to give the appearance of performing activity;
2. Environment checks, in which the malware tests the operating system or the virtual environment to determine whether it is running in a legitimate environment or is being watched. Analysts are then forced to “patch” the sandbox to prevent the malware from detecting the sandbox and disguising its operations.
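The two evasion classes listed above leave traces that a sandbox can look for on its own side. The following added example (not part of the original text) triages a constructed API-call trace for them: requested sleep time adding up to more than the analysis budget, long wall-clock gaps that are almost entirely CPU time (a busy-wait stall with no API activity), and a cluster of host-fingerprinting calls before the first file or network side effect. The trace format, the API sets and the thresholds are assumptions made for illustration; the sample traces are constructed, not captured from a real sample.

```python
"""Heuristic triage of a sandbox API trace for stalling and environment checks.

Added example; the trace format ("wall_ms cpu_ms api arg") and the thresholds
are assumptions, and the sample traces are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Call:
    wall_ms: int  # wall-clock milliseconds since process start
    cpu_ms: int   # cumulative CPU milliseconds consumed by the process
    api: str
    arg: str


# Constructed trace: a sample that fingerprints the host, then sleeps twice
# for four minutes before writing a file and opening a network handle.
SAMPLE_SLEEP_TRACE = r"""
0 0 GetTickCount -
5 4 RegOpenKeyExA HARDWARE\DESCRIPTION\System
9 7 RegQueryValueExA SystemBiosVersion
12 9 GetSystemInfo -
15 11 Sleep 240000
240020 12 Sleep 240000
480025 13 GetTickCount -
480030 15 CreateFileA C:\Users\victim\AppData\Local\Temp\x.exe
480035 17 InternetOpenA -
"""

# Constructed trace: a sample that burns 45 s of CPU in a loop with no API
# calls, then drops a file. Wall time and CPU time advance almost in lockstep.
SAMPLE_BUSY_TRACE = r"""
0 0 GetTickCount -
45000 44900 GetTickCount -
45010 44905 CreateFileA C:\Users\victim\AppData\Local\Temp\y.exe
"""

# Assumed sets: APIs typically used to fingerprint the host, to delay, and
# the first observable side effects of a payload.
FINGERPRINT_APIS = {"RegOpenKeyExA", "RegQueryValueExA", "GetSystemInfo", "GetTickCount"}
SLEEP_APIS = {"Sleep", "NtDelayExecution"}
SIDE_EFFECT_APIS = {"CreateFileA", "InternetOpenA"}


def parse_trace(text: str) -> List[Call]:
    """Parse the constructed whitespace-separated trace format."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        wall, cpu, api, arg = line.split(maxsplit=3)
        calls.append(Call(int(wall), int(cpu), api, arg))
    return calls


def analyse(calls: List[Call], busy_gap_ms: int = 30_000,
            sleep_budget_ms: int = 120_000, fingerprint_min: int = 3) -> Dict:
    """Return the measured features and the list of verdicts they trigger."""
    total_sleep = sum(int(c.arg) for c in calls
                      if c.api in SLEEP_APIS and c.arg.isdigit())

    # A long gap between consecutive calls in which CPU time accounts for
    # nearly all of the wall time means the process computed without calling
    # anything: the "useless computation" stall described in the text.
    busy_gaps = []
    for prev, cur in zip(calls, calls[1:]):
        wall_gap = cur.wall_ms - prev.wall_ms
        cpu_gap = cur.cpu_ms - prev.cpu_ms
        if wall_gap >= busy_gap_ms and cpu_gap >= 0.9 * wall_gap:
            busy_gaps.append(wall_gap)

    first_side_effect = next((c.wall_ms for c in calls if c.api in SIDE_EFFECT_APIS), None)
    # Only fingerprinting done before the payload acts counts as an environment check.
    fingerprint_calls = sum(1 for c in calls if c.api in FINGERPRINT_APIS
                            and (first_side_effect is None or c.wall_ms < first_side_effect))

    verdicts = []
    if total_sleep >= sleep_budget_ms:
        verdicts.append("stalling:sleep")
    if busy_gaps:
        verdicts.append("stalling:busy-loop")
    if fingerprint_calls >= fingerprint_min:
        verdicts.append("environment-checks")

    return {"total_sleep_ms": total_sleep, "busy_gaps_ms": busy_gaps,
            "fingerprint_calls": fingerprint_calls,
            "first_side_effect_ms": first_side_effect, "verdicts": verdicts}


if __name__ == "__main__":
    for name, text in (("sleep", SAMPLE_SLEEP_TRACE), ("busy", SAMPLE_BUSY_TRACE)):
        print(name, analyse(parse_trace(text)))
```

A sandbox that skips or shortens sleeps and extends its budget when it sees these patterns spends its analysis time on the payload instead of on the stall; the same features, persisted per sample, also make a useful triage score independent of any signature.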
Most sandbox evasion techniques are implemented during the last stage, when the fully operational backdoor is in place on the target machine, or at the earliest during execution of the “shell-code”. During the exploit stage the attacker does not yet control the computational resources sufficiently to apply evasion techniques. Therefore, it is desirable to detect the malware during the exploit stage.
No matter what particular exploitation method is employed, the ultimate aim of an attacker is to perform malicious computations on the target system by executing machine instructions that are under the control of the attacker. Usually, malicious computations are caused by illegitimate code that was not provided, or intended to be executed, by the developer of the exploited process (e.g. WORD) or by the end user of the system. The malicious code is usually injected into the target system using external network data or application files.
As a countermeasure to injected external code, operating systems have adopted techniques to prevent execution of code that was not intended to be executed. One method is Data Execution Prevention (DEP), which ensures that code is not executed from data pages. Another method is Address Space Layout Randomization (ASLR), in which the load addresses of executed processes are chosen at random, so an attacker does not know the execution address before the process is actually loaded.
Most technologies today analyze and search for the malware itself. However, since new malware or new permutations of old malware are introduced almost every day, it is extremely difficult to find all of them and create signatures in a timely manner to thwart attacker attempts with standard protection programs.
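Both mitigations only protect a process whose executable opts into them: on Linux the loader honours a non-executable stack through the PT_GNU_STACK program header and can only randomize the image base of a position-independent (ET_DYN) executable, and on Windows the optional header's DllCharacteristics carries the NX_COMPAT and DYNAMIC_BASE bits. The following added example (not part of the original text) reads those fields from ELF64 and PE images and reports which of the two mitigations a binary does not opt into. It relies on the public ELF64 and PE layouts; the sample headers it builds are constructed stubs, not real programs.

```python
"""Report whether a binary opts into DEP/NX and ASLR.

Added example; uses the public ELF64 and PE header layouts. The sample
headers built below are constructed stubs, not taken from any real program.
"""
import struct

PT_GNU_STACK = 0x6474E551          # ELF: program header describing stack permissions
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3             # ELF: fixed-address executable vs. position-independent
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # PE: image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # PE: image is DEP-compatible


def check_elf64(data: bytes) -> dict:
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Treat a missing PT_GNU_STACK as not opting in: the loader then falls
    # back to its platform default rather than to a guaranteed NX stack.
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"format": "ELF64", "dep": nx_stack, "aslr": e_type == ET_DYN}


def check_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"format": "PE32+" if magic == 0x20B else "PE32",
            "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}


def audit(data: bytes) -> dict:
    """Dispatch on the magic bytes and list the mitigations the image lacks."""
    result = check_elf64(data) if data[:4] == b"\x7fELF" else check_pe(data)
    result["missing"] = [name for name in ("dep", "aslr") if not result[name]]
    return result


def build_sample_elf(pie: bool, exec_stack: bool) -> bytes:
    """Constructed 64-byte ELF64 header followed by one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                               0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    flags = 0x4 | 0x2 | (PF_X if exec_stack else 0)   # R W [X]
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def build_sample_pe(nx_compat: bool, dynamic_base: bool) -> bytes:
    """Constructed minimal PE32+ stub: DOS header, signature, COFF header, optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    chars = ((IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx_compat else 0)
             | (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0))
    opt = struct.pack("<H", 0x20B) + b"\0" * 68 + struct.pack("<H", chars)
    return dos + b"PE\0\0" + coff + opt + b"\0" * (240 - len(opt))


if __name__ == "__main__":
    print(audit(build_sample_elf(pie=True, exec_stack=False)))
    print(audit(build_sample_pe(nx_compat=True, dynamic_base=False)))
```

Run against a real file with `audit(open(path, "rb").read())`; an image that reports either mitigation as missing is one for which the operating-system countermeasures described above give no protection, whatever the rest of the system is configured to do.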