With 80% of malware evading antivirus applications, signature-based protection isn’t enough anymore

23 Feb 2023, by Slade Baylis

When it comes to protecting IT infrastructure and cyber-security, it’s an everlasting race between the malicious third-parties aiming to break into systems and the cyber-security professionals aiming to thwart them.  An unfortunate truth that’s not going anywhere is that as soon as a new technology is developed, parties on both sides hit the ground running – one determined to find the ways this new technology can be used for harm and the other aiming to stay ahead of the curve by preventing it.  It’s much like an arms race between world powers, in which each actor is required to constantly develop new technologies, techniques, and strategies in order to stay ahead.

One early example of this was the development of the Enigma code (and associated Enigma machine) by the Germans during World War II.  The Enigma machine was used to encrypt communication within all branches of the German military and was considered so secure that it was even used to encrypt top-secret messages that were vital to their war effort.  Under the direction of the famous mathematician Alan M. Turing, his team of scientists, mathematicians, and cryptographers is credited with cracking the Enigma code and helping to end the war.

When it comes to cyber-crime though, one of the more recent developments that has got experts concerned is new language model AIs like ChatGPT.  We’ve covered some of its advanced and concerning abilities recently, but in short, not only is it able to be more convincing when it comes to communicating in a human-like manner, but it’s also able to generate functional code.  Not surprisingly, the security implications of this could be innumerable – being able to generate malicious code instantly with little to no effort has thrown old methods of detecting malware and viruses into question.

To fully understand why this is the case, we’ll need to briefly touch on the history of malware and viruses, as well as the ways of combatting them that evolved alongside them.

The humble beginnings of malware and the protection against it – the start of an everlasting arms race

When it comes to computer malware, the initial concept goes all the way back to the mid-twentieth century.  That’s right, the idea of self-replicating computer programs was first conceptualised by John von Neumann in the late 1940s when he published his paper called the “Theory of self-reproducing automata”.  The term “automata” is derived from the Greek word “αὐτόματα” which means “acting of one’s own will”.  However, the first implementation of this idea wouldn’t occur for another twenty years or so.

The world’s first computer virus was created with the development of an entirely harmless computer “worm” – a name for a piece of software designed to automatically spread to other connected devices.  Dubbed the “Creeper”, this software would display the message “I’m the creeper, catch me if you can!” on any computer it moved to, before moving on to other computers it could reach.

It didn’t aim to do anything malicious; in fact it did nothing more than that – it didn’t try to steal, destroy, or encrypt data, nor hold anyone to ransom like the viruses of today do.  It was created only as an experiment by a man named Bob Thomas, testing what was possible in the realm of “mobile applications” – applications that can automatically move from machine to machine.  His colleague then went on to create a modified version, making it not only move from machine to machine, but also leave a copy on each machine that it passed through.  However, he also created another partner program called the “Reaper” – which was used to find any infected computer and help “disinfect” it by removing the Creeper.

In some ways, this was not only the invention of the first virus, but also the invention of the first antivirus software.

Since then, the world of malware has become a lot less playful and a lot more malicious – partly because cyber-criminals have found numerous ways of monetising malware and infected machines, creating large incentives for the creation of new and more sophisticated versions of it.  That ever-increasing threat in turn created a mirrored incentive: an ever-growing demand for security software to be created in tandem, to prevent new infections as well as to detect and remove malware from already infected machines.

Antivirus applications – The evolution of features and approaches to detecting malware

In 2023 so far, it’s estimated that around 5.3 billion people are on the internet – not only that, but the average increase year over year is 300 million additional people getting connected.  With that sort of target, it’s no wonder that criminals are increasingly targeting people online.  As an ever-increasing threat, it’s more important than ever to make sure you’re protected. 

For individuals, this will mean making sure that each of your devices has some form of antivirus.  For businesses, it will mean making sure that, at a minimum, each one of your end-points has the same.  An end-point is defined as any device that connects to and exchanges information over a computer network, including web and email servers, staff computers/phones/tablets, etc.

At a basic level, at least historically, the primary way antivirus applications detected malicious files and applications was through using “signatures”.  A virus signature is a unique “hash” generated from a sample of known bad code.  To break that down, in this context, a hash is a short number that’s generated from that malicious code.  Generating a unique hash based off the original code allows you to identify it in the future by comparing a new hash of newly encountered code with those previously generated hashes.  These hashes are much smaller than the source code they’re generated from, which allows you to store large databases of them and easily share them amongst devices – this is much more effective than having to store full copies of the malicious code for matching against every type of virus!

When it comes to signature-based detection, the common security cycle is:

  1. A new virus or malware variant is discovered.
  2. An antivirus vendor creates a signature based on that new variant.
  3. The vendor tests the signature to ensure it detects the malware it was designed to find.
  4. They then distribute it to their customers/users via updating their signature-databases.
  5. Once their customers/users have the new definition, their antivirus program will be able to detect that new variant.
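To make the cycle above concrete, here is an added example (not code from the original article or from any antivirus vendor) that builds a tiny signature database from constructed, harmless byte strings that stand in for malware samples, scans new input against it, and then shows the weakness the rest of this article is about: a sample that differs by a single byte no longer matches its hash, and a sample whose bytes have been re-encoded matches neither a hash nor a byte-pattern signature. All sample names, marker strings and the XOR key are invented for the example.

```python
import hashlib

# Constructed stand-ins for malware samples: a fake header plus a recognisable marker.
# These are NOT real malware; the marker strings are invented for this example.
KNOWN_BAD = {
    "Constructed.Trojan.A": b"MZ\x90\x00" + b"\x00" * 8 + b"CONSTRUCTED-MARKER-A" + b"\x90" * 16,
    "Constructed.Worm.B":   b"MZ\x90\x00" + b"\x00" * 8 + b"CONSTRUCTED-MARKER-B" + b"\xcc" * 16,
}


def sha256_hex(data: bytes) -> str:
    """The 'hash' the article describes: a short fixed-size fingerprint of the bytes."""
    return hashlib.sha256(data).hexdigest()


def build_hash_db(samples: dict) -> dict:
    """Step 2 of the cycle: one hash per known sample, keyed by hash for O(1) lookup."""
    return {sha256_hex(data): name for name, data in samples.items()}


def scan_by_hash(data: bytes, hash_db: dict):
    """Step 5 of the cycle: hash the new file and look it up. None means no match."""
    return hash_db.get(sha256_hex(data))


# Pattern signatures: a distinctive byte sequence taken from each sample. Engines use
# these (YARA-style rules) so that files that differ only slightly are still caught.
PATTERN_DB = {name: data[12:32] for name, data in KNOWN_BAD.items()}  # the 20 marker bytes


def scan_by_pattern(data: bytes, pattern_db: dict) -> list:
    return sorted(name for name, pattern in pattern_db.items() if pattern in data)


def scan(data: bytes, hash_db: dict, pattern_db: dict) -> tuple:
    """Exact hash first (cheapest, no false positives), then byte patterns."""
    hit = scan_by_hash(data, hash_db)
    if hit:
        return ("hash", hit)
    hits = scan_by_pattern(data, pattern_db)
    if hits:
        return ("pattern", hits[0])
    return ("clean", None)


# Two ways a sample can change between being "discovered" and being "encountered":
def append_padding(data: bytes) -> bytes:
    """Trivial variant: one extra byte, so the whole-file hash is different."""
    return data + b"\x00"


def xor_transform(data: bytes, key: int) -> bytes:
    """Stand-in for the re-encoding a cryptor performs: the original bytes are no longer
    present in the file, so neither the hash nor the pattern can match until the payload
    is decoded at run time, which is exactly what behaviour-based detection watches for."""
    return bytes(b ^ key for b in data)


HASH_DB = build_hash_db(KNOWN_BAD)


def demo() -> dict:
    """Scan the original sample and two variants of it; returns the verdict for each."""
    original = KNOWN_BAD["Constructed.Trojan.A"]
    return {
        "original": scan(original, HASH_DB, PATTERN_DB),
        "padded":   scan(append_padding(original), HASH_DB, PATTERN_DB),
        "encoded":  scan(xor_transform(original, 0x5A), HASH_DB, PATTERN_DB),
    }


if __name__ == "__main__":
    for label, (method, name) in demo().items():
        print(f"{label:9s} -> {method:8s} {name or ''}")
```

The original sample is caught by its hash, the padded copy slips past the hash but is still caught by the byte pattern, and the re-encoded copy is reported clean by both. That last line is the gap that the fileless, cryptor and polymorphic techniques discussed later in this article exploit, and it is why a signature database on its own only ever catches what has already been seen.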

Over the course of time, on top of just being able to detect if files contained malicious code and removing them, other features were introduced and quickly became standard inclusions in most antivirus offerings.

Features that were introduced included:

  • Quarantine – Being able to quarantine a file if it’s suspected of being malicious, so that an administrator could specify the appropriate action and prevent false positives.
  • Real-time scanning – Instead of having scans scheduled to run at specified intervals, files and executables were able to be scanned immediately prior to execution, in order to catch any new files that had yet to be scanned.
  • Safe browsing – By blocking known malicious websites and potentially unsafe downloads, malicious files could be prevented from gaining access to your devices in the first place.
  • Ransomware protection – By preventing applications from modifying, deleting, or encrypting files without express permission, these solutions were able to help prevent their users from becoming hostages to ransomware.

However, nowadays new technologies and techniques are showing that these traditional approaches – such as the signature-based method detailed above - might be falling behind the latest developments on the malware front. 

Fileless Malware, Malware Cryptors, AI Code Generation, and “Cybercriminal Quality Assurance” – Why relying on signature-based protection isn’t enough anymore

As reported by ZDNET [1], it’s an unfortunate and not widely known truth that even as far back as 2006, around 80% of new malware was able to escape the most popular antivirus applications available on the market.

At the time, Graham Ingram, the general manager of AusCERT (Australian Computer Emergency Response Team), said that popular desktop antivirus applications just “don’t work”.  “At the point we see it as a CERT, which is very early on – the most popular brands of antivirus on the market ... have an 80 percent miss rate. That is not a detection rate, that is a miss rate” … “so if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” said Ingram.

The reason for this is that malware is becoming more advanced, and the bad guys, the criminals, are becoming more sophisticated in their approaches.  One of these approaches is a direct response to that previously ubiquitous and heavily relied-on feature, signature-based detection.  As mentioned previously, the core concept behind signature-based detection is to attempt to detect malware by comparing files, and the code within them, against known bad code through signatures.  In order to bypass or escape this method of detection, a new type of malware referred to as “fileless malware” was invented – which is able to work directly within a computer’s memory instead of the hard drive.  By avoiding having files with malicious code stored on a device’s storage, any traditional detection method that relies on scanning files on disk to locate threats may miss these altogether!

Another new approach is the use by cyber-criminals of malware “cryptors”.  As defined by WebRoot [2] – one of the world’s leading cyber-security companies – malware cryptors are designed to mask malware from being discovered by computer security programs by allowing malicious code to be encrypted repeatedly until the malware becomes unrecognisable to antivirus scans.  Not only that, but this technique is now being offered aaS (as-a-Service) – that is, cyber-criminals are now offering these crypting services to other cyber-criminals, allowing them to easily acquire malicious executables that have been found to have the highest chance of evading detection!

On the AI front, ChatGPT and other language model AIs are the next most concerning development on the horizon.  We’ve covered this in our recent article “The latest AI craze – why does ChatGPT have cyber-security professionals concerned?”, but it is ChatGPT’s incredible ability to generate potentially infinite variations of functional code that’s got people worried.  “Polymorphic” malware and viruses utilise a technique that’s been around for a while – taking some inspiration from their biological namesake, it’s a technique where malware is created with the ability to evolve and mutate its identifiable features in order to evade detection – however, language model AIs take it to the next level.

In experiments run by researchers at CyberArk, a world-leading security firm, they were able to demonstrate how ChatGPT could be used to generate different variations of malicious code built to achieve the same end.  What this allows for is the creation of malware code that is completely unique in each instance it’s used, thus bypassing any sort of detection that relies on signatures.

As reported by Gizmodo [3], this result was achieved despite the fact that ChatGPT has inbuilt protection to prevent it from generating malicious code.  They described how the researchers from CyberArk were able to out-manoeuvre these protections – they did so by rephrasing requests and simply insisting it proceed, effectively bullying the AI into doing what they wanted.  However, even if OpenAI, the developers of ChatGPT, were able to improve the protections that are in place, open-source versions of similar language model AIs are available currently.  With this being the case, it’s just a matter of time until cyber-criminals have their own version of these AIs with much less inbuilt concern over ethics and legality!

All of these techniques are evidence of an increase in the sophistication of cyber-criminals, and nowhere is this more evident than in the “quality assurance” processes that are now common prior to launching a malware campaign.  No longer are cyber-criminals “sloppy” in their approach, as they can now put their newly created malware through the gauntlet with an extensive range of tests against all the popular antivirus engines in order to ensure that it can evade them – this too is often offered aaS (as-a-Service) to other criminals who need to do the same.

Behaviour-based and heuristic-based detection – How Endpoint Protection and EDR services can help protect you from zero-day vulnerabilities

Due to all of these threats that evade the traditional detection methods, it’s important to make sure that any security services that you use utilise other techniques to detect malicious behaviour.  That’s not to say that there is no place for signature-based detection, but it should only be one part of a much larger strategy to stay protected.  Key amongst the methods we recommend are security services that utilise behaviour-based and heuristic-based detection, such as Endpoint Protection and EDR (Endpoint Detection and Response) solutions.

In response to threats beginning to evade old approaches, many security vendors have changed the way they look to detect threats – instead of looking through code for known malicious code, they now look to evaluate behaviour.  The approach of looking at the behaviour of applications and code, rather than looking at the applications and code itself, is referred to as “behaviour-based” detection.  By monitoring what an application is doing and flagging anything that looks unusual or out of the norm, these solutions are even able to potentially catch brand new threats that haven’t been seen before “in the wild”.

Heuristic-based detection isn’t mutually exclusive with behavioural detection; in fact it’s often used in combination with it.  In psychology, a heuristic is a mental shortcut that allows an individual to solve a problem quickly, with minimal mental effort – using your intuition to make a decision, rather than working through every problem from first principles, is one example of this.  Heuristics are used because they are reliable and allow people to act in the moment, though they are sometimes imperfect and not the most optimal solution.  In a similar way, when it comes to cyber-security, “heuristic-based” detection is used to make a decision on what to do when a suspected threat is detected, usually erring on the side of caution to be right “most of the time”.  The theory behind this technique is that it’s better to have the potential inconvenience of false positives than the alternative of missing an actual threat.
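The following is an added example, not code from the original article or from Carbon Black or any other vendor named here, of what the behaviour-based and heuristic-based approach described above looks like in practice. It scores each process from a constructed stream of endpoint telemetry (process starts, code injection into another process, file renames) against a handful of weighted heuristics, with no signatures involved, and then applies thresholds that deliberately err on the side of caution. The process names, the telemetry, the weights, the thresholds and the allowlist are all invented for the example; the encoded-command argument is a placeholder, not a real command.

```python
from collections import defaultdict

# Constructed endpoint telemetry for this example (not real captures). Each event is a
# dict: time in seconds, process id, image name, parent image, action, and an argument.
EVENTS = [
    {"t": 0.0, "pid": 100, "proc": "winword.exe", "parent": "explorer.exe", "action": "start",
     "arg": "winword.exe report.docx"},
    {"t": 2.0, "pid": 101, "proc": "powershell.exe", "parent": "winword.exe", "action": "start",
     "arg": "powershell.exe -EncodedCommand <constructed-placeholder>"},
    {"t": 3.0, "pid": 101, "proc": "powershell.exe", "parent": "winword.exe", "action": "inject",
     "arg": "explorer.exe"},  # code placed into another process's memory, nothing written to disk
    {"t": 5.0, "pid": 102, "proc": "unknown.exe", "parent": "powershell.exe", "action": "start",
     "arg": "unknown.exe"},
] + [  # ransomware-like behaviour: many user files renamed to one new extension in seconds
    {"t": 5.0 + i * 0.2, "pid": 102, "proc": "unknown.exe", "parent": "powershell.exe",
     "action": "rename", "arg": f"doc{i}.docx -> doc{i}.docx.locked"} for i in range(8)
] + [  # a legitimate backup tool rotating logs looks superficially similar
    {"t": 20.0, "pid": 103, "proc": "backup.exe", "parent": "services.exe", "action": "start",
     "arg": "backup.exe --rotate"},
] + [
    {"t": 20.0 + i * 0.5, "pid": 103, "proc": "backup.exe", "parent": "services.exe",
     "action": "rename", "arg": f"log{i}.txt -> log{i}.txt.bak"} for i in range(6)
] + [
    {"t": 40.0, "pid": 104, "proc": "notepad.exe", "parent": "explorer.exe", "action": "start",
     "arg": "notepad.exe notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ALLOWLIST = {"backup.exe"}          # constructed: tools an administrator has reviewed
MASS_RENAME_MIN, MASS_RENAME_WINDOW = 5, 10.0   # >= 5 renames to one extension within 10 s
BLOCK_AT, ALERT_AT = 60, 30         # heuristic thresholds, tuned to err on the side of caution


def score_process(events: list) -> tuple:
    """Apply the heuristics to one process's events; returns (score, reasons)."""
    score, reasons = 0, []
    start = next((e for e in events if e["action"] == "start"), None)
    if start and start["proc"] in SCRIPT_HOSTS and start["parent"] in OFFICE_APPS:
        score += 40
        reasons.append("script host spawned by an office application")
    if start and "-encodedcommand" in start["arg"].lower():
        score += 20
        reasons.append("obfuscated (encoded) command line")
    if any(e["action"] == "inject" for e in events):
        score += 30
        reasons.append("code injected into another process (memory only, no file to scan)")
    # Mass rename: group rename targets by their new extension and check the time span.
    by_ext = defaultdict(list)
    for e in sorted((e for e in events if e["action"] == "rename"), key=lambda e: e["t"]):
        new_name = e["arg"].split("->")[1].strip()
        by_ext[new_name.rsplit(".", 1)[-1]].append(e["t"])
    for ext, times in by_ext.items():
        if len(times) >= MASS_RENAME_MIN and times[-1] - times[0] <= MASS_RENAME_WINDOW:
            score += 60
            reasons.append(f"{len(times)} files renamed to .{ext} within {times[-1] - times[0]:.1f}s")
            break
    return score, reasons


def verdict(proc: str, score: int) -> str:
    """block = terminate/quarantine; alert = keep running but notify; allow = nothing."""
    if score >= BLOCK_AT and proc not in ALLOWLIST:
        return "block"
    return "alert" if score >= ALERT_AT else "allow"


def analyse(events: list) -> dict:
    """Group telemetry by process id and return a verdict for each process."""
    per_pid = defaultdict(list)
    for e in events:
        per_pid[e["pid"]].append(e)
    results = {}
    for pid, evs in per_pid.items():
        score, reasons = score_process(evs)
        results[pid] = {"proc": evs[0]["proc"], "score": score,
                        "verdict": verdict(evs[0]["proc"], score), "reasons": reasons}
    return results


if __name__ == "__main__":
    for pid, r in analyse(EVENTS).items():
        print(f"pid {pid} {r['proc']:15s} score={r['score']:3d} {r['verdict']:5s} {'; '.join(r['reasons'])}")
```

None of the rules knows what `unknown.exe` is, yet it is blocked purely for what it did, which is what lets this approach catch a sample that has never been seen before. The backup tool trips the same mass-rename rule and would also have been blocked, which is the false-positive cost the heuristic approach accepts; the allowlist downgrades it to an alert for an administrator to review, mirroring the quarantine feature described earlier rather than silently letting it through.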

Endpoint protection solutions that include EDR (Endpoint Detection and Response) features implement both of these – they allow organisations to detect threats that exist within their infrastructure and respond to them.  For example, our go-to recommendation is Carbon Black Endpoint Protection, as it’s able to thwart attacks that would bypass traditional approaches; provide reports on how attacks were initiated and which systems and/or endpoints were attacked; give visibility over current malicious activity on a network; and allow for live responses to such events should they occur.  Without having these sorts of solutions as part of your infrastructure, protecting your IT infrastructure and knowing what’s occurring within it is much, much harder.

It’s for this reason that we recommend every one of our clients look to have these included as part of their business cyber-security strategy.  Doing so will be a critical component to protecting IT infrastructure, such as staff devices, web and email servers, and back-end systems such as CRMs (Customer Relationship Management software) or financial systems. 

Want to know more about Endpoint Protection and EDR services? 

If you are interested in finding out what options are available for Endpoint Protection, EDR, and other security services, reach out to us!  You can call us on 1300 769 972 (Option #1) or email us at sales@micron21.com to discuss how we can best meet your security requirements.

We can provide a range of solutions, from security suites from Carbon Black, Sophos, Bitdefender, and more.  For those who want to go even further to secure their systems, we can also help with network firewalls, WAFs (Web Application Firewalls), DDoS protection, and vulnerability scanning!

Sources
