You hear these statistics all the time: signature-based anti-virus software needs to be fully up to date to be around 80% effective, and no, that figure does not cover zero-day exploits, where detection of previously unseen malware drops to as low as 10-20%.
Having been in the security industry for a few years now, I have seen host security evolve from simple pattern-matching signatures to complex behavioural detection (remember Cisco Security Agent?), and I am a firm believer in behavioural malware detection.
What shocked me, though, was a recent video I saw on the USENIX conference site that details progress in advanced malware obfuscation and how the malware of the future will avoid detection by AV software.
The talk is a quick 15-minute eye-opener on where malware is headed. At a very simple level, the author describes logic that dynamically creates malware by stitching together small code fragments from the benign programs already on your computer. So the very programs that you and your AV trust, file explorers, document editors, spreadsheet handlers and so on, are a treasure trove of simple code that can be harvested right on the victim's machine to assemble a piece of malware that then infects it. Very interesting and shocking.
With the whole 'bring your own device to work' trend, organisations are starting to lose control of their endpoint security, and with such advances in malware obfuscation, enforcing a piece of AV software may not be enough anymore. There is still a whole lot you can do on the network side with intelligent network access control technologies and NetFlow-based anomaly detection, but one can only hope there are some serious advances made in the endpoint security industry to battle this new wave of intelligent malware.
The video referenced above is a must-watch and can be found here: Frankenstein: Stitching Malware from Benign Binaries.
The detailed paper is here and the slides here. Here is a little more insight from the paper's abstract:
"This paper proposes a new self-camouflaging malware propagation system, Frankenstein, that overcomes shortcomings in the current generation of metamorphic malware. Specifically, although mutants produced by current state-of-the-art metamorphic engines are diverse, they still contain many characteristic binary features that reliably distinguish them from benign software. Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses. This makes it more difficult for feature-based malware detectors to reliably use those byte sequences as a signature to detect the malware. The instruction sequence harvesting process leverages recent advances in gadget discovery for return-oriented programming. Preliminary tests show that mining just a few local programs is sufficient to provide enough gadgets to implement arbitrary functionality."
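To make the abstract's harvest-and-stitch idea concrete, here is an added, constructed Python example; it is not the paper's code or data. It assumes a toy decoder for a handful of x86-32 opcodes (nop, inc, pop, register-direct xor and mov, ret), two hand-made byte strings standing in for trusted local programs (the names viewer.bin and editor.bin are invented), a four-step semantic blueprint for the payload, and a constructed byte signature for the payload's obvious encoding. The harvester follows the ROP recipe of walking backwards from every ret byte; the stitcher copies one benign gadget body per blueprint step; a small emulator shows that the mutant and the plain encoding do exactly the same thing, which is the behaviour a behavioural detector would still see.

```python
"""Toy Frankenstein-style gadget harvesting and stitching (constructed example,
not the paper's tooling): a tiny x86-32 subset over hand-made byte strings."""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(buf, i):
    """Decode one instruction at buf[i] -> (mnemonic, length), or None."""
    b = buf[i]
    if b == 0xC3:
        return ("ret", 1)
    if b == 0x90:
        return ("nop", 1)
    if 0x40 <= b <= 0x47:
        return (f"inc {REGS[b - 0x40]}", 1)
    if 0x58 <= b <= 0x5F:
        return (f"pop {REGS[b - 0x58]}", 1)
    if b in (0x31, 0x89) and i + 1 < len(buf) and buf[i + 1] >> 6 == 3:
        modrm = buf[i + 1]  # register-direct xor/mov r32, r32 only
        src, dst = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
        return (f"{'xor' if b == 0x31 else 'mov'} {dst}, {src}", 2)
    return None


def harvest(buf, max_len=6):
    """ROP-style gadget discovery: for each ret, try every start offset in the
    preceding max_len bytes and keep decodable runs that land exactly on it."""
    gadgets = []
    for ret_at in (i for i, b in enumerate(buf) if b == 0xC3):
        for start in range(max(0, ret_at - max_len), ret_at):
            pc, insns = start, []
            while pc < ret_at:
                d = decode(buf, pc)
                if d is None or d[0] == "ret":  # undecodable or early ret
                    break
                insns.append(d[0])
                pc += d[1]
            if pc == ret_at and insns:
                gadgets.append((start, ret_at, tuple(insns)))
    return gadgets


def implements(gadget_insns, step):
    """A gadget realises a step if its body, ignoring nop filler, is the step."""
    return tuple(m for m in gadget_insns if m != "nop") == tuple(step)


def stitch(blueprint, corpus, max_len=6):
    """Copy one benign gadget body (ret dropped) per blueprint step, byte for
    byte, then append a final ret. Returns (mutant, provenance)."""
    pool = [(name, buf, g) for name, buf in corpus.items()
            for g in harvest(buf, max_len)]
    mutant, provenance = bytearray(), []
    for step in blueprint:
        for name, buf, (start, ret_at, insns) in pool:
            if implements(insns, step):
                mutant += buf[start:ret_at]
                provenance.append((name, start, ret_at))
                break
        else:
            raise LookupError(f"no benign gadget implements {step}")
    mutant.append(0xC3)
    return bytes(mutant), provenance


def disasm(buf):
    """Linear disassembly of a whole buffer; raises on undecodable bytes."""
    out, pc = [], 0
    while pc < len(buf):
        d = decode(buf, pc)
        if d is None:
            raise ValueError(f"undecodable byte {buf[pc]:#x} at offset {pc}")
        out.append(d[0])
        pc += d[1]
    return out


def emulate(buf, stack):
    """Run the subset on zeroed registers; pop takes values from stack."""
    regs, stack = dict.fromkeys(REGS, 0), list(stack)
    for insn in disasm(buf):
        op, _, args = insn.partition(" ")
        ops = [a.strip() for a in args.split(",")] if args else []
        if op == "ret":
            break
        if op == "xor":
            regs[ops[0]] ^= regs[ops[1]]
        elif op == "mov":
            regs[ops[0]] = regs[ops[1]]
        elif op == "inc":
            regs[ops[0]] = (regs[ops[0]] + 1) & 0xFFFFFFFF
        elif op == "pop":
            regs[ops[0]] = stack.pop(0)
    return regs


def signature_hits(buf, signatures):
    """Plain byte-pattern AV: which known-sample signatures occur in buf?"""
    return [name for name, sig in signatures.items() if sig in buf]


# Constructed stand-ins for two trusted local programs (hypothetical names).
BENIGN = {
    "viewer.bin": bytes([0x90, 0x31, 0xC0, 0x90, 0xC3,  # nop; xor eax,eax; nop; ret
                         0x58, 0x5B, 0xC3,              # pop eax; pop ebx; ret
                         0x90, 0x40, 0x90, 0xC3]),      # nop; inc eax; nop; ret
    "editor.bin": bytes([0x5B, 0x90, 0xC3,              # pop ebx; nop; ret
                         0x89, 0xD8, 0x40, 0xC3]),      # mov eax,ebx; inc eax; ret
}
# Semantic blueprint of the payload: eax = 2, ebx = value popped from the stack.
BLUEPRINT = [("xor eax, eax",), ("inc eax",), ("inc eax",), ("pop ebx",)]
DIRECT = bytes([0x31, 0xC0, 0x40, 0x40, 0x5B, 0xC3])        # the obvious encoding
SIGNATURES = {"payload.A": bytes([0x31, 0xC0, 0x40, 0x40, 0x5B])}  # constructed
```

Running `stitch(BLUEPRINT, BENIGN)` yields a 12-byte mutant assembled entirely from ranges of viewer.bin; `signature_hits` fires on DIRECT and not on the mutant, while `emulate` returns the same register state for both. Two caveats the toy glosses over: the junctions between copied fragments create byte sequences that occur in no benign program, and the filler instructions a real gadget drags along have side effects, which is why the paper works from semantic blueprints rather than exact instruction matches as this example does.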