Defeating Fragmentation Divide-and-Conquer Attacks
In a previous blog, titled Evasive Malware – The Art of Doing Nothing, we covered how advanced malware evades detection by stalling and postponing all malicious activity whenever a sandbox is detected.
In today’s blog, we’ll look at another sophisticated evasion technique known as fragmentation. This occurs when malware authors split malicious payloads into separate objects. Each object is by itself harmless, and when individually evaluated by a conventional sandbox nothing dangerous is seen and they are allowed into the enterprise. However, when the objects are later combined within a real host, they become malicious.
As an example, consider a case where multiple .dat files are downloaded or traverse the network. After rudimentary evaluation, the file passes through a conventional sandbox without being flagged as malicious. Subsequently, an additional object looks for the earlier .dat files and if they are found, joins them together into an executable piece of malware.
This latter object designed to join the earlier fragments will also evade detection by a conventional sandbox. Because the earlier fragments are no longer present on the sandbox, the objects are not joined and no malicious activity occurs. Since nothing malicious takes place within the sandbox, every fragment of the attack passes through without detection.
Lastline adds a completely new dimension to sandbox technology. Using deep content inspection, Lastline evaluates the actual code as it executes within the CPU. It’s extremely difficult for malware to determine that it’s running within a Lastline environment, and as a result will begin executing its malicious routines. Each instruction being executed is completely visible to Lastline’s deep content inspection technology. When suspicious code is found, the object can be tagged as malicious or further evaluated.
Click here to learn more about how Lastline detects evasive malware that other systems miss.