Detecting Both Malicious Code and Malicious Behaviors
Many malware detection systems identify malicious code by executing it in a sandbox and watching for anomalous behavior. As the sample runs, the sandbox looks for signs of unusual or unauthorized actions such as:
- Elevating privileges to “administrator” or “root” when the program doesn’t ordinarily require them
- Adding new users to the system, or changing the privileges of existing users
- Downloading and installing other programs
- Unusual deletion or modification of data, especially in bulk
- Accessing system or data files that are not necessary for the application’s normal workflow
- Connecting to other systems, either within the network or on the Internet, when such a connection is not normal for the application
- Connecting to known malicious sites on the Internet for “command and control” instructions
- Encrypting data
- Transmitting data when either the data itself or the destination is abnormal
Any of the above behaviors is a strong indicator of malware, and observing them is a crucial part of malware detection. Most sandboxes and next-generation firewalls rely heavily, or even exclusively, on this approach to identify malicious objects.
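As an added illustration (not code from the original page or from Lastline), the following Python turns the behaviors listed above into a small rule engine that runs over a sandbox event trace. The event field names, the thresholds, the threat-intelligence sets and both sample traces are assumptions constructed for this example; a real sandbox would feed its own event schema into rules of this shape.

```python
import math
from collections import defaultdict

# Constructed policy and threat-intelligence inputs (assumptions for this example).
KNOWN_C2 = {"update-check.example.net"}
SENSITIVE_PATHS = {"/etc/shadow", r"C:\Windows\System32\config\SAM"}
EXPECTED_DESTS = {"api.vendor.example.com"}
MASS_FILE_OPS = 4         # file modifications/deletions before we call it "mass"
CIPHERTEXT_ENTROPY = 7.0  # bits per byte; documents and source sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8 for ciphertext, ~4-5 for plain text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_trace(events):
    """Map each triggered rule to its evidence; an empty dict means nothing anomalous."""
    hits = defaultdict(list)
    downloaded, file_ops, encrypted_writes = set(), 0, 0
    for ev in events:
        kind = ev["type"]
        if kind == "privilege_change" and ev["to"] in {"root", "SYSTEM", "Administrator"}:
            hits["privilege_escalation"].append(ev["to"])
        elif kind in {"user_add", "group_change"}:
            hits["account_tampering"].append(ev["user"])
        elif kind == "net_download":
            downloaded.add(ev["path"])          # remember what was fetched...
        elif kind == "process_create" and ev["path"] in downloaded:
            hits["download_and_execute"].append(ev["path"])  # ...and flag it when run
        elif kind == "file_delete":
            file_ops += 1
        elif kind == "file_write":
            file_ops += 1
            if shannon_entropy(ev["content"]) >= CIPHERTEXT_ENTROPY:
                encrypted_writes += 1           # high-entropy rewrite of a user file
        elif kind == "file_read" and ev["path"] in SENSITIVE_PATHS:
            hits["sensitive_file_access"].append(ev["path"])
        elif kind in {"dns_query", "connect"} and ev["host"] in KNOWN_C2:
            hits["c2_contact"].append(ev["host"])
        elif kind == "net_send" and ev["host"] not in EXPECTED_DESTS:
            hits["abnormal_transmission"].append((ev["host"], ev["bytes"]))
    if file_ops >= MASS_FILE_OPS:
        hits["mass_file_modification"].append(file_ops)
    if encrypted_writes >= MASS_FILE_OPS:
        hits["bulk_encryption"].append(encrypted_writes)
    return dict(hits)


# Constructed traces. bytes(range(256)) stands in for ciphertext (entropy 8.0).
CIPHERTEXT = bytes(range(256))
DOCS = r"C:\Users\bob\Documents"
MALICIOUS_TRACE = [
    {"type": "process_create", "path": r"C:\Users\bob\invoice.exe"},
    {"type": "privilege_change", "to": "SYSTEM"},
    {"type": "user_add", "user": "svc_backup"},
    {"type": "net_download", "path": r"C:\ProgramData\upd.exe"},
    {"type": "process_create", "path": r"C:\ProgramData\upd.exe"},
    {"type": "file_read", "path": r"C:\Windows\System32\config\SAM"},
    *({"type": "file_write", "path": rf"{DOCS}\q{i}.docx", "content": CIPHERTEXT} for i in range(4)),
    {"type": "file_delete", "path": rf"{DOCS}\backup.zip"},
    {"type": "dns_query", "host": "update-check.example.net"},
    {"type": "net_send", "host": "update-check.example.net", "bytes": 20480},
]
BENIGN_TRACE = [
    {"type": "process_create", "path": r"C:\Program Files\Vendor\app.exe"},
    {"type": "file_write", "path": rf"{DOCS}\notes.txt", "content": b"Quarterly revenue: 1,204,533 USD"},
    {"type": "net_send", "host": "api.vendor.example.com", "bytes": 512},
]

if __name__ == "__main__":
    for name, trace in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(name, score_trace(trace))
```

Note what this engine cannot do: if the sample detects the sandbox and simply sleeps, the trace contains nothing but the initial process creation and `score_trace` returns an empty dict, which is exactly the limitation the next paragraph describes.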
Although behavioral detection is important, it has one serious limitation: it requires the malicious portion of the code to execute. Today's advanced malware will stall, or perform only benign functions, if it suspects it is being monitored, for example by checking for a hypervisor, timing its own execution, or sleeping past the sandbox's analysis window. When that happens, nothing dangerous occurs for the detection system to observe, and the code is classified as benign even though it is not.
To catch malware that never fully executes in the sandbox, the detection system must be able to identify malicious code without running it. Legacy systems do this with hashes or signatures of known malicious code. That is a proven method for previously discovered samples, but it fails on anything new: a cryptographic hash changes completely when even a single byte of the file changes, so a repacked or lightly modified variant has no matching signature. This is a major reason why infections and data breaches remain so prevalent.
A more comprehensive approach is needed. Lastline performs both behavior and hash (signature) analysis to detect dangerous code, and adds further techniques that can identify malware even when the code has not been executed. These methods inspect the actual compiled code for structural abnormalities or malicious programming techniques such as:
- Internal stalling routines (sleep loops, timing checks) used to outlast the analysis window
- Fingerprinting routines designed to spot sandbox environments so the malware can evade detection
- API calls used to escalate privileges
- Return-Oriented Programming (ROP) gadget chains
- Embedded shellcode or abnormal macros
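The following Python, added here and not Lastline's code, puts the two preceding points side by side: a signature lookup that misses the sample as soon as a single byte changes, and a structural scan of the same bytes that still flags sandbox-fingerprinting imports, timing instructions, a privilege-escalation import and a NOP sled without ever running the code. The "binary" blob, the indicator lists, the signature table and the family name are constructed for this example; a real implementation would parse the PE import table and disassemble the code section instead of pattern-matching raw bytes.

```python
import hashlib
import re

# Constructed stand-in for a compiled sample (not real malware): a DOS
# header stub, an import-name table, and a short code section.
ORIGINAL = (
    b"MZ" + b"\x00" * 14
    + b"kernel32.dll\x00IsDebuggerPresent\x00GetTickCount\x00Sleep\x00"
    + b"advapi32.dll\x00AdjustTokenPrivileges\x00"
    + b"\x90" * 32          # NOP sled ahead of a shellcode-style stub
    + b"\x0f\x31"           # rdtsc: timing check used to spot slow/emulated sandboxes
    + b"\x0f\xa2"           # cpuid: hypervisor fingerprinting
    + b"\xcc"
)
# A repacked variant: one byte differs, which is enough to change every hash.
VARIANT = ORIGINAL.replace(b"\xcc", b"\xc3")

# Constructed signature database keyed by SHA-256 of known samples.
SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Trojan.Example"}

# Indicator lists (assumptions for this example, not a vendor rule set).
FINGERPRINT_IMPORTS = {b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                       b"NtQuerySystemInformation"}
STALL_IMPORTS = {b"Sleep", b"GetTickCount", b"QueryPerformanceCounter"}
PRIVESC_IMPORTS = {b"AdjustTokenPrivileges"}
FINGERPRINT_OPCODES = {b"\x0f\x31": "rdtsc", b"\x0f\xa2": "cpuid"}
NOP_SLED = re.compile(rb"\x90{16,}")


def hash_lookup(blob: bytes):
    """Legacy signature check: exact match on the file hash, or nothing."""
    return SIGNATURES.get(hashlib.sha256(blob).hexdigest())


def structural_scan(blob: bytes):
    """Static inspection of the bytes; the sample is never executed."""
    findings = []
    # Simplification: recover import names with a string scan rather than
    # by walking the PE import table.
    names = set(re.findall(rb"[A-Za-z]{5,}", blob))
    for n in sorted(names & FINGERPRINT_IMPORTS):
        findings.append(f"sandbox-fingerprinting import: {n.decode()}")
    for n in sorted(names & STALL_IMPORTS):
        findings.append(f"timing/stalling import: {n.decode()}")
    for n in sorted(names & PRIVESC_IMPORTS):
        findings.append(f"privilege-escalation import: {n.decode()}")
    for op, name in FINGERPRINT_OPCODES.items():
        if op in blob:
            findings.append(f"fingerprinting instruction in code: {name}")
    if NOP_SLED.search(blob):
        findings.append("NOP sled: embedded shellcode indicator")
    return findings


def verdict(blob: bytes) -> str:
    """Combine both: a hash hit is conclusive, otherwise fall back to structure."""
    family = hash_lookup(blob)
    if family:
        return f"known: {family}"
    findings = structural_scan(blob)
    return ("suspicious: " + "; ".join(findings)) if findings else "no verdict"


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT)):
        print(f"{label}: hash -> {hash_lookup(blob)}; verdict -> {verdict(blob)}")
```

The variant produces no hash hit at all, yet its structural findings are identical to the original's, because the byte that changed touched none of the indicators. The same logic cuts the other way: a packer that encrypts the import table and code section hides these indicators from a byte scan, which is why static inspection is a complement to behavioral analysis rather than a replacement for it.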
It is critical to detect both malicious behavior and malicious code. By combining signatures with behavior analysis and code analysis, Lastline detects malware that single-method solutions miss.