Detecting Return-Oriented Programs Critical to Fighting Advanced Malware

Only those malware detection systems that can view and analyze each instruction as the malware executes within the CPU can effectively detect Return-Oriented Programming-based threats.

Today’s advanced malware continues to refine the techniques it uses to avoid detection. One of these evasion techniques is known as Return-Oriented Programming, or ROP. It is a very effective way to hide malicious activity, even from most technologies that claim to detect advanced malware. Only a malware detection system that can view and analyze each instruction as it executes within the CPU can effectively detect ROP-based threats.

Return-oriented programming is a technique in which malware manipulates the computer’s call stack, the memory area that records where execution should resume (the return address) after each call to a function or other code segment. Malware authors alter the return addresses on the stack so that when a called function completes, instead of returning directly to the malware program, execution is redirected to a different code location, or through several locations in turn, before ultimately returning to the malware.

Malware that is ROP-based (or has segments of code that use ROP) defies discovery by making multiple calls into the operating system or other programs, and these external code paths actually perform the dirty work. Since the nasty deeds are not performed directly by the malware program itself, it avoids detection.

Because the code in ROP-based malware relies so much on external programs and functions, the amount of logic inside the malware itself is limited. Instead of lots of internal processing, the code has a very high number of calls to external processes, along with the associated high number of returns from those external processes. This is why it’s referred to as Return-Oriented Programming.

Legacy sandboxes and next-generation firewalls can’t see inside the malware to discover what it is actually doing. They only see the isolated, independent interactions between the malware and the operating system. Obvious security violations, like a request to connect to a known malicious IP address, will be detected. But malware authors know that glaring misbehavior will be caught, so ROP-based techniques are used to make small, seemingly innocent and unrelated calls that appear benign or go unseen by most malware detection systems.
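The post argues that ROP only becomes visible when every executed instruction can be inspected. The following added example (not Lastline’s code, and not from the original post) shows what such an instruction-level check can look like: it walks a constructed execution trace against a constructed code image and applies two well-known heuristics from the ROP-detection literature, a return whose target is not the fall-through address of a `call`, and runs of very short instruction sequences that each end in `ret`. All addresses, mnemonics, traces and thresholds are hypothetical.

```python
"""Heuristic ROP detection over an instruction-level execution trace.

Two signals, both requiring per-instruction visibility:
  1. a `ret` whose target is not immediately preceded by a `call` in the
     code image (a legitimate return lands on a call site's fall-through);
  2. a run of short instruction sequences ("gadgets") that each end in `ret`.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    size: int = 1  # constructed: every instruction is one byte wide to keep the map simple


# Constructed static code image (hypothetical addresses, not from the post).
CODE = {i.addr: i for i in [
    Insn(0x050, "call"), Insn(0x051, "mov"), Insn(0x052, "ret"),          # caller
    Insn(0x100, "push"), Insn(0x101, "call"), Insn(0x102, "mov"),         # function that calls a helper
    Insn(0x103, "pop"), Insn(0x104, "ret"),
    Insn(0x200, "mov"), Insn(0x201, "add"), Insn(0x202, "ret"),           # helper
    Insn(0x300, "pop"), Insn(0x301, "ret"),                               # gadget-shaped tails
    Insn(0x310, "mov"), Insn(0x311, "ret"),                               # found in library code
    Insn(0x320, "xchg"), Insn(0x321, "ret"),
    Insn(0x330, "syscall"), Insn(0x331, "ret"),
    Insn(0x340, "mov"),
]}

# Constructed traces: instruction addresses in execution order.
BENIGN_TRACE = [0x050, 0x100, 0x101, 0x200, 0x201, 0x202, 0x102, 0x103, 0x104, 0x051, 0x052]
# The helper's ret lands on a gadget instead of 0x102 (its return address was
# overwritten on the stack), and each gadget's ret then hands off to the next.
ROP_TRACE = [0x050, 0x100, 0x101, 0x200, 0x201, 0x202,
             0x300, 0x301, 0x310, 0x311, 0x320, 0x321, 0x330, 0x331, 0x340]


def call_preceded(target: int) -> bool:
    """True if some call instruction in the code image ends exactly at `target`,
    i.e. the return lands on a legitimate call site's fall-through address."""
    return any(i.mnemonic == "call" and i.addr + i.size == target for i in CODE.values())


def analyze(trace: list[int], max_gadget: int = 5) -> dict:
    """Walk the trace and, at every executed `ret`, record whether its target is
    call-preceded and how many instructions ran since the previous `ret`."""
    stats = {"rets": 0, "uncalled_rets": 0, "longest_chain": 0}
    chain = 0       # current run of short, non-call-preceded returns
    since_ret = 0   # instructions executed since the previous ret
    for cur, nxt in zip(trace, trace[1:]):
        since_ret += 1
        insn = CODE.get(cur)
        if insn is None or insn.mnemonic != "ret":
            continue
        stats["rets"] += 1
        legit = call_preceded(nxt)
        if not legit:
            stats["uncalled_rets"] += 1
        if not legit and since_ret <= max_gadget:
            chain += 1
            stats["longest_chain"] = max(stats["longest_chain"], chain)
        else:
            chain = 0   # a normal return, or a long sequence, breaks the chain
        since_ret = 0
    return stats


def looks_like_rop(trace: list[int], max_gadget: int = 5, min_chain: int = 3) -> bool:
    """Verdict: at least `min_chain` consecutive short gadgets ending in suspicious returns."""
    return analyze(trace, max_gadget)["longest_chain"] >= min_chain


if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("rop", ROP_TRACE)]:
        verdict = "ROP-like" if looks_like_rop(trace) else "clean"
        print(f"{name}: {analyze(trace)} -> {verdict}")
```

The benign trace produces two returns, both landing right after a `call`, and no chain; the second trace produces five returns, none call-preceded, with a chain of four consecutive short gadgets, which is exactly the pattern a system that only observes API-level interactions never gets to see. Real detectors of this kind (kBouncer and ROPecker are the usual references) apply the same two checks over hardware branch records or traces rather than a toy address list, and tune the gadget-length and chain thresholds against the false-positive rate of legitimate code.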

Since Lastline can view the actual instructions as they are executed within the CPU, it easily detects malware that uses sophisticated evasion techniques like ROP. Lastline is the only malware detection solution with this capability, and this is one of many reasons why it can identify advanced malware that other solutions miss.