Advanced Malware

Teamwork in the office

Detect and Outsmart

Despite substantial investments in numerous security products, organizations continue to be victims of successful malware attacks and data breaches.

Today’s sophisticated malware has been engineered to discover and outsmart “advanced” security tools like firewalls, IPS, and sandbox technologies. These technologies are unable to detect the wide range of evasion techniques described below.

Advanced Malware Knows
When It’s in a Sandbox

Sandboxes use virtual machine (VM) technology to analyze suspicious objects. Although VMs resemble a real host, they also insert artifacts into the VM environment for the virtualization to work. These artifacts include additional operating system files and processes, supplementary CPU features, and other components. Sophisticated malware can detect these artifacts, alter its behavior and avoid detection.

Hacker stealing dollars from bank

Advanced Malware Evasion Techniques

Advanced malware avoids being detected by sandboxes or other security controls by altering its behavior and adopting one or more evasion tactics, such as:

  • Stalling Delays: The malware simply does nothing for an extended period. Typically, 10 minutes is sufficient for most sandboxes to timeout and assume the object is benign.
  • User Action Required: The malware avoids doing anything malicious until a user performs a specific action (e.g., a mouse click, pressing a key, opening or closing a file, or exiting the program).
  • Suspended Activities: The malware postpones these malicious actions while it is operating within a sandbox:
    • Injection or modification of code within other applications
    • Establish persistence and download additional code
    • Move laterally across the network
    • Connect to its C&C servers
  • Fragmentation: The malware splits into several components that only execute when it is reassembled.
  • ROP Evasion: Return-Oriented Programming (ROP) The malware injects functionality into another process without altering the code of that process. This is achieved by modifying the contents of the stack, which is the set of memory addresses that tell the system which segment of code to execute next.
  • Rootkits: The malware hides malicious code in the lower layers of the operating system where conventional sandbox technology can’t see it.
Lastline Discovers All Evasive Actions

We designed Lastline Enterprise to provide complete visibility into malware behavior that other technologies miss, while remaining hidden from the malware itself. We created Deep Content Inspection™, a unique isolation and inspection environment that simulates an entire host including the CPU, system memory, and all devices.  Deep Content Inspection allows Lastline Enterprise to interact with the malware and observe all the actions a malicious object might take.