Lesson From the VirusTotal Hack: Antimalware Solutions are Not Enough

essidsolutions

Although antimalware software is beneficial, it is not a reliable way to protect endpoint devices on its own. Licensed antimalware solutions built to stop common malware will not defend your systems from tailored malware attacks and can leave them exposed. Let's look at how antimalware works, its nuances, how threat actors get past it, and the methodology needed to safeguard endpoints and data.

The recent alleged VirusTotal hack indicated that antimalware solutions aren't as robust as many expect. They are only one imperfect layer of protection for your organization. Understanding how antimalware software works and how it is circumvented is the first step in surrounding it with other safeguards in a defense-in-depth architecture.

The VirusTotal Hack

VirusTotal, owned and operated by Google, is a free online service that scans user-provided content for malware. The service uses "over 70 antivirus scanners and URL/domain blocklisting services" to identify potentially malicious code and sites for its users. This is a lot of malware detection, but it apparently was not enough.

In May 2021, the Israeli security vendor CySource allegedly used a vulnerability (CVE-2021-22204) in ExifTool to deliver and execute malware using a DjVu file. CySource researchers claim that ExifTool is one of the tools VirusTotal uses to extract metadata from certain file types. DjVu is a graphics file format used for digitally scanned versions of books, manuals, ancient documents, and newspapers.

The vulnerability can enable a threat actor to achieve remote code execution (RCE) on unpatched sandboxing machines that run antivirus engines. According to Juha Saarinen, the CySource researchers embedded a malicious payload in the metadata of a DjVu file. When ExifTool opened the file, the payload allegedly executed with elevated privilege while going undetected by all of VirusTotal's antivirus engines.

Once the payload was installed, the researchers claim they used a reverse shell to access more than 50 internal network hosts at Google and its VirusTotal security vendor partners. Saarinen said this access was at elevated privilege levels across all compromised systems. 

According to John Leyden, Bernardo Quintero, VirusTotal's founder, asserts that CySource's distributed payload only ran on third-party scanning systems; it did not run on VirusTotal devices. He also states that VirusTotal does not use the vulnerable version of ExifTool.


Whether or not CySource researchers accomplished everything they claim, expert threat actors can bypass malware detection. Antimalware solutions have improved substantially over the years, but like any single safeguard, deploying an antimalware solution is not enough to protect the enterprise.

How Antimalware Works

To understand how threat actors bypass antivirus solutions, it is essential to know the three basic types of engines used to detect malware. Anusthika Jeyashankar describes these approaches to antimalware analysis as static, dynamic, and heuristic.

Static engines are the oldest and most straightforward approach to detecting malware. During a scan, they compare files against a database of known patterns or signatures. This works only if every malicious payload is already known and present in the database in use. As I describe later, threat actors can easily bypass this with polymorphism.

Dynamic engines improve on static analysis by assessing a file at runtime. Monitoring API calls is one approach to dynamic analysis. Another is running a sandbox separate from the operational memory to detect and analyze malicious payloads.

Antimalware vendors augmented static and dynamic analysis by developing heuristic engines. A heuristic engine looks at how running processes behave. It applies behavioral rules, often tuned to a baseline of normal operation. Many solutions also use machine learning and AI algorithms to improve and strengthen abnormal behavior detection.

Popular and effective antimalware solutions use all three engines, but threat actors can frequently bypass all of them.

How threat actors bypass antimalware defenses

Threat actors have developed tools, techniques, and procedures (TTP) to bypass antimalware engines. These TTPs enable five basic antimalware circumvention methods:

  • Obfuscation: This technique, also known as polymorphism, changes the malware payload so that static engines do not recognize it. It does not change the function of the malicious code.
  • Packing: A form of obfuscation that prevents static analysis by compressing or encrypting the payload. The resulting file consists of a new portable executable (PE) header, packed sections, and a decompression stub used to unpack or decrypt the original payload.
  • Process hollowing: Wesley Chai writes that process hollowing removes code from a normal executable and replaces it with malicious code. When the user or device executes the altered program as part of a regular operation, the malicious portion of the code executes first. In other words, the threat actor turns authorized code into a container that looks legitimate to antimalware scanners.
  • Inline hooking: A memory-resident technique that intercepts function calls within authorized processes and redirects them to malicious executable code already loaded in memory. A subset of this is API hooking. Irmik Parsons describes API hooking as a method of monitoring or changing information accessed via API calls.
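To make the static-engine and packing points above concrete, here is an added example (not code from the article, VirusTotal, or any vendor's engine) of a toy static scanner: a signature and hash match against a constructed, harmless sample, plus a byte-entropy check of the kind static heuristics use to flag packed content. Packing is simulated with plain zlib compression; the sample, the signature database, and the 6.0-bit threshold are all constructed for the demonstration.

```python
import hashlib
import math
import zlib

# Constructed, harmless stand-in for a known-bad file (not real malware).
SAMPLE = (b"CONSTRUCTED SAMPLE: this text stands in for a known malicious payload\n"
          + b"".join(b"record %d: value=%d\n" % (i, (i * 7919) % 1000) for i in range(2000)))

# A static engine's database: byte patterns and full-file hashes of known samples.
SIGNATURES = [b"stands in for a known malicious payload"]
KNOWN_HASHES = {hashlib.sha256(SAMPLE).hexdigest()}

def static_scan(data: bytes) -> bool:
    """Static engine: a hit only if the bytes or their hash are already in the database."""
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return True
    return any(sig in data for sig in SIGNATURES)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(b) for b in range(256)]  # occurrences of each byte value
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_heuristic(data: bytes, threshold: float = 6.0) -> bool:
    """Static heuristic: flag high-entropy content, typical of packed sections.
    The 6.0-bit threshold is a constructed value; real engines tune it per file region."""
    return shannon_entropy(data) > threshold

def pack(data: bytes) -> bytes:
    """Packing by compression: the zlib stream plays the role of the packed sections."""
    return zlib.compress(data, 9)

def unpack(data: bytes) -> bytes:
    """What the decompression stub does at runtime: restore the original payload."""
    return zlib.decompress(data)

def verdicts(data: bytes) -> dict:
    """Both engines' verdicts for one file."""
    return {"static": static_scan(data), "entropy": entropy_heuristic(data)}

if __name__ == "__main__":
    print("original:", verdicts(SAMPLE))        # signature hit, entropy normal
    print("packed:  ", verdicts(pack(SAMPLE)))  # signature miss, entropy flagged
```

The signature engine only ever sees the packed bytes, so its database entry for the original is useless until the stub runs; the entropy check is cheap but also fires on legitimately compressed or encrypted files, which is why it is a heuristic rather than a verdict.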

Beyond traditional malware scanning

Antimalware is just one of many safeguards in a defense-in-depth architecture. A layered approach is needed to protect endpoints and the data they process or store. The first step in creating a layered architecture is a change of perspective: antimalware will not stop every persistent threat.

As I explain in the video Communications and Network Security Part 19 – Defense in Depth, layers of defense begin with policies and other administrative safeguards that drive a controls framework. Organizations should base their framework on recommendations from security framework standards, such as the NIST Cybersecurity Framework or COBIT.

Controls in each layer support the controls in other layers; there are always gaps if only one layer is addressed. A one- or two-layer focus will usually result in higher-than-acceptable residual risk. An example of a one-layer focus is relying solely on antimalware as an endpoint defense.

Managing risk requires three activities across all layers: protection, detection, and response. Within the endpoint layer, these activities are provided by EDR (Endpoint Detection and Response). EDR analyzes both device and user behavior. When threat actors operate through compromised user accounts, their activity usually moves from the account's baseline into anomalous behavior patterns. Similarly, the behavior of a compromised device deviates from its baseline.
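As an added illustration of the baseline-versus-anomaly idea (constructed example code, not the article's or any EDR vendor's), this builds a per-user baseline of hosts and parent-child process pairs from sample process-creation events and reports new events that fall outside it; the event tuples, hostnames and process names are all constructed.

```python
from collections import defaultdict

# Constructed process-creation events (user, host, parent, child); not real telemetry.
BASELINE_EVENTS = [
    ("alice", "ws-01", "explorer.exe", "outlook.exe"),
    ("alice", "ws-01", "explorer.exe", "winword.exe"),
    ("alice", "ws-01", "outlook.exe", "winword.exe"),
    ("alice", "ws-01", "explorer.exe", "chrome.exe"),
    ("bob", "ws-02", "explorer.exe", "excel.exe"),
    ("bob", "ws-02", "explorer.exe", "teams.exe"),
] * 5  # repeated to stand in for several days of normal activity

NEW_EVENTS = [
    ("alice", "ws-01", "explorer.exe", "outlook.exe"),    # matches baseline
    ("alice", "ws-01", "winword.exe", "powershell.exe"),  # Office app spawning a shell
    ("alice", "ws-07", "explorer.exe", "outlook.exe"),    # first activity on a new host
    ("bob", "ws-02", "excel.exe", "cmd.exe"),             # new chain for this user
]

def build_baseline(events):
    """Per-user sets of observed hosts and parent->child process pairs."""
    hosts = defaultdict(set)
    pairs = defaultdict(set)
    for user, host, parent, child in events:
        hosts[user].add(host)
        pairs[user].add((parent, child))
    return hosts, pairs

def score_event(event, baseline):
    """Return the reasons an event deviates from baseline; empty list means normal."""
    hosts, pairs = baseline
    user, host, parent, child = event
    if user not in hosts:
        return ["unknown user %s" % user]
    reasons = []
    if host not in hosts[user]:
        reasons.append("new host %s for %s" % (host, user))
    if (parent, child) not in pairs[user]:
        reasons.append("new process chain %s -> %s for %s" % (parent, child, user))
    return reasons

def detect(new_events, baseline_events):
    """Events that deviate from the learned baseline, with their reasons."""
    baseline = build_baseline(baseline_events)
    scored = [(event, score_event(event, baseline)) for event in new_events]
    return [(event, reasons) for event, reasons in scored if reasons]

if __name__ == "__main__":
    for event, reasons in detect(NEW_EVENTS, BASELINE_EVENTS):
        print(event, "->", "; ".join(reasons))
```

A real EDR learns the baseline continuously and weights deviations (a new host is less alarming than an Office application spawning a shell), but the structure is the same: model normal, then alert on departures from it.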


EDR also includes creating and maintaining a complete inventory of endpoint devices. Organizations that allow endpoints to disappear from maintenance schedules increase the risk associated with a lack of patching, configuration reviews, and inclusion in monitoring activities.

In addition, EDR vendors provide threat intelligence that helps with continuous risk management activities. Without regular threat intelligence, device, system, and network hardening falls short and weakens malware infection protection, detection, and response.

Segmentation is part of the network-level defenses. A segmented network, governed by regularly tested and reviewed traffic controls, helps prevent the automatic spread of malware and keeps threat actors from using compromised systems to pivot to more sensitive targets. As I wrote in VLAN network segmentation and security, one way to do this is with VLANs.

Finally, organizations must document and practice incident response plans covering threat actor activities across the cyber attack chain. Effective response minimizes the negative business impact of inevitable malware infections.

Final thoughts

Antimalware is an essential safeguard for endpoint devices. However, it is only one control. A single control is never enough to protect classified and categorized data and systems.

Organizations must insert antimalware into a layered security framework in which controls in each layer support the safeguards across other layers. This approach, including an incident response program, helps minimize residual risk when implemented in an overall risk management process.  
