By Ryan Sherstobitoff
September 16, 2008 07:30 PM EDT
As the malware threat landscape continues to evolve, hackers are continuously changing techniques to counteract detection technologies being developed by vendors. By using sophisticated methods to evade current antivirus technologies, hackers are relentless in their pursuit of damaging IT systems and oftentimes gaining access to sensitive information.
Several years ago, hackers used polymorphism and metamorphism as tactics to constantly generate new variants of worms. Essentially, through polymorphism, the virus would morph into different variations, successfully bypassing signature-based technologies. The antivirus industry responded to this threat by creating emulation technologies to counteract the new breed of virus. This emulation engine was designed to mimic the properties of the morphed virus so it could be detected by other means (signature and heuristics). However, the approach was dependent on the researcher's access to the polymorphic engine, and therefore the logic needed to be decoded before protection could be provided for specific mutations.

Figure 1 Polymorphic EPO virus
Many modern-day anti-virus solutions on the market include emulation to automatically detect polymorphic code, which allows detection through other means such as heuristics. Normally the results obtained from emulation feed into the overall heuristic analysis in an effort to provide proactive detection.
Subsequently, proactive technologies were developed (behavioral, heuristics) when worms began to self-replicate across networks and exploit zero-day vulnerabilities faster than a signature could be created. The idea was to provide protection without depending solely on reactive technologies, which were slow and clunky, and alternatively use innovative methods that predicted dangerous characteristics. By using a statistical probability model to calculate a file's potential for being damaging, heuristics really were the first stride in proactive detection. However, as malware has evolved, today's world bears witness to organized criminals who are creating new malware samples and have simply adapted to the technologies that vendors have developed over the years.
As the malware landscape has evolved, hackers are shifting their interests from fame to profit and will do anything for financial gain, including developing new and innovative ways to slip below the radar. An example of such out-of-the-box creativity shows up on financial sites. Hackers have found a way to create a custom HTML injection for financial sites that allows them to obtain private information without ever being discovered.
As we continue to map out the evolution of malware, several common themes appear in regards to stealth and camouflage techniques. These include:
- Custom run-time packers
- Server-side polymorphism
- Virtual machine/sandbox detection
In the lab, we have discovered that approximately 90 percent of all malware uses some form of packers, indicating that they are becoming increasingly customized. Packers are used because compressing the code prevents AV analysts from easily decoding the sample, therefore increasing reaction time dramatically. AV vendors are constantly evolving generic unpacking routines (techniques that decompress the file and reveal the malware) in order to combat the rise of packers.
We have also found the emergence of server-side polymorphism or "Crimeware-as-a-Service (CaaS)" as described by the industry, in which the polymorphic engine does not reside within the virus code, but rather remotely on a server. There are two forms of server-side polymorphism that we know of today: the type that distributes mutated variations of malware into the wild in volume, and the type that incorporates PCs as part of a botnet in which specific bot variants can be mutated remotely via a command over HTTP.
This is called crimeware-as-a-service because the actual viral code does not reside on the host, but rather in the cloud, similar to a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.
This methodology has proven to be quite effective and difficult to counteract when it comes to the traditional anti-malware model. Server-side polymorphism is hard to detect because the transformation function (the routines used to change the signature of the code) is not visible to the virus analyst. The actual algorithms or techniques involved in this process cannot be studied to the degree necessary to create an effective vaccination. Botnet communication is often encrypted to protect the identity of the command and control server responsible for the mutated malware. Attacks using server-side polymorphism often succeed in infecting their target while flying under the radar.
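The two points above (packed samples are the norm, and server-side mutation defeats per-sample signatures) can be seen together in a small defender-side check. This is an added example, not code from the article or from Panda Security: it constructs a plain sample and two "mutated" variants of a packed one, shows that a whole-file hash differs between the variants, and applies a per-section Shannon entropy heuristic that flags both. The section layout, the 7.0 bits-per-byte threshold, and all sample bytes are constructed assumptions.

```python
"""Entropy heuristic for spotting packed/encrypted sections (constructed demo)."""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sections(sections, threshold=PACKED_THRESHOLD):
    """Map section name -> (entropy, flagged) for a dict of section bytes."""
    result = {}
    for name, blob in sections.items():
        ent = shannon_entropy(blob)
        result[name] = (ent, ent >= threshold)
    return result


def looks_packed(sections, threshold=PACKED_THRESHOLD) -> bool:
    """Heuristic verdict: any section whose entropy reaches the threshold."""
    return any(flag for _, flag in classify_sections(sections, threshold).values())


def file_hash(sections) -> str:
    """Whole-file SHA-256: the kind of signature a single mutation defeats."""
    h = hashlib.sha256()
    for name in sorted(sections):
        h.update(sections[name])
    return h.hexdigest()


def pseudo_packed_blob(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for a packed payload (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed samples: an unpacked build and two server-side "mutations" of a packed one.
PLAIN_SAMPLE = {".text": b"push ebp; mov ebp, esp; sub esp, 0x40; call init; leave; ret\n" * 64,
                ".data": b"\x00" * 512 + b"config=1\n" * 32}
STUB = b"\x90" * 256 + b"\xe8\x00\x00\x00"  # tiny unpacking stub, identical in both variants
VARIANT_A = {".text": STUB, ".packed": pseudo_packed_blob(b"variant-a")}
VARIANT_B = {".text": STUB, ".packed": pseudo_packed_blob(b"variant-b")}
```

Run `classify_sections` on each sample to see the per-section entropies; `file_hash(VARIANT_A)` and `file_hash(VARIANT_B)` differ while `looks_packed` is true for both.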
Currently, the most effective option for stopping server-side polymorphism is the use of host-based intrusion-prevention technologies, better known as HIPS. HIPS are designed to secure individual hosts, so that intrusions and infections are dealt with at each workstation. They are widely regarded by security experts as a more effective safeguard against malware. HIPS solutions implement multiple layers of inspection ranging from the network stack to the application layer, using proactive technologies (heuristics, behavioral analysis, behavioral blocking, etc.) to provide a holistic view of the threat at hand.
In choosing not to take a holistic approach to end-point security, corporations continue to risk making themselves a target for stealth tactics like those discussed here. The good news is that there are effective ways of fighting back, stopping hackers, and preventing the onslaught of malware. By taking the necessary steps to improve the security of your network you can rest assured that your valued information and assets will remain protected.
Copyright © 2008 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
Ryan Sherstobitoff is the Chief Corporate Evangelist at Panda Security USA (www.pandasecurity.com). He is widely recognized as a security expert throughout the country and lectures audiences across the U.S. on cybercrime trends as well as corporate risk assessments. He can be reached at ryans@us.pandasecurity.com or through the PandaLabs blog at http://pandalabs.pandasecurity.com/.