Signature antivirus’ dirty little secret

If you rely only on traditional, signature-based antivirus, you are going to get infected—and probably a lot! Antivirus was, and still is, a valuable addition to your layered security strategy, but only if you understand its limitations, which have become more and more prominent over time.

What’s wrong with signature-based AV?
You probably know signature-based antimalware solutions work by recognizing patterns in known files. If a human or automated system identifies a particular file as malicious, it’s relatively easy to find some pattern that uniquely identifies that specific file, whether it be a file checksum (hash), a binary pattern, or even a more complex algorithm that looks for multiple “signs” or patterns. However, this detection methodology suffers from two issues (which even its inventors realized years ago).

1. Signatures only help after you know something’s malware – Signatures are reactive. They’re great at the prevention part, but worthless for initial detection; you can’t write them until after you’ve discovered something bad. This means unless the signature writer (AV company) identifies malware before anyone else, some initial victims will get infected.
2. Bad guys can obfuscate executables almost endlessly – Some might think a particular executable program always looks the same on a binary level (barring its creator changing something and recompiling). However, the truth is you can repack and obfuscate the same executable using many different techniques. In the underground world, black hats refer to this as packing and crypting. Without going into technical specifics, they essentially jumble up an executable on a binary level, so it looks different and even has a different checksum, but still runs. The malware does the exact same thing, but its old signature no longer catches it.

These problems are not new. Researchers, and antivirus experts have known about them for decades. However, these weaknesses have become much more prevalent over time. Here’s why.

What’s AV’s dirty little secret?
First, threat actors, and their motives and methods, have changed over time. When AV was born, you could basically categorize black hats into two profiles—script kiddies and unorganized cyber criminals. For the most part, these types of attackers didn’t customize malware or target attacks. They were indiscriminate in their victims, spamming as many folks as they could or designing malware that would mass scan the Internet and infect any victim opportunistically. This was good news for legacy AV since the malware associated with these attacks quickly hit the threshold necessary for AV companies to notice it and write a signature.

However, now that organized criminals have entered the fray, and now customize malware for specific targets (such as Point-of-Sale malware), today’s threat do not wildly spread and touch as many victims quickly. This means it takes much longer for new malware to hit the threshold where AV companies might notice and analyze it. In short, signature-based AV has always had a vulnerability window—a period of time before protection gets implemented—but that window is getting wider and wider as attackers get smarter about limiting their malware.

Second, and more importantly, today’s malware has become much more evasive. Packing and crypting, and other AV evasion techniques, have existed for quite awhile. In fact, I think security researchers discovered many of the techniques before the bad guys did. However, these techniques are technically hard. You have to understand a lot about programming, executable standards, and assembly in order to obfuscate an executable program without actually “breaking” it. Year ago, this relegated these tricks to the most sophisticated attackers.

However, criminals are nothing, if not opportunistic. If researchers release new proof-of-concepts, or other attackers use cool new techniques, smart criminals will quickly copy and adopt them. Worse yet, malware-as-a-service (MaaS) has taken off lately. Advanced hackers now create and sell tools that essentially give an “easy button” to less sophisticated criminals. Today, you can find many packers and cryptors on the underground that allow the least savvy attacker to get his malware past many AV products, even if it was previously recognized before. It’s gotten so bad that many of the malicious servers distributing malware automatically repack their payloads regularly.

This packing and crypting or evasion problem is the primary reason signature-based AV is no longer very effective—it’s the dirty little secret.

Have you ever noticed how many variants of the same malware you see nowadays? An AV vendor might list a new threat called Bad32; and a few hours later they have Bad32.b; before you know it they’re up to Bad32.azytd12d. This isn’t necessarily because Bad32 has changed much, but is often because the attackers are repacking it.

The latest malware growth trends also help illustrate the problem. For example, AV-Test reported that there were over 140M new malware variants in 2014. Do you really think attackers wrote that many unique trojans, worms, etc.? No way! Rather, they constantly repackage the same threat over and over, so it can continually evade signature-based AV. How big is the AV efficacy problem? Well, according to Damballa, AV misses 70 percent of new malware during the first hour after its submission (and remember submission to AV vendors is different than its actual release into the wild).

What can I do to catch evasion malware?
After hearing legacy AV is that bad, you may wonder what you can do. Behavioral malware detection, sometimes called next generation sandboxing, is the solution.

Although it’s become pretty easy for bad guys to obfuscate their malware files, it’s much harder for them to obscure their malware’s behavior. If you can run or open a suspicious file in an emulated or virtualized environment (often called a sandbox) you can see what it does and decide whether or not it’s bad right away. This is pretty much what human analysts did in the past; only today we can automate the process and do it close to real-time.

Behavioral analysis is not a new idea, but it too poses weaknesses or disadvantages.

For example, it takes a lot of computing resource to run a suspicious file in a virtual environment and analyze its code. In fact, the more complete you emulate a victim system, the more this sort of analysis costs. On the flip, the less complete you emulate a real system, the less effective the behavioral analysis becomes. On top of that, legitimate programs sometimes do similar things to malicious ones. This could lead to false positives, or good files that are blocked as malware.

However, unlike signature-based AV, the weaknesses with behavioral detection become less prevalent over time. Moore’s law steadily increases our processing capabilities, and virtualization technologies have become more robust, making sandboxing much faster than it was years before. Furthermore, the breadth of malicious behaviors we recognize today has grown significantly, allowing us to fine-tune behavioral detection and lessen false positives.

In short, advanced malware protection has moved from the realm of the experimental and into the reach of even the smallest business.

If you want to block today’s malware, adopt advanced threat protection
In summary, signature-based AV can’t keep up and fails to catch the latest malware on a regular basis. Behavioral or heuristics-based malware detection helps, but basic implementations found in host-based solutions are only partially effective. If you really want to protect your organization from today’s highly-evasion, constantly morphing threats, I highly recommend you add an advanced malware detection or next-generation sandbox solution to your existing layers of defense.