Researchers have discovered a new polymorphic malware variant that evades detection by most antivirus solutions and whose technique can easily be copied by other attackers to launch fresh attacks on countries, businesses and individuals.
Since antivirus engines cannot detect every polymorphic malware sample, users can protect themselves by implementing layered security and by avoiding suspicious links.
Discovered by security researchers at Bromium, the new polymorphic malware differs from traditional malware, which uses different host files or wrappers to infiltrate devices while the dropped payload keeps the same identity: it repackages itself continuously and changes the secondary (dropped) executable as well, so that even advanced antivirus solutions fail to detect it.
‘Historically, malware writers simply change the packaging or wrapper when they distribute malware. For instance, it might be a PDF or Word document, but the dropped malicious file inside could be weeks old and, as such, known to AV. Now we see the secondary executable is changing as well, so the malware is not recognized by AV.
‘Worryingly, this shows that malware writers are really improving the standard of their engineering – that spells trouble for AV vendors, who will be forced into a whack-a-mole situation they can never win,’ said Matt Rowen, a software engineer at Bromium.
According to the firm, the Emotet banking trojan, which is the polymorphic malware in question, has its packed executables rewritten by its authors so thoroughly that a sample can look like completely different software from the one seen hours earlier. This morphing lets the malware evade signature-based antivirus as well as packer detection and static analysis.
What is most worrying about polymorphic malware is that there is no reliable way to detect it before it starts infecting machines. Because it keeps changing its form, it stays beyond the reach of signature-based antivirus software, which can only match threats it already knows.
So while the same executable will probably not work twice, because antivirus vendors quickly roll out new detections, attackers keep the upper hand over anti-malware tools when launching first-time attacks. However, according to Fraser Kyne, EMEA CTO for Bromium, there are ways to contain and even destroy polymorphic malware.
‘Ultimately, AV protect-to-detect techniques are always going to be playing catch up. The only way to prevent this type of attack is to contain and isolate the application itself using virtualization. For example, opening email attachments or email links in isolated micro-VMs contains and controls malware. This way, even if an email does have malware, the hacker has nowhere to go, nothing to steal, and no way to persist on the machine,’ he says.
He also recommends that users implement layered security on their devices, disable macros to control which applications can run, keep their devices updated with the latest security patches, and avoid suspicious links that may carry polymorphic malware their antivirus solution has not yet detected. In short, users must practice appropriate cyber hygiene and tread carefully while browsing the Internet.