New polymorphic malware caught evading antivirus solutions to disrupt businesses

Researchers have discovered a new polymorphic malware variant which can evade detection by most antivirus solutions and which can easily be copied by hackers to launch fresh attacks on countries, businesses and individuals.

Since antivirus engines cannot detect every polymorphic malware, users can protect themselves by implementing layered security and by avoiding suspicious links.

Discovered by security researchers at Bromium, the new polymorphic malware is distinctive: unlike traditional malware, which uses different carriers to reach devices but keeps the same dropped payload, it repackages itself continuously and changes its secondary executables as well, thereby staying undetected even by advanced antivirus solutions.

‘Historically, malware writers simply change the packaging or wrapper when they distribute malware. For instance, it might be a PDF or Word document, but the dropped malicious file inside could be weeks old and, as such, known to AV. Now we see the secondary executable is changing as well, so the malware is not recognized by AV.

‘Worryingly, this shows that malware writers are really improving the standard of their engineering – that spells trouble for AV vendors, who will be forced into a whack-a-mole situation they can never win,’ said Matt Rowen, a software engineer at Bromium.

According to the firm, the Emotet banking trojan, which is the polymorphic malware in question, has its packed executables rewritten by its authors so well that at times, it appears like completely different software from what it was hours ago. Such morphing ability allows the malware to avoid signature-based anti-virus as well as package detection and static analysis.
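As an added example (not code from the article or from Bromium), the following Python models what the paragraph describes: the same unchanged core is wrapped in a fresh toy XOR layer on every build, which defeats a hash signature learned from the previous build but not inspection of the unpacked content, the kind of view an isolated sandbox or emulator gets. The XOR wrapper, the CORE bytes and the function names are constructed assumptions, not Emotet's real packer.

```python
import hashlib
import os

# Constructed stand-in for the core that stays the same across builds
# (for Emotet that is the banking-trojan payload); not real malware bytes.
CORE = b"CONSTRUCTED-CORE:banking-trojan-logic"

def repackage(core: bytes, rng=os.urandom) -> bytes:
    """Toy model of polymorphic packing: wrap the unchanged core in a
    fresh single-byte XOR layer plus random filler, so every build is a
    byte-for-byte different file. This is an illustrative assumption,
    not Emotet's actual packer."""
    key = rng(1)[0] or 1                     # key 0 would leave core in clear
    filler = rng(8)
    return b"STUB" + bytes([key]) + filler + bytes(b ^ key for b in core)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_detect(sample: bytes, known_hashes: set) -> bool:
    """Signature AV in miniature: flag only byte-identical known samples."""
    return sha256(sample) in known_hashes

def unpack(sample: bytes) -> bytes:
    """What an isolated sandbox or emulator observes once the stub has
    run: the core with the XOR layer stripped (layout: 4-byte tag,
    1-byte key, 8 bytes filler, encoded core)."""
    key = sample[4]
    return bytes(b ^ key for b in sample[13:])

def unpacked_detect(sample: bytes, known_core: bytes) -> bool:
    """Detection on the unpacked content, which repackaging cannot change
    without changing what the malware actually does."""
    return unpack(sample) == known_core

def compare(first_build: bytes, second_build: bytes) -> dict:
    """Learn a hash signature from the first build, then test both
    detectors against a second build of the same core."""
    known = {sha256(first_build)}
    return {
        "hashes_differ": sha256(first_build) != sha256(second_build),
        "signature_catches_rebuild": signature_detect(second_build, known),
        "unpacked_catches_rebuild": unpacked_detect(second_build, CORE),
    }

if __name__ == "__main__":
    print(compare(repackage(CORE), repackage(CORE)))
```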

What’s most worrying about polymorphic malware is that there are no sure ways to detect it before it starts infecting machines. Because it changes its form and takes new shapes, it stays beyond the reach of antivirus software which can only detect specific threats.

So while the same executable will probably not work twice, since antivirus makers quickly roll out updates once a sample is seen, attackers will still have the upper hand over anti-malware defences when launching first-time attacks. However, according to Fraser Kyne, EMEA CTO for Bromium, there are ways to contain and even destroy polymorphic malware.

‘Ultimately, AV protect-to-detect techniques are always going to be playing catch up. The only way to prevent this type of attack is to contain and isolate the application itself using virtualization. For example, opening email attachments or email links in isolated micro-VMs contains and controls malware. This way, even if an email does have malware, the hacker has nowhere to go, nothing to steal, and no way to persist on the machine,’ he says.

He also suggests that users implement layered security on their devices, turn off macros to control which applications can run, keep their devices updated with the latest security patches, and stay away from suspicious links that may carry polymorphic malware which antivirus solutions have not yet detected. In short, users must practise appropriate cyber hygiene and tread with caution while surfing the Internet.

Copyright Lyonsdown Limited 2021