Why are we consistently reading about businesses, educational institutions, government agencies and non-profit organisations falling victim to malware attacks, despite all the publicity and abundance of products offering solutions? Clearly something isn’t working.
With rich rewards on offer there is an incentive for malware writers to be innovative, yet we seem fixated on the traditional method for the detection of malware that relies on a combination of two approaches – both of which are flawed. The risks are so high, we tend to believe any failed incidents must be caused by inattention to these methods. But, we find such logic to be deceptively incorrect.
The first approach relies on some aspect of the malware being identified through a unique string within its code, i.e. its signature. This ‘blacklist’ approach requires the malware to have been previously identified, i.e. there are already one or more victims out there. Having identified an appropriate string within the malware code as a signature, this approach relies on the malware always containing this string in a form that can be located in a search.
Notwithstanding the issue of ‘zero day’ exploits, malware authors have adopted a number of techniques in order to hide their presence from scanning of filesystems and memory. The authors of malware are aided in some respects by their ability to upload their own artifacts to public sites like Virustotal and purchase other security tools in order to defeat detection through signature recognition.
Unfortunately, CPU instruction function testing is no more effective than signature checking and the use of simple base64 encoding, for which there is no guaranteed detection method and can be used to hide pivotal pieces of an attack. Yet, we seem reluctant to acknowledge these issues…Click here to read full article.
