The future of malware and antivirus is set to be an interesting battleground. Malware is constantly evolving, forcing antivirus developers to maintain pace. But the futuristic visions of automated machine-learning anti-hacking systems is much closer than you think.
In fact, the future is here.
It’s arriving just in time, too. A new spate of fileless malware is infecting government institutions, businesses, and banks around the globe. Fileless malware is essentially invisible. Once the sole remit of nation-state threat actors, it is now entering the mainstream.
The malware is sufficiently advanced that regular users like you and I don’t have to worry about it. At least, for the time being. Nonetheless, there is a clear picture of what security needs in the coming years.
Machine Learning Antivirus
British cyber-security company Darktrace’s Antigena is a machine-learning anti-hacking system automation tool. In layman’s terms, it is antivirus software that learns when exposed to new data. In this case, Antigena is used to hunt for odd behavioral patterns on corporate systems. Some attacks are easier to spot than others.
Antigena spotted unusual behavior at one company after the U.K. voted to leave the European Union. An employee, disgruntled at their employer’s Brexit (a portmanteau of “Britain” and “Exit”) strategy, attempted to leak confidential documents. Antigena tracks the threat, but also automates the response.
The machine-learning system represents another step-forward for Darktrace. The system genuinely learns, though some attacks are easier to stop than others. For instance, a ransomware attack “looks like a bomb going off” while an insider attack is much subtler.
The major difference is response time. Antigena notices an attack in the very early stages of infection, preventing a ransomware attack from encrypting files. “We start interrupting those types of attacks,” explains Dave Palmer, DarkTrace’s director of technology. By the time a human, or even a traditional endpoint security suite has responded, it is too late.
Behavioral Cyber Defense
The machine-learning antivirus solution isn’t unheralded. Home users’ antivirus products now make regular use of heuristic scanning. Instead of scanning for specific file signatures, the heuristic approach analyzes suspicious characteristics and behavioral patterns. Heuristic analysis main purpose is to head off an attack before it begins, comparable to Antigena.
Advanced machine-learning solutions like Antigena aren’t likely to hit home computers for a long time. It is simply too complicated and too powerful. The mathematical principle and advanced environment scanning is already filtering through, forcing home antivirus providers to rethink their development strategies.
This is driving progressive, automated, security design.
What Is Fileless Malware?
What else is driving progressive antivirus design?
Fileless malware is a relatively new but unconventional attack vector. A fileless malware infection exists only in the system RAM or kernel, rather than relying on direct installation to a system hard drive. Fileless malware leverages a range of infiltration tactics to penetrate a system while remaining completely undetected. Here is one example of how an attack works:
- A user visits a website using their browser, coerced via a spam message.
- Flash is loaded.
- Flash calls and uses PowerShell to insert memory-based commands.
- PowerShell silently connects to a command and control (C2) server to download a malicious PowerShell script.
- The script finds sensitive data and returns it to the attacker.
There are no files downloaded throughout the entire process. The level of stealth on display is impressive. Terrifying, but impressive.
The fileless attack leaves no trace, unless the attackers are careless — read our next section — or want you to find the file, like a calling card.
Furthermore, fileless malware grants a precious resource to attackers: time. With time on their side, attackers deploy sophisticated, multilayered exploits against high-value targets.
Russian ATM Scam
Do you ever find yourself dreaming about money pouring out of the ATM just as you walk by? Well, a team of Russian hackers did just that, liberating $800,000 from at least eight ATMs. It looks extremely simple.
A man walks up to an ATM. The ATM dispenses a wad of cash. The man walks away, presumably happy with his newfound wealth. Forcing an ATM to dispense cash on demand isn’t a new trick. However, the almost paperless-trail method used is.
Kaspersky Labs reported that the attackers left behind a single log file, giving researchers a vital clue in their investigation.
“Based on the contents of the log file they were able to create a YARA rule — YARA is a malware research tool; basically, they made a search request for public malware repositories. They used it to try to find the original malware sample, and after a day the search yielded some results: a DLL called tv.dll, which by that time had been spotted in the wild twice, once in Russia and once in Kazakhstan. That was enough to begin untangling the knot.”
The attackers had installed a backdoor in the bank security. Then, they installed malware on the ATM from within the bank’s infrastructure. The malware looks like a legitimate update and fails to trigger any warnings. The attackers run a remote command that first asks how much cash is in the machine, followed by a trigger to dispense.
— Mustafa AFYONLUOGLU (@afyonluoglu) April 11, 2017
The money dispenses. The hacker walks away richer. At the same time, the malware begins the cleanup operation, deleting any executables and scrubbing any changes made to the ATM.
Protecting Against Fileless Malware
When fileless malware first surfaced, it made the target system run very slowly. Early examples were inefficiently coded. As such, they were easier to spot because the target system would grind to a halt. Of course, this didn’t last for long, and a fileless malware infection is incredibly difficult mitigate. However, it isn’t impossible.
- Update. Keep everything updated, all the time. Security updates are critical. Vulnerabilities are found and patched. According to US-CERT, “85 percent of targeted attacks are preventable” with regular patching.
- Education. Fileless malware will arrive through an infected site or phishing email. Brush up on how to spot a phishing email among the spam-noise.
- Antivirus. Rumors of antivirus’ demise have been greatly exaggerated. An up-to-date antivirus might block communication with the command and control server, stopping a fileless malware infection downloading its scripted payload.
The single biggest takeaway is keeping your system updated. Sure, there are zero-day vulnerabilities. But despite their taking the headlines, they’re still the exception — not the rule.
Steaming Into the Future
Enterprise antivirus solutions are already considering how the future of malware will look. Advances made will filter through to consumer products that protect you and I. Unfortunately, this process is sometimes slow, but a significant shift toward behavioral-based antivirus is underway.
Fileless attacks, so hot right now. pic.twitter.com/ovmjS2Gdac
— Malware Unicorn (@malwareunicorn) April 4, 2017
Similarly, fileless malware is making its way into the mainstream, but is still a specialized “tool” in the hacker handbook. As such fileless malware has only been used against high-value targets but, rest assured, malevolent hackers will ensure it winds up on our computers.
Malware is constantly evolving. Do you think our antivirus products do enough to protect us? Or should the onus be on user education? Let us know your thoughts below!
Image Credits: ktsdesign/Shutterstock