Threat metamorphosis adds a whole new dimension to malicious malware.
It’s an understatement to say that today’s cyber adversaries and cyber threats are reaching unparalleled levels of sophistication. Malevolent entries and their creators have, and will continue to, devise über-complex malware that will seem to take on an intelligence of its own. In fact, artificially intelligent malware is coming to a system near you.
The ability of threats to morph, on the fly and in real time, will raise some interesting issues as more and more objects become autonomous, especially in the Internet of things/Everything (IoT/E). There is a new level of threat, being developed by intelligent and driven super coders working together to find ways to compromise systems – from the government on down. These are individuals and groups that see potentially enormous gains from hacking into all types of systems.
For those outside of the industry, trying to convince them that the nature of the cyber-threat beast is much worse than they think is can be a hard sell. Many end users have no idea how sophisticated cyber threats have become, and in the face of the Internet of Things/Everything (IoT/E), this looms as a real problem for the cyber guards. Education is half the battle. To wrap a company in a threat security blanket requires a lot of resources.
“The best defense is a multi-layered defense, combining different technologies, with distinct purposes, and observing all of your environment using competent analytics and monitoring tools,” said Rui Serra, product manager at Anubis Networks.
Such defenses are complex and resource-draining. But organizations are coming around to the fact the cost of defense, is much less than the cost of damage control.
One of, if not the, most threatening technology to get a handle on is threat morphing – malware that morphs constantly. Metamorphic viruses change the appearance of the code while keeping the functionality of virus intact. Metamorphic viruses use several code obfuscation techniques including Instruction reordering, data reordering, subroutine inlining, subroutine outlining, register renaming, code permutation, instruction substitution, and garbage code insertion. Fig. 1 shows the distinct signatures of the metamorphic viruses.
That means a static defense is useless because by the time the threat is identified, attempted countermeasures or neutralization of the discovered form generally will be ineffective. The malware already will have assumed a different form. The only strong defense is for the countermeasures to be able to “morph” with the threat and anticipate its next form. This is one critical component of threat analysis.
There are generally two types of metamorphic forms that malware comes in; Polymorphic and metamorphic. Polymorphic malware uses a polymorphic engine to mutate but keeps the original algorithm unchanged. Essentially, it changes its binary code each time it infects a new file by creating usable, slightly modified, copies of itself. This type of malware has a different pattern with each morph so it is extremely difficult to discover under normal methods.
A typically, polymorphic code would have an encrypted virus program body (EVB) and a virus decryption routine (VDR). When an infected application launches, the VDR decrypts the EVB back to its original form and the code will run as written. Once it has run, the virus is re-encrypted and added to another vulnerable host application. Because the virus body is not altered, and contains some static code, it has some identifiable components.
Metamorphic malware is rewritten with each iteration, such that each succeeding version of the code is different from the preceding one. In spite of the permanent changes to code, each iteration of metamorphic malware functions the same way. The longer the malware stays in a system, the more iterations it produces, and the more sophisticated the iterations become.
Metamorphic code is more complex and difficult to create. Metamorphic code is capable of changing both its code and signature patterns and often uses multiple transformation techniques that including code permutation and expansion, code shrinking and garbage code insertion, and register renaming. Essentially, it creates some variant of its own code under some type explication. Such malware requires much more sophisticated techniques, such as negative heuristic analysis, emulation, and access to virtualization technologies for detection – all components of the threat analysis toolbox.
Derailing morphing code
There have been some very cutting-edge technologies developed of late that raise the bar against morphing and APT threats, and they are, indeed, impressive. One such system from Raytheon that the U.S. Army is trying out, is a shape-shifting algorithm called Morphinator (acronymic for Morphing Network Assets to Restrict Adversarial Reconnaissance). It takes a page from the malevolent morphing codes with some very forward thinking methodologies. For example, according to information published in AFCEA’s Signal Magazine, Morphinator can dynamically modify aspects and configurations of networks, hosts, and applications in a manner that is undetectable and unpredictable by an adversary, but still manageable for network administrators (called cyber maneuvering).
The initial prototype will focus on IP address and application port hopping, much like spread spectrum uses frequency hopping to thwart radio eavesdropping. For example, an IP address assigned to a Windows machine could be switched to a Linux machine, and vice versa, in an ongoing, random pattern. Likewise, applications would randomly switch ports to keep attackers guessing.
A second new-age approach is intelligent data manipulations developed by a company called Azos AI called CogDat, which stands for cognitive data capability that creates intelligent, “self-aware” data. CogDat can “sense” its situation and autonomously take actions for self-protection — including self-destruction. This method embeds self-protection and intelligence inside the data itself. For example, if CogDat data detects it has been stolen, it can autonomously harvest information about its current environment and send it back to a designated authority and then self-destruct. The catch is that target data must be saved in the CogDat data format. It also offers protection to data in-use. It dynamically controls computer processes while sensitive data is exposed.
So progress is being made. However, sleeping on the job is still not a good idea. A short nap can leave you at the mercy of one of those zero-hour scenarios in a heartbeat.
Implications for the semiconductor industry
One might think this is all on the virtual platform, but that is not the case. As it turns out, intellectual property is high on the hit list for cyber thieves. According to Adam Vincent, CEO of Cyber Squared, about four years ago hackers in China were targeting small and medium-size businesses on the high-tech front — very highly innovative smart energy projects. Unfortunately, these small businesses had very little defense to stop the IP theft. Vincent describes it as akin to “trying to keep the Navy SEALS from entering your house if they want to. Maybe Lockheed or Boeing has the resources to deter such cyber intrusions, but startups and such do not.”
So Vincent and his contemporaries developed what is today called threat connect “The technology is built on the premise that everyone has a piece of the puzzle, but until you put the pieces together, one would not see the whole picture it represents,” he said. “The technology merges what everyone knows about the threat, at the security level, so one can make better decisions to thwart it.”
This works on the data and IP that semiconductor companies have in-house. But what about the hardware itself? There is some talk that threat intelligent algorithms can be put into IP, and integrated into ASICs, FPGAs and other ICs. At present, however, it is still in the conceptual stages. And there are good reasons for that.
“At the microprocessor level, one has to think about how to apply algorithms that use threat intelligence,” Vincent said. “While it is theoretically possible to apply threat intelligence at the µpc level, it isn’t really possible to the degree required for it to be effective quite yet, for several reasons.
One of the major challenges is that threat intelligence is a constantly evolving discipline against a constantly evolving enemy. It is not like writing algorithms that can spot and derail malwares that behave in a certain manner, then putting those into an IP block to integrate into the chip’s fabric. With morphing code, the anti-malware IP code would have to be self-aware and evolve to challenge ever iteration of the threat. So far, there is no evidence this kind of microprocessor IP block exists.
There is hope on the horizon, however. A work-around is being developed that places an “appliance” in harm’s way. “There are available high-speed hardware-based appliances that are configured to look for things that the organization is creating within that aggregate analysis lifecycle of threat intelligence,” Vincent said. So as the intelligence realizes that a particular technique is being applied that is instituting malware or trying to exercise command and control, high-speed hardware kicks in and begins to look for patterns, both known and probable.
The question still remains whether there will there be some sort of appliance that will function, or be integrated at the µpc level. It is likely that over time hardware will allow for this kind of deep scrutiny of I/O data, but performance has to be fast enough to not slow down a system.
Threat intelligence is a fairly new and complex area that is very fluid. The overall concept is straightforward – take all the threats that exist, and the ones that will exist, analyze the data from all possible sources, and create a machine that can tell the future. In effect, threat intelligence is trying to predict the future with a constantly updating past. It stacks the odds in its favor by doing the best due diligence it can, but still, it is doing the best educated guessing it can.
Roberto Martinez, security researcher at Kaspersky Lab, sums it up this way: “One of the key elements in threat intelligence is the knowledge of the actors and adversaries who may have some interest or motivation towards various organizations. These are not all the same type of adversary, and can differ for a financial company, an energy company, governments, or private companies. Having a deep well of knowledge allows you to create strategies and make decisions that are more appropriate and effective, resulting in a better defense and protection.”
As with any emerging and evolving technology, some things work better than others. Threat intelligence works better on static data than dynamic, although progress is being made in that arena. It also works better for some types of data than others, IP for example.
The one thing that is painfully clear, however, is that the complexity of threats are growing by orders of magnitude, as is the sophistication of the perpetrators. There really isn’t any other way for malware to be dealt with, other than intelligently. Going forward, intelligent threat assessment, containment, and neutralization isn’t one of the ways – it is the only way.