Malware discoveries transpire as often as we can say the word “malware.” In 2014, more than 317 million pieces of malware were created, nearly a million a day. It’s safe to say we are not strangers to malware infection, and the expectation for security technology to protect us is low.
But when one malware discovery comes along that completely turns the industry on its head, you have to stop and think: What could we have done differently to protect ourselves? This was the case with the Rombertik self-destructing spyware discovered by Cisco threat researchers this month.
Cisco Threat Blog published information on the Rombertik malware, which takes a fair number of steps to evade sandboxes set up by many enterprises, but goes even further to disrupt reverse-engineering and analysis by malware experts. Fundamentally, the Rombertik malware follows the well-trodden exploitation life cycle:
- Find a site that’s running vulnerable services (WordPress, Drupal, etc.)
- Hack that site to serve up malware
- Send phishing emails to unsuspecting users tricking them to click on links
- Install a key logger in the browser to gather credentials
- Profit from data gathered from hacked devices
What’s really notable about Rombertik is the extent of the sandbox-evasion, anti-debugging and anti-analysis mechanisms built into it. Features of this self-aware malware include 8,000 useless and unused functions making up 97 percent of the packed binary, a false data generator to overwhelm analysis tools, multiple ways to detect a sandbox and exit early, complex overlapping function calls, and self-destruct mechanisms that render the infected machine useless by wiping out the disk’s Master Boot Record.
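The junk-function padding described above is something an analyst can measure rather than eyeball. The following is an added example (not code from this post, from Cisco, or from any Rombertik analysis) of the static check a reverse engineer would run: walk the call graph from the entry point and compute what fraction of the defined functions can never execute. The call graph, the `junk_*` names, and the 50 percent cutoff are constructed assumptions for illustration; a real workflow would load the graph exported by a disassembler.

```python
from collections import deque

# Constructed call graph (function name -> set of callees). It is hand-made for
# this example and not extracted from Rombertik or any other real sample.
CALL_GRAPH = {
    "entry": {"check_sandbox", "decrypt_stage2"},
    "check_sandbox": {"exit_early", "decrypt_stage2"},
    "decrypt_stage2": {"run_payload"},
    "run_payload": {"hook_browser", "WriteFile"},   # WriteFile: imported, not defined here
    "hook_browser": set(),
    "exit_early": set(),
}

# Padding: 30 functions that only call each other in a ring and are never
# reached from the entry point. The ring also exercises cycle handling.
for i in range(30):
    CALL_GRAPH[f"junk_{i}"] = {f"junk_{(i + 1) % 30}"}


def reachable_functions(graph, entry):
    """Breadth-first walk from `entry`; the `seen` set stops cycles from looping."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    # Only count functions defined in the binary, not imported names.
    return seen & set(graph)


def dead_code_ratio(graph, entry="entry"):
    """Fraction of defined functions that can never execute from `entry`."""
    if entry not in graph:
        raise ValueError(f"entry point {entry!r} not in call graph")
    live = reachable_functions(graph, entry)
    return (len(graph) - len(live)) / len(graph)


def junk_verdict(graph, entry="entry", threshold=0.5):
    """Flag the sample when dead code exceeds `threshold` (an assumed cutoff);
    also return the dead functions so an analyst can confirm by hand."""
    ratio = dead_code_ratio(graph, entry)
    dead = sorted(set(graph) - reachable_functions(graph, entry))
    return {"dead_ratio": round(ratio, 3), "suspicious": ratio > threshold, "dead": dead}


if __name__ == "__main__":
    verdict = junk_verdict(CALL_GRAPH)
    print(f"dead code: {verdict['dead_ratio']:.1%}, suspicious: {verdict['suspicious']}")
```

On this constructed graph 30 of 36 functions are unreachable, so the sample is flagged; a packed binary in which 97 percent of functions are never called would score far above any sensible cutoff. The ratio is a triage signal, not proof: compilers also leave dead code behind, which is why the function returns the dead set for a human to look at.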
To protect against this type of malware, enterprises have traditionally relied on security products that try to determine whether websites, files and applications are good or bad. Every time defenses evolve to get smarter about finding malicious content, the malware evolves too, in a never-ending arms race. Simple anti-virus and intrusion detection signatures have evolved into behavioral analysis and sandboxing products, in which content is held temporarily, executed, and observed for signs of malicious activity. This was effective at first, but attackers quickly realized, among other things, that sandboxes have just a few seconds to assess and categorize Web and email content before users complain of delays. So modern malware uses techniques like delayed execution and manual triggers to circumvent sandbox solutions. The Rombertik malware easily evaded most sandboxes, going completely undetected. The unusual part of this malware is the extent to which it went to stay undetected: it self-destructed if it found itself in a sandbox or under a debugger.
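The few-seconds observation window is the crux of the delayed-execution problem, and it is easiest to see on a trace. The code below is an added example, not something from this post or from any sandbox vendor: it scores a constructed API-call trace the way a behavioral sandbox would, first with a fixed time budget and then with sleep skipping (the sandbox makes `Sleep` return immediately and rebases the clock), which is the standard defender-side answer to a sample that idles before acting. The trace, the indicator list, the 30-second sleep cutoff and the 203.0.113.10 address are all constructed assumptions.

```python
# Constructed API-call trace: (elapsed wall-clock ms, API name, argument).
# Hand-made for this example; not captured from Rombertik or any real sample.
TRACE = [
    (0,       "CreateFile",       "C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe"),
    (5,       "Sleep",            120_000),             # two minutes of doing nothing
    (120_010, "GetComputerName",  ""),
    (120_020, "InternetConnect",  "203.0.113.10:80"),   # documentation-range address
    (120_030, "SetWindowsHookEx", "WH_KEYBOARD_LL"),    # keyboard hook, keylogger-style
]

# Behaviours the scorer treats as strong indicators (assumed list for the example).
STRONG_INDICATORS = {"SetWindowsHookEx", "InternetConnect"}
LONG_SLEEP_MS = 30_000   # a sleep this long inside a sandbox is itself a warning sign


def collapse_sleeps(trace):
    """Rewrite timestamps as if every Sleep returned immediately, which is the
    sleep-skipping trick sandboxes use against delayed execution."""
    skipped = 0
    out = []
    for t, api, arg in trace:
        out.append((t - skipped, api, arg))
        if api == "Sleep":
            skipped += int(arg)
    return out


def analyse(trace, budget_ms, skip_sleeps=False):
    """Return what a sandbox with `budget_ms` of observation time would conclude."""
    if skip_sleeps:
        trace = collapse_sleeps(trace)
    observed = [ev for ev in trace if ev[0] <= budget_ms]
    hits = sorted({api for _, api, _ in observed if api in STRONG_INDICATORS})
    long_sleep = any(api == "Sleep" and int(arg) >= LONG_SLEEP_MS
                     for _, api, arg in observed)
    return {
        "observed_events": len(observed),
        "strong_indicators": hits,
        "long_sleep": long_sleep,      # worth flagging even when nothing else fires
        "malicious": bool(hits),
    }


if __name__ == "__main__":
    budget = 5_000   # a few seconds, as the text describes
    print("fixed budget:   ", analyse(TRACE, budget))
    print("sleep skipping: ", analyse(TRACE, budget, skip_sleeps=True))
```

With the plain five-second budget the sandbox sees only a file write and a sleep and returns a clean verdict; with sleep skipping the same budget covers the network connection and the keyboard hook. The `long_sleep` flag is the caveat worth keeping: a sample that does nothing but sleep for two minutes is already telling you something, and samples that wait on a manual trigger rather than a timer will not be rescued by skipping sleeps at all.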
At the end of the day, sandboxes are just a newer form of signatures. Instead of pattern matching on the content, the pattern is applied to the behavior and execution of the malware. However, this way of securing your network also has holes. The sandbox needs to recognize the malware binary in order to prevent infection. With BYOD and IoT taking the main stage in most enterprises, a sandbox sitting inside the host network will never see malware that arrives outside of it (i.e., when users work from home or in a coffee shop), leaving enterprises with significant holes in their security posture.
It’s a scenario that we’ve seen as an industry time and time again — none of the existing security solutions have been able to protect enterprise users from malware infection. We’ve thrown signatures, sandboxes, big data analytics and numerous other seemingly innovative security technologies at it, yet none have been successful. In the State of the Web 2015: Vulnerability Report, which we published last month, we found that one in three top websites pose some sort of risk to users — either they are already compromised or running vulnerable software ready to be “pwned.”
Security today is based on the premise that one can detect whether content (e.g., web, email, or files) is good or bad. This premise is fundamentally flawed, and everyone knows it: Enterprises now assume that they’ve been successfully attacked and focus attention on continuously looking for and remediating inevitable breaches. That’s fair advice given the current state of affairs. But in a certain way it is also a declaration of defeat with respect to our ability to actually anticipate and completely eliminate classes of threats. As an industry, we have an opportunity and a duty to take a step back and identify those potential infection vectors that we can actually eliminate. Ultimately, we need the frontline to become effective again before we get completely overwhelmed cleaning up after fires.
The most effective way to stop a forest fire is to prevent it altogether. Web and email security are no different. Trying to stop an attack after it happens — whether it be Rombertik or otherwise — is infinitely more difficult than simply preventing it. So while it’s important to invest in attack detection and effective response, it’s a mistake to give up entirely on effective prevention. More than ever, it’s time for a new generation of attack prevention that changes the rules and eliminates malware completely from the most important attack vectors.
Kowsik Guruswamy is chief technology officer of Menlo Security.