Advanced Persistent Threats (APTs) have been a hot topic for quite some time. In the hype created around it, the media and security specialists have ventured to provide opinions and explanations on various aspects, including what an APT is, and how to protect against it. For example, security vendors offering solutions against APTs often claim that “Traditional signature-based security won't protect you from APTs”. They also explain that they offer “a signature-less, virtualized detection engine", and other modern technologies that protect against APTs. But are they really 100% effective?
And are all these claims valid?
In our previous article Setting the record straight: what's an APT?, we clarified what exactly constitutes an APT, in an attempt to set the record straight with regards to APT definitions and characteristics. Now, let’s take a closer look at claims about APT detection.
In this article we’ll talk about how modern security solutions detect malware, and how the virtualization/ sandboxing technique can be evaded.
1. Modern security solutions
Firstly, it is important to point out that since the 1990s, anti-malware solutions have not been limited to signatures only , and there is no modern antivirus based only on signatures that maintains at least an acceptable level of malware detection. Many modern security suites which include antivirus – such as the Bitdefender products – are based on the many components which are responsible for detecting malware:
Heuristics detection analyzes new, unknown malware based on the static binary analysis
Generic detection discovers all (including currently unseen yet) samples of a known malware family
Signature-based detection detects known malware samples which do not mutate
Behavior analysis and blocking identifies new threats based on application monitoring.
There are many other components, but these four are directly related to the detection of malware, including APTs. So signature-based detection is only one of the many methods utilized by the modern security solutions.
2. Virtualization / sandboxing
Many APT security vendors emphasize the use of virtualization/sandboxing techniques in their solutions. These two attractive terms may lure the non-technical audience into assuming that such technologies would indeed provide a better detection rate for APTs or even for all types of malware.
Generally, this is not the case. Such solution typically uses a virtualized copy of the operating system, and runs the suspicious file there. As a result, the file is executed in a controlled, isolated (sandboxed) environment where its actions are carefully monitored, and where even a malicious file wouldn't do any harm. Then, its actions are analyzed, and the decision whether a file is malicious or not is made. In theory, this approach is expected to detect all kinds of new malware, including threats never seen before. In practice, however, this approach has limited applicability because it is fairly easy to escape detection, by employing one or a combination of the following four methods:
• Environment analysis. The environment where the piece of malware is being executed is typically static and consistent, with all instances of the product emulating the same or a very similar environment, which allows the malware threat to easily detect it is being analyzed. Consequently, it will cease any malicious activity and will pretend to be a clean application.
There are many clues that can give away the identity of a virtual environment, including but not limited to:
◦ The guest environment typically uses the same operating system and the same version of it, and has a fixed set of software installed.
◦ The guest environment looks out of place; for example, the important Windows updates are missing, which is very unusual in the corporate environment.
◦ The guest environment lacks traces of prior usage – recent documents empty, the only e-mail client present is not configured, no bookmarks in browsers, no extra icons on desktop and so on.
◦ The user activity on a guest is unusual. For example, the file attachment received by the e-mail is executed but the mouse does not move and no key presses are detected.
• Dependency on user activity, Time delay and Multi-stage infection are the other three methods that can enable a piece of malware to escape detection. Learn what they're all about from the whitepaper A Candid View on APT Protection: Debunking myths and choosing the right providers.
These are the well-known ways to escape the sandbox detection and they cannot be reliably “closed,” no matter how much effort the security vendor puts into it. This is why the sandbox detection cannot be considered reliable against targeted attacks, where the malware writer knows the target, and the security solution they are using.