I’m old enough to remember when all you needed to detect malicious software was a list of all the bad things that were tagged as “viruses”. It’s not unlike hearing people talk about the early days of Twitter when the entirety of the user base could be viewed on one page. However, as time wore on in both cases, the amount of information needed to digest what was going on quickly overwhelmed us all.
Signature-based virus detection quickly moved to heuristic detection, where we trapped the sneaky programs that didn’t name themselves virus.exe. But even the best heuristic detection in the world can’t work when the nature of the program changes. Once the professional criminals got involved and started doing more with their programs instead of wrecking systems and destroying resources it became much easier for them to evade detection. It also became much harder for companies to detect these new malware programs.
Today, we find ourselves in a place where even innocent behavior can lead to all kinds of problems down the road. Programs can be built to do all manner of ugly things. One of these is the recent Imotet banking trojan. Imotet is a polymorphic malware that scans for bank account numbers and embeds itself into the host machine and is difficult to remove. Imotet is also capable of detecting that it’s running in a virtual machine and create false echoes to evade removal. But what could possibly make this program even more nefarious?
Malware-as-a-Service
During RSA 2020, I had a chance to talk to Irfan Asrar, the head of Cyber Threat Intelligence and Operations for Blue Hexagon. Irfan told me that his company had been on the lookout for Imotet ever since its inception. He told me that one of the reasons why it was even more insidious than it first appears is not because of the behavior of Imotet but because of the way it has been developed. Imotet is part of a larger group of programs being developed on a similar framework. He called it “malware-as-a-service”.
Specifically, the family of programs that Imotet comes from enjoys some of the same rapid development and deployment features that we see in modern software development. New release or builds can be pushed out quickly and iterate on failures. New methods for scanning or infection or evading detection can be created and released in succession quick enough to overload detection programs looking for specific markers in the software. How on earth can a security department hope to catch the next Imotet before it invades their enterprise looking for juicy information to steal?
Blue Hexagon is using artificial intelligence and deep learning to help fight back against bad software. Because they start by looking at the behavior of the software instead of what it looks like they can quickly figure out when something isn’t playing nicely. Their deep learning tools mean that they’re not playing catch up by waiting for signatures to be released. Instead, they can figure out what’s going on and start creating a way to stop the problem before it rises to the level of being a serious threat.
How good is Blue Hexagon? Do you remember the issues that Iowa had with their voting app earlier this year? It may feel like last century, but the gist is that the voting app had a lot of weird behaviors that caused the tabulation of the caucus votes to be delayed well into the next day. The app had a variety of issues that didn’t feel right, such as being side-loaded onto devices instead of being downloaded from approved locations. The behaviors of the devices were inconsistent enough that Blue Hexagon received a copy of the app for analysis by their deep learning engine from one of their systems that uploaded it as a new potential threat! Ultimately, Blue Hexagon determined that this was a legitimate application but the questions raised by the methods and behavior of the app were not unknown to them.
How does this help us in the future? Once we get to the point where we are seeing daily or even hourly iterations of software designed to invade and steal from our enterprises, how can we hope to combat it? The Blue Hexagon answer is the same as the one that I give people when they ask how to keep up with the growing landscape of technology. You have to be constantly learning. You have to analyze what’s going on and adapt where you need to make changes in order to stay ahead. Only by keeping your detection system updated and in a mode to be in front of those doing the dirty work will you be able to stay secure.
Bringing It All Together
Enterprises are the next big target for malware. The people cutting their teeth on banking trojans aren’t going to be content with stealing lunch money when they can just as easily build something that can rob a bank or a stock brokerage. It’s time to ensure that our detection tools are as sophisticated as the things they’re trying to detect. That means deploying a tool focused on deep learning like Blue Hexagon. I’m very excited to see how this platform is going to keep us on the cutting edge of staying safe from the new trend of malware-as-a-service.