Chasing and detecting evasive malware

This article was originally published on Technology.Info.

Giovanni Vigna is CTO at Lastline. He is appearing at Cyber Security Expo in a keynote presentation that analyses evasive malware techniques.

We caught up with him for a quick chat about the current state of anti-malware techniques and the inspiration behind his upcoming talk. Here’s what he told us.

1 Are our existing tools for combating cybercrime becoming redundant?

I wouldn’t say redundant; we still need antivirus and other conventional tools. But the rapidly changing nature of malware requires a multi-faceted solution. Malware is a fast-moving target. It’s also become personalised, and targeted against individuals in the enterprise. So we need increased customisation of anti-malware, and a mix of anti-malware solutions. But by the same token the bad guys are evolving malware to avoid detection in increasingly sophisticated ways. There are very different sets of targets. Home users and CEOs get attacked by very different types of malware, and targeted attacks can now bypass traditional barriers to reach very high levels in an organisation. Then we have opportunistic attacks. Even if just 10 per cent of the 10 per cent of ransomware attacks that hit the target result in payment, it’s still lucrative for the cybercriminals.

2 Your talk sounds fascinating, particularly this concept of evasiveness. Can you explain briefly what you mean?

Evasiveness has become an important side of the game. Malware is becoming evasive in many different ways, using stalling techniques to prevent detection or even altering its fingerprint. So we need to detect this evasiveness and identify if a website or a network is being attacked. If we can identify the fact that the malware is looking around, knowing it is being analysed, then we can see that it is malware. But of course it is hard to do this without sophisticated analysis techniques, which is what I will be expanding upon at Cyber Security Expo!
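The "stalling" and "looking around" behaviour described in the answer above, as an added example that is not part of the original interview and not Lastline's code: a small Python scorer that runs over a constructed API-call trace and flags environment fingerprinting, VM/sandbox artefact lookups, tight timer-polling loops, and sleeps long enough to outlast the analysis budget, then combines them into a verdict. The trace format, API lists and thresholds are illustrative assumptions; a real analysis system would derive them from its own instrumentation.

```python
import re

# Constructed sample trace for illustration (not captured from a real sample).
# Assumed line format: "<seconds since start> <api>(<args>)".
SAMPLE_TRACE = """\
0.001 GetSystemInfo()
0.002 IsDebuggerPresent()
0.003 RegOpenKeyExA(HKLM\\SYSTEM\\ControlSet001\\Services\\VBoxGuest)
0.004 GetModuleHandleA(sbiedll.dll)
0.005 GetTickCount()
0.006 GetTickCount()
0.007 GetTickCount()
0.008 GetTickCount()
0.009 GetTickCount()
0.010 GetTickCount()
0.011 GetTickCount()
0.012 GetTickCount()
0.013 GetTickCount()
0.014 GetTickCount()
0.015 Sleep(600000)
600.016 GetTickCount()
600.020 CreateFileA(C:\\Users\\victim\\Documents\\report.docx)
600.025 WriteFile(hFile=0x1c4)
600.030 InternetOpenUrlA(http://203.0.113.7/beacon)
"""

LINE_RE = re.compile(r"^\s*([0-9.]+)\s+(\w+)\((.*)\)\s*$")

# Illustrative lists (assumptions, not an authoritative catalogue).
# APIs commonly used to fingerprint the execution environment.
ENV_PROBE_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetSystemInfo",
    "GlobalMemoryStatusEx", "GetAdaptersAddresses", "NtQuerySystemInformation",
    "GetModuleHandleA", "RegOpenKeyExA", "GetUserNameA", "GetComputerNameA",
}
# Artefact names that betray a VM, sandbox or analysis tool, searched in call arguments.
ARTEFACT_RE = re.compile(r"vbox|vmware|qemu|xen|virtual|sbiedll|dbghelp|wireshark", re.I)
# Timer APIs polled in tight loops to detect time acceleration or to busy-wait.
TIMER_APIS = {"GetTickCount", "QueryPerformanceCounter", "GetSystemTimeAsFileTime"}
# Activity that actually touches the host or network, i.e. the payload.
PAYLOAD_APIS = {"CreateFileA", "WriteFile", "InternetOpenUrlA", "CreateProcessA", "connect"}


def parse_trace(text):
    """Parse trace lines into (timestamp, api, args) tuples, skipping unparsable lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((float(m.group(1)), m.group(2), m.group(3)))
    return calls


def analyze(calls, analysis_budget_s=120.0, timer_loop_min=10, timer_loop_window_s=0.1):
    """Return a dict of evasion indicators found in a parsed trace.

    analysis_budget_s is how long the analysis environment would run the sample;
    sleeping past it, or only starting payload activity after it, indicates stalling.
    """
    env_probes = [api for _, api, _ in calls if api in ENV_PROBE_APIS]
    artefacts = [args for _, _, args in calls if ARTEFACT_RE.search(args)]
    total_sleep_s = sum(float(args) / 1000.0 for _, api, args in calls
                        if api == "Sleep" and args.replace(".", "", 1).isdigit())

    # Tight timer loop: at least timer_loop_min timer calls inside a short window.
    timer_ts = [t for t, api, _ in calls if api in TIMER_APIS]
    timer_loop = any(
        timer_ts[i + timer_loop_min - 1] - timer_ts[i] <= timer_loop_window_s
        for i in range(len(timer_ts) - timer_loop_min + 1)
    )

    first_payload_t = next((t for t, api, _ in calls if api in PAYLOAD_APIS), None)
    payload_after_budget = first_payload_t is not None and first_payload_t > analysis_budget_s

    return {
        "env_probe_count": len(env_probes),
        "artefact_lookups": artefacts,
        "total_sleep_s": total_sleep_s,
        "stalls_past_budget": total_sleep_s > analysis_budget_s,
        "timer_loop": timer_loop,
        "payload_after_budget": payload_after_budget,
    }


def is_evasive(report, min_indicators=2):
    """Flag the trace only when several independent evasion indicators co-occur."""
    hits = sum([
        report["env_probe_count"] >= 3,
        bool(report["artefact_lookups"]),
        report["stalls_past_budget"],
        report["timer_loop"],
        report["payload_after_budget"],
    ])
    return hits >= min_indicators


if __name__ == "__main__":
    rep = analyze(parse_trace(SAMPLE_TRACE))
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("verdict:", "evasive" if is_evasive(rep) else "not evasive")
```

The point of requiring several indicators at once is that any single one (a call to GetSystemInfo, one long Sleep) is common in legitimate software; it is the combination of probing the environment, then stalling, then acting only once the analysis window would have closed that makes the sample's awareness of being analysed visible, which is the signal the answer above describes.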

3 Is there still a place for antivirus in the modern enterprise?

Yes. I don’t think that antivirus is dead; I think it works for certain types of threats, but the antivirus community is having a hard time keeping up with modern malware. Antivirus uses recognition and static analysis, which provides a very useful signal in many cases. Unfortunately we now see threats that easily bypass traditional antivirus. Any organisation that uses AV as its sole protection is making a huge mistake.

4 Is academic research underused in the battle against cybercrime?

I cover both the research and commercial worlds. It’s of course very important that we take academic cyber research and try to make it work in the commercial world. But many academic things are very difficult to transfer. For example, the evasive behaviour that was studied in the academic world a few years ago was considered cutting edge and rare in the real world. Now it’s become commonplace. So it’s important that we take notice of the research being done right now on new and rare threats, before they become common and substantial threats.

5 Should security vendors share more information with each other?

Of course they should, yes; it’s a great way to improve the state of the art in cyber security. The problem is that information and intelligence is a major differentiator between vendors, so it’s not a feasible strategy from a commercial point of view. If everybody shares the intelligence, then the competitive advantage will disappear. Take APTs. A company like Mandiant that made it their business to track APTs would not exist. So for political and strategic reasons, such cooperation is unlikely. And a forum for shared intelligence would be very difficult to regulate; someone may simply suck out intelligence and use it against you competitively. Microsoft has become very good at sharing information with security vendors about vulnerabilities. If everybody would do the same, that would be good. If software companies would share this with vendors, everybody wins. This would be commercially viable.

6 What are you most looking forward to at Cyber Security Expo this year?

I’m looking forward to seeing innovation. New and radical approaches to security. There is so much going on that we need to be aware of in mobile BYOD, APT and other areas. I am sure Cyber Security Expo will have much to offer in this respect.

See the video of Giovanni's keynote that analyses evasive malware techniques.
