There is a new banking Trojan which can successfully evade the majority of antivirus programs in operation today.
According security experts at Bromium, the new strain of polymorphic malware evaded 50 out of 65 AV engines tested, or 75 per cent.
According to Bromium, the malware is capable of avoiding antivirus programs by continually repackaging.
The company’s software engineer Matt Rowen says this goes to show how increasingly sophisticated hackers are: “Historically, malware writers simply change the packaging or wrapper when they distribute malware. For instance, it might be a PDF or Word document, but the dropped malicious file inside could be weeks old and, as such, known to AV. Now we see the secondary executable is changing as well, so the malware is not recognised by AV. Worryingly, this shows that malware writers are really improving the standard of their engineering – that spells trouble for AV vendors, who will be forced into a whack-a-mole situation they can never win.”
Bromium’s CTO for EMEA, Fraser Kyne, thinks this might result in copycats, as other hackers start imitating the same process for their own nefarious means. “After WannaCry hit we saw a huge spike in malware using the Eternal Blue exploit. The techniques we are seeing are easy to apply to other types of malware. This has the potential to cause big headaches for businesses relying on detect-to-protect security tools such as anti-virus software.”
To defend, Bromium repeats the usual advice, which includes not opening files you don’t know what they are, turning off macros, patching up both the OS and programs, and layer up on security.
“Ultimately, AV protect-to-detect techniques are always going to be playing catch up. The only way to prevent this type of attack is to contain and isolate the application itself using virtualization. For example, opening email attachments or email links in isolated micro-VMs contains and controls malware. This way, even if an email does have malware, the hacker has nowhere to go, nothing to steal, and no way to persist on the machine.”
Image Credit: JMiks / Shutterstock