A new form of attack threatens to circumvent many conventional antiviruses. Should you upgrade to something new?
The problem for any antivirus is that the challenge is constantly shifting. No sooner have you developed a solution to one attack than the attackers are busy coming up with the next one. As cyber criminals become more sophisticated, they are also producing attacks which are more difficult to foil. One such attack comes in the form of a ‘doppelgänger’ technique which has been shown to be successful against several of the world’s leading antiviruses.
Research presented at Black Hat Europe by endpoint security firm enSilo revealed a new way for cyber criminals to slip past conventional antivirus defences by passing off malicious actions as benign. Known as Process Doppelgänging, the attack manipulates the way in which Windows processes files.
“The 'Process Doppelgänging' attack method we discovered leverages several complex mechanisms in Windows operating systems and intimate knowledge of the inner-workings of AVs' file scanning engines. Putting all this together allows masquerading a malicious executable as legitimate, bypassing all tested security products,” said the report’s co-author Tal Liberman.
Fellow researcher Eugen Kogan added that “this is another example of how a few subtle manipulations of code, based on deep insight into the operating system internals, are all that is required to upend many layered detection and traditional prevention defences. Our research shows that even the latest protections can be negated by an attacker's creative bid to skip a malicious file payload altogether and infiltrate dangerous content through Windows' intricacies.”
How it works
The attack replaces the code in an open file, creates a process from that modified content, and then reverts the file to its previous state, so that nothing is ever written to disk. The researchers say that the technique cannot be patched because it exploits fundamental features of the core design of Windows itself. Because it does not exploit a vulnerability, it is not something that Windows can easily remedy.
The researchers found that the attack went undetected by several leading antivirus products when run on Windows 7. However, they do not mention whether the same weakness exists on Windows 10.
However, there are two rays of light. Firstly, the attack is difficult to pull off; and secondly – predictably – enSilo say their own software can pick up the attack. They claim its ability to provide protection both before and after infection, with features such as threat hunting, incident response and virtual patching, enables it to combat attacks which impersonate legitimate Windows processes.
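One defensive check that follows from this description, given here as an added example rather than anything from the page or from enSilo: a process started from code that no longer matches its on-disk file can be spotted by comparing the PE headers of the mapped image with those of the file. The header-only PE buffers are constructed test data, and reading the mapped image out of a live process's memory on Windows is assumed to happen elsewhere; this code only does the comparison.

```python
import hashlib
import struct

def parse_pe_summary(data: bytes) -> dict:
    """Minimal PE parser: pull the header fields that must agree between a
    process's mapped image and the file it claims to have been started from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    entry_point, = struct.unpack_from("<I", data, opt + 16)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    off, sections = opt + opt_size, []
    for _ in range(num_sections):            # 40-byte IMAGE_SECTION_HEADERs
        name, _vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode(), vaddr, rawsize))
        off += 40
    return {"entry_point": entry_point, "size_of_image": size_of_image,
            "sections": sections,
            "header_sha256": hashlib.sha256(data[:off]).hexdigest()}

def compare_image_to_file(mapped: bytes, on_disk: bytes) -> list:
    """Fields where the in-memory image disagrees with the on-disk file ([] = consistent)."""
    a, b = parse_pe_summary(mapped), parse_pe_summary(on_disk)
    return [k for k in a if a[k] != b[k]]

def build_pe(entry_point: int, size_of_image: int, sections: list) -> bytes:
    """Build a header-only PE32 image for the demo (constructed test data, no code)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, 0)
                     for n, vs, va, rs in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table

# Constructed sample: the file on disk (what a file scanner sees after the
# file has been reverted) versus the image the process is really running.
ON_DISK = build_pe(0x1000, 0x3000, [(".text", 0x200, 0x1000, 0x200), (".data", 0x100, 0x2000, 0x100)])
MAPPED = build_pe(0x4000, 0x5000, [(".text", 0x200, 0x1000, 0x200), (".data", 0x100, 0x2000, 0x100),
                                   (".rsrc", 0x400, 0x4000, 0x400)])

if __name__ == "__main__":
    print("mismatched fields:", compare_image_to_file(MAPPED, ON_DISK))
```

A non-empty result for a process whose image path points at a signed, unmodified file is the kind of inconsistency a file scanner alone will never see, because the file it hashes is the clean one.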
Time to go next-gen?
Their message – like that of many next-generation providers – is that they can provide solutions to attacks which more conventional antivirus systems will miss. They may come with a higher price tag, they say, but the extra money will be worth it. So, is this the case?
Next-gen systems offer a range of advanced features, such as EDR forensics, which uses a large set of data collected from endpoints (logs, packets and process behaviour) to find out what a virus did. They might also offer application whitelisting, which sets limits on everything an app is allowed to do.
These products also use machine learning and artificial intelligence to offer a more proactive and intelligent layer of defence, which can adapt to threats in a similar way to a human, offering a more agile and responsive approach.
Advanced features like these can be useful in protecting against more sophisticated cyber-attacks, which themselves are making use of features such as AI to create more effective attack vectors. However, they do come with a higher price tag and, because they are more sophisticated, they will require more memory to run.
Reports such as these also come with a caveat. Because they come from a provider of next-generation antivirus software, the authors have a vested interest in exposing so-called flaws in conventional antivirus systems. The research, therefore, comes with an agenda and cannot be said to be independent.
To answer the question, then, it pays to do some research of your own: read reviews and find out what people are saying about the software. Work out what features you need, how much data you store on your computer, and how many apps you tend to download.
What the report does do is demonstrate the importance of staying alert. The threat environment is shifting, and conventional antiviruses may not always be sufficient, especially if you use a network of multiple connected devices. Sharing data across all these platforms can be great, but it does increase the number of threats we are exposed to.