Achute Sharma
R&D Engineer 2

Creating ATI Polymorphic Malware

March 16, 2020 by Achute Sharma

This is the second blog in a series describing Ixia’s Application and Threat Intelligence (ATI) Polymorphic Malware offering. In the first blog, we talked about polymorphic malware and how BreakingPoint now plays an important role in testing and validating network security controls for this threat vector.

The ATI team is committed to helping customers create, improve, and invest in better security protection. Adding Polymorphic Malware to the standard ATI subscription is the latest example of this.

In this blog, we will delve a bit more into the details of the content that ATI is offering in terms of polymorphic malware.

Enterprise endpoint protection and firewall products frequently employ a blacklist of malicious file hashes as the first line of defense. Malware authors have long used various techniques to morph their malware and evade detection. Malware authors have the source code and can alter it to produce a new form of the file; we wanted to see how much we could change the malware by modifying the binary directly, while keeping its malicious dynamic behavior the same.

How We Do It 

The process of producing polymorphic malware falls into two broad steps.

Step 1: Generation of Morphs


Malware is delivered in various formats that range from PE files to ELF files to macros in documents. For this initial set of samples, we are focusing on binaries in the PE file format and have applied various morphs to them. These morphs range from updating the timestamp in the PE header to packing the binary with packers such as UPX. We have also identified the relevant MITRE ATT&CK techniques, such as Binary Padding, which is used by various APTs as documented in the MITRE ATT&CK framework.

Once we have the generated samples, we then proceed to validate them.

Step 2: Validation of the morphs


In this step, we take the malware executables and pass them through a sandbox. This lets us observe the dynamic behavior of the malware. Cuckoo Sandbox is used as the ATI detonation tool of choice. 

[Figure: snapshot of a Cuckoo analysis]

We begin by running the parent malware and observing its behavior. Next, we analyze our generated morphs, the “second-generation” malware, and record their specific behaviors. We also make sure that the executables do not crash in any unexpected way that does not match the behavior of the base malware sample. Once we have gathered the data from the parent malware and the morphed second-gen malware, we perform filtering and similarity analysis to decide whether the morphed samples behave the same as their parents.

Finally, we collect all the valid malware with the same behavior as the parent and package them together along with various metadata. 
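The filtering and similarity step of the validation, as an added example that is not Ixia's code: it reduces constructed Cuckoo-style reports (field names are an assumption) for a parent and three morphs to sets of observed behaviors, treats a morph with no recorded behavior as a crash, and accepts only morphs that reproduce every parent behavior.

```python
from typing import Dict, List, Set

# Constructed Cuckoo-style reports, trimmed to the fields used here (names assumed).
PARENT: Dict = {
    "signatures": [{"name": "persistence_autorun"}, {"name": "network_http"}],
    "behavior": {"summary": {
        "files": ["C:\\Users\\victim\\AppData\\Roaming\\svc.exe"],
        "keys": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"]}},
    "network": {"hosts": ["198.51.100.7"]},
}
MORPHS: Dict[str, Dict] = {
    # UPX-packed morph: identical behavior plus a packer signature
    "upx": {**PARENT, "signatures": PARENT["signatures"] + [{"name": "packer_upx"}]},
    # morph that crashed on launch: the sandbox recorded no behavior at all
    "crashed": {"signatures": [], "behavior": {"summary": {}}, "network": {}},
    # morph that only partly ran: no persistence key and no beacon
    "partial": {"signatures": [{"name": "network_http"}],
                "behavior": {"summary": {"files": PARENT["behavior"]["summary"]["files"]}},
                "network": {}},
}

def behavior_features(report: Dict) -> Set[str]:
    """Flatten what the sample did (signatures, files, registry keys, hosts) into tagged strings."""
    feats: Set[str] = set()
    for sig in report.get("signatures", []):
        if not sig["name"].startswith("packer_"):  # packing is the morph itself, not behavior
            feats.add("sig:" + sig["name"])
    summary = report.get("behavior", {}).get("summary", {})
    feats.update("file:" + f for f in summary.get("files", []))
    feats.update("reg:" + k for k in summary.get("keys", []))
    feats.update("host:" + h for h in report.get("network", {}).get("hosts", []))
    return feats

def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 1.0

def validate_morph(parent: Dict, morph: Dict, threshold: float = 0.9) -> Dict:
    """Accept a morph only if it ran, reproduced every parent behavior and is similar overall."""
    p, m = behavior_features(parent), behavior_features(morph)
    if not m:
        return {"accepted": False, "similarity": 0.0, "missing": sorted(p), "reason": "no behavior recorded; treated as crash"}
    sim, missing = jaccard(p, m), sorted(p - m)
    accepted = sim >= threshold and not missing
    reason = "ok" if accepted else ("parent behavior not reproduced" if missing else "extra behavior beyond parent")
    return {"accepted": accepted, "similarity": round(sim, 2), "missing": missing, "reason": reason}

def validate_all(parent: Dict, morphs: Dict[str, Dict]) -> List[str]:
    """Names of the morphs that pass, i.e. the ones worth packaging with the parent."""
    return [name for name, rep in morphs.items() if validate_morph(parent, rep)["accepted"]]

if __name__ == "__main__":
    for name, rep in MORPHS.items():
        print(name, validate_morph(PARENT, rep))
```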

How to Use ATI Polymorphic Malware

Polymorphic Malware samples are released with the February 2020 Monthly Malware package. Here is how they can be used effectively.

Steps:

  1. Install the Monthly Malware package
  2. Create a StrikeList filtered by the keyword “polymorphic”, which adds only the second-generation samples
     Optional: restrict the samples to the month in which they were released, e.g. “Feb-2020”
  3. Create a Test
  4. Add a Malware component and apply the StrikeList
  5. Run the test

Because of the validation just described, we are confident that the polymorphic malware samples are functionally the same as their base malware sample files. When executed, they exhibit the same behavior in the sandboxed environment; the only difference is that the morphed file contains slightly more or less data than the parent, which makes its hash different.

If the firewall or device under test (DUT) blocks only the parent file and not its morphed versions, then the DUT is most likely matching on file hashes alone, and that alone is not enough to stop the future variations of the malware that attackers can easily generate.

On the other hand, if the DUT can block both the parent file and its various morphed second-gen malware samples, then we can conclude that the DUT is in a better position to detect and prevent such kinds of morphed malware in the future.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides daily updates of the latest application protocols and attacks for use with Ixia test platforms.