Achute Sharma
R&D Engineer 2

Introducing Polymorphic Malware Testing with BreakingPoint

March 13, 2020 by Achute Sharma

One of the most advanced techniques that cyber attackers use to evade detection is to mutate a malicious codebase into new, never-before-seen malware samples that retain the original malicious functionality. Malware produced this way is commonly known as polymorphic malware.

Given its evasive characteristics, the prevalence of polymorphic malware has already reached alarming levels. According to research conducted by Webroot, “94% of malicious executables are polymorphic”.

These shapeshifting threats pose a real challenge to security defenses, especially to traditional security controls using signature-based detection mechanisms. Such controls rely on static “fingerprints” to identify malware content, but in the case of polymorphic malware the fingerprint changes frequently, so frequently that it is extremely difficult to generate and distribute a signature each time a new morphed variant is seen in the wild.

In this realm, it is of paramount importance to have the right security defenses protecting against these evolved threats. Such defenses can include detection mechanisms based on heuristic analysis, behavior analysis, and machine learning techniques. Similarly, sandboxing and email security gateways are additional layers of protection that can be enforced.

Keysight’s Application and Threat Intelligence (ATI) Research Center team is constantly on the lookout for ways to help our customers stay better prepared and protected in the midst of cybersecurity threats.

Testing and validating network security controls against polymorphic malware has been very difficult because of the high technical complexity that the testing tool needs to deal with. Only sporadic and limited point-test options have been available for this major threat category.

Given the increased need for such testing capabilities and the increasing prevalence of polymorphic malware, the ATI Research Center accepted the challenge of proposing a solution in this area. 

Now, we are happy to announce that the ATI Research Center has just released an extension to the Monthly Malware package that incorporates custom-generated polymorphic malware samples. These samples can be found starting with the February 2020 Monthly Malware package (i.e., malware_2_2020) and are available to all BreakingPoint customers with an active standard ATI subscription. No extra license is needed.

The new test content and capabilities will empower customers to validate whether their network security protection is able to catch known, established malware families that have unique, never-before-seen hash values.

WHAT IS BEING DELIVERED?

Each package will vary slightly, but for the first release (the February 2020 Monthly Malware package, i.e., malware_2_2020) there are 11 second-generation samples created by the ATI generation process. These are derived from 4 different first-generation samples.

The screenshot below shows all of the polymorphic, second-generation samples installed on BreakingPoint, found by using the keyword "polymorphic" to filter through the available strikes.


Fig 1. Derived Polymorphic Malware Samples

WHAT ARE THE DETAILS OF THE MALWARE?

The details accompanying each strike are also important in the testing process. The screenshot below is an example of the details that are shown by expanding the Strike Panel.

Fig 2. Polymorphic Sample – Gancrab+766f771f details 

The interesting parts here are:

  • The description includes how the sample differs from its first-generation sample. This particular one has had "the checksum removed in the PE file format."
  • The "parentID" is included for detailed lookup of its first-generation sample.
  • The ssdeep value is a more nuanced form of hash that is quickly becoming an industry standard for grouping and correlating related malware samples.
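The checksum mutation quoted in the first bullet can be shown from the detection side. This is an added example, not code from the original post or from BreakingPoint: it hashes a PE file with the optional-header CheckSum field masked out, so a parent and a variant that differ only in that field have different SHA-256 values but the same normalized digest. This is a simpler stand-in for the ssdeep correlation the post mentions, not ssdeep itself; the function names, the sample buffer and the checksum value are all constructed for illustration.

```python
import hashlib
import struct

COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64  # same offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of OptionalHeader.CheckSum, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    offset = e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or offset + 4 > len(data):
        raise ValueError("missing or truncated PE header")
    return offset


def normalized_sha256(data: bytes) -> str:
    """SHA-256 of the file with the 4-byte CheckSum field masked to zero."""
    off = checksum_field_offset(data)
    masked = data[:off] + b"\0\0\0\0" + data[off + 4:]
    return hashlib.sha256(masked).hexdigest()


def build_sample(checksum: int) -> bytes:
    """Constructed, non-functional PE-shaped buffer used only for this demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPTIONAL_HEADER, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"constructed body" * 8


def compare(a: bytes, b: bytes) -> dict:
    """Compare two files by plain SHA-256 and by checksum-masked SHA-256."""
    return {
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "normalized_equal": normalized_sha256(a) == normalized_sha256(b),
    }


if __name__ == "__main__":
    parent = build_sample(0x0001F3A2)   # constructed checksum value
    child = build_sample(0)             # identical bytes, checksum field zeroed
    print(compare(parent, child))
```

Masking one field only correlates variants produced by that one mutation; variants with other differences still need a similarity hash such as ssdeep or the behavior-based detection described earlier.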

We highly encourage our customers to use the new content and would love to get any feedback or comments. This blog is the first in an informative blog series describing the new ATI Polymorphic Malware offering. Stay tuned and check (or subscribe to) our blog page for the next blog in this series.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides daily updates of the latest application protocols and attacks for use with Ixia test platforms.