The Malware Cloaking Device and How to Beat It
Remember the original Star Trek series from the 60’s? One of the interesting concepts introduced there was an adversarial alien race, the Romulans, with their active stealth technology in the form of what they called the cloaking device. The cloaking device was used to render a starship effectively invisible to enemy detection and targeting systems, but unlike most of our stealth technology was an active electronic device, not passive design or RF absorbent material . For those wanting a quick review of the cloaking device in action, here’s a snippet from The Enterprise Incident.
Just like the conflict between the Federation good guys and the Romulan bad guys, enterprise IT, when dealing with malware, is dealing with a resourceful and cunning adversary, one which is prone to using technological one-upmanship in order to win the next battle.
One of the strategies malware has successfully exploited is obfuscation. Remember, the AV and other security vendors first used virus signature files to detect viruses – they would in essence pattern match against a list of known malware. One obvious way around this was for the malware to disguise itself by changing its own code.
There are a few different ways this can be done, but most of them involve making changes to the code without changing the overall function, which can be done in the following ways (courtesy of Mike Schiffman):
Register Swapping: As discussed with the Win95/Regswap virus above, while all x86 CPU registers were designed with specific instructions in mind and resultant optimizations, they can also be used interchangeably.
- Code Substitution: Switching instructions for equivalent variants that result in different binary code but accomplish the same task (xor / sub and test / or instructions can be easily interchanged).
- Branch Condition Reversing: Stateless reordering of branch conditionals.
- Garbage Insertion: nop and clc instructions are commonly inserted to change the appearance of code but not its function
- Subroutine Reordering: Moving the order of subroutines such that they are called in a random order, adding a layer of complexity equal to n!, where n denotes the number of routines reordered.
- Code Insertion: One of the most complex methods, the malware will actually weave itself into the binary code of its host.
Obviously we are up against a sophisticated opponent, but there is another approach to obfuscation – encryption. Instead of wearing a different hat or hoodie, why not just become invisible?
Cascade, from the late 80’s, was one of the first encrypted PC viruses, introducing the use of what was in effect a cloaking device against security software, preventing AV and other applications from seeing inside the malware.
Which brings us to the present day where Ixia can help organizations use powerful SSL/TLS decryption capabilities to help secure the enterprise (small e). If you are serious about both security and getting the most out of your internal network, you are going to want to have some network visibility capabilities via network packet broker(s), bypass switch(es) and tap(s). The good news here is that with Ixia not only do you get the visibility into normal traffic, but you can also use the NPB to offload decryption from your expensive NGFW and other security tools. In fact, you may find that adding a visibility network may not cost much if any more than adding decryption on its own.
Here's a network diagram of how a fintech customer deployed Ixia in their network:
I invite you to learn more in the case study, Band Reduces Security Threats by Using SSL Decryption.
May the force be with you.
Oh, oops, wrong universe.
Let try that again. Live long and prosper.