Polymorphic Malware. Photo: Cybercrime Magazine.

The Devastating Effect Of Polymorphic Malware

A single successful phishing email can grind an entire system to a halt

Ann Johnson

Seattle, Wash. – Apr. 3, 2020

Polymorphic malware isn’t new; the first polymorphic virus dates back to 1989. But fast-changing polymorphic malware now makes up an overwhelmingly large percentage of the malware organizations are facing. Dealing with that means treating every attack like an advanced persistent threat — even if the attack itself isn’t that sophisticated — because if you do not use the right techniques, you’re not going to be able to get your systems clean and keep them that way.

Polymorphic malware rewrites its own code every few days, sometimes more often, mutating faster than traditional signature-based defenses can keep up and making previous detection signatures obsolete. What's more, we've seen this become more and more common. In 2010, half of the unknown executables caught by Microsoft SmartScreen each day were net new; some of those were legitimate files, but a substantial share was polymorphic malware. By 2017, around 96 percent of all malware files detected and blocked by Windows Defender were seen only once, on a single computer, and never again.

PowerShell scripts and Office macros are popular with attackers not just because PowerShell and VBA (Visual Basic for Applications) have rich capabilities and run with the full privileges of the logged-on user, but because a malicious payload stored in a script or document is both easy to maintain and easy to alter polymorphically. Script languages such as JavaScript are easy to obfuscate, so an attacker can generate enormous numbers of variants of the same threat that do not look at all similar.

There are hundreds of new malware families every month, and polymorphism means each instance of that malware can be unique, so you often get only one chance to catch it. In 2018 Webroot detected 500 million "brand new, never-before-seen" portable executable files. Malware construction kits that commoditize advanced techniques and bundle multiple payloads and attack vectors also make polymorphic attacks easy to create and extremely damaging.

Polymorphic attacks are hard to block because they keep changing even once they’re inside your network. That means they spread fast: a single successful phishing email can turn into an attack that quickly moves through your entire network, exfiltrating data, consuming resources for cryptomining or even grinding entire systems to a halt.

Emotet has been around since 2014, but this modular Trojan keeps evolving and coming back, disguised as everything from a holiday-themed Word template to a PDF invitation to hear Greta Thunberg speak, an overdue invoice, and even a Coronavirus warning. The phishing messages go out by the thousands, with randomized details often localized to the country where the attack is taking place, so spam filters are less likely to catch them. Once it infects a machine, it drops other malware that steals banking information and harvests network credentials; it also steals address books and email signatures and scrapes existing email threads and templates to disguise the next set of phishing lures, which it sends within the organization a few days later, making them even harder to spot. Many organizations don't even scan internal email for malware.

As it spreads from system to system, the combination of Emotet and the other Trojans it downloads starts to disrupt normal operations, ending in what amounts to a distributed denial of service that floods the entire network. Email servers overload, workstations crash, and even security camera networks stop working. When the IT team starts trying to clean up, they find themselves locked out of their own network accounts, with no bandwidth available to reach the systems they want to diagnose or remediate, while the business keeps reporting problems and demanding results.

It does not have to be like that. Because they change so quickly, polymorphic attacks may seem invisible, as if they come out of nowhere, but if you are looking in the right place you can spot them as soon as they start. You cannot depend on detecting the malware from a signature alone, but by understanding how the malware behaves you can detect it by other means and, with a bit of planning and best practices, protect yourself. You can observe attacks as they try to spread across your organization and limit the damage with the right security posture. The key is a combination of endpoint protection and response (including protection for email and key productivity tools) plus visibility into network activity, so that malicious patterns of behavior can be spotted wherever they happen.

Polymorphic malware can change a lot about itself. But to be malware, it still has to behave like malware: it has to establish some form of persistence, inject into or corrupt the memory of other processes, extract data and credentials, or encrypt data for ransom, or spawn processes that do those things. The malware may be new, but the set and sequence of behaviors will be familiar.

Anti-malware tools on the endpoint won't have a signature for a newly evolved polymorphic virus, but they can detect that a process has connected to a web server, downloaded an executable and then launched it. They can tell whether a file is in common use or has never been seen before, and they can see which files share behaviors, such as network activity that doesn't match what employees usually do. They can also look for specific malicious behaviors: running binaries downloaded from websites with poor reputations, scripts that inject code into other processes, or Office macros that call Win32 APIs or launch executables.
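As an added example that is not part of the article, the PowerShell below shows the kind of behavioral correlation described above, run over a handful of constructed Sysmon-style events (process creation, network connection, file creation) for a single workstation. The event shape, the paths, PIDs, IP addresses and the fleet prevalence table are all assumptions made for the example; what matters is the logic: an Office application spawning a script host, which makes an outbound connection, writes a never-before-seen executable and then launches it.

```powershell
# Added example, not from the article: behavior-based detection of a
# download-then-execute chain over constructed Sysmon-style events.
# Assumed event shape: EventId 1 = process create, 3 = network connect,
# 11 = file create. Paths, PIDs, IPs and the prevalence table are made up.

$OfficeApps  = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'

$Word = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$PS   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Constructed telemetry for one workstation (assumption, for illustration).
$Events = @(
    [pscustomobject]@{ Seq=1; EventId=1;  Pid=4100; ParentPid=3000; Image=$Word; ParentImage='C:\Windows\explorer.exe'; Target=$null }
    [pscustomobject]@{ Seq=2; EventId=1;  Pid=4120; ParentPid=4100; Image=$PS;   ParentImage=$Word;                     Target=$null }
    [pscustomobject]@{ Seq=3; EventId=3;  Pid=4120; ParentPid=$null; Image=$PS;  ParentImage=$null; Target='198.51.100.23:443' }
    [pscustomobject]@{ Seq=4; EventId=11; Pid=4120; ParentPid=$null; Image=$PS;  ParentImage=$null; Target='C:\Users\jdoe\AppData\Local\Temp\inv_4471.exe' }
    [pscustomobject]@{ Seq=5; EventId=1;  Pid=4150; ParentPid=4120; Image='C:\Users\jdoe\AppData\Local\Temp\inv_4471.exe'; ParentImage=$PS; Target=$null }
    # Benign noise: a browser fetching a page, and a signed updater launched from Explorer.
    [pscustomobject]@{ Seq=6; EventId=3;  Pid=5000; ParentPid=$null; Image='C:\Program Files\Google\Chrome\Application\chrome.exe'; ParentImage=$null; Target='203.0.113.7:443' }
    [pscustomobject]@{ Seq=7; EventId=1;  Pid=5100; ParentPid=3000; Image='C:\Program Files\Google\Update\GoogleUpdate.exe'; ParentImage='C:\Windows\explorer.exe'; Target=$null }
)

# Constructed prevalence table: how many endpoints in the fleet have run this image before.
$Prevalence = @{
    $Word                                            = 2000
    $PS                                              = 2000
    'C:\Program Files\Google\Update\GoogleUpdate.exe' = 1800
}

function Find-SuspiciousChains {
    param([object[]] $Log)
    $procStarts = $Log | Where-Object { $_.EventId -eq 1 }

    foreach ($p in $procStarts) {
        $reasons = New-Object System.Collections.Generic.List[string]

        # 1. Script host spawned directly by an Office application.
        $img    = [IO.Path]::GetFileName($p.Image)
        $parent = if ($p.ParentImage) { [IO.Path]::GetFileName($p.ParentImage) } else { '' }
        if ($ScriptHosts -contains $img -and $OfficeApps -contains $parent) {
            $reasons.Add("script host $img spawned by Office app $parent")
        }

        # 2. Download-then-execute: the binary now running was written earlier by a
        #    process that had made an outbound connection before writing it.
        $writer = $Log | Where-Object { $_.EventId -eq 11 -and $_.Target -eq $p.Image -and $_.Seq -lt $p.Seq } | Select-Object -First 1
        if ($writer) {
            $netBefore = @($Log | Where-Object { $_.EventId -eq 3 -and $_.Pid -eq $writer.Pid -and $_.Seq -lt $writer.Seq })
            if ($netBefore.Count -gt 0) {
                $reasons.Add("launched binary written by PID $($writer.Pid) after it connected to $($netBefore[0].Target)")
            }
        }

        # 3. Prevalence: an image the fleet has never run is worth a look on its own.
        if (-not $Prevalence.ContainsKey($p.Image)) {
            $reasons.Add('never-before-seen image')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Seq = $p.Seq; Pid = $p.Pid; Image = $p.Image; Reasons = ($reasons -join '; ') }
        }
    }
}

Find-SuspiciousChains -Log $Events | Format-List
```

On the constructed events this reports two process starts: Seq 2 (powershell.exe spawned by WINWORD.EXE) and Seq 5 (inv_4471.exe, written by a process that had just connected out, and never seen in the fleet before). WINWORD.EXE and GoogleUpdate.exe pass because they are well known and have no suspicious parent or origin. Against real telemetry you would feed the function Sysmon events from the Microsoft-Windows-Sysmon/Operational log and key the prevalence table on file hashes rather than paths.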

Most businesses can block Office macros and applications from injecting code into other processes, making Win32 API calls and creating executable content (in Microsoft Defender these are Attack Surface Reduction rules) to protect themselves from script attacks. Only the most sophisticated organizations are writing and running macros with complex code (and if that's your organization, digitally signing macros and limiting who can run them, while you evaluate more secure approaches for the future, should be a priority). Look for endpoint protection tools that use the Windows Antimalware Scan Interface (AMSI): the script engine hands the decoded script content to the antimalware engine at the moment it is about to run, so the obfuscation that defeats file-based signatures is stripped away before the content is inspected. Turn on Application Guard for Office for an extra layer of isolation. Make sure you're scanning internal emails as well as external messages.
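The following PowerShell is an added example, not part of the article or of any Microsoft documentation, that turns the hardening described above into concrete settings. It assumes Windows 10 or 11 with Microsoft Defender Antivirus as the active engine, Office 16.0 (2016/2019/Microsoft 365) and an elevated session; the rule GUIDs are Microsoft's published Attack Surface Reduction rule IDs, and the registry values are the Office macro policy keys that Group Policy normally writes.

```powershell
# Added example, not from the article: block the macro and script behaviors
# described above with Microsoft Defender Attack Surface Reduction (ASR) rules
# and the Office macro policy keys. Assumptions: Windows 10/11 with Microsoft
# Defender Antivirus active, Office 16.0, elevated PowerShell session.
#Requires -RunAsAdministrator

# Published ASR rule IDs and what each one blocks.
$AsrRules = [ordered]@{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D46-4AA5-B1F3-33D68FD8E4C8' = 'Block Win32 API calls from Office macros'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrRules {
    # $Action: 2 = AuditMode (log only, the right first step), 1 = Enabled (block).
    param([string[]] $Ids, [ValidateSet(1, 2)] [int] $Action = 2)
    $actions = @($Ids | ForEach-Object { $Action })
    # Add-MpPreference appends to whatever rules are already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state = switch ($acts[$i]) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "$_" } }
        [pscustomobject]@{ Id = $ids[$i]; State = $state; Rule = $AsrRules[$ids[$i].ToUpper()] }
    }
}

function Set-OfficeMacroPolicy {
    param([string[]] $Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # VBAWarnings: 1 = enable all (weak), 2 = disable with notification (default; users
        # can click through), 3 = disable all except digitally signed, 4 = disable all silently.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
        # Macros in files carrying the Mark of the Web (attachments, downloads) are blocked outright.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Keep script scanning on so AMSI-delivered, de-obfuscated script content reaches the engine.
Set-MpPreference -DisableScriptScanning $false

Set-AsrRules -Ids @($AsrRules.Keys) -Action 2   # audit first ...
Set-OfficeMacroPolicy
Get-AsrRuleState | Format-Table -AutoSize

# ... read the audit events (ID 1122) for a while before re-running with -Action 1.
# Once in block mode the hits appear as ID 1121 in the same log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running in audit mode first matters for the "sophisticated organizations" case in the paragraph above: the 1122 events tell you which legitimate macros would have been blocked, so you can sign them and scope exceptions before flipping to block. In a managed environment these same settings are normally pushed through Group Policy or Intune rather than set per machine.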

On the network, both architectural and administrative changes will be required. When you're cleaning up, the logs will help you discover how the malware has spread and which systems are affected. Lock down privileged access and separate high-value assets such as domain controllers, which require administrative privileges, by implementing access controls and a tiered administration model; that way you can contain the malware and stop it reaching back through the network to re-infect systems you just cleaned while you work to get them back online. The experience of our DART (Detection and Response Team) is that keeping highly privileged accounts like Domain Admins from logging on to lower-tier systems, such as workstations, helps prevent losing those prized credentials when an attacker gets into a user's workstation through a phishing document.

The same segmentation and privilege management that protects those assets will also keep malware from spreading laterally in the first place. MFA will stop, or at least slow down, the use of compromised credentials. Limiting admin access to only the people who really need it, and only for as long as they need it, will reduce the damage that can be done.
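As an added example, not taken from the article or from DART, here is the check a defender would run to see whether the tiering rule above is actually being followed: a sweep of Security log 4624 (successful logon) records for Tier-0 accounts landing on lower-tier hosts with a logon type that leaves reusable credentials behind. The account names, the host naming convention (DC- for domain controllers, SRV- for servers, anything else a workstation) and the sample events are all assumptions constructed for the example.

```powershell
# Added example, not from the article: find Tier-0 (Domain Admin) credentials being
# exposed on lower-tier hosts, using constructed Security log 4624 records.
# Assumptions: the account names, the host naming convention and the events are made up.

$Tier0Accounts = 'da-jsmith', 'da-svc-backup', 'Administrator'

# Logon types that leave reusable credentials on the target machine:
# 2 = Interactive, 4 = Batch, 5 = Service, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (Network) does not leave them behind and is not flagged here.
$CredentialExposingLogonTypes = 2, 4, 5, 10, 11

function Get-HostTier {
    param([string] $Computer)
    switch -Wildcard ($Computer) {
        'DC-*'  { 0 }
        'SRV-*' { 1 }
        default { 2 }   # workstations and anything unclassified
    }
}

# Constructed 4624 records (field names mirror the event's XML: TargetUserName, LogonType, Computer, IpAddress).
$Logons = @(
    [pscustomobject]@{ Time='2020-04-02 08:10'; TargetUserName='jdoe';          LogonType=2;  Computer='WS-1044';   IpAddress='-' }
    [pscustomobject]@{ Time='2020-04-02 09:02'; TargetUserName='da-jsmith';     LogonType=10; Computer='DC-01';     IpAddress='10.0.9.5' }
    [pscustomobject]@{ Time='2020-04-02 11:47'; TargetUserName='da-jsmith';     LogonType=10; Computer='WS-1044';   IpAddress='10.0.9.5' }   # DA RDPs to a workstation to "fix" it
    [pscustomobject]@{ Time='2020-04-02 12:30'; TargetUserName='da-svc-backup'; LogonType=3;  Computer='WS-1044';   IpAddress='10.0.3.20' }  # network logon: no cached credentials
    [pscustomobject]@{ Time='2020-04-02 13:15'; TargetUserName='da-svc-backup'; LogonType=5;  Computer='SRV-FILE2'; IpAddress='-' }         # service running as DA on a Tier-1 server
)

function Find-TierViolations {
    param([object[]] $Events)
    $Events | Where-Object {
        $Tier0Accounts -contains $_.TargetUserName -and
        $CredentialExposingLogonTypes -contains $_.LogonType -and
        (Get-HostTier $_.Computer) -gt 0
    } | ForEach-Object {
        $tier = Get-HostTier $_.Computer
        [pscustomobject]@{
            Time    = $_.Time
            Account = $_.TargetUserName
            Host    = $_.Computer
            Type    = $_.LogonType
            Finding = "Tier-0 credential exposed on Tier-$tier host"
        }
    }
}

Find-TierViolations -Events $Logons | Format-Table -AutoSize
```

On the constructed data this returns two findings: da-jsmith's RDP session to WS-1044 and the da-svc-backup service running on SRV-FILE2; the same account's type-3 network logon to the workstation and the RDP session to the domain controller are left alone. Against a real domain, replace the sample array with 4624 events pulled from the domain controllers or a SIEM, and close the findings by assigning the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights to the Tier-0 groups on every Tier-1 and Tier-2 host.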

Rooting out polymorphic malware is difficult because you’re chasing a moving target, when your systems are already overloaded. Prevention is always better than cure and this is an area where following best practices now will do a lot to protect you in the future — before you find out just how bad it can get when a single phishing message slips through and lures a busy employee to click.


Ann Johnson is Corporate Vice President, Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.

Sponsored by Microsoft 

