Encryption is the “good stuff” that protects information crossing an untrusted communication channel and ensures its confidentiality. It has many positive applications and is used widely to protect critical data and information every day without any user awareness. Secure websites using HTTPS encrypt all communication between the end user’s browser and the website; this protects visitors to the website and stops snoopers from stealing confidential information such as internet banking details.
On the other side of the coin, encryption can be a real problem for people and organizations that legitimately need access to encrypted data. For example, anti-virus vendors typically detect a normal virus through a known signature or a more advanced heuristic method, and this works well provided the anti-virus agent installed on the machine is updated regularly. However, if an encrypted virus infiltrates an information system, it can be a nightmare to detect.
A small number of clever virus writers are using encryption in an attempt to bypass perimeter and endpoint protection software. The idea is simple, and a number of methods can achieve it, some complicated and others not so “smart”. In plain terms: if a man were to walk into a building openly carrying a semi-automatic assault rifle, the likelihood that someone would spot him and alert the authorities is high; if he were to walk in with the weapon concealed, the chances of detecting the danger drop significantly. In IT security terms, anti-virus software is the detection mechanism, the security checkpoint that X-rays everything entering the system.
Encrypted viruses are normal viruses except that the payload is garbled and unreadable, which makes the threat harder to detect. The virus is effectively useless until it can be decrypted (or unpacked).
Early virus writers used a self-decrypting routine embedded in the infected file: each line of code, as it executed, decrypted the next line to be executed. Anti-virus vendors caught on to this very quickly, and threats have evolved significantly since. In one method, first seen in the RDA.Fighter virus, the virus writer did not include the decryption key at all; instead the virus was designed to brute-force its own key. Encryption is tightly controlled by the US government, and the use of unknown encryption algorithms can result in serious gaol time, which is one of the reasons encrypted viruses are not as heavily developed, apart from the obvious fact that developing such viruses/malware takes significantly longer.
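As an added illustration of the detection gap described above (example code written for this page, not from the original post or any vendor): a signature that matches the plaintext body stops matching once the body is XOR-encoded, while the self-decrypting stub, which has to stay in the clear, still gives the scanner something constant to match, and a single-byte key space is small enough for the scanner to try every key itself. All byte strings here are constructed placeholders, not real malware.

```python
import math
from collections import Counter

# Constructed stand-in for a virus body; it is only a marker string, not malware.
PLAIN_BODY = b"CONSTRUCTED-SAMPLE-BODY " * 4
SIGNATURE = b"SAMPLE-BODY"   # the byte pattern a signature-based scanner knows
# Constructed stand-in for the self-decrypting stub the post describes: the
# decoding loop has to run in the clear, so it stays constant between copies.
STUB = b"\x90\x90STUB:DECODE-LOOP\x90\x90"

def encode_body(body: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest way a body becomes 'garbled and unreadable'."""
    return bytes(b ^ key for b in body)

def build_sample(key: int) -> bytes:
    return STUB + encode_body(PLAIN_BODY, key)   # stub in the clear, body encoded

def raw_signature_hit(data: bytes) -> bool:
    """Naive scanner: look for the known pattern in the bytes as stored on disk."""
    return SIGNATURE in data

def stub_hit(data: bytes) -> bool:
    """What vendors moved to: key the signature on the invariant decryptor stub."""
    return STUB in data

def xor_brute_hit(data: bytes):
    """A single-byte key space is tiny, so the scanner can try every key itself.
    Returns the key under which the signature appears, or None."""
    for key in range(256):
        if SIGNATURE in bytes(b ^ key for b in data):
            return key
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Note: a byte-for-byte substitution such as XOR does not
    change this, so entropy alone will not flag the simplest encoding."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(data: bytes) -> dict:
    return {
        "raw_signature": raw_signature_hit(data),
        "stub_signature": stub_hit(data),
        "xor_key": xor_brute_hit(data),
        "entropy": round(shannon_entropy(data), 3),
    }

if __name__ == "__main__":
    for key in (0x00, 0x5A):
        print(f"key={key:#04x}", scan(build_sample(key)))
```

Running it with key 0x5A shows the raw signature missing while the stub match and the recovered key still flag the sample, and the entropy value is the same for both runs, which is the caveat: a byte-for-byte substitution leaves the byte histogram intact.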
A more advanced method, “polymorphic code”, adds complexity to the virus structure and makes detection harder. It basically means “self-changing”, and it requires little to no human intervention to perform the change. Think of it as the seasonal flu that most people catch each year. It does not start at a particular place or time; it is more than likely the same flu as last year, just slightly mutated. The mutation occurs as the flu is passed from person to person, eventually completing a full circle. Polymorphic code works in a similar way and has been used by virus writers since the beginning of information systems. Typical polymorphic behavior involves a virus or worm infiltrating a system, mutating and propagating itself. Coupled with encryption, it can pose a serious threat to any business, as samples quickly become redundant and can send a vendor on a wild goose chase.
It is important to invest in a reputable and knowledgeable vendor who can provide all three layers of defense, perimeter, cloud and endpoint, so that protection is in place before a threat hits the gateway, at the gateway, and after it passes the gateway. I genuinely believe that virus writers are only at the tip of the iceberg, and as programming languages evolve, so will the threat landscape. The best way to stay protected is to ensure technology is patched and updated to the latest vendor specification. It is not possible to remove all chance of an attack, and there is no better means of protection than defense in depth.