Viruses and other malware are getting better at evading antimalware systems despite the sophisticated behavioral-analysis systems that are used to detect them. This week a rogue trader in France was able to hide a growing loss until it reached US$7 billion and was impossible to hide. What do these two events have in common? Both exploit the predictability of defenses to evade detection.
Malware creators use multiple tricks in their malware to help them evade detection. Evasion mechanisms have evolved from simple compression and encryption algorithms that obfuscate the code to sophisticated polymorphic designs and self-mutating code that constantly create new variants.
All of these evasion tactics have resulted in “zero day” attacks where malware is undetected until it becomes widespread enough to provoke an update from the vendors. Interestingly, some studies have shown that the antimalware software suites with the lesser market share are often able to detect malware that their more popular competitors miss. It is becoming increasingly evident that malware authors are testing their creations against as many different antimalware suites and versions as they can. The more popular the antimalware system, the more likely malware will be tested against it. This way, malware spreads wider and for longer because it can start off one step ahead of the defenses.
The rogue trader most likely tried to hide a bad trade by throwing money at it. As the hole grew deeper his trading positions became harder and harder to hide. But because this trader had spent a few years working on the audit side of the back office, he knew what an auditor would be looking for. He knew what activities would raise a red flag and how to balance the trades with fake trades so as to hide the hole. An investigation is still under way, but it is likely that the trader used his knowledge of the audit methodologies to suppress any early warning in the hopes of covering the loss. It was only revealed by a market crash that made the financial hole so big it almost swallowed the bank that employed him.
Security systems and security teams are vulnerable to such attacks because they are predictable. Either through repeated trial-and-error or insider knowledge, the attacker is able to predict the behavior of the security system and stay one step ahead. Predictability becomes a weakness of the system. An attacker need not be superbly intelligent or innovative. They only need to think “outside the box”. The “box” being the rather small set of predictable attacks that the system has been designed to defend against.
Perhaps an orderly and well-organized security system is not best. When building a security organization or some security software perhaps you should consider adding a touch of randomness. Chaos may be your friend.