Techniques for Detecting Malware & Malicious Ad Code
A well-established criminal economy has grown up around malvertising, and as malware insertion techniques become more widely known, the criminal element keeps working to make its indicators harder to identify.
This guide covers the techniques and methods professionals use to identify and isolate malicious code, and offers some best practices for defending against malvertising attacks.
For starters, detecting malvertising requires expertise and a keen eye for reviewing reams of data. Security researchers also have to strike a balance, since detection of malicious code needs to run at maximum speed with minimum memory usage. There are a few main methods malware researchers use:
- Signature-based – This was one of the first methods used to detect malware, and it remains in use. The malware researcher scans and analyzes feeds of suspicious files (received from a particular company or a third-party source) looking for specific pieces of code or data, known as “signatures.” Repeated code or a signature match on a file is a red flag to the expert, who marks the file as suspicious.
- Checksumming – This is a variation of signature analysis, based on calculating CRC (Cyclic Redundancy Check) checksums. It was developed to compensate for the main disadvantage of the signature method: the signature database grows incredibly large and produces frequent false alarms.
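The two methods above side by side, as an added example (not code from the original article or from GeoEdge): the sample files, the signature database and the bad-file checksum are all constructed here. The deliberately short "too-short" signature shows the false-alarm problem, and the one-byte variant shows that a checksum is exact but brittle.

```python
import zlib

# Constructed sample files (not real malware); the "bad" marker is an
# arbitrary byte string standing in for a fragment of malicious code.
BAD_MARKER = b"\x7fCONSTRUCTED-BAD-FRAGMENT\x00"
SAMPLES = {
    "benign.bin": b"MZ" + b"\x00" * 8 + b"Quarterly PAYROLL report generator",
    "bad.bin": b"MZ" + b"\x00" * 8 + BAD_MARKER + b"\x00" * 4,
    "bad_v2.bin": b"MZ" + b"\x00" * 8 + BAD_MARKER + b"\x00" * 3 + b"\x01",  # one byte differs
}

# Signature database: name -> byte sequence. "too-short" is deliberately
# generic so it also hits benign data (the false alarm the article mentions).
SIGNATURES = {
    "constructed.fragment": BAD_MARKER,
    "too-short": b"PAY",
}
MIN_SIGNATURE_LEN = 8   # reject signatures likely to match harmless files


def signature_scan(data, signatures=SIGNATURES, min_len=MIN_SIGNATURE_LEN):
    """Return the names of signatures found in data, skipping ones under min_len."""
    return sorted(name for name, sig in signatures.items()
                  if len(sig) >= min_len and sig in data)


def crc32(data):
    """CRC-32 of a whole file: the single value the checksumming method stores."""
    return zlib.crc32(data) & 0xFFFFFFFF


# Checksum database: one 32-bit value per known-bad file instead of byte patterns.
KNOWN_BAD_CRCS = {crc32(SAMPLES["bad.bin"])}


def checksum_match(data, known=KNOWN_BAD_CRCS):
    """Exact match only: any change to the file, even one byte, defeats it."""
    return crc32(data) in known


def scan(samples=SAMPLES):
    """Run both methods over every sample; returns {name: (signature hits, checksum hit)}."""
    return {name: (signature_scan(blob), checksum_match(blob))
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (sigs, crc_hit) in scan().items():
        print(f"{name:12s} signatures={sigs or '-'} checksum={'HIT' if crc_hit else 'miss'}")
```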
Mutating Malware: The Polymorphic Plague
To circumvent the identifying tactics above, hackers often make their malicious ad campaigns polymorphic, which makes them more difficult to detect.
A polymorphic virus is one whose “body” changes itself during replication, so that no constant search string is present. Imagine a virus or malicious entity that can adapt and change over time. This shapeshifter camouflages itself by altering its genetic makeup, its code, to hide from the researchers who seek to destroy it.
Regardless of the type, what makes this malware so effective is its complexity and speed. Polymorphic malware uses polymorphic code to change as frequently as every 20-30 seconds.
So, as fast as security teams can identify a signature, this kind of malware leaves no constant fragment of virus-specific code to find.
Typically, polymorphism is achieved by encrypting the main code of the virus with non-constant keys, paired with a random set of decryption commands, or by changing the executable virus code itself.
This is not to be confused with metamorphic malware, which completely rewrites its code so that each newly propagated version no longer matches its previous form. Polymorphic malware is a jaguar that changes its spots, while metamorphic malware is a jaguar that becomes a lion.
Since a variable code has no signature, other techniques must be used to detect the malicious code.
Malvertising Detection Techniques
- Reduced masks – Using elements within the encrypted body of the virus, the researcher “takes” the encryption key out of the equation to obtain static code. The signature, or mask, is then revealed in the resulting static code.
- Known plaintext cryptanalysis – This method uses a system of equations to decode an encrypted virus body, similar to the classical cryptographic problem of decoding an encoded text without the keys (with a couple of differences). In cryptanalysis, the system reconstructs the keys and the algorithm of the decrypting program, then decodes the encrypted virus body by applying this algorithm to the encoded fragment.
- Statistical analysis – The system analyzes the frequency of the processor commands used and uses this information to decide whether the file is infected.
- Heuristics – The malware researcher scans and analyzes reams of data looking for suspicious activity and behavior. This method means looking for code served in a suspicious pattern; for example, an ad served to a thousand people in the space of five minutes. The researcher notes this and inspects further.
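Polymorphism (described above) and the reduced-mask and known-plaintext techniques in this list, as one added example that is not from the original article or from GeoEdge: a constructed toy "body" is encoded under a different one-byte XOR key per variant behind an assumed decryptor-stub layout (`DEC:` + key). A plain signature scan and a file checksum fail across variants; taking the key out of the equation recovers the static code and the mask matches again.

```python
import os
import zlib

# Constructed toy "virus body": a fixed byte string standing in for the static
# code that a polymorphic decryptor hides (not real malware).
STATIC_BODY = b"\x7fCONSTRUCTED-STATIC-BODY\x00" + bytes(range(16))
SIGNATURE = b"CONSTRUCTED-STATIC-BODY"   # the mask that matches the static body
STUB_MAGIC = b"DEC:"                     # assumed toy decryptor-stub layout marker


def make_variant(body=STATIC_BODY, key=None):
    """Toy polymorphic variant: a stub carrying a fresh 1-byte key, then the body XORed with it."""
    key = os.urandom(1)[0] if key is None else key
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def raw_signature_hit(sample, sig=SIGNATURE):
    """Plain signature scan on the bytes as served: the encoding hides the mask."""
    return sig in sample


def reduced_mask_hit(sample, sig=SIGNATURE):
    """Reduced mask: remove the key the stub carries, then match on the static code."""
    if not sample.startswith(STUB_MAGIC):
        return False
    key = sample[len(STUB_MAGIC)]
    static = bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])
    return sig in static


def key_from_known_plaintext(sample, known_prefix=STATIC_BODY[:1]):
    """Known-plaintext step: recover the key from one body byte we expect,
    without trusting the stub to tell us the key."""
    enc = sample[len(STUB_MAGIC) + 1:]
    return enc[0] ^ known_prefix[0]


def compare(keys=(0x11, 0x5A, 0xC3)):
    """Build one variant per key; return (distinct CRC32s, raw signature hits, reduced-mask hits)."""
    variants = [make_variant(key=k) for k in keys]
    crcs = {zlib.crc32(v) & 0xFFFFFFFF for v in variants}
    return (len(crcs),
            sum(raw_signature_hit(v) for v in variants),
            sum(reduced_mask_hit(v) for v in variants))


if __name__ == "__main__":
    print("distinct checksums, raw hits, reduced-mask hits:", compare())
```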
Identifying and Confirming Suspicions
Once the anti-malvertising expert has identified code that is deemed suspicious, there are a few primary methods to confirm that suspicion.
- First, there are hubs of data where major security companies list the malicious code they have detected. This library is a powerful resource for every security expert. Malware researchers can access these lists and run lookups for the code they found. If it is already in the system, the suspicion is confirmed.
- If the code the expert found is not listed in the main hub, the researcher uses a technique called “emulation,” executing the file in a “virtual environment.” The system emulates not only processor opcodes (operation codes) but also operating system calls. This mimicry allows the researcher to determine whether the code is indeed malicious. When an emulator is used, the action of every command must be constantly controlled, so that the program is prevented from carrying out its malicious intent.
In practice, the security researcher wants to detect malicious code as efficiently as possible, which boils down to whichever method can be implemented with maximum speed and minimum memory usage.
The Cybersecurity Arms Race
The fight against malware is a race between hackers and cybersecurity experts, with each side doing its very best to get ahead of the other. As cybersecurity researchers create new detection methods, malicious actors are already scheming up new evasive and invasive methods to sprinkle their malicious code into legitimate-looking ads, putting small and large publishers alike at risk.
Curious how GeoEdge’s anti-malvertising solution can protect your site from malicious actors? Drop us a line!