Experts Comments On Dexphot Polymorphic Malware Detection

According to Microsoft's write-up (https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/), the Dexphot campaign was first spotted in October 2018 affecting thousands of computers, with the attackers upgrading the malware over the following months to a level that left little to analyse. The threat surged in mid-June this year, when it landed on tens of thousands of computers. Towards the end of the month the attacks subsided, with fewer than 20,000 machines exhibiting Dexphot activity. By the end of July, the malware was seen on fewer than 10,000 machines every day.

For about a year, security researchers at Microsoft tracked the malware, observing the combination of methods that let it slip through the cracks. Code obfuscation, encryption, randomised file names, and running malicious code only in memory were some of the methods the attackers used to avoid detection.


EXPERTS COMMENTS
Dan Pitman, Principal Security Architect,  Alert Logic
November 28, 2019
Starting with educating users is the first protection, treating the root cause of infection being the best plan of attack.
"Detection of polymorphic malware and other threats that avoid traditional signature detection relies on a more behavioural analysis based approach on the endpoint and network. By monitoring for suspicious activity, such as contacting known command and control infrastructure or making requests on the network that are abnormal, the activity of a breach can be detected and the polymorphic malware found – monitoring the behaviour of the computers themselves helps too: by building a model of the normal behaviour of a system, activities that abnormally use resources can lead threat hunters to the source of infection. Starting with educating users is the first protection, treating the root cause of infection being the best plan of attack – equally important is putting in solutions backed by trusted experts that can detect the behaviour of infections beyond traditional signature detection; this is a must in today's complex threat landscape. Attackers and defenders are fighting it out with more intelligent evasion and detection techniques, so the expertise and ability to evolve detection techniques is critical."
Javvad Malik, Security Awareness Advocate,  KnowBe4
November 28, 2019
The main issue with any form of attack is learning how the attack actually makes it into the organisation and blocking it at the root.
"Comprehensive detection controls need to be in place throughout the organisation. This should be enforced with reliable and up to date threat intelligence data that can be used to identify indicators of compromise (IoCs) and ideally have an orchestrated response. The main issue with any form of attack is learning how the attack actually makes it into the organisation and blocking it at the root. In many cases, attacks are usually successful due to social engineering, unpatched software, or a supply chain compromise. If organisations can work to address these biggest avenues, they can usually prevent most malware from being successful. Other than threat detection and response controls, having behavioural monitoring capabilities can also help in detecting such attacks which do not follow one pattern of behaviour."
David Kennefick, Product Architect,  edgescan
November 28, 2019
Exploit a user or resource for the benefit of the attacker. This is why behaviour-based blocking is particularly successful here.
"There are additional complexities in detecting polymorphic threats. Its ability to change and adapt based on scenarios makes it a formidable foe. Think of ED-209 vs T-1000: one is a blunt instrument and one can adapt to its scenarios. Dexphot is the T-1000 in this scenario. In order to protect from such threats, up to date signatures in your anti-malware technology are the first step. This, combined with multi-layer checks, provides a greater chance of catching this type of malware, as does a multi-engine approach. The aim of malware is always the same, however: exploit a user or resource for the benefit of the attacker. This is why behaviour-based blocking is particularly successful here. If attackers wish to steal data, they'll have to get it out of the network, and this is a repetitive behaviour that can be analysed and addressed, leading to it ultimately being blocked at the source."
Hugo van den Toorn, Manager, Offensive Security,  Outpost24
November 28, 2019
Chances are the malware would execute itself again, change its appearances and persist on its host system.
"Even for end-points the defense in-depth method applies. Such polymorphic threats are, although a technical masterpiece, hard to eradicate from your systems. In this case the sudden increase in processing utilization caused by Dexphot should be a give-away that something is wrong with an infected host. However, also on the endpoints you want to be able to prevent and/or detect the malware at any of its stages. The best thing would be to prevent the host from becoming infected, either by having an Internet proxy or a local 'safe-browsing' solution that prevents the user from downloading anything from malicious locations. Should the installer still make its way onto the system, the antivirus solution on the device should detect it. If, due to its polymorphic nature, the initial installer is not detected, then throughout the malware's various stages one of the executables or system calls utilized should raise an alert. If all of this fails, which is realistic when facing a newly developed malware threat, the endpoint should, once the malware is executed and goes into its 'operational state', detect the unusual behavior. If a user always uses a browser and a word processor, and all of a sudden the user starts mining virtual currencies, the system would alert or even quarantine the involved processes and files. However, should such polymorphic malware make its way through your lines of defenses, effective remediation is often very difficult. You can compare it to a three-headed hydra: if you cut off one head, it grows back multiple others. In this case, if your anti-virus removes one of the files because it thinks it's malicious but does not remove the others, chances are the malware would execute itself again, change its appearance and persist on its host system."
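The "model of normal behaviour" detection that the Alert Logic and Outpost24 comments describe, reduced to a small worked example (added here, not code from the article or from any of the quoted vendors): a per-host baseline of usual process CPU usage, and an alert when an unfamiliar, randomly named process sustains high CPU or a known process runs far above its norm. Host names, process names, thresholds and all telemetry values are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed baseline of "normal" per-host process CPU usage (percent), as a
# behaviour-based endpoint tool might learn it over time. Hypothetical values.
BASELINE = {
    "ws-01": {"chrome.exe": 12.0, "winword.exe": 5.0, "explorer.exe": 1.0},
}

# Constructed telemetry samples: (host, process name, cpu_percent), one per minute.
SAMPLES = [
    ("ws-01", "chrome.exe", 14.0), ("ws-01", "winword.exe", 4.0),
    ("ws-01", "explorer.exe", 1.5), ("ws-01", "chrome.exe", 11.0),
    # unfamiliar, randomly named binary pegging the CPU for several consecutive samples
    ("ws-01", "a1b2c3.exe", 91.0), ("ws-01", "a1b2c3.exe", 95.0),
    ("ws-01", "a1b2c3.exe", 93.0),
    # a single burst from a baselined process is averaged with its other samples
    ("ws-01", "chrome.exe", 60.0),
]


def detect_cpu_anomalies(samples, baseline, min_samples=3, unknown_cpu=50.0, ratio=5.0):
    """Return alerts for processes whose sustained CPU use does not fit the host baseline.

    Two rules:
      1. a process absent from the baseline averaging >= unknown_cpu over >= min_samples;
      2. a baselined process averaging >= ratio times its usual CPU over >= min_samples.
    Requiring several samples keeps one-off spikes (a page load, a document save) quiet.
    """
    usage = defaultdict(list)
    for host, proc, cpu in samples:
        usage[(host, proc)].append(cpu)
    alerts = []
    for (host, proc), cpus in usage.items():
        if len(cpus) < min_samples:
            continue
        avg = round(mean(cpus), 1)
        expected = baseline.get(host, {}).get(proc)
        if expected is None and avg >= unknown_cpu:
            alerts.append((host, proc, "unknown process with sustained high CPU", avg))
        elif expected is not None and avg >= ratio * expected:
            alerts.append((host, proc, "baselined process far above normal CPU", avg))
    return alerts


if __name__ == "__main__":
    for alert in detect_cpu_anomalies(SAMPLES, BASELINE):
        print(alert)
```

On the constructed samples only the unknown binary is reported; the single 60% chrome.exe sample is diluted by its normal readings and stays below the ratio threshold.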
