We all know what polymorphic malware is: malware that adapts to current conditions and tries to evade security software so it can do its dirty business on a target computer. This type of malware can easily evade signature-based scanners and other standard means of detection, since it changes the form of its attack vectors every time it executes. But what if we could harness this same behavior and use it defensively, so that we could do good instead of harm?
The idea is for the target computer to appear to be changing, so a piece of malware can’t easily infect it. That seems like a very sophisticated notion and it is gaining traction.
Indeed, polymorphism is just a new way of describing what many academic security researchers have long been calling a “moving target defense,” something that has been under study for quite some time. An Association for Computing Machinery (ACM) conference last November in Arizona covered many ways of implementing such a defense, including game theory and other advanced algorithms. Another academic paper goes into implementation detail at length here.
These research projects have moved into the next stage with a new series of security products from vendors such as JumpSoft, Morphisec, Shape Security (now part of F5) and CyActive, among others. Each of these vendors’ products is still at a very early stage, but you can get an idea of what they are trying to do and how quickly this area is evolving.
Certainly, defending Internet-based assets has gotten more complex. Dudu Mimran has blogged about the growing digital gap because “security tools did not evolve at the same pace as IT infrastructure…. Polymorphic defense aims to undermine this prior knowledge foundation and to make attacks much more difficult to craft.” This is because many attackers rely on knowledge about particular operating systems, devices or applications, and then target their weaknesses with their exploits. Making systems harder to identify makes them harder to attack and thus improves online security. Mimran is the CTO of Morphisec, which plans to announce its first product around the time of the RSA show in April.
Shape Security calls its ShapeShifter product “the first botwall”; it is designed as an appliance that protects the user interface to your web servers. As they explain on their website, “The use of polymorphism lets you preserve the functionality of code while transforming how it is expressed. In this example, a simplified login form has certain attributes replaced with random strings. The resulting code breaks malware, bots, or other attacks programmed to submit that form, but renders identically to the original.” By using this polymorphic defense, you can block DDoS, man-in-the-browser, and account takeover attacks. The appliance is installed behind the load balancer, and with a few simple firewall rules to direct traffic to it, it can be up and running.
One way many websites have been protected in the past is by putting in place rate, volume and IP address limits to prevent a large series of automated login attempts. Malware actors get around these limits by using a large database of stolen login credentials that are injected through a large-scale distributed botnet running on a huge number of IP addresses. Another popular past method is to use CAPTCHAs to protect logins; this is falling out of fashion, as a number of automated or large-scale manual methods have been developed to defeat them.
Shape’s appliance dynamically changes the underlying code of the protected website each time a page is viewed to defeat the types of scripts used in these kinds of login exploits.
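To make the form-rewriting idea concrete, here is an added example written for this article (not Shape’s own code): a minimal server-side renderer that gives the login fields fresh random names on every view and keeps the mapping back to the real names server-side for a single use, alongside a browser-style submission that succeeds and a scripted submission with hardcoded field names that is rejected. The form ID, the “f”-prefixed field names and the in-memory mapping store are assumptions of this example.

```python
import html
import re
import secrets

CANONICAL_FIELDS = ("username", "password")


class PolymorphicLoginForm:
    """Server-side renderer that gives the login form fresh field names on every view.

    The random-to-canonical mapping is kept server-side (a dict standing in for a
    session store) and is single-use, so a captured page cannot be replayed.
    """
    def __init__(self):
        self._forms = {}  # form_id -> {random_name: canonical_name}

    def render(self):
        form_id = secrets.token_hex(8)
        mapping = {"f" + secrets.token_hex(6): canon for canon in CANONICAL_FIELDS}
        self._forms[form_id] = mapping
        inputs = "".join(
            f'<input name="{html.escape(r)}" type="{"password" if c == "password" else "text"}">'
            for r, c in mapping.items()
        )
        return (f'<form method="post" action="/login">'
                f'<input type="hidden" name="fid" value="{form_id}">{inputs}'
                f'<button>Sign in</button></form>')

    def decode(self, posted):
        """Map a posted body back to canonical names; None if the names do not match."""
        mapping = self._forms.pop(posted.get("fid", ""), None)  # consumed on first use
        if mapping is None or any(r not in posted for r in mapping):
            return None
        return {c: posted[r] for r, c in mapping.items()}


def browser_submit(page, username, password):
    """A real browser fills in whatever field names the page it was served carries."""
    fid = re.search(r'name="fid" value="([0-9a-f]+)"', page).group(1)
    body = {"fid": fid}
    for name, kind in re.findall(r'<input name="([^"]+)" type="([^"]+)">', page):
        body[name] = password if kind == "password" else username
    return body


def stale_script_submit(page, username, password):
    """An automated login script that hardcoded the field names from an old capture."""
    fid = re.search(r'name="fid" value="([0-9a-f]+)"', page).group(1)
    return {"fid": fid, "username": username, "password": password}
```

A real deployment would also rename the form action and hidden fields and rotate them per request, which this example leaves fixed for readability.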
“The ‘poly’ part is the cool factor of this approach in that changes to the architecture can be made continuously and on-the-fly, making the guesswork higher by magnitudes. With polymorphism in place, attackers cannot build effective repurposable attacks against the protected area,” says Mimran on his blog. He suggests that all polymorphic defenses share the following four attributes:
- First, you start with some sort of trusted source that controls the dynamic changes to the host.
- Next, you build a solution that isn’t easily identified with the typical attack patterns, which makes it much more resilient.
- You integrate the internal code changes in such a way that these changes aren’t readily apparent to external users or software programs.
- On top of this, you harden your code to make reverse engineering and propagation very difficult.
CyActive uses bio-inspired algorithms to train a smart detector that can identify and stop future malware variants. Earlier this month PayPal acquired their technology, showing just how serious this market segment is getting.
JumpSoft claims that its code protects all layer 7 applications.
Whether these polymorphic defenses will prove vulnerable to even more sophisticated exploits isn’t yet clear. But at least turnabout is fair play, and the bad guys are finally getting a taste of their own evil-tasting medicine.