Signature-based anti-virus software is losing relevance

Cybercrime is evolving in ways previously deemed impossible. Cyberattacks are becoming more sophisticated, new attack vectors are opening, and cybercriminals are becoming smarter and more persistent. Asia’s fragile geopolitical situation, prominent role in the global market, and rising technology usage and adoption have turned the region into an attractive cyberattack target. In 2015, Asian companies lost S$81 billion to cybercrime, according to The Financial Times.

Singapore, in particular, faces relatively greater cyberattack risk than other Asian countries. The ease of doing business in Singapore and the country’s reputation as an international hub have truly made Singapore the apple of the cybercriminal’s eye.

The statistics are alarming: one in five computers in Singapore encountered malware in Q2 2016, according to Microsoft’s findings. With this in mind, Singapore-based companies should keep up to date with the latest malware tactics to safeguard their assets.

However, quickly evolving cyber threats make this a task easier said than done. Malware developers today modify their malware so that it evades detection a little longer than its known half-life (the length of time the malware remains active). One such way is through crypters, sophisticated software tools that make it difficult for anti-virus software to inspect a malware-laden program without running the program first.

Crypters are becoming increasingly popular among hackers using ransomware. They work by using custom algorithms to compile and recompile code. This alters the malware’s signature, allowing it to stay hidden, undetected and unblocked under the very nose of anti-virus technology that relies on these signatures to identify malware.

Mutating Malware Renders Most Anti-Virus Tools Impotent

Today, most anti-virus and anti-malware tools, especially those that rely on signatures, are incapable of blocking malware whose signature has been altered. It does not help that crypters can modify the code of the malware they protect multiple times a day, making signature-based detection meaningless as the code changes constantly. Current code-mutation techniques allow malicious code to undergo slight mutations every two hours and escape the notice of anti-malware and anti-virus software even when they are updated regularly. With a longer half-life, malware becomes a more efficient tool for cybercriminals. For them, malware is an investment, and prolonging its effective lifespan translates into a higher return on that investment.

Aside from ransomware, fileless malware such as Kovter is also gaining prominence in today’s cyber threat landscape: more than half a million Kovter variants and infections have been discovered over the last 12 months. Instead of residing on disk and inserting malicious code into the file system, this fileless malware insidiously injects itself into running processes, bypassing traditional signature-based detection.

There has been a surge in Kovter malware-laden advertisements in recent years. Ad platforms are unable to scan every single ad they encounter because of the sheer number of ads delivered daily. After all, it is a painstaking task to scan ads in Flash, JavaScript, or other formats for malicious code. It is equally difficult to ascertain the actual ad source, which can range from ad agencies and companies to individuals. Most of the time, those running ad platforms merely upload ads without thoroughly sifting through them, and do not look at them again until they hear malware complaints from users.

Beyond malvertising, Kovter can also reach command-and-control sites and download and install additional malware, not into the file system but into the memory of the compromised host. With the privileges it gains in memory, Kovter can disable previously enabled security software and lower protection levels by shutting down security controls once the system has been exploited.
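The three behaviours described above (a file hash that no longer matches a signature after mutation, injection into a running process, and an outbound connection to a command-and-control site) can be checked against endpoint telemetry. The following is an added example, not code from the original article, that runs a hash-signature layer and a behavioural layer over constructed Sysmon-style events; the event field names, process IDs, hash values and IP addresses are all made up for illustration.

```python
import hashlib
import json

# Layer 1: a known-bad SHA-256 list. The value is the hash of a made-up byte
# string constructed for this example, not the hash of any real sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-sample-v1").hexdigest()}

# A "mutated" copy of the same sample: repacking changes the bytes, so the
# hash no longer matches the signature above.
MUTATED_HASH = hashlib.sha256(b"constructed-sample-v2").hexdigest()

# Constructed Sysmon-style events, one JSON object per line.
# EventID 1 = process create, 3 = network connection, 8 = CreateRemoteThread.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe", "SHA256": MUTATED_HASH}),
    json.dumps({"EventID": 3, "ProcessId": 4120, "DestinationIp": "203.0.113.5", "DestinationPort": 443}),
    json.dumps({"EventID": 8, "SourceProcessId": 4120, "TargetProcessId": 2208, "TargetImage": "C:\\Windows\\System32\\regsvr32.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 900, "Image": "C:\\Windows\\System32\\notepad.exe", "SHA256": hashlib.sha256(b"benign").hexdigest()}),
    json.dumps({"EventID": 3, "ProcessId": 900, "DestinationIp": "198.51.100.7", "DestinationPort": 443}),
])

def signature_layer(events):
    """Flag process creations whose image hash is on the known-bad list."""
    return {e["ProcessId"] for e in events if e["EventID"] == 1 and e["SHA256"] in KNOWN_BAD_SHA256}

def behaviour_layer(events):
    """Flag a process that both injects into another process (Event 8) and
    makes an outbound connection (Event 3), regardless of its file hash."""
    injectors = {e["SourceProcessId"] for e in events if e["EventID"] == 8}
    connectors = {e["ProcessId"] for e in events if e["EventID"] == 3}
    return injectors & connectors

def analyse(log_text):
    """Run both layers and return the hits of each plus the union of flagged processes."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    images = {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == 1}
    sig = signature_layer(events)
    beh = behaviour_layer(events)
    return {
        "signature_hits": sorted(sig),
        "behaviour_hits": sorted(beh),
        "flagged": sorted((pid, images.get(pid, "?")) for pid in sig | beh),
    }

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

The signature layer misses the mutated sample entirely, while the behavioural layer still flags process 4120 and leaves the benign notepad process alone.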

In addition to the mutation of malware itself, malware delivery tactics are likewise evolving. Instead of sending attachments, hackers today compress malware and send emails containing malicious links. Unfortunately, around 70% of email recipients are bound to click on malicious links, especially if the email is from someone they know and trust. Hackers will always try to take advantage of security negligence, which even the best anti-virus solutions cannot safeguard against.

We Need To Layer Up On Security

Ultimately, it is becoming increasingly clear that a single-layered approach to fighting viruses that relies on signature-based technology is no longer sufficient. A layered approach is the best bet when it comes to cyber security.

Given the sheer number of malware classifications and the difficulty in ascertaining a malware’s true nature and scale, detecting malware infections from the outset is extremely difficult. Proactive protection through layered security is the only way to combat this problem.

IT security experts are beginning to understand the benefits of a layered security model. Instead of employing discrete tools such as anti-virus software, intrusion detection systems, and firewalls, they are looking to take an integrated approach to managing these technologies, augmented with other techniques: anti-attack software, management of Internet-facing applications built on Java and Flash, anti-malware, anti-ransomware, and management of the network infrastructure to ensure operating system software is fully updated and patched.

Staying ahead of cybercriminals is truly a continuous uphill battle. Investing in a multi-layered security approach before the occurrence of malware attacks instead of merely focusing on after-attack remedial action can help companies save time and money, enhance productivity, and even prevent issues that can cost companies their own image and reputation in the long run.