The war for network security is increasingly coming down to skirmishes fought over endpoints. Most malware authors don’t care about an individual user’s laptop or desktop. It’s just a stepping stone to capture, mine for credentials, and leapfrog deeper into the heart of the network. But if threats can be stopped there, they won’t ever endanger core assets.
The traditional defense placed on almost every endpoint is antivirus. Even freshly-deployed machines running Windows 10 come equipped with Windows Defender as a free form of protection. And the good thing about antivirus is that, so long as the definitions are kept up to date, it can stop 90 percent or more of the most common threats, which are cataloged as signatures as soon as they are discovered anywhere in the world.
Running without antivirus on any endpoint today is practically cyber-suicide. But it’s not perfect. Most advanced and targeted threats are written to allow them to fly under the radar of antivirus, sometimes using previously unknown tactics that may not have been cataloged by antivirus programs.
In this cat and mouse game, which is so heated because endpoints are so important to both attackers and defenders, cybersecurity companies came up with ways to catch malware that tries to avoid traditional antivirus, or other signature-based protection. One of the most popular technologies is sandboxing, which forces suspected programs to run inside a virtualized environment so that their desired behaviors and patterns can be discovered. If malicious intent is found in a program, it can be analyzed, captured and ultimately killed.
But the battle rages on. Many malware programs these days have features that allow them to detect the presence of a sandbox or other protections beyond antivirus. Once any of these advanced defenses are detected, the malware can take steps to cloak itself, basically lying about its true intentions until it’s released back into a real environment, or simply destroying itself to prevent data collection about its creators, who will inevitably try again later.
It is this new breed of environmentally-aware threat that the Minerva Anti-Evasion Platform targets on endpoints. The idea is that most normal threats will be blocked by traditional antivirus and Minerva will stop anything that attempts to get around that protection. In fact, Minerva officials stress that their toolset won’t protect anything without some type of antivirus first installed. It’s designed to work with any antivirus program, including Windows Defender and any of the offerings from companies like Symantec, McAfee, AVG, TrendMicro and others.
The Minerva protection is installed as software, with the main interface and console running locally on a customer’s server or based within the cloud. Our test program was active on a physical server. Once installed, the program pushes agents out to every endpoint that needs to be protected. The agents are very lightweight, with each one taking up about 24 megabytes.
There are several modules within the Minerva toolset including Hostile Environment Simulation, Memory Injection Prevention, Malicious Document Prevention and Ransomware Protection. Two more, Endpoint Vaccination and Critical Application Protection are being worked on and should deploy over the next several months. All of them work together to trick malware about the environment that it’s running within.
Almost all environmentally aware malware knows to look for key indicators to prove that its running inside a sandbox. Minerva feeds it those prompts, convincing it that it has been placed inside a sandbox, thereby signaling it to hide and sleep, or to outright destroy itself. Those types of deceptive commands fed to the malware from Minerva don’t disrupt legitimate programs, which never look for those indicators. Each time that the Minerva Platform successfully interacts with a program, thereby spotlighting it as malware, an alert is sent to the main console, or to an SIEM if the host organization is so equipped.
For example, malware trying to inject code into memory will make an API call to memory. Minerva will intercept that call and can return a bogus response, either access denied or no such asset exists. The malware is blocked at that point from activating, but it also signals environmentally-aware programs that they are running in a sandbox or test environment. That’s not true, but if the malware believes it, it will go into sleep mode or possibly destroy itself.
To test out the software, we equipped an endpoint as a virtual machine (VM) with McAfee Total Protection antivirus and gave it all the latest upgrades and updates. We then threw several new types of malware at it to see if it could get around that protection. We then wiped the machine and set it up again, with both McAfee and the Minerva Anti-Evasion Platform agent installed.
The first type of attack used macros embedded inside a Microsoft Word document. It was designed to secretly open a version of Explorer from the Word file, which could then be used to download malicious payloads. This is a common type of attack these days, and if done correctly, can get around many antivirus programs. When we ran the file, and told it to enable macros, nothing unusual seemed to happen. But looking at memory usage with a special tool called Process Hacker, it was clear that there was a second instance of Explorer running inside of Word, something that should never happen. Had it been a real attack, that endpoint would have been compromised despite its antivirus program.
Trying the same attack again, but this time with Minerva and McAfee in place, the Word file crashed every time we tried to enable macros on the infected document. The malware didn’t know what to do when given the bogus response from Minerva, and the program crashed. Checking memory, it was clear that it never launched the fake Explorer.
Our console flagged the attempts, however, so IT teams could respond and remove the infected document. No notice is sent to users. Minerva customers asked that their users be left out of it, since they wouldn’t know what to do about a malware notice anyway. But they are protected even if they don’t know it.
Our second test used the extremely popular and quite insidious Cryptoluck ransomware, which blew through antivirus, locking down our test system’s files and demanding a ransom for the decryption key. It was delivered by side-loading a valid Google-update process, another popular way malware defeats antivirus on endpoints.
Wiping out the VM and starting again, but this time with the Minerva agent in place to backup the antivirus, got completely different results. The Cryptoluck files could not run and would not install, even when we tried to force it to do so.
A special note on ransomware: Should some type of encryption-based ransomware somehow successfully run on your system, if its protected with Minerva, you should still be okay because of the anti-ransomware module. That module is basically ransomware-triggered backup. When files get encrypted, that module triggers an automatic backup of files that are placed within a local partition. So even if the worst happens, you should still have unencrypted copies of all your files. Relying on a last line of defense probably isn’t a great idea, but it’s nice to know you have one final safety net.
In every case, the Minerva platform used deception to prevent malware from sneaking around antivirus programs, while relying on that same traditional antivirus to stop direct threats from coming in the front door. The two technologies working together can shut down most attacks made against endpoints, whether they be loud and clumsy or sneaky and insidious.