Malware Vaccination for the Enterprise, Brought to You by Minerva

September 13, 2017


Lenny Zeltser

We can immunize computer systems against some infections by deploying vaccines that fool malware into believing the endpoint is already infected. This premise has been lingering in my mind for several years. But it wasn’t until I joined the Minerva team that I gained access to a framework that could implement this defensive technique in a manner suitable for real-world enterprise deployments. We just announced the commercial release of our Endpoint Malware Vaccination module as an add-on to the Minerva Anti-Evasion Platform. This capability allows Minerva’s customers to specify the infection markers they’d like to simulate on endpoints to prevent malware outbreaks and contain incidents.

Infection Markers as Vaccines Against Malware

Many malicious programs take measures to avoid infecting the system more than once as a way of maintaining operational stability. Such samples generate a marker when infecting the endpoint. If malware locates its marker, it will terminate. By preemptively deploying infection markers, organizations can turn them into vaccines against the associated malicious programs.

Infection markers can take the form of registry keys, files, processes, mutex (sometimes called mutant) objects and other OS artifacts. Incident responders, malware analysts, and threat hunters often have access to such details. However, security professionals have treated them solely as indicators of compromise (IOCs), employing them to detect malware after an infection. Armed with the right tools, enterprises can turn some of these indicators into vaccines to prevent infections in the first place.

Immunization During Major Outbreaks

Consider a scenario where a particular malware strain threatens many systems on the internet at large or in your industry. If threat intelligence about this malicious software reveals the presence of an infection marker, by preemptively deploying the vaccine you can prevent the infection even if it manages to get past your other defenses.

For instance, this was possible with the WannaCry worm, which used a mutex as its infection marker. In another outbreak, the NotPetya worm relied on a specific file as its infection marker, refusing to infect a system if the file was present. As an industry-specific example, consider BlackPOS malware that infiltrated many point-of-sale (POS) systems in its heyday. It would terminate itself if it discovered its marker, in the form of a mutex, present on the endpoint.

In the scenarios above, information about the use of infection markers was available to members of the security community. Enterprises with the ability to deploy the corresponding vaccines could have immunized their systems against these threats at least as a temporary measure, until they investigated the malicious software and its threat actor to address the underlying vulnerabilities or attack tactics. Now, Minerva customers have the power to do this in a production setting in moments without interfering with other security measures or business activities.

Containing Malware During Incident Response

On a more localized scale, consider a high severity incident at your organization where a malicious program was discovered on one of your endpoints. One example might be the relatively-known RevetRAT. It was not widespread; however, it was certainly a source of great concern to the enterprises where it was implanted.

If you were infected with such malware, you’d want to know how this malware found its way past your defenses. What risks does it pose? What are the adversary’s objectives? Answering these questions can take a lot of time. However, if the initial analysis of the sample reveals that it utilizes an infection marker, you can vaccinate your endpoints against the threat quickly. It’s possible to derive infection markers quickly and in many cases using automated tools. Your AV vendor can also provide such information sometimes, as was the case with RevetRAT, which relied on a mutex as an infection marker.

I’ve seen incident responders generate vaccine artifacts by hand or with the help of custom scripts to contain an intrusion. These tactics achieved the objective of slowing down the adversary’s progress. Yet, deploying the infection markers this way was time-consuming, costly, and not scalable.

In the context of an active incident, Minerva can deploy vaccines in moments. Not only will our solution inform the enterprise what systems have been infected, it will neutralize the malicious software on those systems and prevent the specimen from affecting additional endpoints. This gives incident responders a way of containing malware quickly in a manner that’s more granular and less disruptive than, for instance, taking the full network offline.

Vaccination Beyond the Lab

Security professionals have been talking about the idea of malware vaccination for a while, and have released proof-of-concept tools to generate infection markers. However, actually creating these artifacts in a production setting outside the lab is often impractical. As Minerva’s CTO Erez Breiman explained, the challenges include:

  • Creating the artifacts consumes resources that could affect performance, especially on weaker systems.
  • Creating the artifacts makes it difficult to monitor access to them to detect potential infections.
  • Creating the artifacts in a way that matches how they would have been generated by malware across all OS sessions is technologically challenging.
  • Creating the artifacts and later removing them across multiple enterprise systems is time-consuming and often impractical.

Moreover, once created, the artifacts can distract end-users and even fool anti-malware tools into believing that the endpoint is actually infected.

Instead of creating infection markers, Minerva uses its patented Minerva VR™ platform to simulate their presence in a highly-selective way that doesn’t have a performance impact, that doesn’t interfere with end-users’ experience and that doesn’t confuse existing security tools. This is the same underlying technology that is used by the other modules of Minerva’s Anti-Evasion Platform to control how malware perceives its runtime environment, causing the malicious program to terminate itself. This is the framework to which I referred in the beginning of the post, which makes it possible to implement malware vaccination across organizations large and small.

Not all malicious software uses infection markers, therefore the ability to deploy vaccines is not a “silver bullet” for endpoint defense. However, it is a new and powerful addition to the defender’s toolkit, going beyond baseline anti-malware protection and blocking additional threats before the need to engage in post-incident activities. And we’re just getting started. Minerva’s newly-minted Endpoint Malware Vaccination capability now offers a way of creating mutex-based vaccines, with the goal of supporting other types of infection markers in the upcoming releases.

I will be conducting a webinar to dig deeper into this topic on September 27th. Sign up to attend.  Also, consider requesting a demo of Minerva’s Anti-Evasion Platform to see our capabilities in action.