In any cyber attack, the longer an attacker can remain undetected, the more pervasive, intrusive, and destructive they can be. So, the search is constantly on for new ways to compromise and take over an endpoint – but do so completely in stealth.
Early attack methods involved spawning malicious processes that either performed the attack actions or downloaded a file-based payload that contained the malicious code. In either case, these methods were not designed to evade detection, allowing endpoint detection and response (EDR) solutions (which focus on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints) to quickly identify file downloads and new malicious processes.
So, modern cyber attacks focus on using various forms of evasion to avoid detection. One of these methods involves injecting malicious code into the memory of legitimate applications to avoid being spotted by baseline antivirus products.
Microsoft recently published an excellent write-up about two memory injection techniques that are very effective at evading anti-malware tools – process hollowing and atom bombing. These techniques rely on common, legitimate operating-system methods of accessing, manipulating, storing, and retrieving code within memory. They then run that code under the identity of legitimate processes to avoid detection by modern EDR solutions.
Based on the sentiment we observed in the community, some IT organizations may assume, after reading Microsoft’s write-up on memory injection techniques, that the Microsoft tools mentioned in the blog post are designed to prevent malware that uses these evasive techniques. It’s important to point out that this is a misconception.
Part of the confusion may come from the way Microsoft names its products. Microsoft’s Windows Defender is their free antivirus tool for both personal and commercial use and is a great solution for stopping non-evasive malware. Microsoft’s commercial EDR solution, Windows Defender ATP, does provide detection of and visibility into successful injections, but it’s important to recognize that this is based on after-the-fact analysis.
In other words, successful injection has already occurred before detection occurs and any protective measures are taken. So, even Windows Defender ATP focuses on detection rather than prevention.
So, is it possible to actually prevent malware that employs memory injection in the first place?
This is a valid question, since EDR solutions like Windows Defender ATP do not detect evasive techniques until after a successful infection, if at all. What’s needed is an effective approach that moves past reliance on previously known or predicted patterns – such as rich security data, advanced behavioral analytics, and machine learning – because with those you’re still left detecting attacks after the infection, in a race against the clock until the attack is identified, investigated, contained, and eradicated.
It’s worth quickly covering the Memory Protection feature of many anti-malware solutions, as the use of that term may cause further confusion. While it sounds like memory protection would help in the wake of evasive memory injection techniques, it’s important to know that memory protection usually refers to exploit mitigation, in which restrictions are placed on where processes can execute code. It’s a technology designed to thwart exploits like buffer overflows from executing code in vulnerable applications. In contrast, blocking threats that use memory injection involves preventing malicious software from misusing capabilities of the operating system, even when no exploit or vulnerability is involved.
Effectively stopping evasive malware – like the examples mentioned in this article, which are designed to avoid detection – requires a truly preventative method of protection that keeps evasive malware from ever running in the first place.
Minerva’s Anti-Evasion Platform focuses on creating an environment that the evasive malware itself believes is either hostile to run in (as in the case of a virtual sandbox designed to detonate malware) or one in which it is not able to run (e.g. by telling malware that looks for Java that Java is not installed). By approaching malware protection from this angle, Minerva is uniquely effective at truly blocking any and all evasive malware, leaving traditional EDR solutions to provide protection against all known and non-evasive malware.
The highly technical (and nasty) techniques mentioned in this article are just two examples of the innovative approaches criminal organizations are taking today. While EDR solutions are taking appropriate strides to identify and stop known infection methods, malware built to evade detection can outsmart detection methods that are based on prior knowledge, especially when the evasive method is brand new. Only by combining traditional EDR, to detect known attack methods, with solutions like Minerva’s, which are specifically designed to block evasive malware, can you enhance the security stance you already have in place with traditional EDR and block every instance of malware, no matter the technique used.