Feature What’s better, prevention or cure? For a long time the global cybersecurity industry has operated by reacting to attacks and computer viruses. But given that ransomware has continued to escalate, more proactive action is needed.
Malware vaccines were a hot topic of discussion at the recent ONE Conference in The Hague, where Justin Grosfelt, senior manager for the Reversing, Emulation, and Testing team at global cybersecurity firm Recorded Future, presented new research showing it is possible to develop code that makes only cosmetic changes to a Windows PC in order to trick malware into not bothering to infect it.
How malware vaccines work
Typically, when ransomware gets into a Windows machine, it first scans the cached memory, registry keys, file paths, and running processes to see whether the system is already infected, running on a malware analyst’s computer, or trying to run in the sandboxed environment of a virtualized machine.
If it sees any of these signs, it gives up, but if not, the ransomware sends a message back to the cybercriminals’ servers and starts downloading a payload, which then steals data, locks up files, and issues a demand for money.
So far, vaccines have worked by creating “infection markers” on Windows systems to trick malware into giving up, by placing small decoy files on the PC, by editing the registry, or by creating fake mutex objects.
The decoy files are less of an issue because when they execute, they don’t actually do anything, but if the malware looks at the processes currently running on the machine, it will see “mal.exe” or “vmware-vmx.exe” running, for example, and infer that the machine is either already infected, or running popular virtual machine software.
Editing the registry has more serious consequences, but has been used successfully to disable malware, such as when Binary Defense’s researchers created the EmoCrash kill switch in 2020.
Researcher James Quinn used a PowerShell script to create fake registry keys with a “null” data value that caused the banking trojan Emotet to overflow and crash, so it was unable to run.
Another example involves the mutex (mutual exclusion) object, a Windows synchronization primitive that lets one process take control of a shared resource at a time; only when that process releases it can another take over. Malware also relies on a mutex in order to run its payloads, so if you can convince it that the payload is already running, it quits and stops running before it can access the kernel. This is what Recorded Future did with the Rhadamanthys data-stealing malware.
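The mutex marker described above, as an added PowerShell example (not code from the article or from Recorded Future): the script plants a named mutex under a placeholder name and shows the probe a sample would make against it. The mutex name is an assumption; a real vaccine would use the name the target family actually checks.

```powershell
# Added example (not from the article or Recorded Future): a minimal "already running"
# vaccine that pre-creates a named mutex so a sample checking for it backs off.
# The mutex name below is a placeholder; a real vaccine uses the name a given family checks.
$VaccineMutexName = 'Global\PLACEHOLDER_FAMILY_MUTEX'

function Start-MutexVaccine {
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    # Request initial ownership; $createdNew is $true only if no process already holds the name.
    $mutex = New-Object System.Threading.Mutex($true, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        # Another process (legitimate or not) already owns this name: leave it alone.
        $mutex.Dispose()
        return $null
    }
    # Keep the returned object referenced for as long as the marker should exist;
    # the kernel object disappears once every handle is closed or this process exits.
    return $mutex
}

function Test-MutexMarker {
    param([Parameter(Mandatory)][string]$Name)
    # Mirrors the probe a sample performs: OpenExisting throws when nothing holds the name.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch {
        return $false
    }
}

# Demonstration: probe, plant the marker, probe again, then remove it.
Test-MutexMarker -Name $VaccineMutexName
$vaccine = Start-MutexVaccine -Name $VaccineMutexName
Test-MutexMarker -Name $VaccineMutexName
if ($vaccine) { $vaccine.ReleaseMutex(); $vaccine.Dispose() }
Test-MutexMarker -Name $VaccineMutexName
```

Run it as a normal user on a Windows host; the three probes report whether the marker is visible before, during and after the vaccine holds the mutex.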
Vaccines should be targeting malware families
While these vaccines all sound very clever, the problem is that you can never develop enough of them if you’re only targeting one malware at a time, Grosfelt said, and the vaccine files could interfere with legitimate software or system behavior.
Plus the easier the vaccine is to implement, the easier it is for threat actors to bypass it with some minor code changes. Binary Defense said that its kill switch worked for only six months before it was patched by Emotet’s authors.
“The next phase has to be one vaccine that affects multiple malware families,” said Grosfelt. The idea he and another member of his team came up with, as hobbyists, while reverse-engineering malware, was that you could hook commands in PowerShell profiles, so every time you run a command, it returns a specific value. If you could rename that value, you could trick multiple data-stealing strains of malware that all scan PCs in the same way before executing payloads.
For instance, the PowerShell profile could be modified to say “IsVirtualMachine = true.” Nothing actually changes in the PC’s operating system, and there isn’t any virtual machine software running, but the malware doesn’t know that.
As a result of this almost incidental research, which is not part of any commercial solutions Recorded Future is working on, the Massachusetts-headquartered firm is now keen to explore creating an open source community where researchers trade information to help create and deliver malware vaccines to combat families of ransomware.
This is similar to the way Sigma rules – which detect cybersecurity threats in log files for Security Information and Event Management (SIEM) systems to locate malicious activity – are maintained on GitHub by the cybersecurity industry, which is considered to be very successful.
“I’d love to see the future of vaccines not just be tied to these major [cyberattacks],” said Grosfelt. “Just researchers finding these vaccines and putting them out there regardless.”
Why aren’t malware vaccines really a thing?
Malware vaccines are currently few and far between, even though all the experts The Register interviewed acknowledged that they have been around since the 1980s.
In fact, the idea to develop infection markers was published in an IEEE journal in 2012, but nothing has been written about it since. The experts say no one in the cybersecurity industry is working seriously to make vaccines commercially viable.
Grosfelt, whose team has only been considering malware vaccines for a year, told The Register a couple of companies tried to commercialize malware vaccines in 2019, but didn’t seem to have much success.
“The Endpoint Detection and Response (EDR) market is huge and it’s controlled by all the big players in the industry like Google, Microsoft, and CrowdStrike, so to have a new company come up and say, ‘Oh, here’s vaccines too,’ – I could easily see how they could have just been swallowed by the other EDR vendors,” he said.
Professor Alan Woodward, a computer security expert based at the University of Surrey, agreed: “If you talk to Microsoft, they claim Microsoft Defender has been creating vaccines since 2015, but I think what they think of as vaccines are slightly different, they’re not necessarily proactive.
“They’ve been doing things like ‘shadow copies,’ where you can hide data so when the ransomware tries to wipe it, it’s not actually wiping out any backups.”
Creating shadow copies requires registry editing, so Microsoft often includes this in Patch Tuesday updates. But this is the closest thing Woodward has seen to a vaccine, other than those created during critical cyberattacks, when it’s all-hands-on-deck at cybersecurity firms.
Otherwise, it often seems to be every person for themselves in the cybersecurity industry, where each firm is only concerned with their own customers and sending out CVE patches as soon as new vulnerabilities are discovered.
This is quite different to other types of technology, some more emerging than others, where tech companies attempt to play together in consortia to develop standards.
Cross-industry collaboration could be better
“Any sort of standardization for cybersecurity practices is still in its infancy, and this varies country by country and even region by region, but when it comes to cybersecurity, we really do lack a clear standard guidance, especially across different industries,” said Brendan Saltaformaggio, an associate professor at Georgia Tech’s School of Cybersecurity and Privacy.
He heads up a lab that spent the last five years analyzing hundreds of malware-infected Android devices all over the world to develop an automated tool called Echo, which can detect malware strains linked to botnets, automatically generate a vaccine, and immediately distribute it to victim devices over the internet.
Saltaformaggio added that it has been difficult for many years to get enterprises, critical infrastructure providers, or governments to share information about cyberattacks because it is seen as a “black mark” that no one wants to admit to.
“There are definitely mistakes that sometimes lead to cyberattacks, but sometimes there’s not. And we should all be learning from that and building standards around that shared knowledge. We don’t currently have a good quality shared knowledge base,” he said.
Alex Lanstein is chief technology officer at StrikeReady, a Texas-based software company that has developed a unified security operations platform to integrate all the tools relating to threat detection and alert management for cybersecurity analysts.
He said he feels industry collaboration is fine as it is: “There’s a lot of tight collaboration on very specific actors from both companies and cybersecurity vendors that work on North Korean issues or the APT Chinese espionage threats… on the scale of millions of malware samples per day, and those sharing agreements do happen between the major vendors.”
Grosfelt was more nuanced in his response. “Within our community, there are tons of private shared intel groups between government channels, competitor channels and vendors… a lot of intelligence is shared in the background – you have to be in the right group at the right time sometimes, and not everybody is.
“But publicly, there’s very little collaboration between any of the major threat intelligence writers and any intelligence you get from any type of back channel, you have to curate and validate it yourself before you can even talk about it publicly.”
So should cybersecurity research be more proactive?
Woodward said he is in favor of an open source community for developing malware vaccines, but thinks it needs to be “open contribution,” not strictly open source, to prevent cybercriminals from messing with it. And he warned that unless major players are involved, it will likely fail.
“Microsoft has put a kibosh on the antivirus industry because it is now built into Windows. You can get antivirus, but in many cases you don’t really need it now,” he noted. Nevertheless, open source projects have in the past led to good outcomes, like OpenSSL, which provides the cryptographic library that applications use for encryption and secure communications over computer networks against eavesdropping, as well as for managing certificates for web servers.
“I think it is a good idea because the more people you have involved, the more likely you are to catch more variants, but you would still need the big tech companies, almost to be the vehicle for delivering it,” said Woodward.
Georgia Tech’s Saltaformaggio thinks it’s a shame that malware vaccines aren’t currently taken more seriously.
“The science behind malware vaccines is still being proven out. Our research in our lab is just one example where we’re still publishing papers that are proving that this science is there, that it’s possible,” he said. “We should be doing more malware vaccine work.”
Lanstein, however, disagreed with the concept of malware vaccines, because in his experience, they really don’t work well on enterprise networks. “For home users, there’s no downside for doing some of these techniques, or if you’re an organisation with enough resources to have cybersecurity analysts testing out each of these vaccines.
“For enterprises, it’s an interesting approach, but it’s just not solving a large enough percentage of the problem that makes it worth it.”
He added that some of the detection marker research has already made it into the software stacks of big antivirus vendors, it’s just that they don’t want to talk about it, so cybercriminals can’t work out what malware-obfuscation techniques are being used.
Public funding of cybersecurity urgently needed
There’s also a case to be made for more public funding of cybersecurity research and training, according to Saltaformaggio, whose lab is funded by the National Science Foundation (NSF), DARPA, and the Office for Naval Research.
“We are dangerously close to an autocracy of cybersecurity – you don’t want it to be a feature of the rich,” he warned. “There’s real science that underlies cybersecurity, and funding that science to make publicly available discoveries is absolutely critical [as well as] bridging the gap between getting those discoveries out of the lab and into people’s hands.”
Lanstein agreed. He said it’s a “national tragedy” that Gary Warner’s widely acclaimed computer forensics lab at the University of Alabama at Birmingham closed in August after 18 years due to funding cuts.
“Whole industries are being ground to a halt and what we’re doing is reacting. One thing we’ve noticed about the major events this year, like the Co-op, M&S, Harrods, Jaguar Land Rover attacks that have happened this year – people ask why is it taking so long for these companies to recover,” said Woodward.
“We need more funding going into the training of people for cybersecurity. At the moment, recruiters are looking for people to go firefighting, but we still need some people to carry out the fundamental research, and it should be publicly funded, if only because it’s a UK-wide and an international problem.” ®