Preview Chapter
Moving Target Attack Techniques
Polymorphism is commonly used by malware authors to evade AV detection. By encrypting the malware's payload, including its code and data, the attacker gains two main advantages. First, an attacker can easily generate different instances of the same malware by using multiple encryption keys. This renders signature-based anti-malware facilities ineffective, since each new instance has a new and unknown static signature. Second, the malware can bypass even deeper static analysis, since its code and data are encrypted and hence not exposed to scanners. Using metamorphism techniques, the malware's author complicates detection further by changing the in-memory code at every execution.
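To make the first advantage concrete from the analyst's side, the following added example (not code from the chapter) simulates re-keying one constructed payload under several keys and shows what each kind of scanner sees: a file-hash signature gets a different value per key, a byte-entropy heuristic flags every encrypted instance, and a scan of the decrypted in-memory image finds a single common signature. The keystream construction, the 6.5 bits/byte threshold and the sample payload are assumptions chosen for the illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a payload body; any benign, low-entropy bytes work.
PAYLOAD = b"mov eax, 1 ; call handler ; ret ; " * 64

def keystream(key: bytes, length: int) -> bytes:
    """Derive a pseudo-random keystream from a key with SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def rekey(payload: bytes, key: bytes) -> bytes:
    """XOR the payload with a key-derived stream; applying it again undoes it."""
    return bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))

def static_signature(blob: bytes) -> str:
    """What a hash-based file signature sees: the bytes as stored on disk."""
    return hashlib.sha256(blob).hexdigest()

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or packed data sits near 8.0, plain code far lower."""
    counts = Counter(blob)
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage(instances: list[tuple[bytes, bytes]]) -> dict:
    """Compare static signatures, entropy and the decrypted image per instance.
    Each instance is (encrypted_blob, key); the key stands in for what the
    decryptor stub holds and what a memory scan observes once it has run."""
    report = {"static": set(), "high_entropy": [], "in_memory": set()}
    for blob, key in instances:
        report["static"].add(static_signature(blob))
        report["high_entropy"].append(shannon_entropy(blob) > 6.5)  # assumed threshold
        report["in_memory"].add(static_signature(rekey(blob, key)))
    return report

if __name__ == "__main__":
    keys = [b"instance-key-A", b"instance-key-B", b"instance-key-C"]
    report = triage([(rekey(PAYLOAD, k), k) for k in keys])
    print(len(report["static"]), "distinct static signatures")    # one per key
    print(report["high_entropy"])                                 # all True
    print(len(report["in_memory"]), "distinct in-memory images")  # exactly one
```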
While polymorphism and metamorphism aim at evading automatic file and memory scanning, obfuscation is also effective against manual inspection of the code. Using obfuscation, the malware's author creates code that is extremely difficult for a human analyst to understand. This is achieved by creating a payload with obscured strings, dummy code and complicated function call graphs, all of which can be regenerated randomly with each instance of the malware.
Anti-VM and anti-sandbox mechanisms are another moving target attack method, since sandboxes and virtual machines are essential tools for malware analysts. These methods detect if the malware is running within a virtualized or sandboxed environment. If a VM or sandbox is detected, the malware alters its behavior and avoids any malicious activity. Once executing on real systems, after being tagged as benign, the malware starts its malicious behavior.
In the same manner, malware can use anti-debugging techniques to avoid debugging and run-time analysis. If, during runtime, the malware detects debugging tools running, it changes its execution flow to perform benign operations. Once the malware is not under runtime inspection, it starts its malicious behavior.
Encrypted and targeted exploits have recently been used in exploits delivered through web pages ('exploit kits'). To avoid detection, URL patterns, host servers, encryption keys, and file names are changed on every delivery. These exploits can also evade honeypots by limiting the number of accesses to the exploit from the same IP address. Finally, some types of attacks begin the exploitation phase only after real user interaction (e.g., web-page scrolling). In this way, the attacker ensures execution on a real machine rather than in automated dynamic analysis.
These effective deception methods render traditional defensive mechanisms insufficient, ceding superiority to the attackers. The defender endlessly chases the attacker, investing massive resources and effort merely to detect and prevent intrusions from all angles. There is no symmetry between defenders and attackers: attackers know whom they are going to attack, when, where and with what weapons, while defenders are in a state of constant uncertainty.