The Evolution of Malware Identification

January 11, 2019 in Ask a Security Pro, Malware

Code is what allows website owners to customize their websites and make it unique. However, sometimes malware can sneak into that code, resulting in a potentially harmful impact to unsuspecting users. Using today’s techniques, how would you distinguish which code is good and which code is bad? And what will that identification look like in the future? In this article, we will discuss current malware detection methods and the future of malware identification. Plus, provide insight into the role machine learning can play moving forward.

Why Do People Use Malware?

Let’s first look into the purpose of malware and the benefits the authors (or cybercriminals) receive by spreading their ill-intended code. Any code that works towards an unintended purpose and goes against the wishes of the website/computer owner in a harmful way is malware. There are three reasons why most malware is created: money, spite, or simply because hackers can (i.e. the 14-year-old programming prodigy tired of video games and would rather play with your website or computer). The objective of most malware is to infect a website or computer without being discovered. To accomplish this, the malicious code will be made to look legitimate. This forces cybersecurity experts to create new and effective ways to differentiate between good and malicious code.

Current Malware Detection Methods

Currently, the most used methods of malware detection are anti-malware signatures, heuristic analysis and runtime behavioral audits.

An anti-malware signature, or commonly called signature or definition, is an algorithm or hash that is used to uniquely identify malware. Signatures are representations of either complete files or pieces of code that have already been discovered as malicious. This is the most commonly used way to identify and take action against malware today.

Heuristic analysis is the process of analyzing how the code is written and determining if it is malicious or not based on assumptions of the code’s intended purpose. Heuristics take commonly-known indicators into account to land on a final conclusion. This approach can, however, lead to many false positives, which is why heuristic analysis is almost always used in combination with another method of identification.

Behavioral audits of malware consist of executing code and observing its interactions with the computer or server at runtime in order to fully understand the code’s intent. These audits are usually performed by a person within a virtual or sandboxed environment. These environments shield the person performing the audit from any potential harm the malware may cause while allowing them to see the effects of the code being ran.

These detection methods are tried and true approaches to discovering and classifying malware. Each of these methods are used in combination to understand newly discovered malware and pinpoint attack trends. Web security professionals are then able to devise the best ways to protect against these attacks.

At SiteLock, we primarily use anti-malware signatures to identify and remove malware automatically from the websites we protect. We manually perform heuristic and behavioral audits to ensure our signatures are accurate and that they do not remove legitimate code.

So where do we go from here? With these three ways of identifying malware, we are safe… right? Not exactly.

The Evolution of Malware

Though the mentioned techniques work and are the current standard for malware identification, new malware is created every day and evolves at a rapid pace. Cybercriminals are becoming cleverer and taking bolder risks to achieve their goals. For example, some attackers are using polymorphic malware, which combines known exploits with the newest programming methods, then adds layers of obfuscation that can dynamically change the code each time it is executed. Also, psychological tricks used to manipulate online users into offering their personal data or executing malware, called social engineering, are becoming more convincing and complex. Cybercriminals’ ingenuity continues to cause the industry of cybersecurity to have paradigm shifts, such as in the discovery of computer worms Nimda or Code Red. In the aforementioned cases, the industry had to adjust to malware that performed multiple malicious tasks and spread more rapidly than previous attacks.

The Future and Beyond

These ever-changing threats fuel the necessity for an always evolving defense, and though there are many smart cybersecurity professionals working to keep up, it is just not enough. The AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) daily, making it difficult for the cybersecurity industry to update fast enough. In order to fill in the gaps left by human limitation, technologies like machine learning are becoming increasingly important.

Machine learning is a way to teach a computer program new information through supplied data. It is a subset of artificial intelligence that allows current models of data and the actions it takes to respond to change with the supply of new data. Teaching a program is called “training” and its responses are called “predictions.” You may already see how this can be helpful against new cyber threats. Machine learning can be trained to find known malware threats and the commonalities they share, then use that training to discover new unidentified malware. We can then specify certain predictions a program needs to satisfy in order to identify if any given code is malware without the need for human intervention. This helps the cybersecurity industry keep up with the new types of malware created daily.

Malware detection methods like signature creation, heuristic analysis and behavioral audits will still need human interaction, but essentially only to double check findings. And though we will always need to, at some level, supervise and verify our methods for stopping malware, we are fighting a battle based on the speed of comprehension and response. For the future of malware identification, we need systems smart enough—and fast enough—to evolve with the threats. Machine learning looks to be the best way to tackle these advancing threats. This is because it can assess and adapt faster than a human, giving cybersecurity experts the edge needed to combat new malware.

In English, Please

Simply put, malicious software is a consistent problem across the web and applications alike. Finding and classifying code as bad or good is the starting gun to taking action against any potential attack, but effective cybersecurity relies on being able to catch these threats as quickly as they are created. Even though we cannot be completely certain of what the future holds, machine learning looks to be the best technological approach in defending against known and new cyberthreats. This means a faster response to attacks, and ultimately, a safer experience for users on the web. New information on this topic is produced daily. We at SiteLock urge you to look into this further and find out even more ways the cybersecurity industry is adapting to the emerging threats of the future.

Want to learn more about malware? Check out these additional resources from SiteLock:

Latest Articles
Follow SiteLock