A testament to the superiority of deep learning in the cybersecurity warfare
Over the past few years, we have seen various ways of spreading malicious code, with the dark web serving as one of the main distribution infrastructures.
Recently, a highly complex botnet (a collection of internet-connected devices that an operator controls through command and control servers) was detected and prevented by Deep Instinct’s deep learning cybersecurity solution.
Dubbed “Mylobot”, this new highly sophisticated botnet presents three different layers of evasion techniques, including usage of command and control servers to download the final payload. The combination and complexity of these techniques have never been seen in the wild before.
Aria Solomon, VP of research and development at Deep Instinct, explains that Mylobot combines several malicious techniques, including anti-VM, anti-sandbox and anti-debugging checks, and code injection.
</grreplace>
<gr_replace lines="7-8" cat="clarify" orig="Mylobot also executes">
Mylobot also executes EXE files directly from memory, without ever writing them to disk. This kind of reflective loading is uncommon and was first presented by Deep Instinct at Black Hat USA 2016, according to Solomon.
Mylobot also waits 14 days before contacting its command and control servers.
Another method is process hollowing – a technique where an attacker creates a new process in a suspended state, and replaces its image with the one that is to be hidden.
Mylobot also executes EXE files directly from memory, without having them on disk. This kind of reflection is not very common and was first published by Deep Instinct in Blackhat USA 2016, according to Solomon.
Mylobot also has a delaying mechanism of 14 days before accessing its command and control servers.
“The fact that everything takes place in memory, while executing the main business logic of the botnet in an external process using code injection, makes it even harder to detect and trace,” said Solomon.
“Tracing the command and control server reveals that it is linked to other malware as well (using the same servers), which is a big indication for common spreading infrastructure, which is common in the dark web.”
What makes Mylobot so deadly?
Botnets can theoretically do anything, depending on the payload, according to Solomon. The payload can range from DDoS attacks and data theft to ransomware installation, which can cause tremendous damage.
Solomon further explains that once Mylobot is installed, the botnet shuts down Windows Defender and Windows Update and blocks additional ports in the Windows Firewall. It also terminates and deletes any EXE file running from the %APPDATA% folder, which can cause loss of data. The main functionality of the botnet gives an attacker complete control of the user’s system: it acts as a gate for downloading additional payloads from the command and control servers.
The expected damage depends on the payload the attacker decides to distribute, which can include ransomware and banking trojans, among others. The result can be the loss of a tremendous amount of data and the need to shut down computers for recovery, which can be disastrous for enterprises.
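A defender-side triage check for the post-infection changes described above (services stopped, firewall block rules added, executables under %APPDATA% killed), written for this article as an added example; it is not Deep Instinct’s code and not derived from the Mylobot sample. It assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or newer, and the "no Group value" filter on firewall rules is a heuristic of ours, not an OS rule.

```powershell
# Added example for this article, not code from Deep Instinct or from the Mylobot sample.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later.
function Invoke-MylobotPostureCheck {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Services the article says the bot shuts down: Defender and Windows Update, plus the firewall service itself.
    foreach ($svcName in 'WinDefend', 'wuauserv', 'MpsSvc') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if (-not $svc) { $findings.Add("service $svcName not found"); continue }
        if ($svc.Status -ne 'Running') {
            $findings.Add("service $svcName is $($svc.Status), start type $($svc.StartType)")
        }
    }

    # 2. Defender real-time protection flag (the cmdlet is absent on hosts without Defender).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    }

    # 3. Enabled block rules with no Group value. Predefined Windows rules carry a Group string;
    #    rules added ad hoc usually do not. This is a heuristic: review the hits against your baseline.
    $blockRules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Group }
    foreach ($rule in $blockRules) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
        $findings.Add("block rule '$($rule.DisplayName)' direction=$($rule.Direction) localPort=$ports")
    }

    # 4. Executables running from %APPDATA%. The article says the bot kills and deletes these
    #    (including other botnets' folders), so compare this inventory with a known-good baseline.
    $appData = [System.IO.Path]::GetFullPath($env:APPDATA)
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if ($p.ExecutablePath -and
            $p.ExecutablePath.StartsWith($appData, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("process $($p.Name) (PID $($p.ProcessId)) runs from $($p.ExecutablePath)")
        }
    }
    return $findings
}

$result = Invoke-MylobotPostureCheck
if ($result.Count -eq 0) { 'No findings' } else { $result | ForEach-Object { "[!] $_" } }
```

Run it once on a clean build to record the expected output, then diff later runs against that baseline rather than treating every hit as an infection.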
“The fact that the botnet behaves as a gate for additional payloads, puts the enterprise at risk for leak of sensitive data as well, following the risk of keyloggers/banking trojans installations,” said Solomon.
Solomon notes that one of the most unusual and interesting features of this highly sophisticated botnet is how it terminates and deletes instances of other malware. It checks the known folders that malware “lives” in (the “Application Data” folder), and if a file there is running, it immediately terminates the process and deletes the file. It even targets the specific folders of other botnets such as DorkBot.
“We estimate this rare and unique behavior is because of money-making within the Dark web. Attackers compete against each other to have as many “zombie computers” as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures. The more computers the malware affects, the more money the attacker makes. This is something we’re seeing here with Mylobot,” remarked Solomon.
A testament to the superiority of deep learning
Although this degree of complexity in a malware’s structure is extremely rare, Deep Instinct’s deep learning cybersecurity solution was able to detect and prevent it in a client’s production environment, saving that company millions of dollars in potential IT damage and loss of data, claims Solomon.
“Once again, this is a testament to the superiority of deep learning-based solutions in the cybersecurity warfare,” said Solomon. “There is no end-game in cybersecurity. New and more complex types of malware are only going to continue to emerge. Security systems that simply rely on patches to detect viruses and threats aren’t going to be enough. By the time this happens, you are already compromised. Thus, it’s critical that businesses have solutions in place that not only prevent threats but are also able to detect and isolate them way before they even spread or escalate.”
Solomon says that applying deep learning technology, also known as “deep neural networks” and currently the most advanced branch of AI/machine learning, is one way to do this. “By continuously training ‘the brain’ of the system, organisations can rest assured that they will always be several steps ahead of any future threats and that as the attacks become more sophisticated, so does the technology.”
What enterprises can do to combat new malware
Enterprises need a range of cybersecurity measures in place to keep their IT network, customers and data safe. This includes automated checks and software updates; ready backups and insurance; and employee education and awareness of good cyber behaviour and hygiene practices.
Employees who travel frequently and access the company’s digital resources and IT networks from their mobile devices also need to practise good mobile cyber hygiene: being more discerning about the emails they open and the websites they visit, avoiding unsecured WiFi networks, securing their devices with unique locks such as fingerprint or facial recognition, and limiting the mobile applications they install to work-related ones.
For businesses with a shortage of cybersecurity professionals, these steps, while simple, may still prove a challenge. And even with these measures in place, there is no guarantee that a company won’t fall victim to cyber threats.
As cyber threats become increasingly sophisticated, security is going to be an ongoing challenge for all businesses at all times. A company can’t afford to let its guard down for even a split second.
Therefore, it’s critical that businesses have automated cybersecurity solutions that provide them with additional layers of protection and round-the-clock surveillance.
Applying artificial intelligence (AI) is one way to do this, specifically the most advanced branch of AI, deep learning.
“Deep Instinct’s deep learning cybersecurity solution, also known as ‘deep neural networks’, takes inspiration from the human brain. By continuously training ‘the brain’ of the system, companies can rest assured that they will always be several steps ahead of any future threats and that as the attacks become more sophisticated, so does the ‘brain’. Furthermore, it does not require the interface of an expert (i.e. a human) to help it understand the significance of each new input, giving you that extra layer of support and round-the-clock surveillance that companies seek,” said Solomon.