Unknown Malware

What is unknown malware?

Unknown malware is never-before-seen malware. Due to its “unknown” nature, this malware is extremely difficult to detect and prevent.

The number of unknown malware is constantly increasing, posing an ever-present risk for organizations and the cybersecurity professionals charged with protecting environments from breach. It has become more common that new malware families are created (based on open-source malware or on leaked source codes - intentionally and unintentionally), new versions of current malware families are released (with new features or new sophisticated evasion techniques in parallel with the improvement of the detection capabilities) or just new mutations of known malware (that have already been signed) are released into the wild. Most of these new variants have been designed to bypass current existing signatures, evading defenses, and creating opportunities for cyberattacks.

How is unknown malware created?

There are a few different ways for creating mutations:

  1. Changing the Hash: A small change in the file itself, even by appending a byte will change the hash of a file. Endpoint security solutions that rely on hash blacklisting (cloud reputation services in most of the cases) are vulnerable to such “mutations” because their existing hashing signatures will not match those new mutations’ hashes.
  2. Packing: Binary files can be packed with a packer (also known as a “compressor”, “crypter”, “protector”, or even “SFX” - selfextractors) that basically provide a generic layer on the original file, a “mask” so while running itts stub will start the unpacking process that will be revealed and run later in the original code.
  3. New Variants - Modifications of the Malware Binary: New variants are usually created by the modifications of the original malware binary itself. This is done on the features that security vendors might sign, starting from hardcoded strings, IP/domain names of C&C servers, registry keys, file paths, metadata, or even mutexes, certificates, offsets, as well as file extensions that are correlated to the encrypted files by ransomware. It can also be on the code itself, with techniques such as polymorphism, in which the opcodes are changed into other ones while keeping the original functionality; or metamorphism, in which useless parts of code are added to confuse and change the order of the structures.
  4. New Malware Families: Apart from the above mentioned methods that attackers might use to create such mutations and other variants of the same malware or new malware families can be generated for the same purpose of evasion. A new version of an existing malware can be defined with new features that the malware provides, to make its business logic different. Another way can be applying new attack vectors or evasion techniquest to bypass the current signatures of the endpoint security solutions. Additionally, a new malware family can be written from scratch, or be based on a source code of another malware.

There are many different ways that unknown malwares come into being, and their detection is tricky.

How does Deep Instinct Detect Unknown Malware?

Deep Instinct provides unmatched detection and prevention of any type of malware, known or unknown, using deep learning to leverage its detection and prevention capabilities. Since we do not use any type of signatures, Deep Instinct is immune to hash modifications. We also successfully classify packed files - whether using simple and known ones or even FUDs.

During the training phase, we add “noise” which changes the raw data from the files we feed into our algorithm, in order to automatically generate slight “mutations”, which are fed in each training cycle during our training phase. This concept immunes Deep Instinct against the modifications that are applied to the different unknown malware variants, such as strings or even polymorphism.

Regarding new and unknown malware, those are usually developed based on other malware source code, or at least based on some malicious piece of code, providing the ability to detect them as well.

Further Reading