
Shifts in Antivirus - From our perspective


One of the things we have noted is a shift away from Anti-Virus products and toward better technologies such as network traffic string detection. As we reported earlier this year, we are seeing very specific attacks on Anti-Virus technology itself. In fact, we have seen some actors target the Anti-Virus ecosystem by exploiting the fact that Anti-Virus has to run as a privileged process to be effective. Because of this, hackers are starting to target the Anti-Virus product itself to escalate to kernel- and root-level privileges, making the products almost more harmful than helpful on the Windows platform.

Norton Antivirus has for a while been a very specific target of several hacking groups, who inject bad code into the product's startup procedures so that the AV itself launches the malicious code.

Windows DLL Targeted

In one recent case we noted that legitimate Windows DLLs are being modified so that when the AV process starts, it loads the library and executes the injected code, enabling further attacks. We saw this in ATM hacking in the past, and now we are seeing more and more of this type of activity on the Windows operating system as well. If you are not aware, when Windows starts a program it loads all of that program's supporting DLLs. Hackers are starting to modify existing DLLs, adding code that causes the DLL to enable other things such as password exfiltration or password resets that give access to protected resources.

Attacking the Load Chain

When Windows boots, or when any program starts, there is typically a process of loading supporting libraries and configurations. This same series of events can itself be used to load malware, or content that circumvents the login process, steals credentials or escalates access on a targeted system. In fact, some of the most popular utilities for resetting lost or stolen passwords use this very method to bypass security.

Antivirus is OK - But Also a False Sense of Security

It is common knowledge that Anti-Virus technology is dated. Most AV products rely on signatures of "known threats". The key point is that something has to have already been observed before it can be stopped. Many companies and end users think that as long as they have AV on their systems they are OK. The fact of the matter is that virus detection with AV is hit or miss, and AV will not stop custom-written or obfuscated malicious content.

How Jigsaw Stops Threats without Anti-Virus

When Jigsaw first started fighting cyber crime and malicious actors, we learned very quickly that AV products were flawed in many ways. The manner in which they run is a vulnerability in and of itself, because AV products require low-level access to devices to be effective; attack that low-level access and you gain administrator access on the system. In addition to the low-level access requirement, Anti-Virus can only stop what it knows about. It is a cat-and-mouse game in the real world. Jigsaw Security technology monitors and tracks the network activity of these systems to detect C2 servers, payload download locations and strings in network activity, as well as files and mutexes in the applications. By tracking the characteristics of the malicious content, we can detect that content even as it is changed or obfuscated by threat actors. We also detect unknown threats by looking at the network communications themselves. For instance, if you are based in the US but are communicating with China hourly (pattern recognition), you are probably infected and communicating with a C2 server. Our software looks for this type of activity and captures it to determine whether it is a threat or a normal process.
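As an added illustration of the hourly-beacon pattern recognition described above (example code written for this page, not Jigsaw Security's own software), the following Python script groups constructed outbound connection records by source and destination and flags pairs whose connection gaps are regular and whose destination lies outside the home country. The log format, field names and thresholds are assumptions.

```python
"""Beaconing detection over outbound connection records (added example,
not Jigsaw Security's code). Flags hosts that contact the same foreign
destination at regular intervals, the hourly pattern the text describes.
Log format, field names and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_country>".
# 10.0.0.7 beacons hourly to a CN address; 10.0.0.12 contacts a CN address
# at irregular times; 10.0.0.20 contacts a US address hourly.
SAMPLE_LOG = """\
2024-03-01T00:02:11 10.0.0.7 203.0.113.9 CN
2024-03-01T01:02:14 10.0.0.7 203.0.113.9 CN
2024-03-01T02:02:09 10.0.0.7 203.0.113.9 CN
2024-03-01T03:02:12 10.0.0.7 203.0.113.9 CN
2024-03-01T00:15:00 10.0.0.12 203.0.113.50 CN
2024-03-01T00:47:30 10.0.0.12 203.0.113.50 CN
2024-03-01T03:05:00 10.0.0.12 203.0.113.50 CN
2024-03-01T09:40:00 10.0.0.12 203.0.113.50 CN
2024-03-01T00:00:00 10.0.0.20 198.51.100.4 US
2024-03-01T01:00:00 10.0.0.20 198.51.100.4 US
2024-03-01T02:00:00 10.0.0.20 198.51.100.4 US
2024-03-01T03:00:00 10.0.0.20 198.51.100.4 US
"""

def parse_log(text):
    """Yield (timestamp, src, dst, country) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, country = line.split()
            yield datetime.fromisoformat(ts), src, dst, country

def find_beacons(text, home_country="US", min_hits=4, max_jitter=0.1):
    """Return [(src, dst, mean_gap_seconds)] for (src, dst) pairs with at least
    min_hits contacts to a non-home destination and gap stdev/mean < max_jitter."""
    seen, country_of = defaultdict(list), {}
    for ts, src, dst, country in parse_log(text):
        seen[(src, dst)].append(ts)
        country_of[dst] = country
    flagged = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_hits or country_of[dst] == home_country:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:  # regular cadence
            flagged.append((src, dst, avg))
    return flagged
```

Real deployments would additionally whitelist known update or telemetry endpoints, since legitimate software also polls on a fixed schedule.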

For more information on Jigsaw Security solutions or to look at our First Watch sensors, sign up for our mailing list alerts on our website.
