Viruses are getting trickier to spot.
Microsoft has been tracking one specific type of malware (malicious software) for some time now. For more than a year Microsoft has been hunting down numerous techniques hackers are using to evade detection on its platforms.
Some of these methods are common in the ransomware that hit businesses extremely hard during Q4 of 2019. Many hackers use techniques such as random file name insertion, fileless installation and polymorphism.
Random file name insertion — just as it sounds: the attacker drops a randomly named file with an uncommon extension onto your computer, something that antivirus software will not recognize.
Fileless installation — a technique by which hackers abuse applications already on your machine to run their code, without ever installing a file containing the malicious code.
Polymorphism — the ability of a virus or other malicious software to change its form or behavior over time, so that updates to antivirus or other software that block its original course of action do not stop it.
Today I want to get into a little more detail on polymorphic malware, as many experts predict this is where hackers are going to stay undetected on business networks.
Polymorphic malware has already been found on thousands of business computers. It runs code directly in your computer’s memory and hijacks legitimate system processes to evade detection. In fact, it is so good at exploiting a variety of your computer’s standard processes that it has gone undetected on many networks for quite some time (think hundreds of days spent collecting your sensitive information).
One clear example of polymorphic malware in action is a virus Microsoft has named Dexphot.
When you or one of your users inadvertently (and unsuspectingly) downloads a file containing Dexphot onto a machine on your network, the virus starts by writing five files to that machine (most malware is written to a single file). Those files are an installer with two URLs, an MSI file (the installer package format Windows uses to install software), a password-protected ZIP file, an extraction utility and an encrypted data file containing three additional executables.
While Dexphot is running on your machine it uses a variety of processes; those observed include msiexec.exe, unzip.exe, svchost.exe, tracert.exe and setup.exe.
When Dexphot is first installed on a machine, it checks for up-to-date antivirus products, for instance from Avast, Windows Defender and Symantec. If Dexphot finds one, the infection is halted.
Note: many organizations we assess do NOT have updated antivirus running, have antivirus software that has failed to update, or do not even have software running at all.
It is hard to check the currency of your antivirus on every single machine, especially on a large or complex network. To avoid running into problems with polymorphic viruses, experts recommend getting a network security assessment to identify specifically where your antivirus issues lie (nearly 78% of organizations have some sort of problem with the currency of their antivirus platform).
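As an added example (not code from the original post), here is a small Python triage script for the "currency" problem above. It assumes a hypothetical CSV export from an endpoint-management tool with the columns hostname, product, signature_date and realtime_enabled, and a policy threshold of seven days for signature age; the host names and dates are constructed. It sorts hosts into four buckets, because "antivirus not current" usually means one of three different things: no product at all, a product that is installed but switched off, or a product whose signatures have stopped updating.

```python
import csv
import io
from datetime import date, datetime

# Constructed inventory export (hypothetical format): one row per host, as an
# endpoint-management tool might export it. These are not real hosts.
SAMPLE_INVENTORY = """hostname,product,signature_date,realtime_enabled
WS-001,Windows Defender,2019-11-25,true
WS-002,Avast,2019-09-30,true
WS-003,Symantec,2019-11-24,false
WS-004,,,
SRV-01,Windows Defender,2019-11-26,true
"""

AS_OF = date(2019, 11, 26)      # constructed reference date for the sample
MAX_SIGNATURE_AGE_DAYS = 7      # assumed policy threshold; tune to your environment


def classify_host(row, as_of=AS_OF, max_age_days=MAX_SIGNATURE_AGE_DAYS):
    """Return 'missing', 'disabled', 'stale' or 'ok' for one inventory row."""
    if not row["product"]:
        return "missing"        # no antivirus product reported at all
    if row["realtime_enabled"].strip().lower() != "true":
        return "disabled"       # installed, but not actively scanning
    sig_date = datetime.strptime(row["signature_date"], "%Y-%m-%d").date()
    if (as_of - sig_date).days > max_age_days:
        return "stale"          # signatures older than policy allows
    return "ok"


def assess_inventory(csv_text, as_of=AS_OF):
    """Group hostnames by their antivirus currency status."""
    report = {"missing": [], "disabled": [], "stale": [], "ok": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify_host(row, as_of)].append(row["hostname"])
    return report


def hosts_needing_attention(report):
    """Every host that is not 'ok', sorted, ready for a ticket or follow-up."""
    return sorted(h for status, hosts in report.items() if status != "ok" for h in hosts)


if __name__ == "__main__":
    result = assess_inventory(SAMPLE_INVENTORY)
    for status, hosts in result.items():
        print(f"{status:8s} {len(hosts):3d}  {', '.join(hosts)}")
    print("follow up:", ", ".join(hosts_needing_attention(result)))
```

The point of the four buckets is that each needs a different fix: a missing product is a deployment gap, a disabled one is a configuration or tampering question, and a stale one is usually an update-channel or licensing problem.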
Once it is on a machine with out-of-date antivirus, the virus suspends two processes on your system and replaces their contents (the instructions the computer executes) with the contents of two malicious executables. Once those are in place, the virus releases the processes from suspension and allows them to run normally.
This process-hijacking tactic is then repeated a second time, allowing Dexphot to install monitoring services on your machine. If the virus finds that any of its executables are not running or not functioning properly, it terminates and begins re-infection.
Once Dexphot is running properly, it schedules fail-safe tasks on your machine, mainly so that Dexphot can update its components if needed (this is another form of polymorphism: updating itself as detection methods update).
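The behaviour described above (an MSI installer followed by extraction of a password-protected archive, legitimate system binaries being hijacked and started from unexpected parents, and a scheduled task that re-launches the components) leaves traces in ordinary process-creation telemetry. The following Python script, added here as an illustration rather than code from the post or from Microsoft's own detections, runs a few defender heuristics over constructed Sysmon-style process-creation events. The simplified key=value log format, the sample events, and the rules themselves (svchost.exe is normally started by services.exe; system binaries launched from a user-writable directory, and scheduled tasks whose target lives in one, deserve a look) are all assumptions of this example and should be tuned to your own environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a simplified key=value form (not real
# telemetry). Process names follow the behaviour described above.
SAMPLE_EVENTS = [
    r"ts=2019-11-26T10:01:02 pid=4412 image=C:\Windows\System32\svchost.exe parent_image=C:\Windows\System32\services.exe cmd=svchost.exe -k netsvcs",
    r"ts=2019-11-26T10:05:10 pid=5120 image=C:\Windows\System32\msiexec.exe parent_image=C:\Users\alice\AppData\Local\Temp\installer.exe cmd=msiexec.exe /i payload.msi /q",
    r"ts=2019-11-26T10:05:12 pid=5201 image=C:\Users\alice\AppData\Local\Temp\unzip.exe parent_image=C:\Windows\System32\msiexec.exe cmd=unzip.exe -P ******** archive.zip",
    r"ts=2019-11-26T10:05:20 pid=5300 image=C:\Windows\System32\svchost.exe parent_image=C:\Users\alice\AppData\Local\Temp\setup.exe cmd=svchost.exe",
    r"ts=2019-11-26T10:05:21 pid=5301 image=C:\Windows\System32\tracert.exe parent_image=C:\Users\alice\AppData\Local\Temp\setup.exe cmd=tracert.exe",
    r"ts=2019-11-26T10:06:00 pid=5400 image=C:\Windows\System32\schtasks.exe parent_image=C:\Windows\System32\svchost.exe cmd=schtasks.exe /create /tn Update /tr C:\Users\alice\AppData\Local\Temp\setup.exe /sc minute /mo 30",
]

# Heuristics (assumptions for this example; tune to your environment).
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}}   # service host is normally a child of services.exe
WATCHED_SYSTEM_BINARIES = {"msiexec.exe", "svchost.exe", "tracert.exe", "schtasks.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value event line; cmd= is last and may contain spaces."""
    head, _, cmd = line.partition(" cmd=")
    event = dict(FIELD_RE.findall(head))
    event["cmd"] = cmd
    event["pid"] = int(event["pid"])
    event["image_name"] = PureWindowsPath(event["image"]).name.lower()
    event["parent_name"] = PureWindowsPath(event["parent_image"]).name.lower()
    return event


def in_user_writable(path):
    """True if the path lies under a directory an ordinary user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def evaluate(event):
    """Return a list of (rule, detail) hits for a single parsed event."""
    hits = []
    img, parent = event["image_name"], event["parent_name"]
    expected = EXPECTED_PARENTS.get(img)
    if expected and parent not in expected:
        hits.append(("unexpected_parent", f"{img} started by {parent}"))
    if img in WATCHED_SYSTEM_BINARIES and in_user_writable(event["parent_image"]):
        hits.append(("system_binary_from_user_dir", f"{img} launched by {event['parent_image']}"))
    if img == "unzip.exe" and parent == "msiexec.exe":
        hits.append(("msi_then_unzip", "installer immediately extracting an archive"))
    if img == "schtasks.exe" and "/create" in event["cmd"].lower():
        target = re.search(r"/tr\s+(\S+)", event["cmd"], re.IGNORECASE)
        if target and in_user_writable(target.group(1)):
            hits.append(("task_runs_from_user_dir", f"scheduled task target {target.group(1)}"))
    return hits


def analyze(lines):
    """Run every heuristic over every line; returns (pid, rule, detail) tuples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        findings.extend((event["pid"], rule, detail) for rule, detail in evaluate(event))
    return findings


def flagged_pids(findings):
    """Distinct process ids that triggered at least one rule, in ascending order."""
    return sorted({pid for pid, _, _ in findings})


if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid={pid:<5} {rule:<28} {detail}")
```

None of these rules is conclusive on its own (an administrator running an installer from a Temp folder will trip the second one), which is why the script reports per-process hits rather than a verdict: several rules firing on the same short-lived chain of processes is the signal worth escalating.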
Dexphot is one of countless malware campaigns actively trying to get into your network.
Why focus on Dexphot?
It exemplifies the rate at which viruses today are evolving. It also shows that hackers are intent on evading any protections you put in place on your network and underscores why you need to protect your network from having viruses install themselves in the first place.
How to do this?
Update your systems — make sure your systems are patched, your antivirus is updated and your IT support keeps maintenance a priority.
Configure your firewalls — if a proper firewall is set up, configured correctly and updated regularly, even polymorphic viruses will have an extremely hard time getting in and infecting machines on your network.
Train your users — truth be told, phishing attacks are still the largest cause of malware infections in business networks (nearly 90% of attacks stem from some sort of phishing campaign).
Get a second opinion — it is hard to track down what is being done and what isn’t. Cybersecurity experts recommend getting some sort of assessment of your environment to double-check that everything is being done to protect your organization the way you expect.