Recently, we released a whitepaper and source code demonstrating a universal unhooking technique. Removing hooks has been around for quite some time; however, most unhooking techniques are targeted towards specific hooks placed by security software.
Our intent behind releasing this project isn’t to make malware invisible to detection, but to shine a spotlight on the implications of relying on user-mode hooks for monitoring a process for malicious behavior.
Once malware has executed, all bets are off. A targeted piece of malware could lay dormant after execution for hours or even days before removing hooks and then carry out its malicious operation.
For the purposes of demonstration, we downloaded 25 samples of malware and ran them through CylanceV to get their Cylance score, which ranges from -1 to 1, with positive scores indicating benign samples and negative scores indicating maliciousness. The samples seen in Figure 1 score anywhere from -0.18 to -1.00.
Figure 1: CylanceV Scoring 25 Samples of Malware as Unsafe
Next, we took the universal unhooking project and used UPX to pack the same samples with the universal unhooking DLL. The filenames were prefixed with 'uu_' to denote that they were packed with the universal unhooking DLL. The original hash in each filename was preserved to identify the original binary; as you can see, the SHA-256 hashes of the packed files themselves have changed due to the packing process:
Figure 2: CylanceV Scoring the Same Samples Packed With the Universal Unhooking DLL
In Figure 2, we can see that the scores for all of the packed samples have shifted toward the negative end of the range, with samples scoring from -0.96 to -1.00. Cylance's mathematical model has scored the universal unhooking packed samples as more malicious than the original samples.
Finally, we turn to CylancePROTECT, which auto-quarantined the universal unhooking packed samples:
Figure 3: CylancePROTECT Auto-quarantines Samples Packed With the Universal Unhooking DLL
Cylance operates on pure pre-execution static analysis of a binary. We decide if a binary is good before letting it run. This means we don't use userland hooks to try to detect when binaries are bad, and hence our approach is not affected by this technique. However, most modern Endpoint Detection and Response (EDR) products, behavioral systems, and runtime 'heuristics' are affected by it, since removing their user-mode hooks renders them effectively blind.
For a deep-dive technical explanation of this attack, including a video showing a live demo from the recent RSA Conference, check out this research piece titled Universal Unhooking: Blinding Security Software.
CylancePROTECT leverages the power of machine learning and artificial intelligence (AI) to detect and prevent malware pre-execution. This means the malware never has a chance to run and perform the unhooking technique.
Using Cylance's proven AI models, CylancePROTECT blocks over 99% of all malware, pre-execution. Check out the latest third-party test results to learn more about CylancePROTECT's efficacy.