Scenario: Polymorphic - One file, two views

OVERVIEW: Polymorphism is used to evade pattern-matching detection relied on by security solutions like antivirus software. While certain characteristics of polymorphic malware change, its functional purpose remains the same.


For example, a polymorphic virus will continue to spread and infect devices even if its signature changes to avoid detection. By changing characteristics to generate a new signature, signature-based detection solutions will not recognize the file as malicious. Even if the new signature is identified and added to antivirus solutions’ signature database, polymorphic malware can continue to change signatures and carry out attacks without being detected.

BUSINESS PROBLEM: Employees may receive a file that claims to be "clean" because the polymorphic nature of the content has bypassed detection platforms.

THREAT: Polymorphism is hard to detect. Defences that rely on recognising the file will let it into the network.

SAMPLE 1:

Picture of two cats (redirects to website)

TEST USING GX PLATFORM:

With CTR DISABLED
(i.e. the ICAP profile is disabled on the Web Proxy / or the browser is set to bypass)
  • Download the file to your local drive
  • Open the file and view the picture - it should open as normal
  • Next rename the filename extension FROM .jpg to .html
  • Now open the file - it should connect to an external website (BBC in this example)

With CTR ENABLED

  • Download the file
  • Repeat the rename process FROM .jpg to .html

ADVANCED

  • Using Notepad/Notepad++ open the original image file. Notice that you CAN see the script appended to the file.
  • Repeat this process with the file transformed by the GX; note that the script has been left behind during the content transform.

OUTCOME

  • Deep Secure assume all data is hostile - regardless
  • The image downloads are subject to Content Transforms
  • A polymorphic file can only be transformed into one content type
  • Without the need to detect the script, the polymorphic data does not reach the recipient
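The ADVANCED step shows the script sitting after the image data, and the OUTCOME explains why a transform that rebuilds the picture as one content type leaves it behind. As an added example (not Deep Secure's or the GX platform's own code), the Python below walks the JPEG marker structure to locate the real End-Of-Image marker, reports any bytes appended after it, and rebuilds the file with only the bytes up to EOI. The marker layout (SOI, length-prefixed segments, SOS entropy-coded data with FF00 stuffing and RSTn markers, EOI) is from the JPEG standard; the sample bytes are constructed for the demonstration and are not a decodable picture. A naive search for the two-byte EOI sequence is also shown, because an APP1 segment carrying an embedded thumbnail can contain that sequence before the real EOI.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end_offset(data: bytes):
    """Return the offset just past the EOI marker, found by walking the
    marker structure, or None if the stream is not well-formed JPEG."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # a marker must start here
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1                         # skip fill bytes before the marker
        if pos >= len(data):
            return None
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos                       # true end of the image
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                         # TEM / RSTn carry no length field
        if pos + 2 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > len(data):
            return None
        pos += seg_len                       # skip the whole segment
        if marker == SOS:
            # Entropy-coded data: 0xFF is always followed by 0x00 (stuffing)
            # or an RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_bytes(data: bytes):
    """Bytes appended after EOI (the 'script' visible in Notepad), or None
    if the file is not a well-formed JPEG at all."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def transform_image(data: bytes) -> bytes:
    """Rebuild the file as image content only: keep bytes up to and
    including EOI, and refuse malformed input rather than pass it through."""
    end = jpeg_end_offset(data)
    if end is None:
        raise ValueError("not a well-formed JPEG stream; refusing to pass through")
    return data[:end]


def build_sample_jpeg() -> bytes:
    """Constructed marker skeleton (not a real picture) with an APP1 segment
    that contains an embedded FF D9 sequence before the real EOI."""
    soi = b"\xff\xd8"
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    app1_body = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"   # embedded mini-image
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"      # stuffing + RST0 inside
    return soi + app0 + app1 + sos + scan + b"\xff\xd9"


# Constructed stand-in for the appended script described in the scenario.
TRAILER = b"<!-- constructed trailing data after EOI -->"


if __name__ == "__main__":
    clean = build_sample_jpeg()
    polyglot = clean + TRAILER
    print("naive FFD9 search stops at", polyglot.find(b"\xff\xd9"))
    print("real EOI ends at", jpeg_end_offset(polyglot))
    print("bytes after EOI:", trailing_bytes(polyglot))
    print("transform removes trailer:", transform_image(polyglot) == clean)
```

`trailing_bytes` is the detection view (flag or log anything after EOI); `transform_image` is the transform view, which needs no signature for the appended content because the rebuilt output can only ever be image bytes.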