By John Stevenson | Blog

The Toxic Trojan

With Emotet continuing to dominate the malware charts, Deep Secure’s John Stevenson examines whether an anti-malware defence based on document transformation can vaccinate organisations from one of the most notorious and active pieces of malware ever created – for good.

Banking trojans are once again topping the malware charts. Amid all the exotic trojan names, variants and mutations, from BackSwap and Ursnif to Zeus and Dridex, one stands out head and shoulders above all others. It’s Emotet.

Concealed in Office Documents

Emotet is a banking trojan designed to be hard to detect and to steal bank account and credit card details. It is concealed in Microsoft Office documents and delivered either as an attachment to an email or as a download link in the body of an email. Emotet is one of the most active pieces of malware ever seen and the attackers work full time ensuring that defences are always playing catch up.

Evading Detection

A good indicator of the effectiveness of a piece of malware is to run it past a website that hosts all the major anti-malware technologies on the market and see how it fares in evading detection. When Deep Secure researchers did this with a sample of Emotet comprising a malicious macro embedded inside a Word 97 .doc file, around 75% of the anti-malware technologies on the site correctly identified it as a threat.

So far, so good. Except even the slightest change to the Emotet sample saw the success rate plummet. Adding a simple HELLO WORLD comment line to the macro script saw the percentage of anti-malware technologies correctly identifying the sample as malicious fall to 34%. Taking this modified version of Emotet and copying and pasting it into a different Word document with different body content saw the success rate fall to a mere 20%.

The changes are trivial, but the fact that the resulting sample is declared safe by so many of the anti-malware technologies we all rely on highlights a problem. All the anti-malware technologies hosted on the aforementioned website rely on detection, and detection simply can’t keep pace with a piece of malware like Emotet that is constantly changing and being refined.

Transforming Security

At Deep Secure we’ve developed Content Threat Removal to deal with APTs like Emotet. Content Threat Removal works on the premise that because you cannot be certain whether you have or haven’t detected the presence of something like Emotet in a document, the only sensible approach is not to trust any document, but to guarantee all documents are safe by transforming them.

The transformation process involves extracting the useful business information from a document, discarding the original (along with any active content, malformed structures or unnecessary features) and creating a new one with the information in it to give to the user. This type of content threat removal 100% guarantees threat-free documents because none of the original digital file is ever delivered to the endpoint.
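As an added illustration of the extract-discard-rebuild idea described above (example code written for this page, not Deep Secure's product code), the script below reads only the paragraph text out of a Word .docx and writes a brand-new .docx around it, so nothing from the original container, including a VBA project part, is carried across. The input file, its part names and its text are constructed in `make_sample()`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
ET.register_namespace("w", W_NS)
# Boilerplate parts every valid .docx container needs, and nothing more.
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" '
    'ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
ROOT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
    'Target="word/document.xml"/></Relationships>')

def part_names(docx_bytes: bytes) -> list[str]:
    """List the parts in an OOXML container, to see what survived transformation."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()

def extract_paragraphs(docx_bytes: bytes) -> list[str]:
    """Read only the visible paragraph text; macros, objects and styles are ignored."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    paras = ["".join(t.text or "" for t in p.iter(W + "t")) for p in root.iter(W + "p")]
    return [p for p in paras if p.strip()]

def transform(docx_bytes: bytes) -> bytes:
    """Extract the text, then build a fresh .docx around it; the original bytes are never reused."""
    doc = ET.Element(W + "document")
    body = ET.SubElement(doc, W + "body")
    for text in extract_paragraphs(docx_bytes):
        run = ET.SubElement(ET.SubElement(body, W + "p"), W + "r")
        ET.SubElement(run, W + "t").text = text
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", ET.tostring(doc, encoding="UTF-8", xml_declaration=True))
    return out.getvalue()

def make_sample() -> bytes:
    """Constructed input (not a real Emotet file): two text paragraphs plus a stand-in VBA part."""
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Quarterly figures</w:t></w:r></w:p>'
           '<w:p><w:r><w:t>See attached invoice</w:t></w:r></w:p></w:body></w:document>' % W_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/vbaProject.bin", b"\x00stand-in for a VBA project stream")
    return buf.getvalue()
```

Comparing `part_names(make_sample())` with `part_names(transform(make_sample()))` shows the macro part gone while `extract_paragraphs` returns the same text from both.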

A Vaccine for Emotet

Content Threat Removal has benefits across the organisation, from risk mitigation to user productivity. Most important of all, deployed along the organisational perimeter it finally offers a permanent vaccine against the threat of Emotet.

For more information, why not try a FREE TRIAL and see document transformation in action for yourself.


John Stevenson is Head of Content and Communications at Deep Secure.
