Skip Navigation
BlackBerry Blog

The Truth on Broken Samples

NEWS / 04.18.17 / Jon Miller

Let me start with a clear statement. Cylance is not distributing broken samples to game the system. We are trying to help security professionals to test for themselves, in their real-world environments. Let me explain how this particular instance of malware was distributed and how we had fixed this issue months ago.

We had an internal process that would download via an API known samples of malware from a well-known virus aggregation site, based on 10+ antivirus detections (I can't mention their name), and then send them through an automated packing system to alter the hash of the malware ("creating a new piece of malware from an AV perspective") so we could test efficacy of our own product as well as others, against "unknown samples," as well as the un-mutated original sample. The goal here is to help us stop future attacks, as well as previous attacks.

After a couple months of being operational samples, both un-mutated and mutated began to get shared with partners and prospects because it’s almost impossible to test the efficacy of a security product with known malware, so our "unknown malware" eventually got handed out.

Once malware reaches the aggregation site that we were pulling from, the API lookups allow each Tier1 AV to crowdsource their detection, and by pulling "known malware" the AVs would already stop it due to the cryptographic hash. Since attackers are constantly crypting or packing their malware to evade hash based detection, you have to do the same, to test real world efficacy. It's the reason that you see Tier 1 AVs getting 100% in antivirus tests, but you still get infected by malware when running it - everyone does, it's not a secret that AV is dead, and everyday enterprises with fully patched and cloud connected AV's are getting owned by malware left and right. The problem is everyone is testing with malware that they sourced by an antivirus program calling it malware.

Once the samples were shared externally we realized that there were issues where broken pieces of malware were getting distributed. Automatically UPX packing or MPRESS packing a potentially already packed piece of malware sometimes caused an issue where the malware would not execute, or the packing process would corrupt the sample in a way that prevented execution. 

In response we built a new process, by starting with a known working piece of malware, then crypting it with the same underground tools that are being used right now to evade AV, and testing it for function before we share it, ensuring that we get a unique sample that would evade signature AV the exact same way the underground attackers are doing it. 

When testing malware samples, you have to run them on an unprotected system to figure out what works and what doesn't. Many pieces of malware have protection to protect them from being emulated or run in a virtual machine. It means they won't run, but are still active malware. Take those samples that ran, and then alter them and test again for a product’s ability to detect a net new sample.

In conclusion, have we distributed samples that were broken, yes, but only by accident, and any testing or analysis would show they are broken; if the sample doesn't run, you can’t use it to test efficacy. We have built automation to ensure that it doesn't happen anymore, but you must always test for yourself using some form of the scientific process. Source samples from all different places, make sure they run, and test them in a lab. That's exactly what we are trying to get customers to do at Cylance: test for yourself, and make your own opinion.

If anyone would like to see a live test and have the ability to ask questions, check for our upcoming 'Underworld Tour Demo', coming to cities in over 60 international destinations. We will do a live demo right in front of you, and if you bring a flash drive we'll even let the malware go home with you for your own analysis.

We aren't trying to hide anything, but we are disrupting the industry in a major way. Antivirus companies have never distributed samples before to allow customers to test for themselves and that's all we are trying to do. Don't believe a report that was written or paid for by a marketing department - you are a technical decision maker, make your own decision, don't let someone else do it for you.

Cylance uses a completely new approach to antivirus, by using a machine learning AI to analyze each file and determine its statistical probability of being malicious. It's not a traditional AV that uses a hash or byte matching signature to detect an individual sample.

Jon Miller

About Jon Miller

Advisory Board Member at Cylance

Jon Miller is an Advisory Board Member at Cylance.