
CyberCapture: Protection against zero-second attacks [infographic]

Ondrej Vlcek, 23 June 2016

CyberCapture isolates unknown files in a safe environment and establishes a 2-way communication channel with you and Avast’s team of expert security analysts.

This week we released a new version of our core PC antivirus product, which we refer to as the Avast Antivirus Nitro Update. The update’s name is Nitro because it is filled with innovative new ways to increase both speed and protection.

One of the new ways we are increasing protection is with a cool new proprietary technology called CyberCapture. CyberCapture dramatically raises the bar when it comes to protection against zero-second attacks.

[Infographic: CyberCapture (Nitro Update)]

The threat landscape has evolved significantly in recent years, and malware has become a lucrative business for cybercriminals. Threats are becoming more sophisticated, and the life span of malware has changed drastically with the heavy use of server-side polymorphism and targeted attacks. Server-side polymorphism is where one malware sample targets a single user before the code morphs into a new sample and attacks the next user, enabling zero-second attacks that are very difficult to prevent using traditional, signature-based protection. Because samples constantly morph, their life spans are radically shortened, allowing cybercriminals to focus on big, quick campaigns that hit the maximum number of victims within the shortest possible time frame. CyberCapture detects morphed, yet-unknown files in real time and thus protects you from zero-second attacks.

In a nutshell, CyberCapture is a cloud-based smart file scanner. Rather than relying on the latest definition updates, CyberCapture isolates suspicious files in a safe environment and automatically establishes a two-way communication channel with the Avast Threat Labs for immediate analysis. This allows us to clear away all the decoy code, misdirection, and other tricks malware authors use to mask a file’s true intentions. By peeling away layers of obfuscated code in the cleanroom environment of our cloud, CyberCapture is able to fully dissect the file, observe the binary-level commands inside the malware, and fully understand the instructions hidden there.

[Infographic: CyberCapture, 600x500]

CyberCapture evolved from our DeepScreen technology, which used to analyze unknown files locally, in a virtualized “sandbox” environment. DeepScreen had two major problems, though. First, it relied on the NG virtualization component, which wasn’t compatible with all systems (it required certain settings to be enabled in the system BIOS, etc.). Second, it allowed the suspicious file to run in the sandbox for only a very short time (typically 10-15 seconds), which dramatically reduced the precision of the decision-making algorithm. By moving the technology to the cloud, and taking all the time needed to properly analyze the file, we are now adding an additional layer of protection that will be extremely difficult for attackers to beat.

While developing CyberCapture, we put a great deal of effort into shortening the time between malware discovery and the deployment of a detection. We moved the technology to the cloud so that we can leverage all of our heavy weapons to analyze samples in a controlled environment. Additionally, running our powerful detection engines on our backend means the cybercriminals have to touch our cloud to test our products’ abilities, which not only makes their lives harder but also lets us see them.

Typically, the automated analysis will need up to two hours to make a reliable decision about the file. In certain cases it will not be possible for our engines to make that decision, which is where our experienced analysts step in to analyze the file manually. During that time the file is still contained in the “capture” and hence cannot cause any harm. Once the analysis is complete, the user is notified about the result and the file is either quarantined or released from the capture and allowed to run.
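The hold-and-decide flow described above, as an added illustration (this is not Avast code and does not reflect CyberCapture’s internals): an unknown file is keyed by its SHA-256, held so it cannot execute, polled against an analysis backend for up to the two-hour automated budget, escalated to a human analyst if the backend has no verdict, and finally quarantined or released with a notice to the user. The `FakeCloudBackend` class, the polling interval, and the `Capture` state model are all assumptions made for the example; it also shows why a byte-level morph of a known sample gets its own capture rather than inheriting the original’s verdict.

```python
"""Simulated 'capture' workflow for an unknown executable (illustrative, not Avast code)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum

AUTOMATED_BUDGET_SECONDS = 2 * 60 * 60   # "up to two hours" for the automated decision


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNDECIDED = "undecided"


class State(Enum):
    HELD = "held"                # isolated in the capture; may not run
    MANUAL = "manual"            # escalated to an analyst; still held
    RELEASED = "released"        # cleared; allowed to run
    QUARANTINED = "quarantined"  # confirmed malicious; never runs


@dataclass
class Capture:
    sha256: str
    state: State = State.HELD
    elapsed: int = 0                          # simulated seconds spent in the capture
    notices: list = field(default_factory=list)   # what the user would be told


class FakeCloudBackend:
    """Hypothetical in-memory stand-in for the cloud analysis service.

    results maps sha256 -> (seconds_needed, Verdict). A digest the backend
    has never seen stays UNDECIDED, which is exactly the case a server-side
    polymorphic sample produces."""

    def __init__(self, results):
        self.results = results

    def poll(self, sha256, elapsed):
        needed, verdict = self.results.get(sha256, (None, Verdict.UNDECIDED))
        if needed is None or elapsed < needed:
            return Verdict.UNDECIDED
        return verdict


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def may_execute(cap: Capture) -> bool:
    """Only a released file leaves the capture; HELD, MANUAL and QUARANTINED all block execution."""
    return cap.state is State.RELEASED


def _finish(cap: Capture, verdict: Verdict) -> Capture:
    cap.state = State.QUARANTINED if verdict is Verdict.MALICIOUS else State.RELEASED
    cap.notices.append(f"analysis complete: {verdict.value}; file {cap.state.value}")
    return cap


def run_capture(data: bytes, backend, analyst_verdict=None, poll_interval=300) -> Capture:
    """Hold the file, poll the backend until a verdict or the automated budget runs out,
    then escalate to manual analysis. analyst_verdict stands in for the human decision."""
    cap = Capture(sha256=file_digest(data))
    cap.notices.append("unknown file held for cloud analysis")
    while cap.elapsed < AUTOMATED_BUDGET_SECONDS:
        verdict = backend.poll(cap.sha256, cap.elapsed)
        if verdict is not Verdict.UNDECIDED:
            return _finish(cap, verdict)
        cap.elapsed += poll_interval
    # Automated budget exhausted: the file stays contained while an analyst looks at it.
    cap.state = State.MANUAL
    cap.notices.append("no automated verdict; escalated to manual analysis, file still held")
    if analyst_verdict is None:
        return cap
    return _finish(cap, analyst_verdict)


def demo():
    # Constructed sample bytes; no real malware involved.
    known_bad = b"MZ constructed sample A"
    known_good = b"MZ constructed sample B"
    morphed = known_bad + b"\x00"   # one-byte morph: different digest, no cached verdict
    backend = FakeCloudBackend({
        file_digest(known_bad): (1800, Verdict.MALICIOUS),
        file_digest(known_good): (600, Verdict.CLEAN),
    })
    return {
        "bad": run_capture(known_bad, backend),
        "good": run_capture(known_good, backend),
        "morphed": run_capture(morphed, backend, analyst_verdict=Verdict.MALICIOUS),
    }


if __name__ == "__main__":
    for name, cap in demo().items():
        print(name, cap.state.value, cap.elapsed, "s", "| run allowed:", may_execute(cap))
```

The point worth noticing is that the morphed twin never benefits from (or is harmed by) the verdict on the original: it is held on its own digest until either the backend or an analyst decides, and `may_execute` stays false the whole time.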

CyberCapture is a new system and will take a bit of time to become fully tuned and productive. Because of the nature of its operations, CyberCapture continually gathers intelligence on new malware. This means it will improve organically as it is used and will therefore keep delivering better performance over time.

Take an in-depth look at the technology behind CyberCapture.

Here at Avast we are all excited about the technology and are big believers in its potential. Our team has been working very hard to keep our users around the world safe and secure, and CyberCapture is going to be a critical part of this effort.

Make sure you keep your computer protected from malware and zero-day threats with Avast Free Antivirus or one of our premium products.
