Uncloaking Malware

August 27, 2007

 

I was talking to a risk analyst at a large health insurance company about what she did not want in security solutions.

 

She didn’t want just another signature file based solution.

She didn’t want another traditional anti-virus solution.

She didn’t want to just give a vaccine to a corpse one more time.

She was concerned that there are attacks that use cloaking techniques that hide the presence of malware so that they can slip by her existing defenses. She was more concerned about what she doesn’t know about than what she does know about.

Panda tackles this problem with uncloaking technologies such as deep code inspection, rootkit heuristics and generic unpacking routines. The purpose of these technologies is to strip away the cloaking that hides malicious code from the signature-based detection, or from the engineers, that would normally identify it. The end goal is to reveal the presence of malicious code to detection technology.

In deep code inspection, the engine examines the machine code itself, using algorithms that correlate multiple pieces of the file and infer the actual intent of the code.

Rootkit heuristics use heuristic algorithms to locate hidden elements that might be a rootkit or part of one. Generic unpacking routines are used when malware is found to be using compression (packing) routines to prevent analysis of its code.
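Cross-view comparison is the basic rootkit heuristic behind "locating hidden elements": collect the same inventory through two independent paths into the kernel and diff them, because a hook that filters one path rarely filters all of them. The script below is an added example, not Panda's code, that applies the idea to process hiding on Linux (the platform is an assumption of this illustration; the same approach applies on Windows by comparing an API-level view with a raw kernel walk). The function names, the 65536 PID cap and the sample status text are my own.

```python
"""Cross-view detection of hidden processes (added example; not Panda's code).

View 1 is the /proc directory listing, which is what `ps` reads and what a
readdir-hooking rootkit filters.  View 2 asks the kernel about every PID
with kill(pid, 0), a different code path that such a hook does not touch.
A PID that answers the probe but is absent from the listing is hidden.
"""
import os


def view_proc_listing():
    """High-level view: numeric directory entries in /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def view_signal_probe(max_pid):
    """Low-level view: probe every PID with signal 0.  kill(pid, 0) delivers
    nothing but still reports whether the target exists."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists, but belongs to another user
        alive.add(pid)
    return alive


def tgid_from_status(text):
    """Parse the Tgid field out of /proc/<pid>/status text; None if absent."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Tgid":
            return int(value.strip())
    return None


def is_thread_group_leader(pid):
    """kill() also answers for thread IDs, which /proc never lists as
    top-level entries.  Only a PID whose Tgid equals its own Pid is a real
    process; a thread must not be reported as hidden."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return tgid_from_status(f.read()) == pid
    except OSError:
        # No status file: either the process exited meanwhile (a second
        # probe now fails) or something is hiding it from the filesystem.
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            return False
        except PermissionError:
            pass
        return True


def find_hidden(listed, probed, is_process=lambda pid: True):
    """Pure cross-view diff: PIDs the probe reports but the listing omits,
    filtered to real processes.  Free of I/O so it can be exercised with
    constructed views."""
    return sorted(pid for pid in probed - listed if is_process(pid))


def scan_live(pid_cap=1 << 16):
    """Run both views on this host and return the suspicious PIDs.  The cap
    bounds the probe (pid_max can be in the millions); PIDs above it are
    not examined, which is an assumption of this demo."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = min(int(f.read()), pid_cap)
    except OSError:
        max_pid = pid_cap
    listed = view_proc_listing()
    probed = view_signal_probe(max_pid)
    # Snapshot the listing again and union both, so processes that started
    # or exited during the probe are not mistaken for hidden ones.
    listed |= view_proc_listing()
    return find_hidden(listed, probed, is_thread_group_leader)


if __name__ == "__main__":
    hidden = scan_live()
    print("hidden PIDs:", hidden if hidden else "none found")
```

The two snapshots of the listing and the Tgid filter are what keep a heuristic like this from crying wolf: without them, every thread and every short-lived process shows up as a "hidden" entry. A kernel-level rootkit that filters both paths defeats this particular pair of views, which is why real scanners compare several more (scheduler structures, handle tables, raw filesystem reads) rather than just two.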

With today's cyber-crime trend toward cloaking techniques, a lot more than signature-file detection is needed.

   


Hype or The Matrix Reloaded: Perception VS Reality

August 27, 2007

 

I was at a government agency recently doing an online audit of a portion of their network, almost 655 PCs. They had quite a few security measures in place, including up-to-date resident software, multiple firewalls, limited user privileges and regular anti-spyware scans with a program specialized for this.

 

Needless to say, they were pretty shocked when I found keyloggers, screenloggers, a rootkit and downloader Trojans. They were also saturated with high-danger-level adware that left their network open to additional malware downloads. Almost 100 workstations out of the 655 scanned were infected.

 


While I was there doing the malware audit, they were hit by a massive spam attack. The email offered a free Microsoft product download. About a quarter of their 6000 PCs received the spam. Some of the users on the network were savvy enough to think "maybe this is suspicious" and reported it to their help desk, but unfortunately over a dozen employees did click on the links to find out what great deal they could get.

The resident antivirus software installed on the network workstations did not detect the Trojan embedded behind a link in the email. That Trojan is known to download additional malware, often a keylogger.


The IT security professionals who took care of this government agency network were concerned that this spam was a targeted attack on their state government, so I sent the information to PandaLabs to check out. It turned out that the Trojan was a general attack, and that it had actually been known malicious code since 2004, but it was not included in the signature files of their resident antivirus software.


You might wonder, like they did, how could a major antivirus software package miss this kind of malicious code?

In several ways.

Every antivirus program has a limit on how large a signature file it can handle; it is built into the architectural design of the application. Sometimes older signatures have to be purged to make room for newer ones.


Also, due to the vast volume of malicious code now in the wild (PandaLabs receives more than 3000 unique suspicious samples every day), many antivirus labs are overwhelmed and simply do not have the manpower to process all the variations and create vaccines for them. So a certain percentage of malware never gets analyzed, and no vaccines are created to detect or disinfect it.


Current certification programs for antivirus software test the effectiveness of the software against a "wild list" of known viruses. The testing is rigorous; however, certification only requires that the software be able to detect and clean several hundred thousand virus samples (usually between 200,000 and 300,000). As a comparison, the collective intelligence at PandaLabs holds over 1.5 million virus signatures.

Welcome to the real world! Are you really protected? Perhaps not.