Analytics // Threat Intelligence
7/11/2013
07:55 PM
Connect Directly
RSS
E-Mail
50%
50%

How Attackers Thwart Malware Investigation

A researcher at Black Hat USA this month will dissect a recent attack, showing off attackers' techniques for making malware analysis harder and intelligence gathering more time consuming

Black-hat budgeting -- attempting to skew the economics of hacking against attackers by raising the cost of compromise -- has become a common defensive strategy for companies.

Click here for more of Dark Reading's Black Hat articles.

Yet attackers have also focused on making defenders pay dearly for gathering digital intelligence on their attacks: From domain-name generation to more subtle code obfuscation, attackers are adopting techniques to raise the cost to defenders of detecting attacks, analyzing malware, and gathering intelligence.

In a presentation at the Black Hat Security Briefings in Las Vegas, Jason Geffner, a senior security researcher with security-services firm CrowdStrike, plans to perform an end-to-end analysis of a recent malware sample showing off some of the latest techniques that attackers use to make malware analysis and identification more difficult. As part of the presentation, Geffner plans to release a tool to help analysts remove the junk code used by attackers to camouflage the inner workings of malware.

"When it comes to obfuscation -- whether for obfuscating malware or for DRM purposes -- it is always going to be a cat-and-mouse game," Geffner says. "The people who apply obfuscation know that, given enough time, a researcher will be able to get around the techniques."

The malware whose analysis Geffner will present at the conference comes from a mass customized attack, likely created by a criminal organization, aimed at stealing money and information from corporate victims. The attack used a domain-generation algorithm -- a method for making malware communications difficult to cut off -- and padded parts of the program with junk code to make analysis more difficult.

The general level of obfuscation is getting better, Geffner says. Encrypting or packing too much of a program can tip off automated systems that the software is likely malicious. Instead, judicious obfuscation can avoid setting alarms and still make reverse engineering the code much more difficult. Such techniques are part of the movement on the part of attackers toward making analysis harder to do, which then raises the time and cost required by the defenders to respond to attack, said Dean De Beer, chief technology officer for ThreatGRID, which provides a cloud service for aiding malware analysis.

"The attackers are making it as hard as possible," he says. "If you have obfuscated code and it is a custom packer or encryptor, you have to load it into the debugger, set the break points, and try and figure out the encryption code. And not every organization has someone that can reverse engineer, who has the time to run the analysis and pull out what needs to be blocked each day."

[Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code. See Automated Malware Analysis Under Attack.]

The malware analyzed by CrowdStrike used five times as much junk code in some sections of the program as legitimate code to hide functionality, CrowdStrike's Geffner says. The tool to be released by CrowdStrike will automatically remove the junk code from malware that uses this particular obfuscation technique.

While attackers will likely quickly modify their tools and malware to make automated deobfuscation more difficult, forcing attackers to change their habits is another way to raise the cost to attackers, Geffner says.

"If attackers have to keep changing their ways, then that increases the effort that they have to put in," he says. "So if you can't reduce the reward, at least you are able to increase the risk -- in terms of time and effort -- that the attackers put in."

Yet if the attackers find better ways of hiding their code and making analysis more difficult for defenders, it could result is less intelligence on attackers tools and techniques, ThreatGRID's De Beer says.

"Ultimately, all of these things can be decoded and decrypted and figured out over time, whether it be through dynamic or static means, but the goal on the attackers' side is to increase the workload to the extent where it becomes a very difficult thing to scale," De Beer says. "If you can't scale your analysis and you can't scale your ability to produce actionable content and threat intelligence, then they have an advantage over you at any point in time."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.