Partner Perspectives  Connecting marketers to our tech communities.
5/15/2015
12:05 PM
John Bambenek
John Bambenek
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Drinking from the Malware Fire Hose

Take a staged approach to processing malware in bulk so that scarce and time-limited resources can be prioritized for only those threats that truly require them.

This past Thursday, Virustotal, a free service that analyzes suspicious files and URLs, said it detected almost 400,000 unique malware instances on that day alone. Keep in mind that number doesn’t include malware that wasn’t sent to Virustotal, or malware that isn’t detected by antivirus engines. The number of truly unique malware families is, of course, lower but each of these samples may have unique configuration items that could be useful for threat intelligence. That leaves a lot of malware to process and not a lot of time or resources -- reverse engineering and sandboxing isn’t cost effective when dealing with this quantity of samples.

The bad news: We’re doomed. The good news: Job security for infosec professionals is unlimited.

The key to dealing with a problem of this scale is taking a staged approach to processing malware in bulk so that scarce resources (reverse engineers) and time-limited resources (sandboxes) can be prioritized for only those threats that cannot be processed other ways.

There are generally three ways to process malware for intelligence: reverse engineering, sandboxing, and static analysis. Reverse engineering, the most expensive and time consuming method, involves a trained analyst going through the code and manually stepping through functions to gain understanding.

Sandboxing is a time-limited process in which malware is sent to a virtual machine to run so the behavior can be observed. Usually it takes some time for each sample to run, and there are many anti-sandboxing techniques that can be used by malware to make this more difficult.

Static analysis is where a sample is run through a static tool that pulls out artifacts from the malware such as its configurations. Of the three, this method is the fastest, but it only works for known threats where a tool can be crafted to pull those pieces of interest out. It also requires ongoing monitoring and maintenance since malware authors can relatively easily change obfuscation or configuration formats to defeat it.

To get an idea of the time-saving involved with static analysis, I currently process almost 200,000 malware samples daily; it takes about three to four hours with an AWS image. With 10 images, I could process a year worth of malware in about a week.

Get Ahead of the Problem

The key to processing malware at the scale needed is getting research to the point where ongoing processing can be fully automated. The good news is there are already tools to help jump start this for commodity threats.

We also need to overcome the problem of sufficiency (where someone analyzes a threat to come up with a block rule and moves on). The reality is that many different actors use the same tools, and there is valuable intelligence that can be gleaned from each specific attempt.

For example, we recently published a list of AlienSpy configs in the Fidelis Threat Advisory on AlienSpy. The obviously useful indicators are hostnames and ports, which can be fed into firewalls and other security devices quickly. However, the fourth field also includes a free form text field that the specific attacker uses called “Campaign ID.” The top item lists “Henry Targets” for this value, which stands out as unique compared to other campaigns. It would be an item that would be interesting to pivot off of to find related malware. Mutexes, registry keys, and filenames can also provide useful info to correlate malware and actors.

Not every threat can be processed this way, but every piece of malware beacons somewhere, even if it is to get to the next stage of malware in the chain or to self-update its configuration. Driving malware processing to the lowest possible level of effort allows for spending scarce resources on those threats that require additional attention.

The solution is to automate everything you can, take a hybrid approach such as sandboxing for everything else, and manually process only what you must. This way you can start to drink from the malware fire hose without drowning and still derive useful intelligence from it.

John Bambenek is a Senior Threat Researcher at Fidelis Cybersecurity. His areas of specialty include digital forensics, global cybercrime investigation, and threat intelligence. He has developed open source feeds of threat intelligence data and works with law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Fidelis Cybersecurity provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today's sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services – delivered by an elite team of security professionals with decades of hands-on experience – and our award-winning Fidelis XPS™ Advanced Threat Defense Products, which provide visibility and control over the entire threat life cycle.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-8656
PUBLISHED: 2018-05-22
Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.
CVE-2017-2609
PUBLISHED: 2018-05-22
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.
CVE-2017-2617
PUBLISHED: 2018-05-22
hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed.
CVE-2018-11372
PUBLISHED: 2018-05-22
iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php User Panel ToId parameter.
CVE-2018-11373
PUBLISHED: 2018-05-22
iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" User Panel ToId parameter.