Vulnerabilities / Threats
12/20/2012
08:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Automated Malware Analysis Under Attack

Malware writers go low-tech in their latest attempt to escape detection, waiting for human input -- a mouse click -- before running their code

The world suddenly changed for antivirus companies in 2004.

During the previous two years, malware writers had kept up a steady stream -- a trickle, in retrospect -- of viruses, Trojan horses, and worms. Security firm Symantec, for example, added approximately 20,000 new signatures each year to its Norton antivirus software to keep up with the malware flow. But in 2004, the number of new malware variants skyrocketed, forcing Symantec to add 75,000 signatures that year, 169,000 signatures in 2006, and 1.7 million signatures in 2008. This year, its software carries 21.5 million signatures, according to the firm's latest data.

Without automating the analysis of pernicious programs, antivirus firms would be overwhelmed.

But increasingly, malware writers are finding ways to attack antivirus firms' ability to cope with the flood of malicious binaries, and that could stress the entire system for triaging and analyzing malware.

"If malware can hide itself from automated threat analysis systems, it can blend in with millions of sample files and antivirus applications may not be able to figure out that it is malicious," Symantec researcher Hiroshi Shinotsuka said in an October blog post. "Therefore, both malware and packer program authors attempt to utilize techniques to hide malicious files from automated threat analysis systems."

The average antivirus firm sifts through hundreds of thousands of binaries every day to identify tens of thousands of new variants that may be targeting customers. And those estimates may be low: Symantec's systems had to wade through an ocean of 403 million unique variants of malware in 2011, a 41 percent increase over the previous year, the company said in its Internet Security Threat Report released in April.

Meanwhile, attackers have slowly escalated their methods. The first attempts merely aimed to overwhelm antivirus firms processes, using packers and obfuscation to turn a single piece of malware into multiple, dissimilar binaries. Then, attackers built their malware to look for signs that it was running inside an analysis environment, most commonly a virtual machine.

"We have seen threats that will check 50 different attributes of the environment before they start running," said Liam O Murchu, a researcher with Symantec's security response team.

More technical attacks have emerged, however. The Flashback Trojan, which infected both Windows and Mac OS X systems, locked itself to a system using an encryption algorithm based on a key derived from the specific system's properties. Gauss took the technique even further.

[Malicious programs continually evolved in 2012, whether using new technical approaches to infection, novel business models, or demonstrating the vulnerability of areas thought unrelated to cybersecurity. See Slide Show: Top 10 Malware Advances In 2012.]

A new Trojan has taken a much simpler approach. The program, known as UpClicker, looks for evidence that it's running on a human-controlled machine. Because automated malware analysis platforms typically run for only a few minutes with no human interaction, UpClicker waits for the left mouse button to be released. Only then does the malware run its main process.

In an analysis of the UpClicker Trojan, threat-protection firm FireEye found that the simple technique works well.

"They went for a very specific thing, where, unless the mouse button is released, it won't do anything," says Abhishek Singh, a senior malware research engineer with the company. "So it provides a bit of a challenge for the sandboxed systems."

When it infects the system, UpClicker takes an innocuous first step, binding itself to the mouse. The malware then hibernates until a user clicks the left mouse button and then releases it. Unless security researchers emulate the button press, automated analysis systems will stop observing the malware before its actually does any malicious activity, and the code will not be flagged for further investigation.

"When you are dealing with malware that requires a certain level of interaction, or a certain level of activity, or looking for things that exist on the host, or things that should not exist on the host, that's when these systems start having difficulty, and the playing field changes substantially," says Dean De Beer, chief technology officer with ThreatGRID, a provider of malware analysis services.

To fight against techniques designed to prevent malware from giving itself away to analysts, ThreatGRID's engineers will review any samples that did not run in their environment to ascertain why, he says. Many times the problem may be a bug in the system, but quite often the failure is due to malware designed to stymie analysis.

The arms race between malware authors and security firms will continue, Symantec's O Murchu says. The vast majority of malware developers are unlikely to code their malware to evade analysis, but the researcher does expect to see the increasing -- albeit slow -- adoption of the techniques.

"If there were a huge change in the techniques, we [the security firm] are all watching out for that, and we would all change our systems to deal with it," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.