Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/22/2017
10:30 AM
Paul Shomo
Paul Shomo
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why We Need To Reinvent How We Catalogue Malware

One obvious trend: crimeware technologies that come with simple user consoles and functionality to create unique binaries at the click of a button.

To understand how the bad guys have become so adept at producing the flood of uniquely hashed malware, we need to look at what our adversaries have been doing the past few years.

Why go back in history? Because software takes years to spread through society according to an "adoption curve." Despite its unconventional path from programmer to user, malware follows this same multi-year curve before it pops up on our radar. Take today’s ransomware headlines, Mario Vuksan, CEO of ReversingLabs points out, "Ransomware has been around for a long time, and it's just exploded the last two years."

No Magic in Building Zero Days
A black hat programmer in possession of malware's source code always has the option to make slight alterations and build new binaries with unique hash values. The variants created through custom builds are referred to as part of a malware family, because they come from common source code. Many times cybercriminals adept at programming make their living selling these builds in online crime markets.

To really see the decline of file hashing, we need to step back in time to look at tools that have lowered the bar for those lacking source code and programming savvy to create polymorphic malware. A simple example would be packing tools.

Packers allow the insertion of malware into existing binaries, creating a distinct executable with a unique hash that runs malicious code. Anyone who can run a command line utility can pack executables even without owning any source code.

New Malware "Families" Produce Unique Children, Lots of Children
Possibly the most obvious trend leading to the proliferation of zero-day binaries are those crimeware technologies which come with simple user consoles, and include builder functionality that create unique binaries at the click of a button.

Our industry loves to come up with creative names for malware categories. Remote Access Trojans (RATs), or C2 Trojans (Command and Control Trojan) as they're more commonly called now, caused a lot of trouble for government agencies in 2014 and 2015. The PlugX RAT, for example, lead to the historic theft of 18 million classified identities from OPM. To give you a little feel for the C2 Trojan adoption curve, PlugX was first discovered six years prior, in 2008.

While PlugX's UI is Chinese, the Gh0st RAT console pictured below is another Trojan which caused havoc. It has a UI remarkably similar to PlugX, except in English. Gh0st includes everything a novice needs to own their enemy including a "Create" button that produces unique Trojan files in about a second. Using this console, it's actually impossible to create a Trojan binary with a known hash; building zero days is the standard workflow within the UI.

With malware this easy to use, why would your adversaries ever reuse malware files with a known fingerprint?  Image Source: Paul Shomo

With malware this easy to use, why would your adversaries ever reuse malware files with a known fingerprint?
Image Source: Paul Shomo

Why We Should Identify Malware Families
In days past an analyst could look through threat intel to see overlapping intelligence where a given hacking crew hit their organization and other victims using the same malware hashes. Today, how do you track your malware sample back to a crew of bad actors who work off a common code base, or use common builders if they use uniquely hashed malware against all their victims? With all the zero-day malware, URLs and network communications are probably better used for attribution.

Malware reverse-engineers can manually deconstruct binaries back to their source code to identify familial DNA. But while rapid hashing of binary instances have been a mainstay of malware identification, no automated method to classify familial DNA has emerged.

Recognizing Polymorphic Malware
Builds of variants may morph their file hashes with small changes. Yet since a malware family centers around source code which defines common capabilities, sections of binaries holding this functionality remain constant across all their children.

Some vendors are able to recognize malware by noticing sections of binary files implementing functionality rather than hashing the entire file. As Tomislav Pericin, chief software architect at ReversingLabs noted, polymorphic malware can’t be correlated "based on hashing all the bits of the file anymore, that's why we developed our own algorithms to say these files are functionally similar" and thus part of a malicious family.

We're seeing examples of companies innovating new ways to detect polymorphic variants with partial hashing algorithms. Maybe in the future vendors will extend these approaches to cataloging families for threat intelligence, and as aides to attribution.

It won't happen overnight, this task is bigger than just the threat intelligence vendors. We’d have to see the industry as a whole move towards standardized ways to classify malware's familial DNA.

This is the second in a two-part series on the slow death of malware fingerprinting. You can click on What To Do When All Malware Is Zero-Day? to read the first installment.

Related Content:

 

 

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Survivalindeed
100%
0%
Survivalindeed,
User Rank: Apprentice
2/23/2017 | 9:04:50 AM
All this free info here...
Thanks Mate What  A Great Information God Bless
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10694
PUBLISHED: 2019-12-12
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1....
CVE-2019-10695
PUBLISHED: 2019-12-12
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user�s username and password were exposed in the job�s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the ...
CVE-2019-5085
PUBLISHED: 2019-12-12
An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An attacker can send a packet to trigger this vulnerability.
CVE-2019-5090
PUBLISHED: 2019-12-12
An exploitable information disclosure vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an out-of-bounds read, resulting in information disclosure. An attacker can send a packet to trigger this vulner...
CVE-2019-5091
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the Dicom-packet parsing functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an infinite loop, resulting in a denial of service. An attacker can send a packet to trigger this vulnerability.