Malware in the Wild:
Evolving to Evade Detection
Engin Kirda
Co-Founder and Chief Architect
engin@lastline.com
3/17/2015
Copyright ©2015 Lastline, Inc. All rights reserved.
Engin Kirda, Ph.D.
• Professor at Northeastern University, Boston
– Started malware research in about 2004
– Helped build and release popular malware analysis and detection systems (Anubis, Wepawet, …)
• Co-founder of Lastline, Inc.
– Lastline offers protection against zero-day threats and advanced malware
– Commercialization of many years of advanced research
Key Takeaways
• Traditional malware detection tech now ineffective
• Security automation and stealthy analysis critical to protection
• Security professionals in high demand
– Need to attract, train and retain talented people
You Will Learn
• How has malware evolved in the last decade?
• How have security technologies changed to address the threat?
• What are some key characteristics of advanced malware behaviors?
• Can we stop this threat? Is this a lost war?
How Has Malware Evolved?
(Chart: Cyberattack (R)Evolution. X-axis: Time. Y-axis: $$ Damage, scaled from Hundreds through Thousands, Hundreds of Thousands and Millions up to Billions. Stages labelled Cybervandalism, Cybercrime, and Cyber-espionage and Cyber-war.)
The Nature of the Threat Has Changed
• Intruders are more prepared and organized
• Attack attribution on the Internet is incredibly difficult
• Intruder tools are increasingly sophisticated yet easy to use
A Little Bit of History…
• End of the 80s, viruses came out
– First form of malware
– Often destructive, but no financial incentive
• In the 90s, worms became popular
– Often destructive, but no financial incentive
A Little Bit of History…
• As of 2000, financial incentives became increasingly dominant
– Phishing, Pharming, Banking Trojans, Key-loggers…
• As of 2010, targeted attacks gaining more attention in the media
– Attacks against companies like Google, RSA
– Espionage as a major incentive
Excerpts from 2014
• Dairy Queen International
– Backoff, more than 300 stores, credit card information stolen
• J.P. Morgan Chase
– Customer information for millions of customers compromised
• Home Depot
– Credit card information stolen for more than 50 million customers
• UPS
– Backoff, 60 stores compromised
• Target
– Millions of credit card records stolen
How Have Security Technologies Evolved?
Emergence of Signature-Based Detection
Traditional Malware Detection
• Imagine you are identifying people based on
their looks
– Are they wearing a hat?
– What color is their hair?
– How tall are they?
– What is their eye color?
– How old are they?
– Do we have their fingerprint?
(Image: Walter White)
Example: Chernobyl (CIH) Virus

5B 00 00 00 00    pop ebx
8D 4B 42          lea ecx, [ebx + 42h]
51                push ecx
50                push eax
50                push eax
0F 01 4C 24 FE    sidt [esp - 02h]
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]

SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B
The Problem of Evasion
• What if the criminal is wearing a black hat and sunglasses as a disguise?
• What if the criminal is also able to change his fingerprints on the fly, after every crime?
• We’d be in a lot of trouble at airports. Unfortunately, we have this situation happening in the cyber world right now
(Image: Heisenberg)
Disguising: Chernobyl (CIH) Virus

5B 00 00 00 00    pop ebx
8D 4B 42          lea ecx, [ebx + 42h]
51                push ecx
50                push eax
90                nop
50                push eax
40                inc eax
0F 01 4C 24 FE    sidt [esp - 02h]
48                dec eax
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]

DIFFERENT SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B
Malware Uses Disguise
• It does the same thing, but it looks different each time
• Detecting malware just based on its “looks” does not work anymore
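The two CIH byte strings printed on the preceding slides make the point concrete. The following added example (not code from the deck or from Lastline) runs a classic exact-byte signature and a gap-tolerant one over both sequences. The byte strings are the ones on slides 13 and 15; the split of the signature into instruction-sized pieces, the pattern builder and the third, more heavily padded variant are constructions of this example.

```python
"""Exact versus gap-tolerant byte signatures for the CIH code shown on the slides.

Added example; not code from the deck or from Lastline.  The two byte strings
are the ones printed on slides 13 and 15; the instruction split, the
gap-tolerant pattern builder and the padded third variant are this example's
own constructions.
"""
import re

# Byte sequence from slide 13 (the original signature).
ORIGINAL = bytes.fromhex(
    "5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B")
# Byte sequence from slide 15: same work, with nop / inc eax / dec eax inserted.
DISGUISED = bytes.fromhex(
    "5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B")
# Constructed variant: three nops in one place, which exceeds a gap budget of 2.
HEAVILY_PADDED = bytes.fromhex(
    "5B 00 00 00 00 8D 4B 42 51 90 90 90 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B")

# The original signature split at instruction boundaries (slide 13 disassembly).
INSTRUCTIONS = [
    "5B 00 00 00 00",  # pop ebx (followed by the four zero bytes shown on the slide)
    "8D 4B 42",        # lea ecx, [ebx + 42h]
    "51",              # push ecx
    "50",              # push eax
    "50",              # push eax
    "0F 01 4C 24 FE",  # sidt [esp - 02h]
    "5B",              # pop ebx
    "83 C3 1C",        # add ebx, 1Ch
    "FA",              # cli
    "8B 2B",           # mov ebp, [ebx]
]


def exact_signature_matches(sample: bytes, signature: bytes = ORIGINAL) -> bool:
    """Classic signature scan: the exact byte string must occur in the sample."""
    return signature in sample


def build_gap_tolerant_pattern(pieces, max_gap: int = 2):
    """Compile a regex over bytes that requires each instruction's bytes in order
    but allows up to max_gap arbitrary bytes between consecutive instructions
    (the same idea as a hex pattern with bounded jumps in a rule language)."""
    parts = [re.escape(bytes.fromhex(p)) for p in pieces]
    gap = b".{0,%d}" % max_gap
    return re.compile(gap.join(parts), re.DOTALL)


def scan(sample: bytes, max_gap: int = 2) -> dict:
    """Run both detectors over a sample and report which of them fire."""
    pattern = build_gap_tolerant_pattern(INSTRUCTIONS, max_gap)
    return {
        "exact": exact_signature_matches(sample),
        "gap_tolerant": pattern.search(sample) is not None,
    }


if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("disguised", DISGUISED),
                         ("heavily padded", HEAVILY_PADDED)]:
        print(f"{name:15s} gap=2 -> {scan(sample)}   gap=3 -> {scan(sample, 3)}")
```

The exact signature fires only on the slide-13 bytes; the gap-tolerant one also catches the slide-15 variant, and misses the padded variant until the gap budget is raised. That budget is the whole trade-off: every byte of tolerance widens the pattern and raises the false-positive rate, and none of it helps once the malware swaps registers, substitutes equivalent instructions, or encrypts its body, which is why the rest of the deck turns to behavior.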
Malware is Now a Problem of Scale…
• The number of new malware samples out there has been increasing exponentially
• It might be the same malware sample you are dealing with, but it looks different to the naked eye…
Summary of traditional approaches:
1998 compared to 2015
Lastline Labs: AV Can’t Keep Up
Antivirus systems take months to catch up to highly evasive threats.
Current State of Affairs
• Anti-virus systems are not enough
– Malware modifies itself to evade detection
• Manual analysis of threats requires an enormous amount of resources
– Cannot scale, reaction time in the order of days or weeks
• We need to be leading in the arms-race
How Have Security Technologies Evolved?
Emergence of Behavior-Based Detection
Key Idea
• Why not just run or open the suspicious file and see how it behaves?
• This approach is generally known as sandboxing
• The sandbox typically uses a virtualized, instrumented environment
• The system logs the behaviors of the file
Sandbox-Based Detection Is Popular
• There are many security products now
– Sandboxing is often a component that is used for unknown files
• These sandboxes often vary in quality
– A sandbox can be very simple, or can be more sophisticated based on its design
Evasion of Behavior-Based Detection
• Bad guys are not stupid
• They have received the news that behavior-based detection is what everyone’s using now
• Just like signature-based detection systems were evaded in the past, behavioral evasion tricks have emerged
One of The First Tricks That Emerged: Red Pill (Remember The Matrix?)
• A Virtual Machine (VM) is often used to run the code during analysis and detection
• The red pill test allows you to find out if you’re running in a VM
• There are many ways of launching evasions like that
Some Dynamic Evasion Tricks
• Checking for specific artifacts in the virtualized OS
• Checks on CPU features that indicate VM
• Looking for running processes and imitating them
• Waiting for someone to click on something
• Delaying the execution until the analysis system gives up
An Emerging Trick: Stalling Loops
• A simple piece of code that takes milliseconds to execute on your laptop, but hours to run in a virtualized detection system
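Each of the dynamic evasion tricks listed on the previous slide, and the stalling loop on this one, leaves a recognisable trace in the call log a sandbox records, and a sandbox that scores those traces can flag a sample as environment-aware even when the sample itself never misbehaves. The following added example (not code from the deck or from Lastline) scores a behaviour log for those five tricks. The log format is constructed for this example: one monitored call per line, written as "<seconds since start> <api> key=value ...". The API names are real Windows calls; the thresholds are assumptions that a sandbox operator would tune.

```python
"""Scoring a sandbox behaviour log for the evasion tricks listed on the slides.

Added example, not code from the deck or from Lastline.  The log format is
constructed for this example: one monitored call per line, written as
"<seconds-since-start> <api> key=value ...".  The API names are real Windows
calls; the thresholds are assumptions a sandbox operator would tune.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    t: float
    api: str
    args: dict = field(default_factory=dict)


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, api, *kv = line.split()
        events.append(Event(float(ts), api, dict(item.split("=", 1) for item in kv)))
    return events


# Assumed thresholds.
TOTAL_SLEEP_LIMIT_S = 60.0   # "delaying execution until the analysis system gives up"
SILENT_GAP_LIMIT_S = 20.0    # a stalling loop shows up as CPU time with no monitored calls
CURSOR_POLL_LIMIT = 5        # "waiting for someone to click on something"
PROCESS_WALK_LIMIT = 10      # "looking for running processes"
SLEEP_LIKE = {"Sleep", "NtDelayExecution", "WaitForSingleObject"}


def evasion_indicators(events: list) -> dict:
    """Map each evasion trick from the slides to the evidence found in the log."""
    found = {}
    counts = Counter(e.api for e in events)

    # CPU-feature check: CPUID leaf 1 carries the hypervisor-present bit and
    # leaf 0x40000000 is the hypervisor vendor leaf.
    if any(e.api == "CPUID" and e.args.get("leaf") in ("1", "0x40000000") for e in events):
        found["cpu_feature_check"] = True

    # Process enumeration: a snapshot followed by a long Process32Next walk.
    if counts["CreateToolhelp32Snapshot"] and counts["Process32Next"] >= PROCESS_WALK_LIMIT:
        found["process_enumeration"] = counts["Process32Next"]

    # Waiting for user interaction: repeated cursor polling.
    if counts["GetCursorPos"] >= CURSOR_POLL_LIMIT:
        found["waits_for_user"] = counts["GetCursorPos"]

    # Delaying execution: total sleep time the sample asked for.
    total_sleep = sum(int(e.args.get("ms", 0)) / 1000.0
                      for e in events if e.api in ("Sleep", "NtDelayExecution"))
    if total_sleep >= TOTAL_SLEEP_LIMIT_S:
        found["delays_execution_s"] = total_sleep

    # Stalling loop: a long silent gap that no sleep-like call accounts for.
    longest = 0.0
    for prev, cur in zip(events, events[1:]):
        if prev.api not in SLEEP_LIKE:
            longest = max(longest, cur.t - prev.t)
    if longest >= SILENT_GAP_LIMIT_S:
        found["stalling_gap_s"] = round(longest, 3)
    return found


def verdict(text: str) -> tuple:
    """Two or more independent indicators: treat the sample as sandbox-aware."""
    indicators = evasion_indicators(parse_log(text))
    label = "evasive" if len(indicators) >= 2 else "no evasion seen"
    return label, indicators


# Constructed log of an evasive sample: VM check, process walk, cursor polling,
# a five-minute sleep, then a roughly 52 s busy loop before any real work.
EVASIVE_LOG = "\n".join(
    ["# constructed sample log: evasive behaviour",
     "0.001 GetModuleHandleW name=kernel32.dll",
     "0.002 CPUID leaf=1",
     "0.004 CreateToolhelp32Snapshot flags=TH32CS_SNAPPROCESS",
     "0.005 Process32First"]
    + [f"{0.006 + 0.001 * i:.3f} Process32Next" for i in range(12)]
    + [f"{0.020 + 0.5 * i:.3f} GetCursorPos" for i in range(5)]
    + ["2.530 Sleep ms=300000",
       "302.531 GetTickCount",
       "354.100 GetTickCount",
       "354.101 WriteFile bytes=8192"])

# Constructed log of an ordinary program for comparison.
BENIGN_LOG = """\
# constructed sample log: a document viewer
0.001 GetModuleHandleW name=kernel32.dll
0.010 CreateFileW path=report.docx
0.015 ReadFile bytes=4096
0.030 Sleep ms=100
0.140 WriteFile bytes=512
"""

if __name__ == "__main__":
    for name, log in (("evasive", EVASIVE_LOG), ("benign", BENIGN_LOG)):
        print(name, "->", verdict(log))
```

The stalling-loop rule is the one worth noting: the sample never calls anything suspicious, it simply goes quiet while burning CPU, so the only evidence is the gap between monitored calls. A sandbox that only matches on API names will not see it; one that also tracks elapsed time, or better, executed instructions, will. The remaining rules are deliberately simple and any one of them alone is weak, which is why the verdict requires two independent indicators.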
What are some key characteristics of advanced malware behaviors?
Oh Internet, where are we headed?
Key Characteristics of Malware Today
• The majority of the malware is “noise”
– 50%-80%
• A smaller portion is nasty
– 15%-20%
• An even smaller portion is very nasty
– 1%-5%
You’ve Probably Read This:
Recent Payment Breaches
• The last year has seen a dramatic escalation in the number of breached Point of Sale (PoS) systems
• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
• In a few cases an early alarm was received, but it was ignored because it was indistinguishable from the background noise
What is Backoff?
• Malware used in numerous breaches in the last year
• Secret Service estimated 1,000+ U.S. businesses affected
• Targeted to Point of Sale (PoS) systems
• Evades analysis
How are the attackers deploying it?
• Scan for Internet facing Remote Desktop applications
• Brute force login credentials
• Often successfully find administrative credentials
• Use admin credentials to deploy Backoff to remote PoS systems
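The first two steps of this chain happen before any malware touches the PoS system, and they are visible in ordinary Windows logon auditing: a burst of failed Remote Desktop logons from one address, then a success from the same address. The following added example (not code from the deck or from Lastline) detects that pattern. Windows records a failed logon as event 4625 and a successful one as 4624, and logon type 10 (RemoteInteractive) is the Remote Desktop case; the event lines below are a constructed, simplified rendering of those records, the IP addresses come from documentation ranges, and the thresholds are assumptions.

```python
"""Spotting the Backoff deployment pattern in Windows logon events.

Added example, not code from the deck or from Lastline.  It looks for the
first two steps of the chain on the slide: a burst of failed logons against an
Internet-facing Remote Desktop service, followed by a success from the same
source.  Windows records failed logons as event 4625 and successful ones as
4624; logon type 10 (RemoteInteractive) is the RDP case.  The event lines are
a constructed, simplified rendering of those records, the IP addresses are from
documentation ranges, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 20          # failures from one source inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10
EVENT_FAILED, EVENT_SUCCESS = 4625, 4624


def parse_events(text: str) -> list:
    """Parse '<utc-time> <event-id> <logon-type> <source-ip> <account>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, logon_type, src, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), int(logon_type), src, user))
    return sorted(events)


def _has_burst(failure_times: list) -> bool:
    """Sliding window: FAILURE_THRESHOLD failures within WINDOW from one source."""
    j = 0
    for i, start in enumerate(failure_times):
        while j < len(failure_times) and failure_times[j] - start <= WINDOW:
            j += 1
        if j - i >= FAILURE_THRESHOLD:
            return True
    return False


def detect_rdp_bruteforce(events: list) -> list:
    """One alert per source that brute-forced RDP; severity rises if it got in."""
    by_src = defaultdict(list)
    for ev in events:
        if ev[2] == RDP_LOGON_TYPE:
            by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in sorted(by_src.items()):
        failures = [ev for ev in evs if ev[1] == EVENT_FAILED]
        if not failures or not _has_burst([ev[0] for ev in failures]):
            continue
        first_failure = failures[0][0]
        logged_in_as = sorted({ev[4] for ev in evs
                               if ev[1] == EVENT_SUCCESS and ev[0] > first_failure})
        alerts.append({
            "source": src,
            "failures": len(failures),
            "accounts_tried": len({ev[4] for ev in failures}),
            "logged_in_as": logged_in_as,
            "severity": "likely_compromise" if logged_in_as else "credential_guessing",
        })
    return alerts


def _constructed_log() -> str:
    """Constructed events: 25 failures in five minutes, then a success as
    'administrator' from the same address, plus a legitimate user's typo."""
    lines = ["# constructed Windows Security events: "
             "<utc-time> <event-id> <logon-type> <source-ip> <account>"]
    base = datetime(2015, 3, 10, 2, 14, 0)
    guessed = ["administrator", "admin", "pos", "manager"]
    for i in range(25):
        stamp = base + timedelta(seconds=12 * i)
        lines.append(f"{stamp:%Y-%m-%dT%H:%M:%SZ} 4625 10 203.0.113.7 {guessed[i % 4]}")
    stamp = base + timedelta(seconds=12 * 25)
    lines.append(f"{stamp:%Y-%m-%dT%H:%M:%SZ} 4624 10 203.0.113.7 administrator")
    lines += ["2015-03-10T09:01:10Z 4625 10 198.51.100.20 cashier",
              "2015-03-10T09:01:25Z 4624 10 198.51.100.20 cashier",
              "2015-03-10T09:05:00Z 4624 2 198.51.100.20 cashier"]
    return "\n".join(lines)


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(CONSTRUCTED_LOG)):
        print(alert)
```

The legitimate user who mistypes a password once is not alerted on, the guessing source is, and the alert carries the account that finally worked, which is the credential to reset and the session to hunt for on the PoS hosts. The per-source count is the rule's known weakness: guessing spread across many addresses, or slowed below the window, stays under it, so in practice this sits beside a per-account failure count and beside the simpler control the slide implies, which is not exposing Remote Desktop to the Internet at all.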
Carbanak Malware
• Bank robbing, raked in as much as $1 billion
– Banks infiltrated, ATMs were taken over
– Balances adjusted and funds transferred remotely
• Most Carbanak samples exhibit stealthy behavior (90%)
– 17% display evasive behavior (detecting the sandbox)
– Samples are environmentally aware
– A stealthy sandbox that can detect evasions is needed
In Recent Research…
• We looked at a Non-Governmental Organization (NGO)
– Representing the Uyghur minority in China
– Many suspicious emails were being sent
– Many targeted hacking attempts
• Key finding
– The attacks were surprisingly simple
– Malware not very sophisticated
– No unknown vulnerabilities used
Can we stop this threat?
Is this war winnable?
The Reality is That the Threat Will Continue to Exist
• The right question should be: How can we keep this threat under check and limit damage?
• Similar to protecting your home
– Locks can be broken
– But you can use a good lock, build in alarm systems, and lock away your valuables
Technology plays a crucial role, but…
• Integration is very important
– Whatever solutions we deploy must be easy to integrate and interoperate with existing systems
• Proposed solutions need to be scalable
– Organizations typically have thousands of users and multiple nodes that need protection
Correlation is the key
• There is no silver bullet in security!
• You need to correlate information coming from different sources
• Network nodes, domain names used, connections opened…
• There is a large attack surface…
Thinking like the attacker
• It is not a question of if, but only when you’ll be breached
• Getting breached is not the end of the world if…
1. … you can detect the breach quickly
2. … understand how you were breached
3. … can share this breach knowledge automatically with other components and business units
It’s Not Only a Technology Problem
• Security systems sometimes fail because people fail
– Education is a key component of any security solution
• We need to educate students, train employees
– Student hacking contests are a great example
Student Hacking Competitions
• Help educate and train students
– Hacking contests where the aim is defense and offense
– They’re fun! ;) And useful
– 6 years ago, some companies were against them… now they’re organizing their own ;)
New Research: Kernel-Level Detection
• Operating system kernel is the blind-spot for detection
– Kernel-level malware is typically invisible to sandboxes
• At least one malware component often executes in kernel-space
– I’m happy to announce novel techniques to automate the analysis of such malware today
– http://www.lastline.com/labs
Key Takeaways
• Traditional malware detection tech now ineffective
• Security automation and stealthy analysis critical to protection
• Security professionals in high demand
– Need to attract, train and retain talented people
THANK YOU!
For more information visit www.lastline.com
or contact us at info@lastline.com.
