A Deeper Look at Malware: The Whole Story
By: Bryan Lu
Virus Bulletin Conference 2007, September 19-21, 2007, Vienna, Austria
Virus Bulletin Conference 2007, Vienna, slide 2
Antivirus World
Customer / Biz side
Research & Support Teams
Customers meet the product: a hidden layer and a growing gap
Disclaimer: on data, features and AV names
Agenda
• How good is the detection?
• Life span of a Malware
• The real detection rate and latest threats’ backlog
• Malware prevalence to Undetected file type
• Packed vs. Unpacked malware
• Silver in the bags of junk
• Unused options
How good is the detection?
“Your ID please!” Simple enough?
• Just like scanning boot viruses (back in the days)
• Cross-detection rate based on AV-Test: 60% (lowest)?
Lifespan of a Malware
The lifespan of a malware is the amount of time it has existed in the wild.
Formula: Lifespan = Last Detection Date minus Discovered Date
e.g. Netsky.P: May 2007 – Mar 2004 = 3 Y & 3 M; Grew.A: May 2007 – Jan 2006 = 1 Y & 5 M
A few known limitations: gaps in sightings, malware that is still prevalent, and counting by name.
Lifespan of a Malware: data set
• Consists of more than 20,000 prevalent Windows executable malware between January 2005 and May 2007.
• Based on several thousand units worldwide that have been reporting their threat events.
Life span of a malware: by month
*based on Fortinet's malware Prevalence System
• 70% of malware became inactive after 3 months
Life span of a malware: by days
• 60% of malware became inactive after 7 days.
*based on Fortinet's malware Prevalence System
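As an added example (not from the original slides), the lifespan formula from the "Lifespan of a Malware" slide and the "inactive after N days/months" figures from the by-month and by-days slides, computed over a constructed set of sighting records. Months are counted inclusively, which is what reproduces the slide's Netsky.P and Grew.A figures, and a family still seen in the last month of the (assumed) observation window is flagged as still prevalent, since its lifespan is then only a lower bound.

```python
from datetime import date

# Constructed sighting records (family name, report date); not Fortinet's data.
SIGHTINGS = [
    ("Netsky.P", date(2004, 3, 22)), ("Netsky.P", date(2005, 8, 1)),
    ("Netsky.P", date(2007, 5, 14)),
    ("Grew.A", date(2006, 1, 19)), ("Grew.A", date(2007, 5, 2)),
    ("Sample.X", date(2007, 2, 1)), ("Sample.X", date(2007, 2, 5)),
    ("Sample.Y", date(2007, 3, 10)),
]
WINDOW_END = date(2007, 5, 31)  # end of the observation period (assumed)


def span_months(first: date, last: date) -> int:
    """Inclusive month count: both end months count, as in the slide's figures."""
    return (last.year - first.year) * 12 + (last.month - first.month) + 1


def lifespans(sightings):
    """Per family: (first seen, last seen, years, months, still_prevalent)."""
    first, last = {}, {}
    for name, d in sightings:
        first[name] = min(first.get(name, d), d)
        last[name] = max(last.get(name, d), d)
    out = {}
    for name in first:
        years, months = divmod(span_months(first[name], last[name]), 12)
        # Seen in the window's last month: the lifespan is only a lower bound
        # (the 'still prevalent' limitation on the slide).
        censored = (last[name].year, last[name].month) == (WINDOW_END.year, WINDOW_END.month)
        out[name] = (first[name], last[name], years, months, censored)
    return out


def inactive_within(sightings, days: int) -> float:
    """Share of families not seen again more than `days` after their first
    sighting; families still prevalent at the window end are not counted."""
    spans = lifespans(sightings).values()
    done = [(last - first).days <= days and not censored
            for first, last, _y, _m, censored in spans]
    return sum(done) / len(done)


if __name__ == "__main__":
    for name, (f, l, y, m, c) in lifespans(SIGHTINGS).items():
        print(f"{name}: {f} .. {l} = {y} Y & {m} M{' (still prevalent)' if c else ''}")
    print(f"inactive within 7 days: {inactive_within(SIGHTINGS, 7):.0%}")
    print(f"inactive within 90 days: {inactive_within(SIGHTINGS, 90):.0%}")
```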
Detection Rate* (since 2005 Q1)
• By excluding ‘rescanning’ of samples older than 1 month, it shows the lag in creating a signature.
*based on Fortinet’s malware collection
Latest Threats’ Backlog - 3 Months
(chart: Detection Rate)
• Highest detection rate in May 2007: 65%
*based on Fortinet’s malware collection
Malware Prevalence
• 2005: Windows Executable (IM-worm, Email-worm, Spyware, Trojan, Windows Virus, Network Worm, File-based exploit): 96% (580 M); Scripts, Macro, Mobile, Linux, Phish: 4%
• 2006: Windows Executable (IM-worm, Email-worm, Spyware, Trojan, Windows Virus, Network Worm, File-based exploit): 86% (435 M); Scripts, Macro, Mobile, Linux, Phish: 14%
*based on Fortinet’s malware Prevalence System
Undetected file type
Based on the top 3 scanners from the previous slide and our malware collection:
• The number of malware in Windows executable format has grown (of course); however, the detection rate has not improved.
• In 2005, 73% is detected by the top scanners from the previous slide. In 2006, 67%. In 2007, 47%.
*based on Fortinet’s malware collection
Is it Packed?
• Of malware smaller than 1 MB, 44% is packed.
*based on Fortinet’s malware collection
And, its file sizes
• 97% of packed or unpacked malware is below 1 MB
• 90% of malware is below 400 KB
*based on Fortinet’s malware collection
Packed Distribution
• 65% of infected malware is less than 100 KB
• 30% of normal files is less than 100 KB
*based on Fortinet’s malware collection
File Size limiting
• 97% of malware is less than 1,000 KB.
*based on Fortinet’s malware collection
File Size limiting
• 32% of malware is between 100 and 1000 KB
*based on Fortinet’s malware collection
File Size limiting
• 50 percent of malware is between 10 and 100 KB
*based on Fortinet’s malware collection
Windows Executable, Packed and Filesizes
Table (slide 19): columns Normal File (Windows Executable) and Malware File (Windows Executable, Packed); rows Unpacked / Packed, Less than 1 MB, Less than 100 KB; values shown: 66%, 28%, 44%, 97%, +90%, 65% (less than 100 KB)
Silver in the bags of junk
• Malware that is noteworthy because its file forms are not supported
• And, they are non-executable.
• However, they may be used for evading detection.
Simple Obfuscation (XOR)
• Less than 40% of scanners support XOR
E-Mail file type
• Based on scanning an Email file, 70% supports ‘MIME’ file type scanning. And, 50% supports ‘base64’ file type scanning.
Assembly file type
• Less than 25% supports rebuilding ‘assembly’ file type.
How many?
• 2005 – 35
• 2006 – 40
• 2007 – 10 in Q1
BMP + EXE Header
• Less than 25% supports a prepended bitmap header.
First two bytes: “BM”; header size 0x0036 (54 bytes)
PC bitmap data
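As an added example (not from the original slides), a defender-side check for the two file forms described on the "Simple Obfuscation (XOR)" and "BMP + EXE Header" slides: it looks for an MZ/PE header at the file start and behind a 54-byte "BM" header, trying the one single-byte XOR key that would map the first byte to 'M'. Validating e_lfanew against the "PE\0\0" signature is my own added check, and the sample files are constructed header skeletons, not real malware.

```python
import struct

BMP_HEADER_LEN = 0x36  # 54-byte bitmap header cited on the slide


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR (the 'simple obfuscation' case); key 0 is the identity."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_exe(data: bytes):
    """Return (offset, xor_key) of a PE image found at the file start or after a
    prepended BMP header, plain or single-byte XORed; None if nothing is found."""
    offsets = [0]
    if data[:2] == b"BM":
        offsets.append(BMP_HEADER_LEN)
    for off in offsets:
        chunk = data[off:]
        if len(chunk) < 0x40:
            continue
        key = chunk[0] ^ 0x4D  # the only key that turns the first byte into 'M'
        decoded = xor_bytes(chunk, key) if key else chunk
        if looks_like_pe(decoded):
            return off, key
    return None


def make_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header skeleton (not a runnable program)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16


# Constructed samples: plain, behind a BMP header, XORed, both combined, and a
# bitmap-only file that must not be flagged.
SAMPLES = {
    "plain": make_pe_stub(),
    "bmp": b"BM" + b"\0" * (BMP_HEADER_LEN - 2) + make_pe_stub(),
    "xor": xor_bytes(make_pe_stub(), 0x5A),
    "bmp+xor": b"BM" + b"\0" * (BMP_HEADER_LEN - 2) + xor_bytes(make_pe_stub(), 0x5A),
    "real_bmp": b"BM" + b"\0" * 100,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:8s} -> {find_embedded_exe(blob)}")
```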
PIF/Mac Binary + EXE Header
• Prepended with PIF header.
Unused Options?
A ‘file’ attached in an email or in an HTTP/FTP download
• Source, URL or IP check
• File extension blocking
• File format blocking
• Common obfuscation
• Packed format
• File size blocking
Network/Personal Firewall
Average Improvement:
1st Line: 6%
2nd Line: 8%
3rd Line: 16%
4th Line: 48%
5th Line: 60%
(chart legend: Current Detection / Improvement)
Blocking packed executable files
Summary
• Analysis, Detection, Analysis, Detection ...
• 1-month life span
• 30% active in the last 2 years; 15% active in the last 6 months
• Advance our products with features that are based on statistical analysis.
Windows Executable, Packed, junk malware, file sizes, file format,