Malware in the Wild: Evolving to Evade Detection


Malware in the Wild: Evolving to Evade Detection

Engin Kirda, Co-Founder and Chief Architect

[email protected]

3/17/2015

Copyright ©2015 Lastline, Inc. All rights reserved.

Engin Kirda, Ph.D.

• Professor at Northeastern University, Boston

– started malware research in about 2004

– Helped build and release popular malware analysis and detection systems (Anubis, Wepawet, …)

• Co-founder of Lastline, Inc.

– Lastline offers protection against zero-day threats and advanced malware

– Commercialization of many years of advanced research


Key Takeaways

• Traditional malware detection tech now ineffective

• Security automation and stealthy analysis critical to protection

• Security professionals in high-demand

– Need to attract, train and retain talented people


You Will Learn

• How has malware evolved in the last decade?

• How have security technologies changed to address the threat?

• What are some key characteristics of advanced malware behaviors?

• Can we stop this threat? Is this a lost war?


How Has Malware Evolved?

Cyberattack (R)Evolution

[Chart: $$ Damage (Hundreds, Thousands, Hundreds of Thousands, Millions, Billions) plotted against Time, with the phases labelled Cybervandalism (#@!), Cybercrime ($$$), and Cyber-espionage and Cyber-war (!!!)]


The Nature of the Threat Has Changed

• Intruders are more prepared and organized

• Attack attribution on the Internet is incredibly difficult

• Intruder tools are increasingly sophisticated yet easy to use


A Little Bit of History…

• End of the 80s, viruses came out

– First form of malware

– Often destructive, but no financial incentive

• In the 90s, worms became popular

– Often destructive, but no financial incentive


A Little Bit of History…

• As of 2000, financial incentives became increasingly dominant

– Phishing, Pharming, Banking Trojans, Key-loggers…

• As of 2010, targeted attacks gaining more attention in media

– Attacks against companies like Google, RSA

– Espionage as a major incentive


Excerpts from 2014

• Dairy Queen International

– Backoff, more than 300 stores, credit card info stolen

• J.P. Morgan Chase

– Customer information for millions of customers compromised

• Home Depot

– Credit card info stolen for more than 50 million customers

• UPS

– Backoff, 60 stores compromised

• Target

– Millions of credit card records stolen


How Have Security Technologies Evolved?

Emergence of Signature-Based Detection


Traditional Malware Detection

• Imagine you are identifying people based on their looks

– Are they wearing a hat?

– What color is their hair?

– How tall are they?

– What is their eye color?

– How old are they?

– Do we have their fingerprint?


[Image: Walter White]


Example: Chernobyl (CIH) Virus

5B 00 00 00 00    pop ebx
8D 4B 42          lea ecx, [ebx + 42h]
51                push ecx
50                push eax
50                push eax
0F 01 4C 24 FE    sidt [esp - 02h]
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]

SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B


The Problem of Evasion


• What if the criminal is wearing a black hat and sun glasses for disguise?

• What if the criminal is also able to change his fingerprints on the fly, after every crime?

• We’d be in a lot of trouble at airports. Unfortunately, this is exactly the situation in the cyber-world right now

[Image: Heisenberg]


Disguising: Chernobyl (CIH) Virus

5B 00 00 00 00    pop ebx
8D 4B 42          lea ecx, [ebx + 42h]
51                push ecx
50                push eax
90                nop
50                push eax
40                inc eax
0F 01 4C 24 FE    sidt [esp - 02h]
48                dec eax
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]

DIFFERENT SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B


Malware Uses Disguise

• It does the same thing, but it looks different each time

• Detecting malware just based on its “looks” does not work anymore
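The two CIH listings above show the whole problem of byte signatures in one picture: three inserted single-byte instructions (nop, and an inc eax / dec eax pair that cancels out) leave the behaviour unchanged but break the exact byte match. The script below is an added example, not code from the talk or from Lastline; it takes the byte strings exactly as printed on the slides, shows the exact-match signature firing on the original and missing the disguised variant, and then builds a filler-tolerant signature (bounded wildcard gaps between the instruction boundaries, the same idea as a jump in a YARA rule) that catches both. The set of filler bytes and the maximum gap of two are assumptions chosen for this example.

```python
import re

# Bytes of the Chernobyl (CIH) fragment exactly as listed on the slide, split at
# the instruction boundaries the slide shows.
CIH_INSTRUCTIONS = [
    bytes.fromhex("5B00000000"),  # pop ebx (bytes as printed on the slide)
    bytes.fromhex("8D4B42"),      # lea ecx, [ebx + 42h]
    bytes.fromhex("51"),          # push ecx
    bytes.fromhex("50"),          # push eax
    bytes.fromhex("50"),          # push eax
    bytes.fromhex("0F014C24FE"),  # sidt [esp - 02h]
    bytes.fromhex("5B"),          # pop ebx
    bytes.fromhex("83C31C"),      # add ebx, 1Ch
    bytes.fromhex("FA"),          # cli
    bytes.fromhex("8B2B"),        # mov ebp, [ebx]
]
SIGNATURE = b"".join(CIH_INSTRUCTIONS)

# The two byte strings shown on the slides: the original fragment and the
# disguised variant with nop / inc eax / dec eax inserted between instructions.
ORIGINAL = bytes.fromhex("5B000000008D4B425150500F014C24FE5B83C31CFA8B2B")
DISGUISED = bytes.fromhex("5B000000008D4B4251509050400F014C24FE485B83C31CFA8B2B")

# Single-byte filler used by the disguised variant (assumed filler set for this
# example). The inc/dec pair cancels out, so the fragment still does the same thing.
JUNK_BYTES = b"\x90\x40\x48"  # nop, inc eax, dec eax


def exact_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature scan: the exact byte string must occur in the sample."""
    return signature in sample


def build_tolerant_pattern(instructions, junk=JUNK_BYTES, max_gap=2):
    """Build a regex that allows up to `max_gap` filler bytes between
    consecutive instructions of the signature (a bounded wildcard jump)."""
    gap = b"(?:[" + re.escape(junk) + b"]{0,%d})" % max_gap
    return re.compile(gap.join(re.escape(i) for i in instructions))


TOLERANT_PATTERN = build_tolerant_pattern(CIH_INSTRUCTIONS)


def tolerant_match(sample: bytes, pattern=TOLERANT_PATTERN) -> bool:
    """Signature scan that survives the filler-insertion trick from the slide."""
    return pattern.search(sample) is not None


def scan(sample: bytes) -> dict:
    """Run both detectors over a sample and report which of them fire."""
    return {"exact": exact_match(sample), "tolerant": tolerant_match(sample)}


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("disguised", DISGUISED)):
        print(f"{name:9s} {scan(blob)}")
```

The tolerant pattern only buys a little: it handles the filler bytes the slide shows, but a variant that reorders instructions, substitutes equivalent ones, or encrypts the body defeats it just as it defeats the exact match, which is the scale problem the next slides describe and the reason the talk moves on to behaviour-based detection.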


Malware is Now a Problem of Scale…

• The number of new malware samples out there has been increasing exponentially

• It might be the same malware sample you are dealing with, but it looks different to the naked eye…


Summary of traditional approaches: 1998 compared to 2015


Lastline Labs: AV Can’t Keep Up

Antivirus systems take months to catch up to highly evasive threats.


Current State of Affairs

• Anti-virus systems are not enough

– Malware modifies itself to evade detection

• Manual analysis of threats requires an enormous amount of resources

– Cannot scale, reaction time in the order of days or weeks

• We need to be leading in the arms-race


How Have Security Technologies Evolved?

Emergence of Behavior-Based Detection


Key Idea


• Why not just run or open the suspicious file and see how it behaves?

• This approach is generally known as sandboxing

• The sandbox typically uses a virtualized, instrumented environment

• The system logs the behaviors of the file


Sandbox-Based Detection Is Popular

• There are many security products now

– Sandboxing is often a component that is used for unknown files

• These sandboxes often vary in quality

– A sandbox can be very simple, or can be more sophisticated based on its design


Evasion of Behavior-Based Detection

• Bad guys are not stupid

• They have received the news that behavior-based detection is what everyone’s using now

• Just like signature-based detection systems were evaded in the past

• Behavioral evasion tricks have emerged


One of The First Tricks That Emerged: Red Pill (Remember Matrix?)

• A Virtual Machine (VM) is often used to run the code during analysis and detection

• The red pill test allows you to find out if you’re running in a VM

• There are many ways of launching evasions like that


Some Dynamic Evasion Tricks

• Checking for specific artifacts in the virtualized OS

• Checks on CPU features that indicate VM

• Looking for running processes and imitating them

• Waiting for someone to click on something

• Delaying the execution until analysis system gives up


An Emerging Trick: Stalling Loops


• Simple piece of code that takes milliseconds to execute on your laptop, but hours to run in a virtualized detection system
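From the sandbox side, the tricks on the last two slides leave footprints in the behaviour log the sandbox keeps: an artifact check shows up as a registry or file query for a string no normal host contains, a delay shows up as a sleep request followed by silence, and a stalling loop shows up as a long silence with no sleep to explain it (the sample is busy but never touches the OS). The script below is an added example, not Lastline code and not the talk's: it reads a constructed trace in an assumed format (`<seconds> <pid> <API> <arguments>`), flags those three patterns, and returns a summary. The idle threshold of 60 seconds, the sleep-API names and the artifact watchlist are assumptions you would tune to your own analysis environment.

```python
from typing import Dict, List

# Constructed sandbox trace for this example (not real sandbox output).
# Assumed line format: <seconds since start> <pid> <API name> <arguments>
SAMPLE_TRACE = "\n".join([
    r"0.000 1234 NtCreateFile \??\C:\Users\user\sample.exe",
    r"0.012 1234 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    r"0.013 1234 RegQueryValue HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0 -> VMware Virtual disk",
    r"0.020 1234 NtDelayExecution 300000",
    r"300.030 1234 NtQuerySystemInformation SystemProcessInformation",
    r"300.031 1234 GetCursorPos",
    r"1500.200 1234 NtCreateFile \??\C:\Users\user\AppData\Local\Temp\payload.tmp",
])

# APIs through which a sample asks to be put to sleep (assumed set). A long gap
# right after one of these is a deliberate delay rather than a busy stall.
SLEEP_APIS = {"NtDelayExecution", "Sleep", "SleepEx"}

# Illustrative watchlist (assumed): strings a sample has no business looking for
# on a normal workstation or PoS terminal. Populate for your own environment.
ARTIFACT_WATCHLIST = ("vmware", "virtualbox", "vbox", "qemu")


def parse_trace(text: str) -> List[Dict]:
    """Turn trace lines into event dicts; arguments may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        events.append({
            "t": float(parts[0]),
            "pid": int(parts[1]),
            "api": parts[2],
            "args": parts[3] if len(parts) > 3 else "",
        })
    return events


def find_gaps(events: List[Dict], idle_seconds: float = 60.0) -> List[Dict]:
    """Find periods with no logged activity. A gap right after a sleep call is
    a 'delay'; a gap nothing explains is a 'stall': the sample is spinning in a
    loop without touching the OS, which is what a stalling loop looks like
    from the outside (milliseconds on real hardware, far longer instrumented)."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        gap = cur["t"] - prev["t"]
        if gap >= idle_seconds:
            kind = "delay" if prev["api"] in SLEEP_APIS else "stall"
            gaps.append({"kind": kind, "start": prev["t"], "end": cur["t"], "seconds": gap})
    return gaps


def find_artifact_probes(events: List[Dict], watchlist=ARTIFACT_WATCHLIST) -> List[Dict]:
    """Events whose arguments reference an analysis-environment artifact."""
    hits = []
    for ev in events:
        lowered = ev["args"].lower()
        matched = [w for w in watchlist if w in lowered]
        if matched:
            hits.append({"t": ev["t"], "api": ev["api"], "matched": matched})
    return hits


def summarize(text: str, idle_seconds: float = 60.0) -> Dict:
    """Parse a trace and report stalls, delays and artifact probes."""
    events = parse_trace(text)
    gaps = find_gaps(events, idle_seconds)
    probes = find_artifact_probes(events)
    return {
        "events": len(events),
        "stalls": sum(1 for g in gaps if g["kind"] == "stall"),
        "delays": sum(1 for g in gaps if g["kind"] == "delay"),
        "probes": len(probes),
        "verdict": "evasive" if (gaps or probes) else "no evasion observed",
        "gaps": gaps,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_TRACE), indent=2))
```

On the constructed trace the sample probes a disk-enumeration key, sleeps for five minutes, then goes silent for twenty minutes before dropping a file; the summary reports one probe, one delay and one stall. Whether the sandbox then keeps waiting, accelerates the clock, or reports the sample as evasive is a policy decision, but without this kind of accounting the stalling loop simply wins by running out the analysis timeout.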

What are some key characteristics of advanced malware behaviors?

Oh Internet, where are we headed?


Key Characteristics of Malware Today

• The majority of the malware is “noise” – 50%-80%

• A smaller portion is nasty – 15%-20%

• An even smaller portion is very nasty – 1%-5%


You’ve Probably Read This: Recent Payment Breaches

• The last year has seen a dramatic escalation in the number of breached Point of Sale (PoS) systems

• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms

• In a few cases an early alarm was received, but it was ignored since it was indistinguishable from the background noise


What is Backoff?

• Malware used in numerous breaches in the last year

• Secret Service estimated 1,000+ U.S. businesses affected

• Targeted to Point of Sale (PoS) systems

• Evades analysis


How are the attackers deploying it?

• Scan for Internet facing Remote Desktop applications

• Brute force login credentials

• Often successfully find administrative credentials

• Use admin credentials to deploy Backoff to remote PoS systems
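The deployment chain on this slide (exposed Remote Desktop, credential brute force, then a successful administrative logon) is loud in the Windows Security log long before Backoff itself lands: a burst of failed logon events (4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, followed by a successful logon (4624) from the same source. The script below is an added example, not part of the talk and not Lastline's code; it runs a per-source sliding window over a constructed log extract in an assumed one-line-per-event format and raises two alerts: the brute-force burst itself, and the success that follows it. The threshold of five failures in sixty seconds, the line format and all addresses and account names are constructed for the example (the addresses come from the documentation ranges).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Windows Security log extract (not real log data). Assumed format,
# one event per line: <UTC time> <event id> LogonType=<n> Account=<name> Source=<ip>
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2015-03-10T02:14:05Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2015-03-10T02:14:06Z 4625 LogonType=10 Account=admin Source=203.0.113.7
2015-03-10T02:14:07Z 4625 LogonType=10 Account=pos Source=203.0.113.7
2015-03-10T02:14:08Z 4625 LogonType=10 Account=Administrator Source=203.0.113.7
2015-03-10T02:14:09Z 4625 LogonType=10 Account=store1 Source=203.0.113.7
2015-03-10T02:14:10Z 4625 LogonType=10 Account=POSAdmin Source=203.0.113.7
2015-03-10T02:14:41Z 4624 LogonType=10 Account=POSAdmin Source=203.0.113.7
2015-03-10T02:20:00Z 4625 LogonType=10 Account=jsmith Source=198.51.100.23
2015-03-10T02:20:09Z 4624 LogonType=10 Account=jsmith Source=198.51.100.23
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text: str) -> List[Dict]:
    """Parse the assumed line format into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event_id": int(event_id)}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key.lower()] = value
        ev["logontype"] = int(ev["logontype"])
        events.append(ev)
    return events


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Sliding-window count of failed RDP logons per source address, then a
    check for a successful RDP logon from a source that was already flagged."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = {}                  # source ip -> time it crossed the threshold
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logontype"] != RDP_LOGON_TYPE:
            continue
        src = ev["source"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ev["ts"]
                alerts.append({"kind": "rdp_bruteforce", "source": src,
                               "failures": len(q), "at": ev["ts"]})
        elif ev["event_id"] == SUCCESSFUL_LOGON and src in flagged:
            # A success after a burst of failures is the signal that matters most:
            # the guessed credentials are now in the attacker's hands.
            alerts.append({"kind": "success_after_bruteforce", "source": src,
                           "account": ev["account"], "at": ev["ts"]})
    return alerts


def analyze(text: str, threshold: int = 5) -> List[Dict]:
    """Convenience wrapper: parse a log extract and run the detector."""
    return detect_rdp_bruteforce(parse_events(text), threshold)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second source in the sample (one failure, then a success nine seconds later) is what an ordinary mistyped password looks like and produces no alert; the window and threshold are what separate it from the burst. The success-after-burst alert is the one to route to a human, because it marks the moment the attacker gains the administrative credentials the slide describes.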


Carbanak Malware

• Bank robbing, raked in as much as 1 billion $

– Banks infiltrated, ATMs were taken over

– Balances adjusted and funds transferred remotely

• Most Carbanak samples exhibit stealthy behavior (90%)

– 17% display evasive behavior (detecting sandbox)

– Samples are environmentally-aware

– Stealthy sandbox is needed that can detect evasions


In Recent Research…

• We looked at a Non-Governmental Organization (NGO)

– Representing the Uyghur minority in China

– Many suspicious emails were being sent

– Many targeted hacking attempts

• Key finding

– The attacks were surprisingly simple

– Malware not very sophisticated

– No unknown vulnerabilities used


Can we stop this threat?

Is this war winnable?


The Reality is That the Threat Will Continue to Exist

• The right question should be: How can we keep this threat under check and limit damage?

• Similar to protecting your home

– Locks can be broken

– But you can use a good lock, build in alarm systems, and lock away your valuables


Technology plays a crucial role, but…

• Integration is very important

– Whatever solutions we deploy must be easy to integrate and interoperate with existing systems

• Proposed solutions need to be scalable

– Organizations typically have thousands of users and multiple nodes that need protection


Correlation is the key

• There is no silver bullet in security!

• You need to correlate information coming from different sources

– Network nodes, domain names used, connections opened…

• There is a large attack surface…


Thinking like the attacker

• It is not a question of if, but only when you’ll be breached

• Getting breached is not the end of the world if…

1. … you can detect the breach quickly

2. … understand how you were breached

3. … can share this breach knowledge automatically with other components and business units


It’s Not Only a Technology Problem

• Security systems sometimes fail because people fail

– Education is a key component of any security solution

• We need to educate students, train employees

– Student hacking contests are a great example


Student Hacking Competitions

• Help educate and train students

– Hacking contests where the aim is defense and offense

– They’re fun! ;) And useful

– 6 years ago, some companies were against them… now they’re organizing their own ;)


New Research: Kernel-Level Detection

• Operating system kernel is the blind-spot for detection

– Kernel-level malware is typically invisible to sandboxes

• At least one malware component often executes in kernel-space

– I’m happy to announce novel techniques to automate the analysis of such malware today

– http://www.lastline.com/labs


Key Takeaways

• Traditional malware detection tech now ineffective

• Security automation and stealthy analysis critical to protection

• Security professionals in high-demand

– Need to attract, train and retain talented people
