|
|
|
Malware Defensive Techniques Will Evolve as Security Arms Race Continues
By: Brian Prince
2009-09-19
Article Rating:  / 2
There are 1 user comments on this Network Security & Hardware story.
For security researchers, beating attackers means keeping an eye on what is happening while paying attention for signs of what lies ahead.When
it comes to fighting malware, researchers have to both keep their eyes on the
present and foresee what the future may hold before the next threat is on their
doorstep.
While
the majority of malware attacks stick to tried-and-true methods, malware
authors are getting better at being stealthy and finding ways to fight back
against the security pros trying to thwart them. A
well-known example of this is the Conficker worm disabling antivirus updates by
blocking infected computers from accessing the Websites of security
companies like Symantec.
Looking
ahead, several security pros said they expect some of the defensive mechanisms
of todays malware to be refined and enhanced as cyber-criminals try to sneak
past researchers and network defenses alike. Right now, for example, there
are malicious programs capable of recognizing when they are being run in a virtual environment. By exploiting bugs in
commonly used virtualization software, malware could potentially infect
researchers as they begin their poking and prodding, noted Danny Quist,
CEO
of
Offensive Computing.
There
have been some talks at Black Hat that result in exploiting some of the VMware
drivers used on a system, he said. By doing this, the malware is
theoretically able to infect the root machine that's being used for malware
analysis.
Others
have exploited buffer overflows in reversing tools [like OllyDbg] to gain
control of a system, Quist continued. One new technique uses thread local
storage [TLS] system inside of Windows to
execute code before the expected breakpoint.
TLS
is
being used in the unpacking process, which is typically outside the regular
analysis domain. It's important to realize that reverse engineering is a
cat-and-mouse game. As one side gets better at something, the opposing side
improves too.
The
standard right now is for malware that detects that it is being run in a
virtual environment to cease/exit, explained Patrick Martin, senior manager at
Symantec Security Response. Attackers are also using more advanced cryptography
(Conficker used MD6) as well as so-called "spaghetti code," which
involves a code path that jumps all over the place.
Trojan.Linkoptimizer has a rather unique
anti-antivirus defense, he said. It involves creating an admin privileged
user on the infected system and then leveraging that to encrypt itself and run
at boot time.
The best defense for malware is of course to go undetected.
In
the past, malware would talk as fast and loud as it could over the network to
get its traffic connection, Quist said. Lately, many samples have been using
trickier techniques to hide themselves. The most devious is to not talk unless
necessary. I was dealing with one sample recently that did exactly this. You
would see no communication except for when the user was actively using the
system. At that point, it would call home and do its communication. Any sort of
network forensic analysis was made extremely difficult until the root cause of
the traffic was analyzed.
The one threat multiple experts agreed was the stealthiest is Mebroot, also known as Torpig.
Mebroot has been linked to the theft of mountains of data, including some
10,000 bank accounts and credit card numbers, during a 10-day period.
"The
MBR [Mebroot] rootkit is the most advanced malware in terms of stealth
techniques, said Patrik Runald, formerly of F-Secure but now senior
manager of security research at Websense. Its basically a platform to hide
anything from the operating system. It doesnt store its 'files' as files but
as data in sectors. It loads before Windows does, and it took a pretty long
time before AV vendors were able to detect it while active.
For security vendors, this means its time to
focus on more than signature-based detection, argued Gartner analyst John
Pescatore. That process has already begun via a combination of in-house
development and a spate of security-related acquisitions over the past few
years.
The combination of the uber-whitelists, like the Signacerts
and the Bit9s out there, and some of the more advanced real-time malware
detection techniques that look for these advanced capabilities does a pretty
good job of limiting the success of this stuffbut the standard outbound URL
blocking, signature AV at the desktop has no chance, Pescatore said.
|
|
�������x}kw89�v2��^v�ْ�MۖRI=GK6ErHʎwr[�/=hɏ$s7Ή-Q�
UBPޛ$i9�rsk��j>�? �d[f8m�TEK\ߤ~�Am;t� =4mMFNHB��}@~sf*7��D!H/�ԞT�a@]2d�6�k6!o4ekOh cߨ_X&``1\t�|Tl@!j��:iݑ \شQ�$�1qD�h]
](
Ѽ$pm<&Qyc Q�L$tb9�QY
��9T2X^DP~�DM:玗-4qFwF5{�>Ӏ�ko`V�x8"#5n�CQ��eKFV:6^:�6
�FȅC�z$aRv'nwoR 2�5I2�ZB[
�,�HGmfCc7`pmׇɩT*KTkq3c}f�ݷt�#�Էƀ:S��S�C3Mu��N֟CS�I'��q_-F^o�y�
y��.<:t
�̿{���#ݸ1ܷ_M[!GlR�ۆؼz00!�J&5\_�-E>�7
ؗ#Y͢aE3l˸-:4
XSVSRRW�[Qxo9{�ؖ3lRzEÝ5�_+�U�~ѿ쾿*�GA
G�nG�p[N�^V^�}윟G��r ]���o%&�� j�DTV+Rx&���Rc@G'$�@Bݓ�>o�VS7B-zISc Ԏ40"@K�3zĢJ�9�'SKrй;d9}r!|')ĠV�PAb�ˠWk֟1e`9k<]rt/۽>9]vcGR}Bg#jBcYqeU_[r�<-�/mv
�o?lrG��,���.i�TZxSw:t!�j]}89$7SYn�����;BesY 4ӗ?�gbeQ
S5fh�XӀ�?$eR2Z-8��oX@.@שS 07'hZy۬)M�Z!RB:�ܺk�N��$9�(��ȟ"�i�8�@r5�)6�K .'Wrx N3XE�U��>hi,E[��}N�}�%M��1F|r'�̤"`Q%M�>��
'�LL�lO�yx.zY]U'dauEUiH��zLguMW~�?]tֻ�,qH"0U`I�). 8ǵ:.o:jJ=Q�÷�V)C!TTr{T�Q�ũt�:2h�
bXP7XaQ�ol�B`���g1Ϩig8Ԉ$��Q�}QM�ޣ|o1�@�
T��^a� �v8;�u�#u@^G@�&
1f4���*z$t@ hA'r�kJO�7.[A0?��
;
O`r]��;�hk�=�DykwCGH�@b1,���DM�#ρY���C��2�����t~[>lP��s�٣��q�0y zۢ�dSJJd����4.'H(BHP!�9[h��� ]��99Y�
�łQ^ϞH�X-�r��P.o{*-�qR% 53RYNf=?�n3!U~�G�,_E`z9r,T��.�k
O��6Jԭy�CX�|:ikBg<��0����uu=[IZ�-��*)C
IKX�V�Xwq?7߄xEw;J�h`|XͰ b՜�Ee�5>��dMfB7g��ƩeLIl|��B3}X PM{lz:{mQH鰔�8-uy�k3t\7.m}|Y�ÈR^fЪt|9Ꭴm[_4�@~.!]�\qα�q�B&�k:H(A3�bmy�2D�2m
�֖M31r@@S1�H1gPdz?;V@q?13�WR�tg[�B+>q^i�[�\c˦rkbfTAn^lћA| ^֥�P˥��@�y#� l+�
�ZԵ>�� E�$$"Yu`}.e�O�KL�īdv-:���pR1�Wl(`R5JZ�Ȅm%k�yp�5E&X&`ܲ-
:� �9P���8�S~8���1P!�^GgY�zP?]| }�r3C�]?C�)�x?yz 2DM AB\S
ˀ%\<
MCz��&<�D��2|P\���-�XЁUzwڋgpp3uV7=%
Υ߬8�gם��u+��@o�&:QMe
"6hc�e/6!{ӞWˈ>Z"o@dX)+%UMpH~�6��=2ne"PY.>mR]v1'5Yw�$rFiy�Z2y�8p}r�)n5z6|��j�0AB̋cן�ř�0qqԼeoX~;�5��h;!p[bA*�L>AmdfB
�ߌw;$!UԶ:%E>C�5a��1'xo'@.�̆�O>xY 0{'PȒV`|Yw(p�/5XK 3de`S�yt$�d[0n !h_7`sk'(��b�����6B4�$Ծ)�X�-0` 7yip�
ym?R\0ͨ1��4V��C�7WG�$�?G[ic�
Ma�fFžiJ^+=� (8+^3�b�RT�hƱ{4D WI4R��<8le#-��n�͵^
�7�q���" S\k�?6�PXk}�RV*�h\5@VN �3yˡYF s_�3q:F?UU�{My� UL:T<�F�;Bc`"-٨[2bbϦL_e,���;�Pf�0ީ�V�yX�3?B�:%Vrz�
z,�Icd'�c\kh��2_�},K ��DUPU:jYI�z$pe] �bɨc2M�Jqf�X%${�\
�csI��dЍo)Q뱖J�KX!.-c4ϰ�9x�;z�.b�
h�CY(GVU,mnAyr�`0k�/4N�VŽ]2MdX�$V�J7eVVZ]`MjV$$< ;�(>�dΥ'k�LGI<~�&.rofҿ++ntC��Bw\CT~b�
us�ć�
R#ri 5`jZ)�'0�
L�ƈ��QH�+j�>enr UN7�.�_Tj^�8P���X&O$de,t>�ɏ0�1njJ�,�Shr�CΠ{PH�H�HD�>Wf{y¡�;QT��\|�xqNL�__\}?؇^j�[�
���$:T��!F�nns4��hYtW�%pm��bz�u=tXLX8�@w^U�t{GAt߽�w݇Z%�47{㈔ N~}wpٖ�w�~.%|ˁ�HM $ȅ��X�Mp_��#fN۫Vݽ|']:lQyl�y)0\�==ШIo0]�8�wK%y_7;&ˎu�oл�w�9&hhZwG,�Y#t!BwZ-ͦ
��vpRb�qH�=��
��)�w\sbA%`NZ
�_Ok-Wئ��7��88є��G_aߪ�,$20�)��)Vktv�Z��E9������{B�:�[kY9�h9[��
�`M/ԩ
#a�D�rElFzZF�dvwD"'1��_�oȝ{o%�?ů1Kw�xA�dW(��x,:fkF=Hz��Lp
lwycr!zv�,-D3�_����w J�E5P�ZIR"�9oũ�-pOӖO|^BB�Q�J;)գtL�e~�=m12lC%�<1KL9Ȕ&=_?�z>SB&T
ۓ4-i^�eqj�i�e�ʒ��~iO`' ۡ �ۓ�_.G8+
(OMkzwisy�]ҽxsXROv�IFhE�g��;y--EU-V6Y�ҋ�ڇᕿ�Z�c:ME���i��9"jxXC=VU�Sf�}z@Q,gFW$?Kȸ��Gu*b<9l_�Aݾ0naeq쭿�r0�nw{ft-z{j\^3}A&nL x�V='�49���71{6q=� H��N FP�_>Ưq>P]ʌ,=~!G&zE>rB.Z�ڿw;
e's
CN_I}i^wo�7tLUFᆎx�XJ�~Wj/Mt6�D�jEWegw#9�VȪ̙S.R؋7'2^q�+��&\�%3ތ,�K�ni^d w?GkoDL;*t'�^y�||nƄ60c�Ա٭E|Uyg!ld���a���зFZ*3�)$ƙ��垆J��;�o�ݭn \� ?#B��;FJ���X۴��r�]Ca�?�M�k
,Gi�ƿ�c+ޙU=�>dug#=��e0b2epD�/2$@< mo�KcOa��"W1=ׂwrS:^|Dn��Tm�R�P�R7��EƧa3lwA)A؇y@<�:��O<|�O9p\�<,3al*Z��d76JVlR��k
h-,%< X�f>�
CK�72d@3e ă�tX/��k��9m
R� u�&(`8a
@{I�j�]��D�51|�j�ׄ@���JZ.9�8NyiY첎8A2r$tc�%?,mš;igUq�ZR�h�}tdR��Ya59D=,FLt+n^�%!�0+, e��u�rHg!
�CB��E��"�Y DN(�~c'�d'e,!֊X㱉WٓlP >����qs&I RymL�SS�gYxoѤw�{�ʞ�,���BH
$�蛯;rZN�"N2@^ TtV3�TLj,U���l�x�w�z�_
rnZ#w�J?`o!]Xk}R�CaUQJUYI~ރ�C�H�0$�H"@.�3Dῇ�NҔ\NzP;WY}]`G~�rZ{CasQX˧SjJWK-s�4:L7�C`
�o/�%�/_�_�RVK9�� ��5@�H�]�NM߳c+BS|"iU+mKň�ۦԑ�Jye0R\jyt%N�t�AODI�7Fπ@Sj�=|.d�$܁3�W\H".�À:,N\�jU�s��C1��ހ;z� ' �#nnW�SٖxE<�9c1w;�^DqnԦhU�I�Ix�%KպRWrȉ'1|�'Q!��7Afώ�OOMi_P+Ͼ�S�uO0p�x�!<Ȅe�v(�8�1�g<�N�>�b|�RO�oKg$�p,8�ꋗ$ˑreњz�2V)lI�4a$�Y~�е~,vO}\Y��X55[̉fW����aT
ۉz~@ʦHKwƘ
o��L���mI+Z}iݾ�B%�TDP���A}y�h,ύ�?KU$0��m�+}�2�!1L*]ә�x_ DtӺpDjhk0&p�~ 5O8|3�OR7-��u�1<�Қ�jK:-��zBC?�xn�C;Ԏ�|aeÄ�G�x���o��EK�4�]uKz64ڣ~� u18zzIԶ�=��xm�R��VY�7W_V�$I"�I�(�~CZ"[Z0�k2'YB18
$L�:�h7%���`�$�e#[�<�Cs/\QۡgѲ�{$ZO%=yթ��H�Tw$��Z7�H�+�Qof�7h[p-Mr@�n']͆=_lf@4ZnA6�|&��i#'w(nnnnw+7n<,䱤��^�Íi/7.+�/�ޭ�vFWm��u-�]~�w�l�K�,`7/A�^�ؼ$4T͜'Z0k�T�ŧ�9lN;ݙ�IHUH\{@�V+R#G�
n㈚r^'Y�F
QkܙQ\&�{��ؙ�yjr/;�goW'�5�eК_ʖ֟!,Ԃع;�ZYxa5ӥټrM�_!WrJPY�q- >ѹiRi_x-FܮWoŋP}�̣?̯� �Zo4Nj�6k[ӼWclnWL墨�d&
x��� ``oJه2N-q#'s���0�_S:?fH�^s˂_ڴ&4IQg([�v1�1&8`g�%$q#@H 4D�C䯞&o�3s")ϣ|l͍(RLt={�Y/O��l(}ދ! �V˟2>S w. 5TB+lp؋�`9/ \Oط�T| Qɿ��GWoi�(,D��1!B8^彇6;W@SHvjcc$+㥙t�m[A+>V�4=
mY�[`cX�g��I{_<@VD\[˯#+tѕurY�7VB˭Wjr�,~Jۺ�ؚ�
!�f ʬ��BEQ3
ƹ)�+ngbX1,o gngt80�Vj�p%BDIh�=EOaI�|`u1�_ASp\|@V_Ղ۫Ҟ_VB� oITtP���eȀ{~7;0n9Y�S&p�]?�r�Ec��cs4�62�=�]�^0-7�~Ge��S9g�ި�(�Z@�lmgG�W+H"�,��up��إ�ը,$tG\Iz�-�1^+�V?�@яʟ�*�O2EϯS�GGTV3T4k�`o0I_nY]zuL�ǔ�vT{c:'k~;{s;TXT#�0A&�a�@�)ϲ.�z[œ��$y�x#RI3{!=*a�+�uמS|l:ߚםjm:.�#.ez~MxSw�w@2Cְjj`��vN4�#Jdd <�uPY?\ۦ�Ǐ{XDn�Q�у=)PVô�RsW�F�%3{H�JD�4~CX�^V3"I�b~6Gcu\[SR[.��R-�0ńUj�9��"�'"�KI�H *]Q|�#~4�,2dR�� �
/)/˛i~p\+CNFm.93͒Eˉ^GtC�Ss95zV*uu=b? @�,utIjbYAc�2Ʒ^Z!tOpkB*s�tlMz
ԣ:BMyů�W#j�%��-%֠Oj�l�<)F<�+�&�Lv`;�b/=��ڹ豸rZ+)~lyޜY#(͊NT�pd:|l
1Q��f�9-%)@vqY�k�j|>@"a[�n�� ZC�G\nX|I7O
t$rM!�i�ooF˾RWJƈ^搟�È�Gs�[VXŰDPǴ c� 4F�H[1~s?�3uϸu:�s��Қ ,�;��^C.B' >{wg��II!5�S�"�>KXaM]l;my^
_� q@>WZj��
�!�1�g昱OiX$_�J�B
P"ѫXJ/A�3�,��V2����9C�׆(c~jI)͕$M/�a�3�
s�``yPf0л;�Lo?gqظ/^KɰG3+�g)�u^�n9r:jT�@Lg�>��t9���3��2S¤vtv����H${=9`1A߰|c?뽩e�2'���}x�CИ1�RSJ9JTꚂC�2l�S=Vrꦽ<�wA~u~^&"?`Ӕ\
BI]�t/ (HZ�
�w�Pɾp� tP �c3bq�Luv��OwMZ!�'ՠۻ$'
^¶-J-�uڟN{Wκ<|X(Kym25^�
^�9l]t283M B"r<w;�һ�Jkꋲs _!ל kȿޜ�Jm >��;99�sww9�?l-4w7wۅf��3˜|7�_9 s����ə��E/�E�|E�~/�?�9_�">/>/r�y2g�!cN{7[N�_^%e�\]_��O/G@r�U�}\A@?9Ӈs߇s?����>G�39|ߛ�orڿ�ɡZ'I9�ru�S>�8'9B$^��yOy<ɯC~<(C/nr�ث�O{w8 <0
5q�'+?�w���P�9xZLܸʢpkQ^ �=�"5b�0�=0·�ZqF`�~uw~�e|xza|(O��*8y:R��M���?|QV&ƀ;'QدBhعkj��M7xF
=�s��ބL;͡a[@ �o>*vVZ{_5"� ��= �>BMjJUN��l*J|X��,g��/g�2�l]gۆ�ZCO]3CX.ḇ�n[t%��.�$ �}:fl*V(6of)2^��6T<�'M~
m'��s�,;7LAņoj/ib+F=�}p�)\;��=�2qgjy(}`q0X9+hw `��MzT��z8�JN!�x-&(B:=>|#���.LeUzyu;w08��,^bٴ��\0Z�?q˵�e"�#�tuy5L2��rʃN<��)$]m�8�}iK0_3 ƍ�0��{18X�Y�fLe���_GB��7�0ikЁu4r�
�$'3x7X05:4�đﳍ�Ab�N˙G��M�zW|݅�|�j�ؖ.?���ugk6b�{smWw�.CfA"��,x`SO��Xɘ={F=\n wb/&c�?H�wRax!z'_<#F�Տ`\װn�BaI'L?n{� ��lN�Ԅ�BL
$|�X�Rb��);sH8e�`m�܂:�0t^��\�ɡGXwgY�l@��咄 ذV]&� A_&|Nbh�ZޱRoT˹,HKo��CSh��Ux�f$$VT"E��Wd�ԦuP#vHߵ�=8
�{C݂)Նq�DIɻ:{�#��1ʅ�GJ�:"VF�3nxb"�=�I�Kh<�O[5�b8�gKJ�Ҧwv=鱻¤�$֭(\*g�zܤ;Rjw�1:�oe�@DN_D�z��~%�B+*O��8mC᳠c9"?�#%��#]Ϡb��_7?sԷe^&M��®c��)Hp[;�HdRä_W=$�sDJbE�)۠(,,%����* >�n�X$";�>m�`�~Ou;J:��&,ڍ,Gw��U|ٱs�9cbZ)q�ǯ�FF�}u�UXJٍR��h,8/# �lkw{�w>E-��Dd�xky�j�%3XWZP/J`Vw(̛l+�~HϱQ�5�¶2��ڕ*yD1,�l�p+>C�7Ϗq�`d2[�~�g[�K Ӷcd&�X�I@
IKl"�Mn4Mb5��"[ݑ'^IYdž�a\�v�5��,@a+5ZBOs�P�+0RO |�-\`�s;X\e,8LDxZ�bKf�|�|:
|
Network Security & Hardware 
