Chronicles of Malwares and

Detection SystemsBy:

Amit Malik

Member @ SecurityXploded Research Group

Researcher @ FireEye Labs© SecurityXploded Research Group

Disclaimer

The Content, Demonstration, Source Code and Programs presented here is "AS IS" without

any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are

solely of the mine and nothing to do with the company or the organization in which I am

currently working.

However in no circumstances neither I or SecurityXploded is responsible for any damage or

loss caused due to use or misuse of the information presented here.

Agenda

Phases

The common things

Data Theft

Code protection/obfuscation

Code protection and obfuscation – the view (PE Only)

Detection systems

Final thoughts

PhasesFun

The early stage

Birth of antivirus

Fun and Profit

Second stage

Code obfuscation/evasion – the innovation

The gods – themda, vmprotect etc.

Knowledge sharing

Antivirus heuristics etc. (the failure)

Profit

Current stage

Targeted attacks

Offensive and defensive both are fully commercial

Sophistication in exploits is increased exponentially

Malwares are either sophisticated (duqu, stuxnet etc.) or easy ( rebirth of RAT)

Modules (DLL etc.)

New technologies for detection – execute and detect, machine learning etc.

The common thingsAt problem level, these things are common in malwares

Data theft (real problem)

Code obfuscation/evasion (antivirus failure)

Data theft

This is the problem actually…. Malware itself is not a problem.

Remember “data” is the key thing here.

Code obfuscation/evasion

Real challenge for detection systems

Packing, protectors, encryptors.. Etc etc.

Code protection/evasion – the view

Real challenge to detection technologies

Making true real time protection nearly impossible.

Couple of interesting things about this behavior.

In unpacked binaries the execution will be within the section (ep) boundaries and the address space will be less tense.

Code protection/evasion – the view

In packed binaries the execution can fluctuate across multiple sections and the address space will look more stressed (especially in malwares due to multiple packing layers).

Graph for malicious samples (exmp.)

Graph for malicious samples (exmp.)

Graph AnalysisTwo things are most important:

Origin of call?

Tension in the address space.

Meaning return address and use of “data” are the two most important things.

Actually tracking the use of “data” is not an easy task.

But what if we monitor the user interaction with system instead of monitoring the use of data blindly?

Why a specific event/activity is happening in the system?

What is the scope of interaction of user to start that event.

How the user is using/receiving the event output.

Detection Systems

Antivirus

Actually I don’t want to blame antivirus.. Things at endpoints are very

messy.

A significant enhancement in the model is required.

Home users are in real danger.. No other option.

Execute and Detect:

New technology to detect the malwares – actually it is not new, people

just experimented it recently for detection and it is working?

Infection is ok for customer but data should be protected.

Considering the security problems people are ok even if you detect the

malware after the actual infection.

Detection Systems (cont.)

Execute and Detect:

Pros:

Inspection of malware in a controlled environment.

You don’t have to worry about the user and experience.

You know the state and health of the system so detection is relatively easy. (on endpoint it is an entirely different game – poor antivirus).

Cons:Expensive?

Large infrastructure

Huge maintenance overhead.

Logic bombs – I know I am in sandbox

Oh boy.. First it is really difficult to port this thing or its variations on endpoint.. And even if we can achieve that, it will be extremely expensive for home users.

Final ThoughtsMalware is a problem and will always be.

Security is human + technology breach, we can’t fix both.

Antivirus is failing and right now there is no other solution for its replacement for home users.

Execute and detect is a good new technology for detection but it is expensive and not truly reactive (true real time protection?, post infection alerts.).

THANK YOU!