
Is the death knell sounding for traditional antivirus?

Antivirus developers need to run malcode in their labs in order to create malware-identifying signatures. What happens if they can't?

Developers of traditional antivirus depend on:

  • The ability to run malware in their labs.
  • The ability to automatically analyze malware.

What if they couldn't do either?

Why the dependence?

The traditional antivirus client constantly refers to a database containing signatures of identified malware. Creating an entry for the signature database requires analyzing a copy of the malware. If that's not possible, malware is free to do its dirty work and the antivirus client is none the wiser.

Next problem. Nefarious types create more than 50,000 new malware strains each day. Analyzing malware is labor-intensive, so antivirus companies have automated the analysis process in order to keep their databases reasonably up to date.

If it was no longer possible to analyze malware samples automatically, the sheer number of new malware strains would quickly render the signature database hopelessly out of date.

The bad news

"We demonstrate techniques that, if widely adopted by the criminal underground, would permanently disadvantage automated malware analysis by making it ineffective and unscalable."

The above quote is from the introduction to a research paper by Chengyu Song and Paul Royal, researchers at Georgia Tech's Information Security Center. To drive the point home, the researchers ended their paper with this:

"Flashback's use of an infected system's hardware UUID as a decryption key demonstrates that malware authors have already begun using protections like those described in this paper."

Flashback, you may remember, caused quite a stir. It was the first real threat to Mac operating systems. More importantly, it employed groundbreaking encryption techniques.

This paper by Daryl Ashley of the University of Texas describes in detail how portions of Flashback's malcode were encrypted using the computer's Universally Unique Identifier. Encrypting malcode is not unheard of, but using encryption to make the obfuscated code uniquely licensed to a specific computer is.

Host Identity-based Encryption

You may recognize the new obfuscation technique called Host Identity-based Encryption (HIE). It's similar to what movie and music industries use to prevent copying. Let's take a look at how it works.

Using any one of a number of techniques, the malware loader gains a foothold on a vulnerable computer. Once entrenched, the malware loader collects information specific to the computer under attack. Using the collected information, the malware loader then creates an encryption key that will encrypt key portions of the malware payload.

The next step is to load the malware payload.

The malware loader proceeds to collect the very same information and derive the exact same key. Now here is where it gets a bit weird. The malware loader then uses the key to decrypt the malcode, which then installs and goes about its dirty work.

I say weird, as it seems silly to first encrypt, then turn around and decrypt. After some head scratching, I realized it's not silly at all: gathering information, creating the key, and encrypting the malcode does not trip any alarms. More importantly, if an antivirus program catches the malcode during installation, it's no big deal.

All that was captured is malcode specific to the victim computer. The malcode will not execute anywhere else, because decryption fails. That means the expert who is stuck reverse-engineering this type of malware must first figure out how to decrypt the code. Song and Royal's paper expands on the advantages afforded by HIE:

  • It uses modern cryptography. Knowledge of how a key is derived does not affect the integrity of the protection. Unless the defender can guess the same decryption key, they cannot unlock the sample.
  • Any two samples of malware will possess different decryption keys, meaning the intelligence gathered from successfully analyzing one malware instance provides no advantage in analyzing the second.

What information is used to create keys?

The researchers realized that which information is gathered to create the encryption key is up to the malware developer. To prove their theory, they used the following identifiers in their tests:

  • Environment Block: When a process is created, Windows stores environment information in the process' address space. In our design we use the process owner's username, computer name, and CPU identifier. As the environment block is directly accessible by code that executes inside a given process, this information can be easily obtained.
  • MAC address: The MAC address of the NIC can be obtained from the GetAdaptersInfo API.
  • Graphics Processing Unit (GPU) info: GPU information can be obtained from the GetAdapterIdentifier method of IDirect3D9Ex interface. In our design, we use the device description.
  • User Security Identifier (SID): Using the token of a process, the GetTokenInformation API can be used to obtain the SID of the process' owner. This identifier is unique across a Windows domain.

More bad news

If that's not bad enough, earlier this year Dancho Danchev penned an interesting blog for Webroot, pointing out that, when it comes to obfuscating malcode, malware developers are hard at work. Here are two examples:

  • Fully Undetectable cryptors: Tools designed to mask malware, preventing computer security programs from discovering the malware. The idea is to keep changing the cryptor until the malware becomes unrecognizable to antivirus scans.
  • Server-side polymorphism: Malware that morphs its appearance each time it runs. And remote servers control the mutations, preventing any examination by security companies.

Countermeasures

As I read through the paper, I began wondering if the two researchers provided a solution. They did offer the following suggestions:

  • Analyze the malware in the original environment such as honeypots.
  • Collect host and network environmental information and duplicate it on a controlled computer.

The researchers seem to talk themselves out of any other solutions as they presented them -- not a good sign.
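To show why the second countermeasure requires an exact copy of every identifier the loader collects, here is an added model of the scheme (my own illustration, not code from the paper, from Flashback, or from this article): a key is derived from a constructed host profile holding the six identifier types listed earlier, a placeholder blob is sealed under it, and unsealing is attempted from an exact replica of the environment and from replicas that differ in a single field. The hash-based construction, the field names and all values are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed victim profile, one entry per identifier type the paper lists
# (environment block values, MAC address, GPU description, user SID).
# Every value below is made up for the demo.
VICTIM_HOST = {
    "username": "alice",
    "computer_name": "WS-CONSTRUCTED-01",
    "cpu_id": "x86 Family 6 Model 58 Stepping 9, GenuineIntel",
    "mac": "00-11-22-33-44-55",
    "gpu": "Constructed Graphics Adapter",
    "sid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
}
FIELDS = ("username", "computer_name", "cpu_id", "mac", "gpu", "sid")


def derive_key(host: dict) -> bytes:
    """Hash the length-prefixed identifiers into a 256-bit key.

    Knowing this function is useless without the exact values: any change
    to any field (even letter case) yields an unrelated key.
    """
    h = hashlib.sha256()
    for name in FIELDS:
        value = host[name].encode()
        h.update(len(value).to_bytes(2, "big") + value)
    return h.digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demo stand-in for a cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key (i.e. the host) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag check fails on any other host: nothing to analyze
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def try_unlock(blob: bytes, host: dict) -> Optional[bytes]:
    """What an analyst does after replicating an environment: re-derive and try."""
    return unseal(derive_key(host), blob)


# Stand-in for the protected portion of a sample; harmless placeholder bytes.
PAYLOAD = b"placeholder bytes standing in for the protected section"
SAMPLE = seal(derive_key(VICTIM_HOST), PAYLOAD)

if __name__ == "__main__":
    # Exact replica of the victim environment: unlocks.
    print(try_unlock(SAMPLE, VICTIM_HOST) == PAYLOAD)
    # Same machine model, different NIC: fails, so the sample stays inert.
    print(try_unlock(SAMPLE, dict(VICTIM_HOST, mac="00-11-22-33-44-56")) is None)
    # Case-only difference in the username: also fails.
    print(try_unlock(SAMPLE, dict(VICTIM_HOST, username="Alice")) is None)
```

The last two cases are the practical cost of the countermeasure: a lab clone that gets any one identifier slightly wrong learns nothing, and a sample taken from a second victim needs its own replica.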

Final thoughts

I didn't have any intention of turning the issues surrounding traditional malware into a series. But, this is information all of us need to be aware of. HIE-based malware, like Flashback and now Gauss, is out there and knocking at the door.

Also, my alluding to the best defense being user education in the first post is now more relevant than ever. We can't let malware gain that initial foothold...period.

I'd like to thank Chengyu Song, Paul Royal, Dancho Danchev, and their respective organizations for shedding light on the failings of traditional antivirus.


55 comments
JCitizen

I was moving in August and just now realized I missed this good article. No one will see my post but I just have to ask. Has anyone thought about programs that act like Steady State? I own one called Drive Vaccine but haven't had time to test it since I moved! Supposedly it acts just like a Live CD but puts heavy duty drive controller protections on the hard drive. When you reboot everything goes back to where it was. Supposedly it is easy to update the OS, applications, and drivers; but there again I haven't used it yet. All data that needs to be saved can be put on a network drive, extra internal drive, or extra partition on the same drive, where malware's influences will be reduced. Another thing about this new malware technique is how noticeable would all this activity be to my HIPS - it catches anything that behaves differently and swats it like a bug. Sometimes it does it when I'm not looking and I have to look at the panel to see what got put under its thumb - it is a serious spy catcher made by Emsisoft. However nowadays malware doesn't need too many permissions to do its nefarious deeds, or at least the preliminary work to prepare for the attack - it can sit there in the CPU processes unnoticed, and in the temp files for a while without triggering my HIPS. I wish I could get hold of one of these samples to try it on my honey pot. It would be extremely interesting to see if my defenses survived - this without Drive Vaccine on the machine - that is. Thanks for the great article as usual Michael.

flhtc

After reading this... My next computer will be an Etch-a-Sketch.

AnsuGisalas

- Imagine telling your children or grandchildren some day, about the Internet, a massive network that could potentially make all knowledge instantly available to everybody ... and then having to tell them that criminals destroyed it for a few measly bucks. Sounds like the start of a religion, doesn't it? Which sort of adds insult to injury.

ITSecurityGuy

If BLADE ever escapes the test lab. http://www.blade-defender.org/ However, I'm getting noncommittal replies from Dr. Wenke Lee of Georgia Tech, and the U.S. Army Research Office. Despite direct contact from me, and a forward from Dr. Lee to Phil Porras at SRI, I have yet to hear from him, or the Office of Naval Research. I'm much more interested in what Phil Porras and SRI have to say, particularly because Dr. Lee has indicated that "I will let Phil address you since SRI owns the IP." I've been anxiously awaiting word of progress toward a release, ever since February 2010, and I notice that someone named Michael wrote on this topic here at TR in October of that year.

downtoearthman

I'm surprised the black hackers didn't think of this before. It's a conceptually easy idea. I wonder how much is going on that they haven't detected yet.

opcom

Not good for the work environment. Time to run obscure hardware for connectivity at home, and isolate the productivity PC from it. Sick.

pgit

Forgive me if this is way off base, but is the key the malware generates based on unique IDs of components on the motherboard? (and on buses thereupon?) Sorry, been bat-s#!t busy and can't dig into your links atm... If that's the case, then maybe the fix is to make something simple like a south bridge chip easily replaceable. Remember the 'peel-n-eat' BIOS chips of yore? Maybe even have a programmable/replaceable component that is part of the overall UUID of the system readily available to the admin. Of course this would only make sense with high end, high availability servers. Rather than have to reinstall NOW, just change the hash so the malware can't decode. You could take care of the software problem at your leisure. Some day we will have some sort of device that contains our personal systems, that can make any hardware available as "your personal computer," your phone, whatever. It'd be platform agnostic, and easily rolled back if something goes awry. I'll go so far as to announce my trademark of such a system: "me." (and contextual derivatives such as "mine," "my" etc) :)

tdrane

Makes me want to run from a live CD only, never update, never install. Maybe even make my own ISO, and use that.

PhilippeV

The real host UUID should always be hidden on the Internet and should remain closed and secret within that host, accessible only to the OS kernel and not to application programs (so that downloaded malware won't have access to it to generate the decryption key). But this host UUID can be leaked easily, by the OS itself, or by another piece of software which has previously collected that local UUID and transmitted it to a third party (in my opinion, it should only be transmissible by the OS itself, not even by one of its hardware drivers, unless the driver is provided by the OS itself and signed by its manufacturer; this is hard to ensure: lots of things will allow the user to know that UUID, and the user could be requested to provide this UUID, only to provide a security identity to a licence provider). We could think about something else: using the global UUID provided by the network provider; this UUID should be inaccessible from the local host. But here again, the host may use a third party online service to have the global network UUID returned by its online query. So what is the problem? It is the host UUID. It should not have a long lifetime. It should expire very soon and should be renewed, discarding the old one completely. The remote malware that would have collected that UUID would only collect an expired UUID that should no longer be usable to generate an encryption key that the malware running on the attacked host would be able to use. Let's ban the permanent UUIDs from our computers: this includes the hardware MAC address of hardware network interfaces, which should be replaced by a software MAC address; it also includes the UUID stored in processors: accessible only by the BIOS, but NOT when the OS is running; the OS should generate its own local UUIDs with a short lifetime. But now comes the challenge: permanent UUIDs are used to validate licences of media content. What would happen if there was no permanent way to revalidate that licence?
Let's say that the host is now storing a licence owned by an online user account: nothing limits the user from using the same licence on multiple host installations, unless there are some checks made online to make sure that multiple hosts are reusing the same licence, when they attempt to revalidate them at alternating times. But online licence validation has a severe impact on content usability: those revalidations cannot occur too often, not more than once each month. This would mean that the local host UUID associated with that licence would have to be kept valid for one month: more than enough time to allow a malware to transmit that UUID to some location online, then wait for a new malware to be downloaded encrypted with that UUID. What is the best solution? Simply drop completely the local host UUID as a secure identification mechanism for validating every software/media licence. Licences per host are the problem. What users want is licences per user. Licences that are valid and can be reused when the user changes or repairs his device. Let's ban the permanent UUIDs from all hardware/software/media and licensing mechanisms.

Craig_B

How many encrypted files does a system normally have? Could you just scan for encrypted files and then you would have a list of files to analyze. You could even quarantine them and make a decision later. This should at least help control the use of them in an attack. Ultimately it seems we need the OS core to be either invulnerable or replaceable, so that attacks on it can be stopped or a simple reboot and pressing F4 reinstalls the core from a read only device. Basically sandboxing the core, so it can come up clean and allow tools to clean any applications or data. Do we need a hypervisor that runs multiple components, one focused just on security for example?

a1an

What about having antivirus software to target the loaders themselves? Maybe hooking into decryption functions to intercept the decrypted malware before it executes? Also an execve (or similar call) after some decryption call occurred should be closely monitored and detectable as suspicious, shouldn't it? My five cents. Alan

HAL 9000

On the same Make & Model system that's an Off the Shelf bog standard Home system? Even the best Random Number Generators are not really all that Random, so with the bulk of the Consumer Systems bought as an Appliance from the different OEM Vendors the Key is very likely to be repeated quite often. Might be different in a Work Environment with Static Addressing or something along those lines, but with the multitude of Domestic units being connected to Domestic Internet from a limited number of ISPs there is going to be a lot of very similar Encryption Keys used by this type of attack. What I mean is, with lots of Computer Model whatever connected to the same Modem supplied by their ISP, as most ISPs only have 1 or 2 Modem Types, there would be a lot of duplication of data when the system searches for the associated Hardware, wouldn't there? I'm just wondering how it gets Encrypted in the first place though; wouldn't that process be what any AV company would be blocking? Not the Payload but the process. Col

Michael Kassner

If I understand correctly, the code does not encrypt itself, it encrypts the malware payload. As to the details of how it executes, I suspect that depends on the vulnerability the malware loader is trying to exploit. I'll pass your questions along to the researchers. Hopefully they will have the time to answer.

Michael Kassner

I loved mine. So did my parents, as it kept me occupied for hours.

Michael Kassner

I have met many wonderful friends and learned many amazing things. It would be tragic if that was lost.

Slayer_

To infect XP was almost effortless by comparison. The hackers may have already had the means, but it may not have been needed at the time. Even Win7 can be easily hacked; just think about the backdoor that is used by applications like Symantec to "push" themselves onto workstations. I tested this once on a machine that was not part of the domain, had the firewall on and was logged in as a limited user; Symantec still managed to install itself over the network. That's clearly exploiting a vulnerability that has been deliberately added by Microsoft. Belarc is another one that can install itself. Just think of all the places Windows can be adjusted to add a new startup application. Pretty much all viruses need to add themselves to one of these places, otherwise the infection would stop when you restart your computer.

Michael Kassner

All my sources say the nefarious types are way ahead.

Michael Kassner

I wasn't able to get a good idea as to how complicated this process is. If it's simple, then it's going to get popular real quick.

AnsuGisalas

Wouldn't that be something, the computer hiding from the software it runs. Sadly, that might be only a temporary reprieve. Would it be possible to make heuristics look for "asks too many questions"? Computing Noir.

Michael Kassner

Meaning, I believe it's up to the developer or malware cryptor developer as to what is used for key stock.

Michael Kassner

It's a pain, but I'd rather have that than my financial information stolen.

pgit

I used Slax on a mini CD with a USB stick for data, settings and extra apps. Any computer could be my totally customized system (eg with email client set up) in a matter of a couple of minutes. All unique settings are stored in a single file at shut down, easy to confirm nothing untoward has happened to it.

dogknees

How would you do this? They don't have a flag or particular format that can be identified.

Michael Kassner

I'm rereading the Flashback paper to see how it accomplishes the install. The other concern I was trying to address is that no matter what we come up with the nefarious types are able to circumvent or are already onto something bigger and badder.

dogknees

There is an ID number on every CPU that is unique and unchangeable, making it a perfect key.

flhtc

Now if they could only make them with a color display! LOL Seriously though, whatever happened to reversing the logic, i.e. using lists of verified software, or the digital signature for software? I remember something about the latter being too expensive to be practical, but think about it. What is all this noxious software costing us now??? Someone just needs to evert "the box".

Michael Kassner

I was curious if the computers were on an AD network? If so then Symantec had admin rights which override local rights. If not, then Symantec has something sneaky going on.

opcom

I think it's complicated as to how it really works, and is (or will be made) simple to implement. I'm a hardware hack so things like this bug the heck out of me because I don't understand the programming. IIRC various reports say it's possible to buy black market malware and even rent time on the computers from which malware can be launched. I get the impression that this kind of virus could turn the Corporate world (where CPU types and O/S's are uniform off the shelf commodities) into a global zombie farm with organized crime administrating it but bearing none of the IT costs for the service.

dogknees

Would one hook into decryption functions when they are not OS components or any other identifiable object?

Michael Kassner

Is that ID readily accessible to queries from any source?

HAL 9000

I read that lot on the screen and an observation or two before I print it out and reread. The weak point of this Problem Child is it needs to be installed or at least accepted as needed by the user. That is its weakness, because once it's on the system in its encrypted state it's going to be very difficult to find, let alone actually catch and kill. It also leaves next to no traces of itself on the system in any manner that is easy to track. Its Strength is that it needs to be installed by the user, most of which are click happy and will do anything asked of them when they see something wants to be installed; they just figure that they need to give the installer Added Privileges, so they enter their Root Password and then they infect their own systems. Very Clever. ;) After posting above I thought about the uniqueness of the Encryption Key and I suppose if the CPU's Serial Number was part of the Hardware looked at, that would truly generate a Unique Key that would be next to impossible to find, let alone crack. Though personally I would be setting any AV product to stop any Encryption to begin with and hence ask for user input before anything could be decrypted/encrypted, though to be perfectly honest with most users that would only add an extra layer where Privilege Escalation would be required and most likely most would just click away to their hearts' content. The problem here isn't so much finding the Malware but stopping Users from clicking away to their hearts' content to begin with, and the Social Engineering involved here to get this installed is really the weakest point in every system.
Apple's BSD is fairly secure and this is what is being played on here: the users thinking that they are safe, so that they continue to click away thinking anything that they do can not hurt the OS, and the writers are playing on that False Sense of Security. Now I'll have to go and have a long think on this one after printing it out and highlighting what I want to better understand, but it's most definitely not something that I like very much. Though I may have completely misunderstood the article and be completely wrong. ;) Col

dogknees

Briefly, it says that "in general" it's not possible to determine if a given program will ever reach an end point, or halt. Since you can write your "analyser" so that it inspects the given code, returns a number to indicate whether it's safe, then stops, you can apply this principle to the problem at hand. Note that this is the "general" case. A lot of code can be analysed and it can be determined whether it will work as specified. The problem is that once you get over a certain level of complexity, you will hit this issue. With an OS, an application and the net involved, we're way past this point. There's been a lot of work done on provably correct programming over the last 30 years, but it's still mainly an academic technique and is difficult to apply to large scale systems. One significant problem is that you have to accurately define your requirements before you can analyse your code, and writing the spec can be more complex than writing the code you're trying to test. If you've used assertions in programming, you'll understand a little of how this works. Imagine having to create a set of assertions that will "completely" verify the correct operation of an entire OS. I don't pretend to be an expert on this stuff, but I've always been interested in the more esoteric/formal side of programming and computation. Any errors are mine!

Michael Kassner

Could you give me a simple explanation of the Turing Halting Problem and how it would know what to allow and what to disallow?

dogknees

In the general case, verification isn't possible. It's related to Turing's Halting Problem. Beyond that, the biggest hurdle would be verification of the OS and all online code it interacts with. Then it would be the big apps' turn...

Michael Kassner

"Evert the box" I like that. Two fond memories, it's going to be a good day in the neighborhood.

Slayer_

Belarc managed to install as well, though Spybot's TeaTimer threw a fit.

Michael Kassner

I profess not to be an expert. All I know is that Flashback works and I get about 30 percent of the paper's explanation. I am wondering if it uses a server-side component for that?

HAL 9000

It's available in BIOS and by default turned on, so I would assume that if it's on then everything can ask to see it. Not sure about AMD CPUs though, as I don't, generally speaking, have much to do with them. Col

AnsuGisalas

Can one detect if a website or app is gathering this information?

dogknees

I'm not sure how you could trap "encryption" with a virus scanner or any other software. It's not a special system call or a built in cpu instruction that can be identified. There are a vast array of possible encryption algorithms and an infinite number of ways of coding each one. I suspect this would be as hard as finding virus code the usual way.

Michael Kassner

I also understand that this technique eliminates automated analysis. That in and of itself will increase costs significantly.

AnsuGisalas

Even a measly 90% uniqueness will cut the AV companies' signature collection rate to 10% for each "instance", making them slower to update, and will make each signature only one tenth as effective as now... meaning that signature files would need to grow to ten times the size if all the bad stuff used that. Economics can break the back of the AV solutions, even if each single instance is still "breakable".

Slayer_

So that's a good thing.

Michael Kassner

You are usually spot on. I have heard about malware that is able to change the UAC and/or install without needing user permission. I know no further about it though. Will check into it.
