Yep, I’m still chasing leads on what — if anything — can be done about self-encrypting malware. I arranged to interview Mario Vuksan, a security expert with ties to many of the major antivirus houses. My plan? Ask Mario what will happen if it’s no longer possible to create the all-important signature file needed to detect malware.

After introductions, Mario deftly disarmed me, mentioning how he enjoyed reading my two earlier articles about traditional antivirus. “Well, thanks, Mario.”

“But, you got some things wrong,” he mentioned, abruptly ending any thought of my acting cool. “And, there’s more going on than you’re aware of.”

All I could muster was, “Well, like what?”

Who is this guy?

Mario has been intimately involved in the technical side of digital security for many years, most notably at Bit9, where Mario was Director of Research. Four years ago, Mario decided a change was in order, so he started ReversingLabs.

Truth be told, the name ReversingLabs is what initially captured my attention. My last piece focused on the inability to deconstruct malcode, so my radar was still tuned to anything regarding reverse engineering.

Now let’s look at what I got wrong.

Lesson one

Mario started by explaining that I’m too worried about malware that uses Host Identity-based Encryption (HIE) to prevent analysts from deciphering the malcode. HIE has been around for at least ten years and after all that time, still not a significant player — may never become one.

Mario explained that even with its effectiveness not in question, the lack of popularity is due entirely to the complexity of integrating HIE into malware. Complexity then adds cost, almost to the point of where it’s too expensive for most (hint hint) to put into play.

What Mario says makes sense, but then I’m at a loss as to what’s causing the epidemic of successful malware infestations. Mario already had an answer for that.

Lesson two

Mario began by pointing out that the bad guys couldn’t care less on how it gets there. They just want a low-cost and simple way to install their malware package on the victim’s computer, and have it remain unnoticed for as long as possible.

The “cheaper and simpler” method employs malware packers. According to Mario, Ultimate Packer for eXecutables (UPX) is the malware packer of choice. UPX is free, fast, simple to use, and open source.

Open source is by far the operative word. It allows malware developers to quickly create a new version when they suspect the current version has been isolated by analysts and added to signature databases.

Lesson three

Mario mentioned that these “simple and cheap” packer variants make up a significant portion of the 50,000 new pieces of malware appearing each day, not 50,000 different types of malcode, I had assumed.

So the trick is how to quickly deconstruct the malware packer so the antivirus house can determine if it has a signature file of the malicious code in its database or not.

What I didn’t know

The above lessons were what I had wrong, now I’d like to discuss what I didn’t know.

As Mario just mentioned, there are 50,000 new malicious samples every day and that number is increasing. This has antivirus houses overwhelmed, plain and simple. Sure, there are automated methods to analyze potential malware, but they aren’t foolproof. And, word gets around fast when a certain piece of malcode infects a major company’s workstations because their antivirus application missed it.

A solution

Mario feels he has a solution. ReversingLabs is positioned to intercede, decode the malware packer, and prepare the compiled information in a manner that can be used by the antivirus industry — and do it quickly.

Mario calls the solution Automated Static Decomposition.

Here’s how he describes it:

This technology automatically unpacks unknown files to expose their underlying object structure (e.g. embedded executables, libraries, documents, icons), extracts internal metadata statically, and verifies the internal structure.

The extracted files are repaired to enable further analysis with a sandbox, de-compiler, or debugger. The metadata and file can also be stored in a database for subsequent data correlation. This information aids practitioners in determining whether a sample is malicious or not.

ReversingLabs has done this type of analysis on over one billion clean and malicious files and has results available through web services.

Mario mentioned that customers generally prefer a detailed XML report that is compatible with their backend systems and databases.

File Disinfection Framework

A strong suit of ReversingLabs is knowing how to return files to their pre-infection state. To that end, with the backing of DARPA, ReversingLabs just released File Disinfection Framework as an open-source tool:

“File Disinfection Framework will simplify and speed development of the targeted routines required to disinfect attacks and prevent frequent re-infection due to the usage of poorly written or generic disinfection routines.”

I like the idea of fighting open-source malware packers with open-source tools.

The million-dollar question

I had one more question for Mario — a kind of philosophical one. I asked what it would take to fix this in one fell swoop. He divided his answer into two parts, which I found interesting. The first involves a do-over:

The number one pre-requisite would be a new operating system. Apple’s iOS is a good example:

  • Sporting a controlled app release (really a controlled trust chain).
  • A shackled application rights model.
  • Implementing both blacklisting and whitelisting to handle any exceptions.

There would still be a need for manual research and platform improvements as response to latest incidents.

Next, Mario offered a more pragmatic view:

In the existing environment, e.g. Windows, we need to do better static analysis in order to:

  • Reduce the number of unnecessary signatures.
  • Expand detection to more polymorphic malware samples.
  • Increase performance.

Detection needs to evolve from pattern matching into a complex threat classification system that combines static analysis, controlled emulation, dynamic behavior, network reputation, and trust validation.

Many products will claim certain aspects, but this system has to work as one engine with best of the breed functionality specs (unlike what customers tolerate today) on all known malicious and non-malicious samples at the same time.

Final thoughts

I still see trouble ahead for traditional antivirus applications. But if people like Mario can get an industry that can’t standardize on what to call a new piece of malware to use common databases and frameworks, there may be hope.

I’d also like to thank Mario Vuksan for patiently explaining the intricacies of antivirus technology.