
Watchguard - From malware and ransomware to mobile threats

03 Oct 14

In a rapidly changing threat landscape, heuristics aren't enough. Rob Collins, WatchGuard Technologies senior systems engineer, APAC, explains why behavioural analysis is the next frontier.

In the security industry we talk about viruses ‘mutating’ and being ‘polymorphic’, but what does it mean and how many mutations can there possibly be?

Recently I sent a fresh sample to Kaspersky and they came back (one minute later) calling my new virus ‘Trojan-Spy.Win32.Zbot.tppt’. Zbot is the Zeus Trojan that has been around since 2008 and is still going strong. It was the letters on the end that caught my attention: tppt.

In the old days of Melissa and Blaster, there might have been the initial release, let’s call it ‘Virus.Win32.Melissa.a’. Then a few weeks or months later, the writers made a better version and it was detected as ‘Virus.Win32.Melissa.b’. A third variant might also have been released. By this time, antivirus companies had a ‘heuristic’ (generic) signature for Melissa and could detect new variants automatically, by matching the parts of the code that stayed the same from one variant to the next.

Then along came tools to automate packing, wrap samples in custom encryption and even rewrite the code entirely while keeping its functionality. Under that naming scheme, Zeus version 1 would be called Zeus.a, version 27 would be Zeus.aa, version 703 would be Zeus.aaa and version 18,279 would be Zeus.aaaa (the suffix is a counter written in letters, with no zero digit). So Zeus.tppt is, um, somewhere north of 100,000; well over 300,000, in fact, if the letters are a strict counter.

So, 100,000+ variations in six years means, at the very least, roughly a new mutation every 30 minutes. However, the mutation speed hasn’t been constant. It is mutating faster every day, more like an exponential curve than a straight line.
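To make the arithmetic behind the suffix letters concrete, here is an added example (not code from the article or from any antivirus vendor) that treats the trailing suffix of a detection name as a bijective base-26 counter (a=1 … z=26, aa=27, and so on) and converts it to an ordinal and back, then turns a variant count and a time span into an average spacing between variants. It assumes the suffix is a strictly sequential counter; real vendor naming schemes do not guarantee that, so the ordinal is an upper-bound style estimate rather than a count of distinct samples.

```python
# Added example (not from the article): interpret a detection-name suffix such as
# ".tppt" as a bijective base-26 counter and derive a rough mutation rate.
# ASSUMPTION: the suffix is a strictly sequential counter, which vendor naming
# schemes do not actually guarantee.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def suffix_to_ordinal(suffix: str) -> int:
    """'a' -> 1, 'z' -> 26, 'aa' -> 27, 'aaa' -> 703, 'aaaa' -> 18279."""
    n = 0
    for ch in suffix.lower():
        if ch not in ALPHABET:
            raise ValueError(f"not a letter suffix: {suffix!r}")
        # bijective base 26: there is no zero digit, so 'a' carries value 1
        n = n * 26 + (ALPHABET.index(ch) + 1)
    return n


def ordinal_to_suffix(n: int) -> str:
    """Inverse of suffix_to_ordinal."""
    if n < 1:
        raise ValueError("ordinals start at 1")
    out = []
    while n:
        n, rem = divmod(n - 1, 26)  # subtract 1 first because digits run 1..26
        out.append(ALPHABET[rem])
    return "".join(reversed(out))


def variant_ordinal(detection_name: str) -> int:
    """Ordinal of the last dotted component, e.g. 'Trojan-Spy.Win32.Zbot.tppt'."""
    return suffix_to_ordinal(detection_name.rsplit(".", 1)[-1])


def minutes_per_variant(variants: int, years: float) -> float:
    """Average spacing between variants if they had appeared at a constant rate."""
    total_minutes = years * 365 * 24 * 60
    return total_minutes / variants


if __name__ == "__main__":
    name = "Trojan-Spy.Win32.Zbot.tppt"  # the name quoted in the article
    n = variant_ordinal(name)
    print(f"{name} is variant number {n:,} under a strict counter")
    print(f"100,000 variants over 6 years: one every "
          f"{minutes_per_variant(100_000, 6):.1f} minutes")
    print(f"{n:,} variants over 6 years: one every "
          f"{minutes_per_variant(n, 6):.1f} minutes")
```

The round trip through ordinal_to_suffix is the useful check: if a suffix does not survive it unchanged, the input was not a plain letter suffix and the estimate should not be trusted.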

Last year I tracked the Tepfer information-stealing Trojan and uploaded a few samples. The results came back as Tepfer.fldj on 07 February 2013 and Tepfer.fmjm on 08 February. Both were submitted around 11.00 am. If my maths is right, that is around 7260 mutations in 24 hours. It’s no surprise that the traditional antivirus companies couldn’t keep up and that even their heuristics were no longer effective.

A modern detective
A new kind of detection method was required. Imagine being a police officer with a photo of a crook. The crook however can change their height, hair colour, clothes, eyes, skin colour, gender, race – like a T-1000 from Terminator 2! The officer wouldn’t stand a chance, unless they happen to see the crook doing bad things, carrying bad stuff and talking to other bad people. Of course, a good crook would see the police officer and behave themselves, so the officer needs to not alert the crook to their presence.

In the malware world, the ability to spot a crook based on what they are doing, not what they look like, while staying invisible, is a new class of solution based on behavioural analysis. Tools and companies such as Anubis and Lastline have pioneered the technique of emulating a real computer without tipping off the sample (good malware checks for virtual machines and sandboxes, and simply does nothing if it thinks it is being watched), observing the behaviour and communications of a file in accelerated time, and deriving a threat level from what it sees.
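The following is an added example, not code from the article and not any vendor's product, that shows the two ideas in that paragraph in working form: a threat level derived from what a sample does rather than how it looks, and why the sandbox needs to fast-forward time. The sandbox trace, the rules and their weights are all constructed for illustration and are assumptions, not a published scoring standard.

```python
# Added example (not from the article, not any vendor's engine): score a sample on
# observed behaviour, and show why accelerating time matters.  The trace, the rules
# and the weights below are constructed assumptions for illustration only.
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "file", "registry", "process", "network" or "sleep"
    detail: str  # path, key, target, host:port, or seconds slept


# Constructed trace of a hypothetical banking-trojan sample in a sandbox.
SAMPLE_TRACE = [
    Event("sleep", "600"),  # sleeps 10 minutes first: classic sandbox-timeout evasion
    Event("file", r"C:\Users\victim\AppData\Roaming\Microsoft\svchost.exe"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
    Event("process", "inject:explorer.exe"),
    Event("network", "203.0.113.7:8080"),
    Event("file", r"C:\Users\victim\Documents\report.docx"),
]


def is_raw_ip_nonstandard(endpoint: str) -> bool:
    """True for a dotted-quad IP on a port other than 80/443 (no DNS name at all)."""
    host, _, port = endpoint.rpartition(":")
    octets = host.split(".")
    is_ip = len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)
    return is_ip and port not in ("80", "443")


# Each rule: (name, weight, predicate over one event).  Weights are assumptions.
RULES = [
    ("drops executable under AppData", 3,
     lambda e: e.kind == "file" and "AppData" in e.detail
     and e.detail.lower().endswith(".exe")),
    ("adds Run-key persistence", 4,
     lambda e: e.kind == "registry" and "\\CurrentVersion\\Run\\" in e.detail),
    ("injects into another process", 5,
     lambda e: e.kind == "process" and e.detail.startswith("inject:")),
    ("beacons to raw IP on non-standard port", 3,
     lambda e: e.kind == "network" and is_raw_ip_nonstandard(e.detail)),
    ("long sleep before acting", 2,
     lambda e: e.kind == "sleep" and int(e.detail) >= 300),
]


def observe(trace, budget_s=120, accelerate_sleeps=False):
    """Return the events a sandbox with a wall-clock budget actually gets to see."""
    seen, elapsed = [], 0
    for e in trace:
        if elapsed >= budget_s:
            break
        seen.append(e)
        if e.kind == "sleep":
            # A sandbox that fast-forwards the clock pays nothing for a Sleep() call;
            # a naive one burns its whole budget waiting and sees nothing afterwards.
            elapsed += 0 if accelerate_sleeps else int(e.detail)
        else:
            elapsed += 1  # assume one second of wall clock per other action
    return seen


def analyse(trace):
    """Return (score, names of rules that fired, verdict) for an observed trace."""
    score, fired = 0, []
    for name, weight, pred in RULES:
        if any(pred(e) for e in trace):
            fired.append(name)
            score += weight
    if score >= 10:
        verdict = "malicious"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return score, fired, verdict


if __name__ == "__main__":
    for accel in (False, True):
        seen = observe(SAMPLE_TRACE, budget_s=120, accelerate_sleeps=accel)
        score, fired, verdict = analyse(seen)
        print(f"accelerated time={accel}: saw {len(seen)} events, "
              f"score {score}, verdict {verdict}, rules {fired}")
```

Run as-is, the naive sandbox sees only the sleep and calls the sample clean; the accelerated one sees the drop, the Run key, the injection and the beacon and calls it malicious. The point of the example is the second half: the scoring is easy, but it only works if the sample is actually allowed to show its behaviour.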

Knowing the extent of the threat landscape is no longer enough on its own; businesses rely more and more on partners to build the robust defences that protect their data and networks.

This opens up a larger, and potentially lucrative, market for resellers and a chance to truly differentiate themselves. In doing so they can provide New Zealand businesses with the most up-to-date and sound security advice and consulting services available.

By Rob Collins, WatchGuard Technologies senior systems engineer
