In a rapidly changing threat landscape, heuristics aren't enough. Rob Collins, WatchGuard Technologies senior systems engineer, APAC, explains why behavioural analysis is the next frontier.
In the security industry we talk about viruses ‘mutating’ and being ‘polymorphic’, but what does that actually mean, and how many mutations can there possibly be?
Recently I sent a fresh sample to Kaspersky and they came back, one minute later, calling my new virus ‘Trojan-Spy.Win32.Zbot.tppt’. Zbot is the Zeus Trojan, which has been around since 2008 and is still going strong. It was the letters on the end that caught my attention: tppt.
In the old days of Melissa and Blaster there might have been the initial release, let’s call it ‘Virus.Win32.Melissa.a’. A few weeks or months later the writers made a better version, detected as ‘Virus.Win32.Melissa.b’, and perhaps a third variant after that. By then the antivirus companies had a ‘heuristic’ signature for Melissa and could detect new variants automatically, by matching the parts of the code that stayed the same across variants against that signature.
Then along came tools to automate packing, create custom encryption wrappers and even rewrite the code entirely while keeping its functionality, so that every build is a new variant. Read the suffix as a counter written in letters: Zeus version 1 is Zeus.a, version 26 is Zeus.z, version 27 is Zeus.aa, version 703 is Zeus.aaa and version 18,279 is Zeus.aaaa. On that reading Zeus.tppt is variant number 362,772, so comfortably north of 100,000.
Even at a conservative 100,000 variants in six years, that is roughly one new mutation every 30 minutes; the full count works out closer to one every nine minutes. The rate has not been constant, either. It is accelerating, more like an exponential curve than a straight line.
Last year I tracked the Tepfer information-stealing Trojan and uploaded a few samples. They came back as Tepfer.fldj on 07 February 2013 and Tepfer.fmjm on 08 February, both submitted at around 11.00am. Under the scheme above fldj is variant 113,682 and fmjm is 114,517, so around 835 new variants in 24 hours, or one every couple of minutes. It is no surprise that the traditional antivirus companies could not keep up and that even their heuristics stopped being effective.
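The suffix arithmetic above is easy to get wrong by hand, so here is the counter as code. This is an added worked example, not Kaspersky's code; it assumes exactly the scheme the article describes (a to z, then aa, ab, ... with no gaps, i.e. bijective base 26) and models nothing a vendor might do differently, such as skipping letters. The six-year and 24-hour windows are the ones quoted in the text.

```python
"""Variant suffixes as a counter (a, b, ..., z, aa, ab, ..., aaa, ...).

Added example for the article's Zeus.a / Zeus.aa / Zeus.aaa progression.
Assumes a gap-free bijective base-26 scheme; not vendor code.
"""
import string

ALPHABET = string.ascii_lowercase


def suffix_to_ordinal(suffix: str) -> int:
    """'a' -> 1, 'z' -> 26, 'aa' -> 27, 'aaa' -> 703, 'aaaa' -> 18279."""
    n = 0
    for ch in suffix.lower():
        if ch not in ALPHABET:
            raise ValueError(f"not a letters-only variant suffix: {suffix!r}")
        n = n * 26 + ALPHABET.index(ch) + 1
    return n


def ordinal_to_suffix(n: int) -> str:
    """Inverse of suffix_to_ordinal: 18279 -> 'aaaa'."""
    if n < 1:
        raise ValueError("variant numbers start at 1 ('a')")
    letters = []
    while n:
        n, rem = divmod(n - 1, 26)   # bijective base 26: no digit for zero
        letters.append(ALPHABET[rem])
    return "".join(reversed(letters))


def variants_between(first: str, second: str) -> int:
    """How many variants were numbered between two observed suffixes."""
    return suffix_to_ordinal(second) - suffix_to_ordinal(first)


def minutes_per_variant(first: str, second: str, elapsed_minutes: float) -> float:
    """Average gap between new variants, given two suffixes seen that far apart."""
    return elapsed_minutes / variants_between(first, second)


if __name__ == "__main__":
    print("Zbot.tppt is variant", suffix_to_ordinal("tppt"))            # 362772
    # roughly six years of Zeus, 2008 to 2014
    print("one Zeus variant every %.1f minutes"
          % minutes_per_variant("a", "tppt", 6 * 365 * 24 * 60))
    # two Tepfer samples submitted 24 hours apart
    print("Tepfer variants in 24h:", variants_between("fldj", "fmjm"))  # 835
    print("one Tepfer variant every %.1f minutes"
          % minutes_per_variant("fldj", "fmjm", 24 * 60))
```

Run it and the Zeus figure comes out at one variant every 8.7 minutes, the Tepfer figure at one every 1.7 minutes; both are averages, and the article's point is that the instantaneous rate is climbing.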
A modern detective
A new kind of detection method was required. Imagine being a police officer with a photo of a crook. The crook, however, can change their height, hair colour, clothes, eyes, skin colour, gender, race – like the T-1000 from Terminator 2! The officer wouldn’t stand a chance unless they happened to see the crook doing bad things, carrying bad stuff and talking to other bad people. Of course, a good crook would spot the police officer and behave, so the officer also needs to avoid alerting the crook to their presence.
In the malware world, spotting a crook by what they do rather than what they look like, while staying invisible, is the job of a new class of solution based on behavioural analysis. Pioneers such as Anubis and Lastline emulate a real computer without letting the sample know (good malware contains virtualisation detection and will simply do nothing if it thinks it is being watched), observe the file’s behaviour and communications in accelerated time, and derive a threat level from what it actually does.
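To make the contrast concrete, here is the heuristic-signature approach from the Melissa days beside a behavioural score of the kind just described. This is an added example, not code from WatchGuard, Anubis or Lastline: the payload bytes, the XOR ‘packer’, the sandbox event traces and the rule weights are all constructed for the demo. A real packer does far more than XOR and a real sandbox logs thousands of events, but the effect is the same: every rebuild is a new ‘variant’ to a byte signature, while the behaviour does not change, and a sample that probes for a sandbox and then goes quiet must not be scored as clean.

```python
"""Static signature versus behavioural score (constructed example)."""
from dataclasses import dataclass
import hashlib

# --- static side ------------------------------------------------------------

# Constructed unpacked payload: the only thing a byte-pattern signature can see.
ORIGINAL = b"MZ\x90\x00 ...cfg... POST /gate.php HTTP/1.1 ...inject explorer.exe"
SIGNATURE = b"POST /gate.php"   # the 'static part' a heuristic signature keys on


def xor_pack(payload: bytes, key: int) -> bytes:
    """Toy packer: XOR every byte with a one-byte key (1..255).

    A new key gives a new hash and defeats any byte match, while the code
    that runs after unpacking is identical. Real packers are far richer."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the bytes unchanged)")
    return bytes(b ^ key for b in payload)


def static_match(sample: bytes) -> bool:
    """What a signature/heuristic scanner does: look for known bytes."""
    return SIGNATURE in sample


def distinct_builds(payload: bytes, keys: range) -> int:
    """How many distinct 'variants' the toy packer yields from one payload."""
    return len({hashlib.sha256(xor_pack(payload, k)).hexdigest() for k in keys})


# --- behavioural side -------------------------------------------------------

@dataclass(frozen=True)
class Event:
    kind: str     # "file", "registry", "process", "network" or "probe"
    detail: str   # free text as a sandbox might log it (constructed here)


# (rule name, weight, predicate over one event). Weights are illustrative.
RULES = [
    ("persistence", 3, lambda e: e.kind == "registry" and "\\CurrentVersion\\Run" in e.detail),
    ("injection",   4, lambda e: e.kind == "process" and e.detail.startswith("WriteProcessMemory")),
    ("credentials", 3, lambda e: e.kind == "file" and e.detail.endswith("Login Data")),
    ("beacon",      2, lambda e: e.kind == "network" and e.detail.startswith("POST ")),
    ("vm_probe",    0, lambda e: e.kind == "probe"),   # scores nothing, but is remembered
]


def score(trace: list[Event]) -> dict:
    """Derive a threat level from what the sample did, not what it looks like."""
    hits = {name for name, _, pred in RULES if any(pred(e) for e in trace)}
    total = sum(w for name, w, _ in RULES if name in hits)
    if "vm_probe" in hits and total == 0:
        # The sample looked for a sandbox and then did nothing: that is not
        # 'clean', it is the crook spotting the officer. Rerun on stealthier kit.
        verdict = "inconclusive"
    elif total >= 8:
        verdict = "malicious"
    elif total >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "score": total, "verdict": verdict}


# Constructed traces: what a sandbox might log for three kinds of sample.
ZBOT_LIKE = [
    Event("process",  "WriteProcessMemory -> explorer.exe"),
    Event("registry", "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sysupd"),
    Event("file",     "read C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    Event("network",  "POST /gate.php -> 198.51.100.7:80"),
]
EVASIVE = [
    Event("probe",   "read HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"),
    Event("probe",   "IsDebuggerPresent"),
    Event("process", "ExitProcess"),
]
BENIGN = [
    Event("file",    "write C:\\Users\\u\\Documents\\report.docx"),
    Event("network", "GET /update.xml -> 203.0.113.5:443"),
]

if __name__ == "__main__":
    repacked = xor_pack(ORIGINAL, 0x5A)
    print("signature on original :", static_match(ORIGINAL))    # True
    print("signature on repacked :", static_match(repacked))    # False
    print("variants from 255 keys:", distinct_builds(ORIGINAL, range(1, 256)))
    for name, trace in [("zbot-like", ZBOT_LIKE), ("evasive", EVASIVE), ("benign", BENIGN)]:
        print(f"{name:10s}", score(trace))
```

The signature finds the original and misses every one of the 255 repacked copies, whereas the behavioural rules score the unpacked run the same way whatever key was used. The ‘inconclusive’ branch is the practical caveat: a trace consisting only of anti-analysis probes followed by a clean exit is evidence that the sample detected the observer, and the right response is a stealthier environment, not a clean bill of health.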
It is simply not enough in today’s environment to know the extent of the threat landscape, as businesses rely more and more on partners to build robust defence systems to protect their data and networks.
This presents an enormous opportunity for resellers, opening up a potentially larger and more lucrative market for them to tap into and truly differentiate themselves. In doing so, they will be able to provide New Zealand businesses with the most up-to-date and sound security advice and consulting services available.
By Rob Collins, WatchGuard Technologies senior systems engineer