Friday, February 11, 2011

Ineffectiveness of AntiVirus Solutions

Many recent high-profile attacks on major software companies, public-sector institutions and international organizations:
–Aurora attack on Google and 32 other companies last year
–In all cases: a malicious email was sent to the victim

Email-borne threats fall into two general categories:
–Mass email attacks
–Targeted attacks
Traditional AV is increasingly ineffective; a heuristic engine is necessary.

Typical Bredolab/Trojan.Sasfis
Most prolific family of mass-mailed threats using an executable attachment.
Social engineering lures:
–Social Media website password reset
–Western Union or UPS invoice
–"You have received an E-Card!"
–Spammed out in very large numbers (Cutwail botnet)
–Many different payloads
–13.3% of all malware stopped by Skeptic between June 2009 and June 2010 (excluding phish and links)
–Typically low AV detection (< 10 on VT)
–Good social engineering tactics
–Use of Word or Excel icons
–Spoof prolific companies (Facebook, UPS, Fedex)
–Heavy use of server-side polymorphism (SSP) to evade signature-based AV

Signature-based AV
–Create a "signature" for a piece of malware
–String(s) of bytes
–Checksum(s)
–Very specific
–Evidence of increased use of SSP
–In 2008, Symantec created 1,691,323 new malicious code signatures
–In 2009, 2,895,802 new signatures were created (71% increase)
–139% increase from 2007 to 2008
–Not sustainable!
–Solution: heuristic-based approach

Signature Development Process

Heuristic-based Approach
–Generic detection
–Features known to exist in malware
–Decision based on extracted features
–Weighted
–Cloud based: no reactive signature deployment delays

Polymorphic Viruses
–Big problem for AV
–Many different variants
–Functionally equivalent
–Signatures required for each variant
–Solution: "emulation"
–Emulate past the decryptor stub
–Signature the static (decrypted) virus body

Server-side polymorphism (SSP)
–Custom encryption routine
–Decrypt at runtime
–Generated by a polymorphic engine
–Hundreds or perhaps thousands of unique variants
–Random junk instructions
–API calls
–Arithmetic
–Entry point (EP)
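The two slides above (polymorphic viruses and SSP) describe why a byte-string or checksum signature misses every re-encrypted variant while emulating past the decryptor stub and scanning the static body catches all of them. The following is an added illustration, not code from the original talk: the "file format" (one-byte XOR key followed by the encoded body), the stand-in payload text and the signature string are all constructed for the demo.

```python
import hashlib

# Constructed stand-in for a static virus body (harmless text, not real malware).
STATIC_BODY = b"CONSTRUCTED-SAMPLE: connect-back + download payload v1"
# Very specific byte-string signature of the kind a signature-based AV would ship.
BYTE_SIGNATURE = b"connect-back + download"


def make_variant(body: bytes, key: int) -> bytes:
    """Toy SSP output: a 1-byte 'decryptor stub' (the key) + XOR-encoded body.
    Each key yields a functionally equivalent but byte-different variant."""
    return bytes([key]) + bytes(b ^ key for b in body)


def signature_string_match(sample: bytes) -> bool:
    """Signature AV, string form: look for the exact byte sequence on disk."""
    return BYTE_SIGNATURE in sample


def checksum(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def signature_checksum_match(sample: bytes, known: set) -> bool:
    """Signature AV, checksum form: whole-file hash must already be known."""
    return checksum(sample) in known


def emulate_and_scan(sample: bytes) -> bool:
    """Heuristic/emulation: run the stub's decryption, then scan the static body."""
    if len(sample) < 2:
        return False
    key, encrypted = sample[0], sample[1:]
    decrypted = bytes(b ^ key for b in encrypted)
    return BYTE_SIGNATURE in decrypted


def compare_detection(keys) -> dict:
    """Count detections per technique across one SSP 'run' of variants.
    The vendor is assumed to hold a checksum for the first variant only."""
    variants = [make_variant(STATIC_BODY, k) for k in keys]
    known = {checksum(variants[0])}
    return {
        "variants": len(variants),
        "string_sig": sum(signature_string_match(v) for v in variants),
        "checksum_sig": sum(signature_checksum_match(v, known) for v in variants),
        "emulation": sum(emulate_and_scan(v) for v in variants),
    }


if __name__ == "__main__":
    # Five constructed keys stand in for a spam run that rotates binaries.
    print(compare_detection([0x5A, 0x3C, 0xA7, 0xF1, 0x10]))
```

With five rotated keys the string signature detects nothing, the checksum detects only the one variant it was written for, and the emulation path detects all five.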

Use in mass-email attacks
–Attackers generate a number of unique binaries
–Change the binary being spammed throughout the attack
–Problem for any vendor without proactive protection in place

Bredolab Case Study - 30 March 2010
–Standard Bredolab run:
–Subject: variation of 'UPS Delivery Problem NR 18800'
–Attachment: similarly named 'UPS_invoice_1845.exe'
–Relatively small (only 56 observed copies)
–Started at 19:08:33 GMT (time 0)
–Last observed sample at 19:36:31
–Total of 27 min 59s

Case Study - AV Detection & Response Time
–At time 0, AV detection was 0
–Average response time?
–661 minutes (11 hours and 1 minute)
–Remember that the attack only lasted 28 mins
–This is the average response time
–INEFFECTIVE

Aurora and Targeted Attacks (Spear-Phishing)
–Aurora/Hydraq
–Up to 34 different companies compromised in same period using similar techniques
–Email links to malicious web pages
–Flaws in Adobe Acrobat Reader
–Google hackers are back?
–CVE-2010-2883

According to US Department of Defense Cyber Crime Center:
"102 breaches of the Pentagon’s agencies, partners and contractors in a two-year period ending August 2009"

Targeted Attack Case Study - 24 March 2010
–Targeted attack blocked attempting to exploit CVE-2010-0188 (libTiff)
–Single copy sent to an individual in a major international organization
–Coordinates governments from around the world
–Trojanized a clean PDF from a World Cup travel site

Case Study - AV Detection & Response Time
–AV detection was 0
–One week later, AV detection at 33%
–Detection improved through sample sharing and blog coverage
–Average response time?
–3631 minutes (two and a half days)
–Only takes into account the 33% of vendors that were actually detecting the threat
–INEFFECTIVE