Forensic analysis by SophosLabs to determine where malware has been written has revealed some interesting differences in the motives and tactics used by different hacking groups around the globe. For instance, 21 percent of all malware is written in China. This is a smaller proportion than in 2006 when the republic’s hackers accounted for 30 percent of the malicious code seen.
Share of malware written, by country (SophosLabs analysis):
- China 21.0%
- Brazil 12.5%
- Russia 9.2%
Most of the Chinese malware takes the form of backdoors, but there is also a proportion of Chinese malicious software whose motive is to steal passwords from online gamers.
Brazil accounts for 12.5 percent of the malware that has been analyzed by SophosLabs. The majority of the code written in the South American country is Trojan horses, designed to steal information from online banks. Russian hackers, meanwhile, are responsible for 9.2 percent of the malware seen, mostly creating backdoors that allow cybercriminals to gain access to compromised computers.
Rootkits
SophosLabs estimates that threats from rootkit technology account for about 7 percent of all malware, including high-profile malware such as Pushdo and Dorf.
There is a renewed interest in rootkits, thanks to hardware-assisted virtualization technologies available in both Intel and AMD processors. Proof-of-concept source code of a hardware virtualization rootkit known as Blue Pill was made publicly available at the Black Hat conference in Las Vegas in August 2006. Virtualization rootkits are supposed to sit deviously between the host hardware and the virtualized subsystem (the guest) to make malware hard or impossible to detect.
In spite of this, SophosLabs does not anticipate that hardware-assisted virtualization-based rootkits will become a significant threat in the near future as they are very complex and rely heavily on hardware extensions that vary from processor to processor. Standard detection techniques, such as on-access scanning, are well suited for detection of malicious hypervisors before install (as the malware arrives on the system).
Detection evasion
There is an arsenal of techniques that can be used to try to evade detection by anti-malware products. One of the most common techniques is server-side polymorphism.
Viruses have used polymorphic technology since the early 1990s to mutate their appearance on each infection, in effect making each sample of the malware unique. Server-side polymorphism, however, uses code on the webserver to generate mutated malware. In the past, anti-malware vendors could detect polymorphic viruses by identifying the mutation engine’s code. However, with server-side polymorphism, the code which mutates the malware is left on the web server, making it impossible to identify the mutation engine as it is not present in the brand new one-off variant of the malware.
Other techniques often used by malware include encryption, obfuscation and rapidly changing code with potentially automated builds. Obfuscation is particularly frequently used in script-based malware.
These techniques are often used to prevent generic detection techniques. For example, the author of Pushdo – a hacker who spent much of 2007 attempting to infect unwary computer users with the promise of naked pictures of Angelina Jolie – often adds junk (do nothing) instructions, changes the first few bytes of the code, uses encryption of strings commonly present in malicious software and reorders the sequence and the way of calling Windows system functions.
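The tricks listed above (junk instructions, a changed prefix, encrypted strings) defeat a signature taken over the raw bytes of one sample, because the server hands every victim a different sample. The following added example, which is not Sophos code and uses constructed byte strings rather than any real malware, shows why an exact hash fails across two variants of the same toy stub and how a detector that normalizes the code stream and decodes the string region before matching still recognises both. The x86 prologue, the marker string and the single-byte XOR keys are assumptions chosen for the demonstration.

```python
import hashlib

# Constructed stand-in for the part of a stub that the mutation engine leaves alone:
# push ebp; mov ebp,esp; sub esp,0x10
CORE = bytes.fromhex("558bec83ec10")
# Strings a scanner looks for once decoded (a Win32 API name serves as the marker here).
MARKERS = [b"URLDownloadToFileA"]
# Single-byte "do nothing" opcodes to strip before comparison (assumption: only x86 NOP).
JUNK_OPCODES = {0x90}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Two constructed variants of the same stub, as a server-side engine might serve them:
# NOPs inserted at different instruction boundaries, a changed prefix, and the embedded
# string XOR-encoded with a different key in each.
VARIANT_A = CORE[:1] + b"\x90" + CORE[1:] + xor_bytes(MARKERS[0], 0x5A)
VARIANT_B = b"\x90\x90" + CORE[:3] + b"\x90" + CORE[3:] + xor_bytes(MARKERS[0], 0xC3)


def exact_hash(sample: bytes) -> str:
    """A per-sample signature: differs for every one-off variant."""
    return hashlib.sha256(sample).hexdigest()


def strip_junk(code: bytes) -> bytes:
    """Drop single-byte junk so the invariant instruction stream can be compared."""
    return bytes(b for b in code if b not in JUNK_OPCODES)


def find_encoded_marker(blob: bytes):
    """Try every single-byte XOR key; return (key, marker) for the first decode that
    contains a known marker, or None if no key works."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for marker in MARKERS:
            if marker in decoded:
                return key, marker
    return None


def detect(sample: bytes) -> dict:
    """Match on the normalized code stream and on the decoded string, not on raw bytes."""
    code_match = CORE in strip_junk(sample)
    hit = find_encoded_marker(sample)
    return {
        "code_match": code_match,
        "string_key": hit[0] if hit else None,
        "verdict": code_match and hit is not None,
    }


if __name__ == "__main__":
    print("same exact hash:", exact_hash(VARIANT_A) == exact_hash(VARIANT_B))
    print(detect(VARIANT_A))
    print(detect(VARIANT_B))
```

The point of the normalization step is that it targets what the engine cannot change without breaking the program, which is the same idea generic detection applies to real samples; a production scanner would of course decode instructions properly instead of deleting every 0x90 byte, since that byte can also be a legitimate operand.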
Detection techniques
Alongside the growing amount of new malware which tries to bypass security measures, there have also been significant technological advances in detection techniques.
To combat the threat of zero-day attacks, and new malware and spyware attacks, security leaders have been looking at behavioral or proactive protection as a method to stop unknown malware from running on a victim machine. This type of protection looks at what a piece of code wants to do, decides whether the action is legitimate or malicious, and acts accordingly.
Unfortunately, implementing this technology is not trivial, and the different approaches taken by some of the industry leaders have had varying degrees of success, as can be seen in the results of tests performed by independent testing laboratories such as AV-Test.org.
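To make concrete what "looks at what a piece of code wants to do" means, the added example below (not Sophos code, and not how any vendor's product is built) scores a constructed trace of observed actions against a handful of weighted rules and blocks when the total crosses a threshold. The event format, rule weights, threshold and service names are assumptions. It also shows the trade-off the paragraph alludes to: a single suspicious action, such as a self-extracting installer writing an executable to the temp directory, stays below the threshold, while the combination of that action with autorun persistence, code injection and stopping a security service does not.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Event:
    action: str       # "file_write" | "reg_set" | "process_inject" | "service_stop"
    target: str       # file path, registry value path, process name or service name
    detail: str = ""  # registry value data where relevant

TEMP_MARKER = "\\appdata\\local\\temp\\"          # per-user temp directory, matched case-insensitively
SECURITY_SERVICES = {"windefend", "wscsvc"}       # assumption: services the policy guards
BLOCK_THRESHOLD = 5                               # constructed threshold

def in_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()

def drops_exe_in_temp(trace: List[Event]) -> bool:
    return any(e.action == "file_write" and in_temp(e.target)
               and e.target.lower().endswith(".exe") for e in trace)

def autorun_points_to_temp(trace: List[Event]) -> bool:
    # Persistence via a Run key whose data is an executable in the temp directory.
    return any(e.action == "reg_set" and "\\run\\" in e.target.lower()
               and in_temp(e.detail) for e in trace)

def injects_into_other_process(trace: List[Event]) -> bool:
    return any(e.action == "process_inject" for e in trace)

def stops_security_service(trace: List[Event]) -> bool:
    return any(e.action == "service_stop" and e.target.lower() in SECURITY_SERVICES
               for e in trace)

# (rule name, predicate over the whole trace, weight); weights are constructed.
RULES: List[Tuple[str, Callable[[List[Event]], bool], int]] = [
    ("drops executable in %TEMP%", drops_exe_in_temp, 2),
    ("autorun entry points into %TEMP%", autorun_points_to_temp, 3),
    ("injects code into another process", injects_into_other_process, 4),
    ("stops a security service", stops_security_service, 3),
]

def evaluate(trace: List[Event]) -> Tuple[int, List[str], str]:
    """Return (score, names of rules that fired, 'block' or 'allow')."""
    fired = [(name, weight) for name, predicate, weight in RULES if predicate(trace)]
    score = sum(weight for _, weight in fired)
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return score, [name for name, _ in fired], verdict

# Constructed traces (sample data, not real captures).
INSTALLER = [
    Event("file_write", r"C:\Program Files\Acme\acme.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme",
          r"C:\Program Files\Acme\acme.exe"),
]
SELF_EXTRACTOR = [
    Event("file_write", r"C:\Users\bob\AppData\Local\Temp\setup_tmp.exe"),
]
SUSPECT = [
    Event("file_write", r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    Event("process_inject", "explorer.exe"),
    Event("service_stop", "WinDefend"),
]

if __name__ == "__main__":
    for label, trace in (("installer", INSTALLER), ("self-extractor", SELF_EXTRACTOR),
                         ("suspect", SUSPECT)):
        print(label, evaluate(trace))
```

Rules over a whole trace, rather than over a single call, are what let the engine distinguish an installer that legitimately registers itself from a sample that persists from the temp directory and then tampers with other processes; choosing the weights and threshold so that both false positives and misses stay low is the non-trivial part the test results reflect.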
Proactive detection rates of new in-the-wild malware, Source: AV-Test.org test, July–September 2007:
- Sophos 86%
- Kaspersky 69%
- Trend Micro 68%
- F-Secure 67%
- Symantec 66%
- McAfee 55%
- Microsoft 48%
- ClamAV 42%