Daniel Bilar, Wellesley College
October 2007

Flying below the Radar: What modern malware tells us

Daniel Bilar
Department of Computer Science
Wellesley College
Wellesley (MA), USA
dbilar <at> wellesley dot edu

Talking about engineering and theory challenges for malware to come

Prediction is very hard, especially about the future

Talk HGI at Ruhr-Uni Bochum
Overview

- Classic AV pattern matching identification may have reached its practical and theoretical limits with present modern MW
- Results of author's structural MW analysis
- Propose moving towards iterative games and black box process modeling, as expressed by interactive computing models
- MW to come? k-ary, Satan, IC and Quantum
Metamorphism/Polymorphism

Polymorphic malware contain decryption routines which decrypt encrypted constant parts of the body.

Metamorphic malware generally do not use encryption, but mutate the body in subsequent generations.

Confusing: Sometimes, polymorphism subsumes both terms, especially in 'older' work.
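The two definitions above are easiest to see against a scanner. The following is an added illustration, not code from the talk: a fixed byte signature is matched against a constructed polymorphic variant (invariant decryptor stub plus a body XOR-encrypted under a per-variant key) and against a constructed metamorphic variant (the same instruction sequence rewritten with equivalent instructions and junk). All sample bytes, the stub, the instruction strings and the equivalence table are constructed stand-ins, not real code; the point is which matching strategy survives each kind of variation.

```python
"""Added illustration (not from the talk): why a classic byte signature
misses polymorphic and metamorphic variants, and the two things a scanner
has to do instead: replay the decryptor to recover the constant body, and
normalize mutated code before matching structurally.  Every sample below
is a constructed text stand-in for code; nothing here is real malware."""

# ---- Constructed samples ---------------------------------------------------
# The constant part of the body a classic signature would be written for.
BODY = b"CONSTRUCTED-PAYLOAD-BODY-v1"
# Stand-in for the decryption routine that stays invariant across variants.
DECRYPTOR_STUB = b"DECRYPT-LOOP:"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here as the toy 'encryption' of the body."""
    return bytes(b ^ key for b in data)


def polymorphic_variant(key: int) -> bytes:
    """Constructed polymorphic variant: invariant stub, 1-byte key, then the
    body encrypted under that key.  Different keys give different bytes."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(BODY, key)


# ---- Classic pattern matching ----------------------------------------------
def byte_signature_match(sample: bytes, signature: bytes) -> bool:
    """Classic AV: a fixed byte string anywhere in the file."""
    return signature in sample


def emulate_and_scan(sample: bytes, signature: bytes) -> bool:
    """What a scanner must do for polymorphic code: run (here: replay) the
    decryptor to recover the constant body, then scan the plaintext."""
    if not sample.startswith(DECRYPTOR_STUB):
        return False
    key = sample[len(DECRYPTOR_STUB)]
    plaintext = xor_bytes(sample[len(DECRYPTOR_STUB) + 1:], key)
    return signature in plaintext


# ---- Metamorphic code: no encryption, the body itself is rewritten ----------
# Instructions are plain strings; a metamorphic generation swaps in
# equivalent instructions and inserts junk, so no byte string is invariant.
ORIGINAL_CODE = ["mov eax,0", "push ebx", "call f", "pop ebx"]
MUTATED_CODE = ["nop", "xor eax,eax", "push ebx", "nop", "call f", "pop ebx"]

# Canonical forms for a few equivalent instructions (illustrative subset).
EQUIVALENTS = {"xor eax,eax": "mov eax,0", "sub eax,eax": "mov eax,0"}


def normalize(code: list[str]) -> list[str]:
    """Drop junk instructions and map equivalents to one canonical form, so a
    structural signature can see through simple metamorphic rewriting."""
    return [EQUIVALENTS.get(ins, ins) for ins in code if ins != "nop"]


def sequence_match(code: list[str], signature: list[str]) -> bool:
    """Exact instruction-sequence match (a 'signature' at instruction level)."""
    n = len(signature)
    return any(code[i:i + n] == signature for i in range(len(code) - n + 1))


def demo() -> dict[str, bool]:
    """Run every check once; every value is expected to be True."""
    v1, v2 = polymorphic_variant(0x5A), polymorphic_variant(0x3C)
    return {
        # two generations of the same family share no body bytes...
        "variants_differ": v1 != v2,
        # ...so a signature on the plaintext body misses both,
        "body_sig_misses_variant": not byte_signature_match(v1, BODY),
        # the invariant decryptor is still matchable (the classic weak spot),
        "stub_sig_hits_variant": byte_signature_match(v1, DECRYPTOR_STUB),
        # and replaying the decryptor recovers the body for scanning.
        "emulation_hits_variant": emulate_and_scan(v1, BODY)
        and emulate_and_scan(v2, BODY),
        # metamorphic generation: instruction-level signature fails...
        "raw_seq_misses_mutant": not sequence_match(MUTATED_CODE, ORIGINAL_CODE),
        # ...until the code is normalized first.
        "normalized_seq_hits_mutant": sequence_match(
            normalize(MUTATED_CODE), ORIGINAL_CODE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

The asymmetry is the talk's point: for the polymorphic case something invariant (the decryptor, or the decrypted body) is still there to match once the scanner emulates; for the metamorphic case the scanner has to know the rewriting rules, and a real engine's rule set is open-ended, which is where fixed pattern matching runs out.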
Metamorphic Detection

In Feb 2007, 17 state-of-the-art AV scanners were checked against 12 well-known, previously submitted, highly polymorphic and metamorphic malware samples.

Detection miss rates: 100% to 0%, average of 38%.

Metamorphism: mutate the body in subsequent generations.
Today: Highly variable MW

Bagle/Beagle: email-borne worm, first appeared in 2004

Strategy:
- Server-side metamorphic
- High, at times bursty, intensity release
- Few instances (10s-100s) per variant
- Distinct variants since Jan 9 07: ~30,000
- Average distinct variants per day: 625

Not the only one: Feebs, Warezov ..

From Commtouch's Bagle Report: http://commtouch.com/downloads/Bagle-Worm_MOTR.pdf

"The server-side polymorphic technique of writing and releasing large numbers of variants, each variant distributed via just a few email messages, is used by the malware writers to enable them to continue to defeat traditional AV solutions that are based on signatures or heuristic rules. These common anti-virus techniques depend on prior knowledge of malware to devise tools to block future outbreaks. Since server-side polymorphs like Bagle distribute each variant in a small number of emails and then switch to new variants, by the time traditional AV vendors can develop a signature or heuristic appropriate for one variant its lifecycle has ended and new variants are being propagated. Overwhelmed with a constant barrage of new variants, traditional AV solutions have difficulty keeping up."