The Evolution of Network Antivirus - Gunter Ollmann, VP Research
Whitepaper

The Evolution of Network Antivirus
Gunter Ollmann, VP Research
The last two decades have seen substantial advances in both malware and the antivirus technologies used to mitigate it. Operating at both the host and the network level, protection solutions have been developed to counter multiple aspects of the evolving threat and the malware lifecycle. As can be expected in a technical field that has evolved (and continues to evolve) alongside the threat, there are a great many technological approaches to countering it. This causes much confusion for organizations as they reevaluate their Internet defenses and seek commercial solutions to address both mainstream and targeted attacks.

This paper examines the evolution of solutions designed to counter the malware threat by looking at how each major antivirus technology is related to the others. Attention is paid to the dynamics of their deployment, to their strengths relative to earlier antivirus approaches, and to the ways in which professional cyber criminals and hackers have sought to evade them.

[Figure 1: a map of host-based technologies (Signature, Heuristics, Behavioral Analysis, Cloud Sharing, and Host IDS / Vulnerability Detection) and network-based technologies (Signature, Behavioral (Emulator), Dynamic Analysis (Virtual Machine), Dynamic Signature Creation (VM+Sig), Cloud Sharing, Cloud Analysis, and Network IDS / Vulnerability Detection).]

Figure 1: The evolution of corporate antivirus detection technologies.

Host-based Antivirus Evolution

While the focus of this paper is upon the evolution of network-based antivirus solutions, it is important to understand how host-based antivirus solutions have evolved. Host antivirus products are obviously focused on detecting malicious files that have made it down to the "desktop" of the user's environment.
In almost all cases, the primary mission of host-based antivirus solutions is to detect malware before it is executed by the operating system or opened by an application. This is accomplished either by intercepting all "file open" operations initiated by the operating system or the user, or through asynchronous scanning of the file system. The figure below depicts the evolution of, and the relationships between, the major antivirus technological approaches. In many cases the current generation of commercial host-based antivirus solutions has incorporated each of these technologies, making it impossible to differentiate their component parts.
[Figure 2: Signature (Host) → Heuristics (Host) → Behavioral Analysis (Host) → Cloud Sharing (Host), with Host IDS / Vulnerability Detection alongside.]

Figure 2: The evolutionary relationship of key host-based antivirus technologies.

Host-based Detection Technologies

The antivirus technologies deployed in host-based defenses evolved the way they did primarily for two reasons: filling in the weaknesses and evasions of the earlier generation of antivirus technology, and restrictions related to "playing nice" with the other software on the host.

The primary host-based antivirus technologies and approaches can be described as the following:

• Signature Detection
• Heuristic Detection
• Behavioral Analysis
• Cloud Sharing

Special mention must also be made of:

• Vulnerability Detection

Signature Detection

Signature detection was, and continues to be, the backbone of all host-based antivirus solutions. In essence the product vendor remotely analyzes malware samples gathered from around the world and creates a signature for each malicious file. That signature may be as simple as a unique file hash (e.g. MD5 or SHA1), or a complex regular expression that searches for specific data sequences within a file. Each signature is associated with a threat label (e.g. Win32/Conficker.C).
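The hash-and-pattern matching just described, as an added example (not code from the paper or from any vendor): a minimal signature engine in Python over constructed byte strings standing in for files. The threat labels, the sample bytes and the signatures are invented for the example. It also illustrates the polymorphism point the paper makes for both host and network signature detection: a whole-file hash signature misses a variant whose trailing bytes differ, while a byte-pattern signature for the unchanged core still fires.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in files (not real malware): byte strings that play the
# role of binaries handed to the scanner.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
                + b"payload: drop, autostart, beacon" + b"\x41" * 16)
# Same core bytes, different trailing bytes: what a polymorphic "randomized"
# build looks like to a hash-based signature.
POLYMORPHIC_VARIANT = KNOWN_SAMPLE[:-16] + b"\x42" * 16
BENIGN_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"hello from a harmless installer"


@dataclass
class Signature:
    label: str                        # threat label attached to a match
    sha1: Optional[str] = None        # whole-file hash signature
    pattern: Optional[bytes] = None   # byte-level regular expression


# Hypothetical labels; a vendor would use its own family naming.
SIGNATURES = [
    Signature(label="Example/HashOnly.A",
              sha1=hashlib.sha1(KNOWN_SAMPLE).hexdigest()),
    Signature(label="Example/Pattern.A",
              pattern=rb"payload: drop, autostart, beacon"),
]

# Hash signatures are indexed once so the in-line check is a dictionary
# lookup, which is what makes hash-based classification so cheap on the host.
HASH_INDEX = {s.sha1: s.label for s in SIGNATURES if s.sha1}
PATTERN_SIGS = [s for s in SIGNATURES if s.pattern]


def scan(data: bytes) -> List[str]:
    """Return the threat labels of every signature matching `data`."""
    hits = []
    digest = hashlib.sha1(data).hexdigest()
    if digest in HASH_INDEX:
        hits.append(HASH_INDEX[digest])
    for sig in PATTERN_SIGS:
        if re.search(sig.pattern, data):
            hits.append(sig.label)
    return hits


if __name__ == "__main__":
    for name, blob in [("known sample", KNOWN_SAMPLE),
                       ("polymorphic variant", POLYMORPHIC_VARIANT),
                       ("benign file", BENIGN_FILE)]:
        print(f"{name:20s} -> {scan(blob) or 'clean'}")
```

The pattern signature is deliberately anchored on bytes the attacker cannot change without changing what the sample does; that is the trade-off a signature author makes between the speed of a hash lookup and the resilience of a content pattern.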
Top-3 Strengths
1. Extremely fast file classification, with minimal load upon the host, using simple file hash value comparisons. Fast analysis of files using simple analysis signatures.
2. Low false positive rates.
3. Identification of legitimate files and applications that have been injected with known malicious code.

Top-3 Evasion Techniques
1. "Just-in-time malware" releases. It takes time for vendors to receive and analyze files, to generate new signatures, and to deploy them to customers. The attacker only needs to release or update malware more frequently than the vendors can push new signatures.
2. Employment of polymorphic techniques that "randomize" malicious binaries with every installation, creating a one-of-a-kind file. Since each file is unique, signatures dependent upon known file hash values are defeated.
3. The use of exploits and malware installation processes that disable host-based defenses, ensuring that the malicious content will not be detected.

Heuristic Detection

Heuristic detection represents an extension of classical signature-based detection. Moving beyond standard signatures, heuristic detection focuses upon the statistical features of the file being analyzed. These statistical features are often derived from a number of rudimentary signatures that individually would produce high false positive rates but, when many such signatures are combined, allow the antivirus engine to reach a conclusion as to maliciousness. Specific decision rules and weightings are employed to determine the threat.

Fill which detection gap?

Heuristic detection techniques are employed to fill the gaps in signature-based detection systems relating to common code-level obfuscation techniques and propagation techniques.

Top-3 Strengths
1. Detection of worm and code distribution techniques used to propagate the malware.
2. Identification of common techniques employed by polymorphic, oligomorphic and metamorphic malware.
3. Detection and classification of some popular families of malware without requiring a specific signature or file hash values.

Top-3 Evasion Techniques
1. Employment of file-level encryption and compression (e.g. packers) to obfuscate sections of the malicious binary.
2. Leveraging existing file dependencies and APIs of software already present within the operating system (which are deemed "safe" by the antivirus engine) to initiate propagation and malicious functions.
3. Automatic detection by the malware of emulator presence (e.g. missing APIs, debugger hooking, etc.), after which it acts benign.
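A weighted-rule heuristic of the kind described above, written as an added example (not the paper's or any product's code). The rules, weights, threshold and the two constructed inputs are assumptions chosen for illustration; the point is that each rudimentary signature would be a false positive on its own (a packed installer also scores on entropy and an embedded URL) and only the weighted combination crosses the decision threshold.

```python
import math
import re
from typing import Callable, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted (packed) content,
    well below that for ordinary code, tables and text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Each rule is a rudimentary signature with a weight. Taken alone, every one
# of them fires on plenty of legitimate software (installers are packed,
# updaters embed URLs, small tools import few DLLs); only the weighted sum
# is used for the verdict. Weights and rules are this example's assumptions.
RULES: List[Tuple[str, float, Callable[[bytes], bool]]] = [
    ("high-entropy body (packed)", 2.0,
     lambda d: shannon_entropy(d) > 7.2),
    ("process-injection API names", 3.0,
     lambda d: b"WriteProcessMemory" in d and b"CreateRemoteThread" in d),
    ("auto-start registry path", 2.0,
     lambda d: b"CurrentVersion\\Run" in d),
    ("no user32.dll import (no UI)", 1.0,
     lambda d: b"user32.dll" not in d.lower()),
    ("embedded URL", 1.0,
     lambda d: re.search(rb"https?://[\w.-]+", d) is not None),
    ("tiny import table", 1.5,
     lambda d: d.count(b".dll") <= 2),
]
THRESHOLD = 5.0   # decision rule: a weighted sum at or above this is suspicious


def heuristic_score(data: bytes) -> Tuple[float, List[str]]:
    """Weighted sum of the rules that fire, plus their names for the analyst."""
    score, reasons = 0.0, []
    for name, weight, test in RULES:
        if test(data):
            score += weight
            reasons.append(name)
    return score, reasons


def classify(data: bytes) -> str:
    score, _ = heuristic_score(data)
    return "suspicious" if score >= THRESHOLD else "clean"


# Constructed inputs: a 4 KiB block covering every byte value uniformly stands
# in for a packed section (entropy exactly 8.0). Neither is a real program.
PACKED_SECTION = bytes(range(256)) * 16
PACKED_INSTALLER = (b"MZ kernel32.dll user32.dll msvcrt.dll Setup Wizard "
                    b"https://vendor.example/updates " + PACKED_SECTION)
DROPPER = (b"MZ kernel32.dll WriteProcessMemory CreateRemoteThread "
           b"Software\\Microsoft\\Windows\\CurrentVersion\\Run "
           b"http://203.0.113.5/stage2 " + PACKED_SECTION)

if __name__ == "__main__":
    for name, blob in [("packed installer", PACKED_INSTALLER), ("dropper", DROPPER)]:
        score, reasons = heuristic_score(blob)
        print(f"{name}: {classify(blob)} (score {score}) {reasons}")
```

Returning the list of rules that fired alongside the score is what lets an analyst tune weights when a legitimate application is misclassified, which is the operational side of the false-positive trade-off the text describes.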
Behavioral Analysis

Behavioral analysis of malware is typically achieved using one of two popular techniques. The first (and simplest) can be thought of as an extension of heuristic detection, in which an extended set of loose signatures is assigned to common malicious behaviors or sequences of behaviors (e.g. overwriting key operating system files, adding auto-start registry commands, and initiating a low port connection) and detected by scanning through the malicious binary. The second technique requires access to an optimized emulator or virtual machine in which the malicious binary can be dynamically executed in a contained way and its sequence of actions scrutinized for known malicious behaviors.

Behavioral analysis engines tend to impose high performance overheads on the host on which they run. Antivirus vendors must reach a compromise between the performance impact of the dynamic analysis engine upon the desktop and the depth and breadth of behaviors the engine is capable of observing. Emulators tend to have the least impact on the desktop system, but are limited to specific behavior observations. Virtual machines may be capable of observing the widest range of malware behaviors, but consume considerable resources of the desktop system.

Fill which detection gap?

Behavioral analysis techniques are essentially an expanded set of heuristic signatures. They encompass a series of observed (or probable) behaviors that can be classified as malicious and tied to a category of threat (e.g. rootkit, password stealer, etc.). By using an emulator or virtual machine, it becomes possible to overcome several popular file obfuscation techniques designed to thwart static analysis approaches.

Top-3 Strengths
1. Categorization of malware based upon threat type (e.g. rootkit, banking Trojan, etc.).
2. Improved heuristics approach, lowering false positives and increasing detection of newly released malware.
3. Overcoming several popular file obfuscation techniques designed to thwart static analysis of malicious binaries.

Top-3 Evasion Techniques
1. Improved "off-the-shelf" binary file packers, cryptors and armoring techniques.
2. Just-in-time unpacking and repacking of malware routines in memory to bypass file hooking and debugging analysis techniques.
3. Automatic identification of emulator and virtual machine analysis platforms, resulting in benign behavior of the malware sample.

Cloud Sharing

Many antivirus products now incorporate the automatic sharing of malware intelligence between the software vendor and the desktop suite via a centralized "cloud" platform. This "Cloud Sharing" arrangement is designed to enable new malware samples intercepted and classified at the desktop level (using existing heuristic and behavioral engines) to be shared with the vendor. In return, the vendor is able to develop signatures for a broader distribution of malware threats and, ideally, push new signatures and threat classifications down to the desktop faster.
Cloud sharing systems allow the antivirus vendor to use a lighter-weight agent at the user's desktop and to run more resource-intensive detection and analysis engines at their remote location. It is assumed that the more people who run the desktop protection suite and contribute malware samples to the cloud, the more comprehensive and refined the signatures will become.

Fill which detection gap?

Cloud sharing systems are not necessarily designed to fill a particular protection gap. Rather, they are designed to increase the speed at which new malware is collected and signatures can be generated, as a counter to the pace at which criminals release new updates.

Top-3 Strengths
1. Broader visibility of threats from around the world.
2. Faster signature distribution than traditional signature update mechanisms.
3. Smaller and less resource-intensive agents present on the desktop system being protected.

Top-3 Evasion Techniques
1. Malware "locked" to a specific device such that it will only execute upon the targeted machine and cannot be analyzed on a remote vendor system.
2. Multi-stage malware infections that separate the "installer" from the malware agent. The "installer" is pushed to the cloud for analysis, but the malware agent is not accessible due to blacklists and other filtering imposed by the attacker.
3. Multi-part malware that relies upon other shared libraries, DLLs or agents being present upon the targeted device for the malicious activities to execute. The cloud analysis system must be identical to the target system, with the same installed applications, for the malware to be operational.

Vulnerability Detection

While not specifically a malware detection technique, vulnerability detection capabilities have been added to antivirus products in the form of a host-based intrusion detection system (IDS).
An IDS is used to detect the vectors used to infect and distribute the malware agent, rather than performing any analysis of the actual malicious binary.

Fill which detection gap?

The incorporation of IDS functionality allows antivirus products to detect actions on the host that would likely allow a malicious file to bypass the malware detection systems; for example, detection of exploits for vulnerabilities that would allow the attacker to disable the antivirus scanning technology.
Network-based Antivirus Evolution

While antivirus technologies initially required installation on each device that needed protection, it was recognized early on that certain efficiencies could be achieved by providing antivirus capabilities at the network level. Today network-based antivirus functions as the frontline against malware, while host-based antivirus represents the last line of defense.

Network antivirus technologies have evolved at a faster pace than their host-based cousins. While they shared many of the same capabilities early in their evolution, the ability to separate the automated analysis of malicious binaries from the operation of an infected system (which is trying to share resources with the user and all their applications) has meant that more sophisticated, dedicated detection engines are more practical when deployed at the network level.

A number of advantages are gained by deploying antivirus technologies at the network level. The primary advantage lies in the efficiency of analyzing and detecting larger volumes of malware as they are downloaded by the targeted device over the network. Whether the network-based antivirus technology is deployed in an inline or an out-of-band capacity, the objective of this analysis step is to identify and label binaries as malware so that incident responders know which computers are likely to have been infected and which will likely require host-based remediation actions. In some instances, inline network-based antivirus technologies intentionally add a "bump in the wire" and block some types of malware from being fully downloaded by the victim device.

The figure below depicts the evolution of, and the relationships between, the major network-based antivirus technological approaches. In many cases the current generation of commercial network-based antivirus solutions has subsumed many aspects of an earlier technology.
[Figure 3: Signature (Host) as the common ancestor of Signature (Network) → Behavioral (Emulator) (Network) → Dynamic Analysis (Virtual Machine) (Network) → Dynamic Signature Creation (VM+Sig) (Network) → Cloud Sharing (Network) → Cloud Analysis (Network), with Network IDS / Vulnerability Detection alongside.]

Figure 3: The evolutionary relationship of key network-based antivirus technologies.

Network-based Detection Technologies

The antivirus technologies deployed in network-based defenses share a common ancestry with host-based detection technologies. However, due to their dedicated use and greater resource assignment, the detection components they employ are generally more sophisticated and more advanced than their host-based counterparts. Again, as with the evolution of host-based antivirus solutions, network-based antivirus solutions evolved the way they did primarily for two reasons: filling in the weaknesses and evasions of the earlier generation of antivirus technology, and positioning within the network with respect to other network protection technologies.
The primary network-based antivirus technologies and approaches can be described as the following:

• Signature Detection
• Dynamic Signature Creation
• Behavioral Analysis
• Cloud Sharing
• Dynamic Analysis
• Cloud Analysis

Most network antivirus solutions are deployed in at least one of three common configurations:

• Passive Detection. The antivirus appliance is expected to passively observe all network traffic (e.g. from a network tap) and raise alerts when malicious files are seen traversing the wire. The appliance is not expected to block the malware, merely to report detections.
• In-line Blocking. The antivirus appliance is positioned within the network in such a way that specific types of traffic must pass through it before reaching the nominated destination. The appliance monitors various protocols associated with specific data transfer types (e.g. HTTP for Web downloads, SMTP for email attachments), identifies files, analyzes their content, makes a decision as to their maliciousness, and ideally allows benign files through while preventing malicious files from reaching their destination.
• External Classification. The antivirus appliance is used as an external "expert" by other traffic parsing and analyzing technologies for the identification and classification of malware threats. Binary files are intercepted by one network device or server and passed to the antivirus appliance for threat determination. The antivirus appliance analyzes the file and passes abbreviated results back to the requestor. Protocols such as ICAP are commonly used by proxy and mail servers to pass intercepted binary files to specialist antivirus appliances.

An obvious limitation of network-based antivirus solutions is, of course, their visibility of network traffic.
Enterprise network topology can pose a number of challenges that effectively limit the scope of the traffic that can be observed and, correspondingly, the number of malware distribution vectors to the victim device that are covered. While host-based antivirus is theoretically capable of observing all binaries transported to the victim device, network-based antivirus typically has a more limited perspective on the inbound threat.

Signature Detection

Network-based signature detection capabilities are the same as those of host-based signature systems. Armed with a library of previously known and classified signatures or file hashes, the network antivirus product can identify malicious files that the appliance is passed for analysis.

Signature detection was, and continues to be, the backbone of many network-based antivirus approaches. In essence the product vendor remotely analyzes malware samples gathered from around the world and creates a signature for each malicious file. That signature may be as simple as a unique file hash value, or a rudimentary regular expression that searches for specific data sequences within a file. Each signature is associated with a threat label.
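The External Classification configuration described above hands intercepted files to the appliance over ICAP. As an added example (not the paper's or any vendor's code), the following builds an ICAP RESPMOD request for an intercepted HTTP download and interprets the appliance's reply. The server URI, the ISTag values and all messages are constructed; the X-Infection-Found header used to carry the verdict is a common vendor extension rather than part of RFC 3507, and is an assumption of this example.

```python
from typing import Dict, Tuple

# Hypothetical appliance address; a proxy would be configured with its own.
ICAP_URI = "icap://icap.example.net/respmod"


def chunked(body: bytes) -> bytes:
    """HTTP/1.1 chunked transfer encoding, which RFC 3507 requires for
    encapsulated bodies (one chunk followed by the zero-length terminator)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Wrap an intercepted HTTP response (and the request that produced it)
    in an ICAP RESPMOD request. The Encapsulated offsets are byte positions
    measured from the first byte after the blank line that ends the ICAP
    headers, so they depend only on the lengths of the two HTTP header blocks."""
    res_hdr_off = len(req_hdr)
    res_body_off = res_hdr_off + len(res_hdr)
    icap_headers = (
        f"RESPMOD {ICAP_URI} ICAP/1.0\r\n"
        f"Host: icap.example.net\r\n"
        f"Allow: 204\r\n"   # we can accept a "nothing to change" reply
        f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, res-body={res_body_off}\r\n"
        f"\r\n"
    ).encode("ascii")
    return icap_headers + req_hdr + res_hdr + chunked(body)


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Status code and lower-cased headers of an ICAP response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def verdict(raw_response: bytes) -> str:
    """Map the appliance's reply to the action the requesting proxy takes."""
    status, hdrs = parse_icap_response(raw_response)
    if status == 204:
        return "allow"        # unmodified: proxy forwards the original download
    if status == 200 and "x-infection-found" in hdrs:
        # Extension header (assumed here, not in RFC 3507): the appliance
        # returns its own replacement HTTP response and names the threat.
        return "block:" + hdrs["x-infection-found"]
    if status == 200:
        return "modified"     # appliance supplied a rewritten response
    return f"error:{status}"


# Constructed messages standing in for a real interception and two replies.
REQ_HDR = b"GET /downloads/tool.exe HTTP/1.1\r\nHost: www.origin.example\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
BODY = b"MZ\x90\x00 constructed stand-in for an intercepted binary"
ALLOW_REPLY = b"ICAP/1.0 204 No Content\r\nISTag: \"example-db-1\"\r\n\r\n"
BLOCK_RES_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"example-db-1\"\r\n"
               b"X-Infection-Found: Type=0; Resolution=2; Threat=Example.Pattern.A;\r\n"
               + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_RES_HDR)
               + BLOCK_RES_HDR + chunked(b"Download blocked by policy."))

if __name__ == "__main__":
    print(build_respmod(REQ_HDR, RES_HDR, BODY).decode("ascii", "replace"))
    print(verdict(ALLOW_REPLY), verdict(BLOCK_REPLY))
```

Computing the Encapsulated offsets from the actual header lengths, rather than hard-coding them, is the detail that most often breaks home-grown ICAP clients; an appliance that receives wrong offsets will parse the body as headers and return an error instead of a verdict.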
Fill which detection gap?

Signature-based malware detection was added at the network level as an economical defense-in-depth addition to corporate defenses. Network-based antivirus solutions are often easier to update and manage than several thousand host-based antivirus deployments (which may be in various states of patching and update). Network-based solutions also provide some level of antivirus defense to devices that do not have their own antivirus capabilities (due to resource constraints, OS support issues, etc.).

Top-3 Strengths
1. Extremely fast file classification, using simple file hash value comparisons. Fast analysis of files using simple analysis signatures.
2. Identification of legitimate files and applications that have been injected with known malicious code.
3. Low false positive rates.

Top-3 Evasion Techniques
1. "Just-in-time malware" releases. It takes time for vendors to receive and analyze files, to generate new signatures, and to deploy them to customers. The attacker only needs to release or update malware more frequently than the vendors can push new signatures.
2. Employment of polymorphic techniques that "randomize" malicious binaries with every installation, creating a one-of-a-kind file. Since each file is unique, signatures dependent upon known file hash values are defeated.
3. The use of exploits and malware installation processes that disable host-based defenses, ensuring that the malicious content will not be detected.

Behavioral Analysis

Network-based behavioral analysis capabilities differ from those found in host-based antivirus products. The evolutionary path for network-based antivirus detection saw a differentiation between emulator-based and virtual-machine-based approaches. In general, "behavioral analysis" in network-based antivirus solutions can be assumed to be a mix of heuristic and emulator-based analysis mechanisms.
Emulators for mainstream operating systems (e.g. Windows XP) are capable of replicating many of the standard procedure calls necessary to allow software to "run" within them. Emulators can be easily instrumented to identify all calls made by guest applications, which in turn can be associated with behaviors. These behaviors are then classified as malicious or not. The addition of emulators to network-based antivirus solutions allows for the signature-less detection of several common classes of malware, and the association of specific behaviors with maliciousness.

The emulators themselves are generally "lightweight", replicating only a minimal set of OS functionality, so they are capable of accelerated binary execution and analysis (i.e. faster than running the malware on a standard OS installation), typically imposing only a slight delay on the end user as the file is analyzed. However, their Achilles' heel is their limited scope of OS functionality: any application that makes non-standard calls will cause the analysis to fail. Emulators are typically prone to high false positive detection rates.
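Instrumenting guest calls, mapping them to behaviors and then mapping behavior combinations to threat categories, as described here and in the host-based Behavioral Analysis section above, shown as an added example (not code from the paper or any product). The traces are constructed; the argument layout of each call, the behavior tags and the category definitions are this example's own assumptions, while the API names are real Windows calls.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Call:
    """One instrumented call captured from the emulated or virtualized guest."""
    api: str
    args: Dict[str, object] = field(default_factory=dict)


# Each detector maps a single observed call to a behavior tag (or None).
# Argument shapes are this example's simplification of what an instrumented
# guest would report.
def _autostart(c: Call) -> Optional[str]:
    key = str(c.args.get("key", "")).lower()
    if c.api == "RegSetValueEx" and "currentversion\\run" in key:
        return "persistence:autostart"
    return None


def _overwrite_system_file(c: Call) -> Optional[str]:
    path = str(c.args.get("path", ""))
    writable = "w" in str(c.args.get("mode", ""))
    if c.api == "CreateFile" and writable and re.match(r"(?i)c:\\windows\\system32\\", path):
        return "tamper:system-file"
    return None


def _low_port_connect(c: Call) -> Optional[str]:
    if c.api == "connect" and int(c.args.get("port", 65535)) < 1024:
        return "network:low-port-connect"
    return None


def _keyboard_hook(c: Call) -> Optional[str]:
    if c.api == "SetWindowsHookEx" and c.args.get("hook") == "WH_KEYBOARD_LL":
        return "capture:keystrokes"
    return None


def _load_driver(c: Call) -> Optional[str]:
    return "kernel:load-driver" if c.api == "NtLoadDriver" else None


DETECTORS: List[Callable[[Call], Optional[str]]] = [
    _autostart, _overwrite_system_file, _low_port_connect, _keyboard_hook, _load_driver,
]

# A threat category is a set of behaviors that must all be present. Category
# names follow the paper's examples; the combinations are assumptions.
CATEGORIES: Dict[str, Set[str]] = {
    "rootkit": {"tamper:system-file", "kernel:load-driver"},
    "password stealer": {"capture:keystrokes", "network:low-port-connect"},
    "generic trojan": {"persistence:autostart", "network:low-port-connect"},
}


def behaviours(trace: List[Call]) -> Set[str]:
    """Reduce a raw call trace to the set of behavior tags it exhibits."""
    seen: Set[str] = set()
    for call in trace:
        for detector in DETECTORS:
            tag = detector(call)
            if tag:
                seen.add(tag)
    return seen


def classify(trace: List[Call]) -> List[str]:
    """Every category whose required behaviors are all present, sorted."""
    found = behaviours(trace)
    return sorted(name for name, needed in CATEGORIES.items() if needed <= found)


# Constructed traces; no real program produced them.
STEALER_TRACE = [
    Call("SetWindowsHookEx", {"hook": "WH_KEYBOARD_LL"}),
    Call("RegSetValueEx", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                           "value": "updater"}),
    Call("connect", {"host": "203.0.113.9", "port": 25}),
]
ROOTKIT_TRACE = [
    Call("CreateFile", {"path": r"C:\Windows\System32\drivers\hidden.sys", "mode": "w"}),
    Call("NtLoadDriver", {"name": "hidden"}),
]
BENIGN_TRACE = [
    Call("CreateFile", {"path": r"C:\Users\alice\Documents\notes.txt", "mode": "w"}),
    Call("connect", {"host": "192.0.2.10", "port": 8443}),
]

if __name__ == "__main__":
    for name, trace in [("stealer", STEALER_TRACE), ("rootkit", ROOTKIT_TRACE),
                        ("benign", BENIGN_TRACE)]:
        print(f"{name}: {sorted(behaviours(trace))} -> {classify(trace) or ['unclassified']}")
```

Separating the two layers matters for the false-positive problem the text raises: a single behavior such as a low-port connection is common in legitimate software, so a verdict is only reached when a category's whole combination is observed, and the intermediate behavior set is what an analyst reviews when a sample lands in neither bucket.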
Fill which detection gap?

Behavior-based malware detection is designed to augment signature systems by adding a degree of signature-less capability. The emulator is capable of recognizing certain malware traits and behaviors and automatically labeling them as malicious. As malware has become more advanced, the limited OS functionality of emulators has limited their usefulness.

Top-3 Strengths
1. Addition of "signature-less" detection for common families of malware.
2. Rapid processing of malware binaries and behavioral classification.
3. Small "bump in the wire" as files are delayed in transit, analyzed, and eventually sent to the destination.

Top-3 Evasion Techniques
1. Addition of non-standard packers and malware armoring tools that use non-standard (non-emulated) procedure calls within the emulator.
2. Addition of binary functions capable of detecting the presence of an emulator and causing the malware to act benignly.
3. Use of HTTPS to transfer the malicious binary, ensuring that the network appliance is incapable of observing or obtaining a sample of the malware in transit.

Dynamic Analysis

Dynamic analysis systems typically include virtual machine (VM) analysis engines. Unlike emulators, VMs are designed to replicate a standard desktop environment more fully, typically virtualizing all of the hardware interfaces and allowing a "guest" operating system to be installed. The guest OS will often be a complete installation and typically requires software drivers for accessing the underlying virtualized hardware. Because of their more accurate replication of a standard operating system, VMs are able to run a variety of operating systems and most standard applications within them.
The strength of VM-based approaches lies in their versatility in handling a broad spectrum of malicious software and their ability to be extensively instrumented to capture a variety of behaviors. VMs are, however, not a lightweight analysis platform. Because they replicate a real OS and application deployment, they cannot normally "accelerate" the operation of malware deployed within them, meaning that malware samples must be played "in real time" to be analyzed. Depending upon the configuration of the dynamic analysis engine, malware samples may require several minutes to execute. This means that dynamic analysis antivirus appliances often process malware samples asynchronously to the traffic flow and are rarely used to "block" malware infiltration in the way emulator-based behavioral detection systems are.

Fill which detection gap?

The goal of dynamic analysis antivirus appliances is to identify malware that would otherwise evade emulator-based behavioral detection technologies. The VM approach allows a broader range of behaviors to be observed and classified, and its mechanics of operation are more difficult for the malware itself to detect. This heavyweight approach, while capable of identifying a broad range of malware, is very slow compared to signature- and emulator-based detection approaches, so it is typically augmented with a signature-based detection system (identifying known malware that then does not need to undergo expensive analysis cycles).
Top-3 Strengths
1. Capable of detecting a broad range of obfuscated and armored malware designed to bypass signature- and emulator-based detection technologies.
2. Can produce detailed malware "trace" data that is very useful to corporate malware defense teams when it comes to developing clean-up scripts.
3. Can be configured to use a number of "gold images" (i.e. standard desktop configurations used within a corporate environment) to detect multi-stage malware that requires certain application components and DLLs to exist on the victim device before operating in a malicious manner.

Top-3 Evasion Techniques
1. The addition of VM-focused armoring and evasion functionality. While VMs are harder to detect than emulators, in practice there is very little difference. Commercial armoring tools have added tick-box evasion for defeating both emulator- and VM-based analysis systems.
2. Use of HTTPS to transfer the malicious binary, ensuring that the network appliance is incapable of observing or obtaining a sample of the malware in transit.
3. The use of multi-stage "droppers" and "downloaders" separate from the fully-featured malware component. Droppers and downloaders must successfully install themselves on the target machine, inventory the victim, upload the inventory to a site, and then receive a "locked" malware for the host. The inventory phase is used to identify the "uniqueness" of the victim; non-unique machines are not exposed to the real malware.

Dynamic Signature Creation

Dynamic signature creation approaches are effectively a combination of standard signature-based detection engines with dynamic analysis engines, in which the dynamic analysis engine is expected to detect new malware (i.e. malware that does not already have a signature) and to automatically create a signature that can then be incorporated into the appliance's local signature cache.
Fill which detection gap?

Dynamic signature creation approaches are designed to increase the overall performance of stand-alone signature and dynamic analysis systems. While dynamic analysis engines must operate asynchronously to the normal network traffic flow, the signatures they create can be automatically added to the in-line signature detection engine, thereby blocking all future downloads of the same malware (based upon a regular expression or a unique hash).

Top-3 Strengths
1. Addition of blocking capability for second-time detection of new malware strains.
2. Can produce detailed malware "trace" data that is very useful to corporate malware defense teams when it comes to developing clean-up scripts.
3. Can be configured to use a number of "gold images" (i.e. standard desktop configurations used within a corporate environment) to detect multi-stage malware that requires certain application components and DLLs to exist on the victim device before operating in a malicious manner.

Top-3 Evasion Techniques
1. Use of HTTPS to transfer the malicious binary, ensuring that the network appliance is incapable of observing or obtaining a sample of the malware in transit.
2. The use of "one-time" personalized malware. In essence, the malicious binary is created automatically on the fly by the attacker, with each malware sample being unique, making the creation of a signature a moot point.
3. Incorporation of network-dependent features within the malware that require Internet access to engage, and the use of unique or algorithmically generated domains to engage with the attacker's remote infrastructure, so that any automatically generated signature is irrelevant to future malware operation.
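The split between the in-line signature path and the asynchronous analysis path described above, as an added example (not the paper's or any appliance's code). The analysis engine is replaced by a stand-in that looks for a constructed marker string, and the sample bytes and threat label are invented. The scenario shows a first download passing, the second download of the same file being blocked once a signature exists, and a per-victim personalized copy passing again because its hash differs (the second evasion technique listed above).

```python
import hashlib
from collections import deque
from typing import Callable, Deque, Dict, Optional, Set, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class InlineSignatureCache:
    """The appliance's local signature store, consulted on the in-line path.
    Only hash signatures here, so a lookup is one dictionary access."""

    def __init__(self) -> None:
        self._labels: Dict[str, str] = {}

    def lookup(self, data: bytes) -> Optional[str]:
        return self._labels.get(sha256(data))

    def add(self, data: bytes, label: str) -> None:
        self._labels[sha256(data)] = label


class DynamicSignatureAppliance:
    """In-line blocking on known hashes; unknown files pass and are queued for
    the slow, asynchronous analysis engine, whose verdicts become new local
    signatures."""

    def __init__(self, analyze: Callable[[bytes], Optional[str]]) -> None:
        self.cache = InlineSignatureCache()
        self.queue: Deque[bytes] = deque()
        self.queued: Set[str] = set()    # do not analyze the same file twice
        self.analyze = analyze

    def on_download(self, data: bytes) -> str:
        """Fast path, executed as the file crosses the wire."""
        label = self.cache.lookup(data)
        if label is not None:
            return f"blocked:{label}"
        digest = sha256(data)
        if digest not in self.queued:
            self.queued.add(digest)
            self.queue.append(data)
        return "passed"    # first sighting: the user receives the file

    def run_analysis(self) -> int:
        """Slow path, run out of band; returns the number of signatures created."""
        created = 0
        while self.queue:
            sample = self.queue.popleft()
            label = self.analyze(sample)
            if label is not None:
                self.cache.add(sample, label)
                created += 1
        return created


# Stand-in for the VM-based engine: a constructed marker string plays the
# role of the malicious behavior the real engine would observe at run time.
def toy_dynamic_analysis(sample: bytes) -> Optional[str]:
    return "Example/Downloader.A" if b"BEACON-TO-C2" in sample else None


NEW_MALWARE = b"MZ\x90\x00" + b"\x00" * 32 + b"BEACON-TO-C2"
# A "one-time" personalized build: same behavior, per-victim bytes appended,
# so its hash never matches the signature created from NEW_MALWARE.
PERSONALISED_COPY = NEW_MALWARE + b" victim-id=7a3f"
BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"hello"


def scenario() -> Tuple[str, int, str, str, int]:
    app = DynamicSignatureAppliance(toy_dynamic_analysis)
    first = app.on_download(NEW_MALWARE)               # passed: nothing known yet
    created = app.run_analysis()                       # engine flags it, signature written
    second = app.on_download(NEW_MALWARE)              # blocked: same hash
    personalised = app.on_download(PERSONALISED_COPY)  # passed: hash differs
    app.on_download(BENIGN)                            # passed and queued
    later = app.run_analysis()                         # only the personalized copy is flagged
    return first, created, second, personalised, later


if __name__ == "__main__":
    print(scenario())
```

The `queued` set is the small operational detail worth noticing: without it, every repeat download of an unknown benign file would be pushed into the expensive analysis queue, which is the resource-exhaustion path a busy appliance has to guard against.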
Cloud Sharing

Some antivirus products now incorporate the automatic sharing of malware intelligence between the software vendor and the network antivirus appliance via a centralized "cloud" platform. This "Cloud Sharing" arrangement is designed to enable new malware samples intercepted and classified by dynamic analysis engines to be shared with the vendor. In return, the vendor is able to develop signatures for a broader distribution of malware threats and, ideally, push new signatures and threat classifications down to their customers faster.

Fill which detection gap?

Network-based cloud sharing systems are designed to overcome the "what if this is the first time?" problem of dynamic signature creation appliances. By utilizing the vendor's cloud, the "first" discovery of a malware variant may have been made elsewhere, and all other customers should be similarly protected. If a new malware threat is first discovered by the organization, the file can be shared with the vendor and all other customers would receive the new signature, which would be deployed in blocking mode.

Top-3 Strengths
1. Broader visibility of threats from around the world.
2. Faster signature distribution than traditional signature update mechanisms.
3. Reduces the likelihood of encountering malware that does not have a signature and cannot be blocked.

Top-3 Evasion Techniques
1. Use of HTTPS to transfer the malicious binary, ensuring that the network appliance is incapable of observing or obtaining a sample of the malware in transit.
2. Multi-part malware that relies upon other shared libraries, DLLs or agents being present upon the targeted device for the malicious activities to execute. The cloud analysis system must be identical to the target system, with the same installed applications, for the malware to be operational.
3. Inappropriate settings or detection tuning at one customer location can cause non-malicious binaries to be classified as malicious, causing rogue signatures to propagate to other cloud members.

Cloud Analysis

While the cloud sharing capabilities of earlier network-based antivirus appliances increase the speed at which new signatures can be deployed, they do not increase the fidelity of detections or the breadth of malicious binaries that can be detected. Newer cloud-based analysis approaches largely do away with the in-network analysis of binaries, instead passing them to a cloud-based analysis platform capable of performing more advanced examination and classification processes.
Modern cloud-based analysis appliances do not provide in-situ analysis of suspicious files. Instead they perform a number of static analysis operations on intercepted binary files, determine their suspiciousness, check with the cloud as to the known state of the binary (e.g. has the binary been seen before, is it malicious, and what are the features/artifacts of the malware) and employ that knowledge for detecting and blocking the binary. If the binary is “unknown”, it is passed to the cloud platform for full analysis.

By removing the restrictions of operating from a single appliance, cloud-only analysis platforms employ many different automated techniques in parallel to analyze the binary – and to generate high-fidelity detection signatures and threat intelligence. By examining malware from many angles and subjecting samples to dynamic analysis under multiple conditions simultaneously (without being inhibited by the resource limitations of a single analysis appliance), it becomes increasingly difficult for the malicious binary to evade detection.

Fill which detection gap?

Cloud analysis platforms fill a number of critical gaps in network-based malware analysis and protection. These include the following:
• Detection and classification of non-Microsoft Windows malware – such as Mac OSX, Android, Linux, etc.
• Detection and classification of multiple application file formats beyond portable executable files.
• Parallel analysis of malware through emulator, VM and bare metal configurations. While a malware sample may be armored and designed to bypass one type of analysis platform, it is impossible to bypass all techniques.
• Incorporation of more advanced and resource intensive analysis engines that are too cumbersome to deploy within a corporate network.
• Internet access can be made available to allow malware samples to perform as they would upon a real victim’s device – overcoming evasion techniques employed in a growing number of malware families.

Top-3 Strengths
1. Support for operating systems and applications not compatible with emulator and VM-based analysis platforms.
2. Automatic analysis of any binary independent of any armoring or evasion techniques used by the malware.
3. Detailed analysis of malicious binaries – including comprehensive analysis intelligence that can be used by corporate security teams to construct advanced blocking and remediation strategies.

Top-3 Evasion Techniques
1. Use of HTTPS to transfer the malicious binary – ensuring that the network appliance is incapable of observing or obtaining a sample of the malware in transit.
2. “Blacklisting” by the attackers of IP addresses associated with the cloud-based analysis platform in order to prevent component updates to the malware sample under analysis.
3. The use of “one-time” personalized links within “dropper” and “downloader” malware components to prevent third parties from accessing the real malicious binary.
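The appliance flow described above (local signature check, cloud lookup of the binary's known state, submission of unknown binaries for full analysis), together with the cloud sharing mechanism and its rogue-signature risk from the previous section, as an added Python simulation that is not part of this paper or of any Damballa product. The VendorCloud and Appliance classes, the EVIL-MARKER stand-in for cloud analysis, the min_reporters corroboration threshold (a mitigation assumed here, not described in the paper) and the sample bytes are all constructed for the example.

```python
import hashlib
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class VendorCloud:
    # Hypothetical vendor cloud: verdict cache keyed by hash plus signature push to members.
    def __init__(self, min_reporters: int = 1):
        self.verdicts = {}                  # sha256 -> "malicious" | "benign"; absent = never seen
        self.reports = {}                   # sha256 -> member ids that reported it as malicious
        self.members = []
        self.min_reporters = min_reporters  # assumed corroboration threshold, not from the paper

    def analyze(self, digest: str, sample: bytes) -> str:
        # Stand-in for full cloud analysis: a constructed marker decides the verdict.
        verdict = "malicious" if b"EVIL-MARKER" in sample else "benign"
        self.verdicts[digest] = verdict
        if verdict == "malicious":
            self._push(digest)
        return verdict

    def share(self, member_id: str, digest: str) -> None:
        # Cloud sharing of a member's own dynamic-analysis detection, trusted only once
        # enough independent members report it (guards against rogue signature propagation).
        self.reports.setdefault(digest, set()).add(member_id)
        if len(self.reports[digest]) >= self.min_reporters and digest not in self.verdicts:
            self.verdicts[digest] = "malicious"
            self._push(digest)

    def _push(self, digest: str) -> None:
        for member in self.members:
            member.signatures.add(digest)

class Appliance:
    # Hypothetical network appliance: local signatures, then cloud lookup, then submit unknowns.
    def __init__(self, cloud: VendorCloud, member_id: str):
        self.cloud, self.member_id, self.signatures = cloud, member_id, set()
        cloud.members.append(self)

    def inspect(self, sample: bytes) -> str:
        digest = sha256(sample)
        if digest in self.signatures:
            return "blocked:signature"
        known = self.cloud.verdicts.get(digest)
        if known is not None:               # seen before somewhere in the cloud: reuse verdict
            if known == "malicious":
                self.signatures.add(digest)
            return ("blocked" if known == "malicious" else "allowed") + ":cloud-verdict"
        if not sample.startswith(b"MZ"):    # static triage: only PE-looking files are submitted
            return "allowed:not-triaged"
        return "submitted:" + self.cloud.analyze(digest, sample)   # the "first time" case
```

The first appliance to see a sample only gets a verdict after submission, while every other member already holds the pushed signature; with min_reporters=1 a single mis-tuned member's shared detection becomes a rogue signature at all members.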
Recommendations

Antivirus defenses have evolved, and continue to evolve, in response to the threat. As the threat morphs and as the attackers advance their evasion and obfuscation techniques, detection has moved into the cloud. The cloud offers not only economies of scale (i.e. pooling of global threat observations), but increasingly offers considerably more advanced capabilities when it comes to analyzing and dissecting malware threats. The tools with which attackers can construct and armor their malware already exceed the analysis technologies that can reasonably be deployed within a corporate network – and the gap between evasion and detection will continue to increase.

Defensive strategies have traditionally focused on preventing the threat at the network level and layering in detection at the host. Given the array of methods by which malware can be distributed and eventually install itself onto the victim device, organizations are having to revise their legacy protection strategies. Organizations should continue to invest in technologies that reduce the volume of threats capable of penetrating their network perimeter, but should assume that a growing number of threats will be successful in penetrating them. Therefore, an increasing emphasis should be placed upon the detection of threats that have already breached those defenses – ideally focused upon early detection of the penetration and optimization of rapid, automated remediation processes.

Malware Defensive Strategies

Given the breadth of technologies marketed to combat the evolving malware threat, it can be very confusing for many organizations to determine which security technologies provide the best complementary defensive posture. As the organization changes, it should reevaluate its defenses throughout the year. However, given the media attention applied to recent data breaches and the advanced forms of malware employed by the attackers, there is an executive emphasis on dealing with the advanced malware threat.

As depicted earlier in the evolution of antivirus technology, there are many options available to combat the threat – depending upon the type of threat an organization is most fixated upon. However, while the technologies are depicted in an evolutionary fashion, it must be noted that not all features and capabilities exist within a single appliance. It is not recommended that organizations “jump” to the latest antivirus defense tools without ensuring that other network protection technologies are already in place.

firewall: Filter unwanted network ports and protocols
proxy: Block non proxy-aware malware
signature antivirus: Block known, mainstream and legacy malware
intrusion prevention: Block malware propagation techniques
breach detection: Detect successful penetrations
next generation antivirus: Detect new and unique malware variants
data leakage detector: Detect confidential data being leaked
Figure 4: Prioritization of network security technologies
Organizations should ensure that “fundamental” network security technologies are covered within their enterprise before focusing upon (and deploying) technologies that target a specific class of threat. As depicted in the figure above, before investing in advanced “next generation” antivirus technologies, organizations should ensure that they have firewalls, proxies, signature antivirus, intrusion prevention and breach detection first.

What does each of these prerequisite security technologies bring to the table when it comes to protecting against today’s advanced malware threats? Firstly, today’s advanced malware threats are a specialized subset of threat – and the older threats have never gone away. If an organization is incapable of dealing with older, less advanced threats, then it will continue to succumb to most attacks and attack vectors. In other words, adding video surveillance capabilities to the front door of a house does little good if all the doors and windows in the house are left open.

30.118.1012

About Damballa

Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal corporate data and intellectual property, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa protect networks with any type of server or endpoint device including PCs, Macs, Unix, smartphones, mobile and embedded systems. Damballa customers include mid-size and large enterprises that represent every major market, telecommunications and Internet service providers, universities, and government agencies. Privately held, Damballa is headquartered in Atlanta, Georgia.

© 2012 Damballa Inc. All rights reserved worldwide. www.damballa.com