Hardened cryptographic algorithms and other defensive capabilities are making reverse engineering and analysis increasingly difficult for malware researchers. But some researchers are putting increased vigor into creating tools to bolster malware analysis and in turn create better security technologies.
Security researchers attending the 2012 Black Hat Briefings acknowledged that the industry is failing to better understand the capabilities being deployed by malware authors. That lack of understanding is resulting in less than stellar security technologies, says Rodrigo Branco, director of vulnerability and malware research at Redwood City, Calif.-based Qualys. Attackers are penetrating corporate networks because they are consistently evading security defenses with sophisticated methods, Branco says. Meanwhile, enterprises are not stepping up to invest in staff to isolate and better analyze incidents.
"It's amazing to see that an industry that is 15 years old maybe even more has not documented the techniques that it is fighting against," he says. "This industry has the information, but it has each researcher looking into one specific sample and that process isn't working anymore."
At Black Hat, Branco unveiled a new malware analysis system that he hopes will aid independent security researchers. The research database has nearly a million malware samples in it and is constantly growing, collecting samples from antivirus vendors, software makers and intrusion detection and prevention vendors. The system was designed so researchers could test their detection capabilities against millions of samples.
"We need to look more into the whole ecosystem of malware, not individual samples," Branco says.
Researchers are trying to gain a better understanding into how serious targeted attacks or advanced persistent threats truly are, says Joe Stewart, director of malware research at DellSecureWorks. Stewart calls malware "sophistication" an abused word in the industry. The sophistication doesn't always come from the malware and backdoors that attackers are using, Stewart says. A lot of it has to do with reconnaissance, spear phishing techniques and the kind of exploits the cybercriminals are using.
"I think we're just getting to the point now where we can classify it all," Stewart says. "When you look at the malware itself it's usually not that sophisticated compared to cyberfraud kind of malware like Zeus and SpyEye. I think [malware authors] are intentionally making very simple backdoors and downloaders, but they make a lot of them and in that way if one gets detected, [there is another they can rely on]"."
Other experts shared their research at Black Hat. Jason Jones, a security researcher at HP DVLabs, explored the rising sophistication of automated attack toolkits, including Black Hole and Phoenix, which are responsible for a precipitous increase in Java exploits. Chengyu Song, a Ph.D. student at Georgia Institute of Technology, discussed the Flashback Trojan and how its techniques put malware researchers at a disadvantage.
"Malware analysis and malware prevention is probably the most difficult area to solve," says Adam O'Donnell, chief architect in the cloud technology group at Sourcefire. "Coming up with a way to guarantee that the binaries on people's machines are safe and secure is a very hard problem and there seems to be a huge amount of attention focused on it this year."
However, malware research only goes so far, he says. Enterprises need to bolster their security staff to create stronger incident response teams. Investing in staff can greatly boost a business' security posture because they can monitor automated detection systems and isolate and analyze malware before it becomes a serious data leakage threat, he says.
"You need to have a good IR team, but they also need to have the tools to be able to understand how critical a threat is, to quantify the threat and be able to prioritize and figure out what it did and where it went," O'Donnell says. The alternative of doing nothing would lead to a breach that could cause irreparable damage to the business – results that are "too unspeakable," he adds.
About the author:
Robert Westervelt is news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org