Traditional methods of analyzing malware to produce detection signatures are no longer a viable way to identify and eradicate malicious code on infected machines, according to a noted security expert who is hoping his research will prompt the security industry to change its ways.
[AV vendors] are kind of like the janitor that sweeps the offices and vacuums the floor. They're hygienic in nature
founder, CEOHBGary Inc.
Greg Hoglund, a malware expert and founder of HBGary Inc., is pushing a malware analysis method that focuses on malware attribution and fingerprinting techniques to study and document the toolmarks left by hackers within the malicious code. This method is better than traditional malicious code analysis because when malware is executed, it has obfuscated string data that would not be present on a file that is sitting at rest on disk or a file that was acquired in transit over the network, Hoglund said.
If done right, security pros can block certain attacks on their network by preventing them from executing and tracing malware back to their source. URLS used to connect to the command-and-control server and DNS strings can be carried directly over to perimeter security devices.
"Input those specific strings into them as IDS signatures and very rapidly you can detect other machines that are infected with that same attack and communicating with the command and control," Hoglund said.
Hoglund has attended a number of security conferences this year, where he preached the need for a new approach to malware protections and defenses. He founded HBGary in 2004, and since then, Hoglund said malware writers have increased their output, flooding enterprise systems with thousands of malware variants -- many of them growing more sophisticated – that are evading signature-based security technologies to remain virtually undetectable on systems.
"What I've discovered is that most of the data that's actionable exists in clear-text human readable strings when you take physical memory snapshots of a computer," Hoglund said in an interview with SearchSecurity.com. "When data is actually in execution it calculates a bunch of string data at runtime that's tremendously useful."
Before reimaging infected machines, IT security pros should take the time to do some level of incident response on the machine, Hoglund said. Investigators can use live forensics to reach out over the network and grab the event logs and the prefetch input queue that contain valuable data to defend against future attacks.
"There are things that you can get that are easy to understand and they're not too complicated for your [incident response] team to get," Hoglund said. "It doesn't require disassembly level knowledge of malware to use this information; it's just sitting there."
The same process is carried out when other infected machines are discovered and over time, enterprises can build a much smarter detection capability for the attackers, which is more specific to the environment, Hoglund said. Most organizations in the commercial space rely entirely on antivirus vendors to do all the security.
"The AV vendor has no idea the threats that are targeting an individual site. ... They're kind of like the janitor that sweeps the offices and vacuums the floor. They're hygienic in nature," Hoglund said. "They're trying to make these magical DAT files that address everybody's problems across the industry and while it's a nice goal, they can't do it because it's too much data."
Research on malware attribution and fingerprinting techniques is still in its infancy. Until then, Hoglund said enterprises need to focus on combining traditional technologies like AV with network security and other malware detection technologies.
HBGary is a niche security vendor that sells tools used by incident response teams and computer forensic investigators to examine system memory for malware detection and analysis. The company is rolling out a new appliance called Inoculator, which is designed to remove and block malware. The appliance is currently in beta and will be made widely available by the end of Q4 2010.
"If a customer knows about a malware program that's in their environment, it enables them to scan their entire enterprise to the presence of the malware without using any endnode agents," Hoglund said.
The software works in Microsoft Windows environments and is designed to enable IT teams to remove malware from infected machines without requiring them to reimage the machine. It works without deploying agents, making the process easier for incident response teams.
The appliance scans the files and registry keys that malware uses to maintain persistence on a system. If the malware is found, the system will alert the user. The appliance can also be configured to clean the malware and prevents new infections by blocking the malware files and registry keys from being recreated.