Tackling Modern Malware

Wednesday, August 15, 2012

Simon Heron


With new unique pieces of malware emerging daily and ever-increasing access requirements from a host of new endpoints, the challenge posed by malware detection has changed. 

Zero-day threats pose an increasing risk because, by definition, nobody has a signature for them, and in many cases heuristics can be bypassed.

User habits are changing too; the vast majority of applications are now downloaded and installed over the internet.   Users need to connect to the internet to do anything useful; time off-line is usually brief and increasingly rare and unproductive.   

This, though, provides a new way of delivering security that can keep users safe and up to date instantly.  Webroot have used this in their Secure Anywhere (WSA) product to provide a new concept that changes the anti-malware game.

WSA doesn’t download vast databases of signatures onto an end user’s device, which is a boon for the growing army of endpoints in use. This also saves bandwidth and time: installation times drop dramatically, making the product very easy to install. Some anti-malware solutions download vast quantities of data every day in updates.

Instead, Webroot’s system stores a vast database in the cloud (over 400TBytes and growing), which is updated all the time with new solutions (around 200GBytes a day).  Any file that can be executed is first ‘hashed’ and then sent up to this vast store and categorised as:

  • Known good software – the hash uniquely identifies the code as a known piece of software that has been tested and known to be safe to run.
  • Known bad software – the hash uniquely identifies the files as a known piece of malware that will be blocked from running and either quarantined or removed from the endpoint.
  • Unknown – this is where the clever stuff happens and the fact that Webroot’s database defines known as well as unknown makes this category very useful:

The graphic below illustrates the communication flow between the agent and cloud.

  • If the Webroot Intelligence Network (WIN) responds with an unknown classification, the file is executed in a virtual sandbox environment. This allows the behaviour of the file to be monitored. This behaviour is then packaged and sent up to the Webroot Intelligence Network where it’s compared to thousands of behavioural rules.
  • In the diagram, you can see the behaviour is classified as Good. This means that Webroot haven’t observed any malicious behaviour at this stage.
  • Because the behaviour is good (so far), the file is allowed to execute on the endpoint but it’s placed in monitor mode. While in monitor mode, the behaviour is watched to see if it changes. As soon as it starts to behave maliciously, or as soon as Webroot’s Threat Research team identify the threat, the malware is quarantined or removed and, more importantly, it is remediated.
  • While in monitor mode, every single change the file makes to the endpoint is recorded in a local change-journal database. So if a file is found to be malicious, remediation means not just quarantining or deleting the malware, it means that all changes that the file made to the endpoint can be reversed, providing a perfect clean-up routine.

In addition to the Monitoring functionality, there is also a powerful Identity & Privacy shield to protect data from information-stealing malware, which means that even if the initial infection tries to make changes, the endpoint and user’s data will still be protected.


The other major benefit this solution brings to companies is that it can be run from an interface in the cloud allowing the administrator to manage the system from wherever they are without the time and expense of maintaining a locally sourced server. 

In addition, this administration interface provides a wide range of features that allow administrators to do all the usual administration tasks, as well as white and black listing applications, right down to executing commands on end users’ systems if required.

The other thing to consider is what happens when the endpoint is not connected to the internet.  If a brand-new piece of software is introduced when the endpoint is completely offline, and it has no relationship with any existing software on the endpoint, then WSA automatically applies special offline heuristics blocking many threats automatically. If a threat gets past this logic, it is run in monitoring mode which ensures any threats that do execute cannot do lasting damage.

The suspicious program is monitored to see precisely what files, registry keys, and memory locations are changed by the software program, while remembering the “before and after” picture of each change. If the software is subsequently found to be malicious, WSA proceeds to clean up the threat when it is online again.

The important thing here is that WSA doesn’t just simply delete the main file—it removes every change that the threat made and returns the endpoint to its previously known good state. If at any point a suspicious program tries to modify the system in such a way that WSA cannot automatically undo it, the user is notified and that change is automatically blocked.
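The journal-and-rollback idea described above, reduced to file changes only, as an added example that is not Webroot's code or part of the original article. The `ChangeJournal` class, its `MAX_SNAPSHOT` limit and the file names are assumptions made for illustration; registry and memory changes are not modelled.

```python
import tempfile
from pathlib import Path

class ChangeJournal:
    """Keeps the 'before' picture of each file change so it can be reversed."""
    MAX_SNAPSHOT = 1 << 20  # assumed limit: larger files cannot be snapshotted

    def __init__(self):
        self.entries = []  # (path, bytes before the change, or None if absent)
        self.blocked = []  # changes refused because they could not be undone

    def _record(self, path):
        before = None
        if path.exists():
            if path.stat().st_size > self.MAX_SNAPSHOT:
                self.blocked.append(path.name)  # cannot undo, so block it
                return False
            before = path.read_bytes()
        self.entries.append((path, before))
        return True

    def write(self, path, data):
        if self._record(path):
            path.write_bytes(data)
            return True
        return False

    def rollback(self):
        """Undo newest-first so repeated changes unwind to the original."""
        undone, self.entries = self.entries[::-1], []
        for path, before in undone:
            if before is None:
                path.unlink(missing_ok=True)  # file was created: remove it
            else:
                path.write_bytes(before)      # restore the earlier content
        return len(undone)

def demo():
    root = Path(tempfile.mkdtemp())  # constructed sandbox folder and files
    doc, big, drop = root / "report.txt", root / "archive.bin", root / "drop.exe"
    doc.write_bytes(b"quarterly figures")
    big.write_bytes(b"\0" * (ChangeJournal.MAX_SNAPSHOT + 1))
    j = ChangeJournal()
    j.write(doc, b"scrambled")        # modifies an existing file
    j.write(doc, b"scrambled twice")  # second change to the same file
    j.write(drop, b"MZ")              # creates a new file
    j.write(big, b"x")                # blocked: too large to snapshot
    undone = j.rollback()
    return doc.read_bytes(), drop.exists(), big.stat().st_size, j.blocked, undone
```

Replaying the journal newest-first matters when one file is changed more than once: undoing in recording order would leave the intermediate content in place instead of the original.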

With conventional antivirus products, their signature bases are never completely up to date. When a brand-new infection emerges, and the antivirus software hasn’t applied the latest update or there isn’t a signature written for that specific threat, the infection simply roams freely across all endpoints, deleting, modifying, and moving files at will. As a result, it doesn’t really matter if a device is online or offline—the malware infection has succeeded in compromising the endpoint.

When a traditional AV product comes back online, it applies any updates and if configured to do so, runs a time-consuming scan—it might then be able to remove the infection. But it will not be able to completely reverse the changes the infection made, so the user or administrator will have to activate the System Restore function. More likely, the endpoint will need to be re-imaged because it’s so unstable—a major further drain on time and productivity.

Conversely, WSA leverages behavioural monitoring to pick up infections when the Internet is inactive or the endpoint is offline and it isn’t sure whether a file is malicious or not. This process provides uniformly strong protection against the damaging effects of malware.

The effectiveness of the approach was highlighted in 2007 when it recognised Flame and protected customers against it a good number of years before other manufacturers even knew of its existence. 

A conversation between computer security companies reveals the effectiveness of Webroot’s approach: http://www.npr.org/2012/05/30/153970997/computer-security-companies-debate-flames-origins.

This is a really clever use of the internet: it provides a large database of signatures and heuristics while keeping the footprint on the endpoint very light, giving the best of both worlds. The other consideration is that there is a mechanism for catching and remediating zero-day threats, which shows a degree of pragmatism rarely seen in other products.

Cross-posted from RedScan
