How Malicious Code Authors Evade Detection

March 2011


Analytics.InformationWeek.com




Strategy Session
Presented in conjunction with




Malware War: How Malicious Code Authors Battle to Evade Detection

The stakes have never been higher in the fight for control of corporate and consumer devices between malicious code and the antimalware software designed to detect and stop it. It’s a war of one-upsmanship, as security labs work ’round the clock to analyze malicious code and the bad guys design new, ingenious ways to frustrate analysts and automated tools. This Tech Center report covers the key methods malware writers use to thwart analysis and evade detection.

By Tom Liston




Report ID: 2630311






TABLE OF CONTENTS

4   Author’s Bio
5   Executive Summary
6   Malware’s Bane: Reverse Engineering
6   Evading Detection 101: Avoid Initial Capture
7   Advanced Evasion: Thwarting Reverse Engineering
10  Fighting Back: Seeing Through the Fog
11  If You Can’t Beat ’Em, Take Away Their Tools
12  Detecting Virtual Test Environments
12  The Art of JavaScript Obfuscation
13  Round One to the Good Guys…
13  But the Bad Guys Counterpunch
14  Bugging the Debuggers
15  Related Reports




                   2 March 2011                                                           © 2011 InformationWeek, Reproduction Prohibited







TABLE OF CONTENTS: Figures

6   Figure 1: Malicious Data Breaches—And Their Cost—Are on the Rise
9   Figure 2: Code Obfuscation Example
13  Figure 3: The Ultimate Weapon: Overwhelming Force




ABOUT US | InformationWeek Analytics’ experienced analysts arm business technology decision-makers with real-world perspective based on a combination of qualitative and quantitative research, business and technology assessment and planning tools, and technology adoption best practices gleaned from experience.

If you’d like to contact us, write to managing director Art Wittmann at awittmann@techweb.com, executive editor Lorna Garey at lgarey@techweb.com and research managing editor Heather Vallis at hvallis@techweb.com. Find all of our reports at www.analytics.informationweek.com.












Author’s Bio

Tom Liston, InGuardians

Tom Liston is a senior security analyst with InGuardians, a leading security consulting firm, as well as the director of InGuardians Labs. Tom pioneered the use of network “tarpitting” with the open source security application LaBrea, and is the coauthor (with Ed Skoudis) of the second edition of Counter Hack Reloaded. Tom is a Handler for the SANS Institute’s Internet Storm Center, where he authors a popular series of diaries titled Follow the Bouncing Malware.

As a part of research that InGuardians performed for the U.S. Department of Homeland Security, Tom created the first public proof-of-concept exploit demonstrating the potential for malicious code to escape from a virtual machine—launching arbitrary code on a host machine from exploit code running on a guest machine.











Executive Summary

In 1886, pharmacist John Pemberton was forced, by new, stricter laws, to create a nonalcoholic version of the morphine-addiction cure he had been selling. He christened his new concoction with a highly marketable, alliterative name: Coca-Cola. Since then, the formula for Coca-Cola has been a closely guarded trade secret.

Trade secrets are an integral part of our business environment. Over the past several years, those of us in the security industry have watched as malware has transformed itself from a vehicle for teenage self-expression (“Your PC is now stoned!”) into an immensely profitable global business. And, just like the folks at the Coca-Cola Company, the people behind Malware, Inc. have their own trade secrets.

Why? The malware game is all about installing and maintaining malicious code on a victim’s computer. Malware, Inc.’s business model depends on using your company’s computers without your knowledge, whether it’s to monitor keystrokes for login credentials, to send “V1@gra” spam or to be part of a zombie botnet.

The big “no-no” in the malware game: doing something to get yourself noticed. That can be as simple as overburdening the target machine to the point that someone notices the slowdown, or as complex as triggering an antivirus warning. In this report, we’ll explore some of the technology and techniques malware authors use to keep malware analysts away from their secrets, so they can thwart detection and execute successful attacks.












Malware’s Bane: Reverse Engineering

Reverse engineering is the enemy of trade secrets. Someone in a competitor’s laboratory could pour a bottle of Coke into a mass spectrometer and figure out what makes Coke, er, Coke.

Malware “vendors” have, for quite some time, recognized that reverse engineering is their enemy. Every day, an army of security researchers deploys a wide array of mass spectrometer-like tools on thousands of suspicious executables. The