The Flashback computer virus gained notoriety earlier this year as the first malware to make headway against Apple’s relatively untouched operating system, Mac OS X, infecting some 600,000 victims’ machines at the peak of the outbreak.
But computer scientists and security professionals were more worried about another aspect of the malware. The authors of Flashback used a technique that Hollywood often employs to prevent movie and music files from being copied—they added functions that bound the virus to each infected system. The use of that technique prevented security companies from running the virus in their labs.
New research shows that a refinement to the technique could make automated analysis of malware nearly impossible. Paul Royal, a research scientist with the Georgia Institute of Technology’s Information Security Center, plans to reveal the work at the Black Hat conference in Las Vegas this week.
Royal and his colleagues at Georgia Tech show that a form of copy protection called host identity-based encryption can encrypt critical parts of a malware program with keys based on information gleaned from a victim’s system, thereby making it even harder to analyze the specimen on a different machine.
Analyzing the malicious software that criminals use to infect people’s computers is a time-consuming operation, yet a necessary one. The makers of antivirus software regularly collect samples of malware and then use automated analysis to generate a collection of identifying characteristics, commonly called a signature.
While an individual analyst can get around the restrictions imposed by malware authors —in the same way that movie copy protections can be circumvented by pirates—preventing security companies from automatically processing large volumes of files will damage their ability to keep up with attackers.
“For the antivirus model, this significantly complicates taking the fire hose quantity of malware and weaning it down into a subset that can be practicably analyzed by a human analyst,” Royal says.
Because antivirus software is dependent on using such signatures to catch malware, online criminals regularly attempt to make the analysis harder. Over the last decade, for example, attackers have used polymorphism—a technique for changing programs each time they are copied to a new machine—to make identification harder. This trend has accelerated in recent years (see “The Antivirus Era Is Over”).
The database of malware maintained by Symantec includes about 19 million signatures. In its annual Internet Security Threat Report released earlier this year, Symantec stated that its automated analysis systems analyzed 403 million unique variants of malicious programs in 2011, a 41 percent increase from the 286 million analyzed in 2010. Without automation, this task would be much harder.
“If malware guys can get to a stage where, even if you have the [file], that it’s tied to a particular machine, then that complicates our life,” says Roel Schouwenberg, senior researcher for Kaspersky, another software security firm. Kaspersky processed more than a billion samples through its automated systems in 2011.
If Flashback is an indication of the future, and automation can no longer cull the onslaught of files to analyze, then antivirus companies could see their costs skyrocket.
“From our perspective, we analyze hundreds of thousands of samples per day,” says Dean De Beer, chief technology officer of ThreatGRID, a malware-analysis services firm. “Now they are throwing this curveball, and we have to sit back and say, ‘What do we need to do in order to ensure that we can collect the sample?’ “
Antivirus firms could attempt to foil such malware by creating a virtual machine that appears identical to the victim’s system. But this could raise privacy concerns among users. To make the analysis more difficult, malware authors could create functions that interpret commands from the command-and-control servers using a key created from information about the computer’s network location. Known as instruction-set localization, the technique would make commands meant for a machine based in San Francisco unrecognizable to a machine based in Boston.
Antivirus firms hope that Royal keeps the discussion at a high level to avoid giving attackers precise advice on how to improve their ability to lock malware to infected machines. “Flashback was a pain,” says Schouwenberg. “If the talk is on how to make this very easy for the attacker, then I am not looking forward to that.”
Royal hopes the presentation serves as a warning that defenders need to solve this problem quickly. “This presentation is not a reason to throw away your malware analysis tools,” he says. “It is supposed to be a warning. We all need to prepare.”