Archive for May, 2007

Mal(ware)formation statistics

May 28th, 2007 Pedro Bustamante 7 comments

While catching up on an old but excellent post by Jason Geffner on reconstructing import tables, I remembered that I've been wanting to study the real impact of packers on the latest malware received at our labs. Many of us AV companies are now more proactively detecting packers as malicious. Although this issue was discussed at length at the International Antivirus Testing Workshop 2007 in Iceland earlier this month, no real conclusion was reached, as there is still a major unknown: the use of packers in goodware, and the negative impact on false positives this approach might have.

When it comes to the use of packers in malware here are some stats on the new unique sample submissions we received during the last month (samples seen in previous months were discarded for the study). Using PEid with a customized database of packing signatures (available here), a purpose built emulator and some generic unpacking routines, we found that 79% of new malware is using some type of packing technique or other.

For the study I've grouped together different versions and modified routines of packers, as it's common for malware writers to slightly modify known packing algorithms to evade detection. So, for example, all different versions of UPX plus all modified (or private) UPX routines are grouped under the common "UPX" term. The same applies to the rest of the detected routines.
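To make the methodology concrete, here is an added example (not code from the original post, and not Panda's or PEiD's own code) of the three steps described above: a PEiD-style signature database in userdb syntax, a matcher that tests the bytes at a sample's entry point against each signature (with `??` wildcards), and the family grouping that folds "UPX 1.x" and "UPX (modified)" into one "UPX" bucket before computing the packed percentage. The signature bytes and the entry-point byte strings are constructed for illustration and are not real packer fingerprints; a real run would read the entry-point bytes out of each PE file.

```python
"""PEiD-style packer identification with family grouping (added example).

Assumptions: signatures use PEiD userdb syntax ([name], signature = hex with ??
wildcards, ep_only = true). All signatures and sample bytes below are
CONSTRUCTED for illustration, not real packer fingerprints.
"""
import re
from collections import Counter

# Constructed signature database (PEiD userdb syntax, illustrative bytes only).
SAMPLE_USERDB = """
[UPX 1.x]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[UPX (modified)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5
ep_only = true

[FSG 2.x]
signature = 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80
ep_only = true

[ASPack 2.x]
signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
ep_only = true
"""


def signature_to_regex(sig_text):
    """Turn 'AA ?? BB' into a compiled bytes regex; ?? matches any single byte."""
    parts = []
    for tok in sig_text.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_userdb(text):
    """Parse userdb text into a list of (name, regex, ep_only) tuples."""
    sigs, name, pattern, ep_only = [], None, None, True
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if name and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
        elif line.lower().startswith("signature"):
            pattern = signature_to_regex(line.split("=", 1)[1])
        elif line.lower().startswith("ep_only"):
            ep_only = line.split("=", 1)[1].strip().lower() == "true"
    if name and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs


def identify(entry_bytes, sigs, whole_file=None):
    """Return the first signature name matching at the entry point
    (or anywhere in the file for ep_only = false entries), else None."""
    for name, rx, ep_only in sigs:
        if ep_only:
            if rx.match(entry_bytes):
                return name
        elif whole_file is not None and rx.search(whole_file):
            return name
    return None


def family(name):
    """Group 'UPX 1.x' and 'UPX (modified)' under 'UPX', as the post does."""
    return name.split()[0]


def packer_stats(samples, sigs):
    """samples: {sample_id: entry-point bytes}. Returns (per-family Counter, packed %)."""
    fam = Counter()
    for ep in samples.values():
        name = identify(ep, sigs)
        fam[family(name) if name else "none"] += 1
    packed = sum(n for k, n in fam.items() if k != "none")
    pct = round(100.0 * packed / len(samples), 1) if samples else 0.0
    return fam, pct


SIGS = parse_userdb(SAMPLE_USERDB)

# Constructed entry-point bytes for ten "samples" (not real malware).
SAMPLES = {
    "s01": bytes.fromhex("60BE00A040008DBE0070FFFF5783CDFFEB10"),    # UPX 1.x
    "s02": bytes.fromhex("60BE00C040008DBE0040FFFF5783CDFF8A06"),    # UPX 1.x
    "s03": bytes.fromhex("60BE00B040008DBE0060FFFF5789E5909090"),    # UPX (modified)
    "s04": bytes.fromhex("60BE00D040008DBE0030FFFF5789E5EB05"),      # UPX (modified)
    "s05": bytes.fromhex("872500504000619455A4B680FF13"),            # FSG 2.x
    "s06": bytes.fromhex("872500604000619455A4B68000"),              # FSG 2.x
    "s07": bytes.fromhex("60E803000000E9EB045D4555C3E801000000"),    # ASPack 2.x
    "s08": bytes.fromhex("558BEC83EC105356578B7D08"),                # plain compiler prologue
    "s09": bytes.fromhex("E83A010000E979FEFFFF"),                    # plain CRT startup stub
    "s10": bytes.fromhex("6A6068A0B34000E8E8A0000033C0"),            # plain CRT startup stub
}

if __name__ == "__main__":
    families, percent = packer_stats(SAMPLES, SIGS)
    for fam_name, count in families.most_common():
        print(f"{fam_name:10s} {count}")
    print(f"packed: {percent}%")
```

Running it prints four UPX hits, two FSG, one ASPack and three unpacked samples, i.e. 70% packed for this constructed set; the same loop over a month of real entry-point bytes is what produces a figure like the 79% quoted above.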

For those interested in the detailed data-set you can find it here.
Categories: Packers, Stats, behavior analysis

How TruPrevent Works (I)

May 24th, 2007 Pedro Bustamante 20 comments

I recently came across an interesting document by Gartner's analyst Neil MacDonald, called Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough. There is confusion in the market about what a HIPS really is and Neil's work really helps in clarifying the different technologies that are being marketed as HIPS. Similarly other articles such as HIPS: what's in a name? also talk about the confusion in the market about the subject.

In Neil's document different HIPS solutions are analyzed based on the different technology approaches they use. He differentiates among technologies which work when code is entering the network, non-executing code, and code executing in the machine. As the document labels Panda TruPrevent Technologies as a HIPS and I've been asked about this many times already, I thought I'd write a couple of articles to explain exactly what TruPrevent is and how it works.

TruPrevent consists of two main technologies: behavioral analysis (intelligent analysis and termination of a running process based on its behavior) and behavioral blocking (a.k.a. policy-based application control and system hardening). When integrated with a signature-based anti-malware engine, static heuristics, a deep packet inspection firewall, prevention of vulnerability exploitation and network access control, it makes up what is considered an integrated, "converged HIPS" solution.

TruPrevent Behavioral Analysis
Code-named Proteus, it acts as a true last line of defense against new malware executing in the machine that manages to bypass signatures, heuristics and behavior blocking. Proteus intercepts, during runtime, the operations and API calls made by each program and correlates them before allowing the process to run completely. The real-time correlation results in processes being allowed or denied execution based on their behavior alone.

As soon as a process is executed, all its operations and API calls are monitored silently by Proteus, gathering information and intelligence about that process's behavior. During the initial execution path, a malicious process will try to perform a series of actions, each of which is correlated by Proteus. It is then that Proteus decides, as early in the execution path as possible, whether the process is malicious or not. If it is judged suspicious, the process's network communication is blocked. Immediately thereafter, once it is judged malicious, the process is blocked and killed before it can carry out all of its actions, and it is prevented from running again.

Unlike other behavioral technologies, Proteus is autonomous and does not present technical questions to the end user ("Do you want to allow process xyz to inject a thread into explorer.exe or memory address abc?"). If Proteus thinks that a program is malicious it will block it without requiring user intervention. Most users cannot make informed decisions when it comes to security. Some behavioral products throw non-deterministic opinions — or behavioral indecisions — whose effectiveness depends on the user clicking on the right choice. A key functionality of any behavioral technology must be making decisions without user intervention. Anything less is a potential point of failure.

Proteus has been built from the ground up to detect the maximum number of malware as quickly as possible, as early in its execution path as possible and without any user intervention. Our internal stats show that this technology alone is capable of detecting (without signatures and heuristics) 80 to 90 percent of the new malware that causes epidemics in the wild without generating problematic false positives or behavioral indecisions. A bot would not be a bot if it didn’t behave as such, but if it does so it will be detected by this technology, regardless of its shape or name.
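The mechanism described above (intercept each API call, correlate it with what the process has already done, and escalate as early as possible without asking the user) can be illustrated with a small correlation engine. This is an added example written for this page, not Proteus or any Panda code: the API names, the scoring rules, the two thresholds and the two constructed event traces (one self-copying downloader, one ordinary installer) are all assumptions chosen to show the shape of the decision, not the product's actual rules.

```python
"""Toy behavioral-correlation engine (added example, not TruPrevent/Proteus code).

Each intercepted API call is scored against correlation rules that look at the
process's accumulated state. Two thresholds mirror the two stages in the post:
'suspicious' cuts network communication, 'malicious' terminates the process and
stops the trace early. No decision is ever delegated to the user.
All API names, rules, weights and traces are CONSTRUCTED assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

SUSPICIOUS_AT = 40   # block the process's network communication
MALICIOUS_AT = 70    # terminate, quarantine, prevent re-execution

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
RUN_KEYS = ("hkcu\\software\\microsoft\\windows\\currentversion\\run",
            "hklm\\software\\microsoft\\windows\\currentversion\\run")


@dataclass
class Event:
    api: str
    args: dict


@dataclass
class Verdict:
    state: str = "clean"              # clean | suspicious | malicious
    at_event: Optional[int] = None    # index of the event that decided it
    reasons: list = field(default_factory=list)


# Each rule returns (points, reason) when the event, in context, is suspicious.
def rule_self_copy_to_system(state, ev):
    if (ev.api == "CopyFileW"
            and ev.args.get("src", "").lower() == state["image"].lower()
            and ev.args.get("dst", "").lower().startswith(SYSTEM_DIRS)):
        state["dropped"].add(ev.args["dst"].lower())
        return 30, "copies itself into a system directory"


def rule_run_key_persistence(state, ev):
    if ev.api == "RegSetValueExW" and ev.args.get("key", "").lower() in RUN_KEYS:
        target = ev.args.get("data", "").lower()
        if target in state["dropped"] or target == state["image"].lower():
            return 30, "registers itself (or its dropped copy) for autostart"
        return 15, "adds an autostart entry"


def rule_inject_remote_thread(state, ev):
    if ev.api == "CreateRemoteThread" and ev.args.get("pid") != state["pid"]:
        return 40, "creates a thread inside another process"


def rule_outbound_after_drop(state, ev):
    if ev.api == "connect" and state["dropped"]:
        return 20, "opens a network connection after dropping a copy of itself"


RULES = [rule_self_copy_to_system, rule_run_key_persistence,
         rule_inject_remote_thread, rule_outbound_after_drop]


def correlate(image_path, pid, events):
    """Replay a process's API trace; return (Verdict, [(event_index, action)])."""
    state = {"image": image_path, "pid": pid, "dropped": set(), "score": 0}
    verdict, actions = Verdict(), []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(state, ev)
            if hit:
                points, why = hit
                state["score"] += points
                verdict.reasons.append(f"#{i} {ev.api}: {why} (+{points})")
        if verdict.state == "clean" and state["score"] >= SUSPICIOUS_AT:
            verdict.state, verdict.at_event = "suspicious", i
            actions.append((i, "block network"))
        if verdict.state != "malicious" and state["score"] >= MALICIOUS_AT:
            verdict.state, verdict.at_event = "malicious", i
            actions.append((i, "terminate and quarantine"))
            break  # later events never get to execute
    return verdict, actions


# Constructed traces (illustrative, not captured from real software).
MALICIOUS_IMAGE = "C:\\Users\\bob\\Downloads\\invoice.exe"
MALICIOUS_TRACE = [
    Event("GetModuleFileNameW", {}),
    Event("CopyFileW", {"src": MALICIOUS_IMAGE, "dst": "C:\\Windows\\System32\\svchosts.exe"}),
    Event("RegSetValueExW", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                             "data": "C:\\Windows\\System32\\svchosts.exe"}),
    Event("connect", {"host": "198.51.100.7", "port": 6667}),
    Event("CreateRemoteThread", {"pid": 1234}),   # never reached: killed at event 3
]
BENIGN_IMAGE = "C:\\Users\\bob\\Downloads\\setup.exe"
BENIGN_TRACE = [
    Event("CopyFileW", {"src": BENIGN_IMAGE, "dst": "C:\\Program Files\\Tool\\tool.exe"}),
    Event("RegSetValueExW", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                             "data": "C:\\Program Files\\Tool\\updater.exe"}),
    Event("connect", {"host": "203.0.113.5", "port": 443}),
]

if __name__ == "__main__":
    for label, img, trace in (("downloader", MALICIOUS_IMAGE, MALICIOUS_TRACE),
                              ("installer", BENIGN_IMAGE, BENIGN_TRACE)):
        v, acts = correlate(img, 4242, trace)
        print(label, v.state, acts, *v.reasons, sep="\n  ")
```

The interesting property is in the ordering: the downloader is cut off from the network at its second event and killed at its third, so the remote-thread injection it would have attempted never happens, while the installer, which also writes a Run key, never crosses the first threshold because no single action is judged in isolation.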

In the next article we'll dive into TruPrevent's behavioral blocking, a policy-based application control and system hardening technology.

Categories: behavior analysis

Malware-friendly countries

May 22nd, 2007 Pedro Bustamante 2 comments

Recently there have been some studies regarding Internet hosting providers which are often used maliciously to distribute malware.

As this is an interesting subject, we've been tracking quite a few thousand malware samples received over the last few months at PandaLabs in order to extract (using unpacking and emulation techniques) any URLs pointing to additional malicious software. It is important to note that most of these URLs are hidden inside existing malware (downloaders, bots, trojans, etc.) in order to download additional malware from the Internet. This is becoming a common technique among malware writers. To evade AV detection they simply change the malware binary hosted on the server, in some cases automatically re-compiling the malicious code every couple of hours to evade signature-based detections.

Some basic stats on the study:

- Unique malicious URLs: 8623
- Unique hostnames: 3341
- Not resolving: 101

We processed the URLs through a hostname-to-country script and these are the results.

One interesting thing that pops to mind looking at the data is how malware is being designed for redundancy; each malicious binary has an average 2.58 URLs encoded in it, pointing to different locations. The most redundant sample was hiding 49 different URL locations for downloading new malware updates. This shows a trend in evading take-down efforts of compromised or maliciously exploited servers.
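The pipeline behind these figures (pull URLs out of unpacked samples, count unique URLs and hostnames, compute URLs per sample, map hostnames to countries) is shown here as an added example written for this page; it is not PandaLabs' script. It assumes the samples have already been unpacked into plain memory images, looks for URLs stored both as ASCII and as UTF-16LE strings, and replaces DNS and the GeoIP database with constructed lookup tables over documentation address ranges, so it runs offline; the sample blobs, hostnames and country assignments are all constructed.

```python
"""URL extraction and hosting statistics over unpacked samples (added example).

Assumptions: samples are already unpacked memory/file images (bytes). DNS and
GeoIP are replaced by CONSTRUCTED tables so the code runs offline; every
hostname, address and country assignment below is made up for illustration.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

URL_CHAR = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
ASCII_URL = re.compile(rb"https?://" + URL_CHAR + rb"+")
# Same thing for UTF-16LE strings: every character is followed by a NUL byte.
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHAR + rb"\x00)+")


def extract_urls(blob):
    """Return the set of http(s) URLs found as ASCII or UTF-16LE strings in blob."""
    found = {m.group().decode("ascii", "ignore") for m in ASCII_URL.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_URL.finditer(blob)}
    return found


def url_stats(samples):
    """samples: {sample_id: bytes}. Returns the headline numbers used in the post."""
    per_sample = {sid: extract_urls(blob) for sid, blob in samples.items()}
    all_urls = set().union(*per_sample.values()) if per_sample else set()
    hosts = {urlsplit(u).hostname for u in all_urls} - {None}
    counts = [len(v) for v in per_sample.values()]
    return {
        "unique_urls": len(all_urls),
        "unique_hostnames": len(hosts),
        "avg_urls_per_sample": round(sum(counts) / len(counts), 2) if counts else 0.0,
        "max_urls_in_one_sample": max(counts) if counts else 0,
        "hostnames": sorted(hosts),
    }


# CONSTRUCTED stand-ins for a resolver and a GeoIP table (RFC 5737 test ranges).
FAKE_DNS = {"dl.example.net": "192.0.2.10", "cdn.example.org": "198.51.100.5"}
FAKE_GEOIP = [(ipaddress.ip_network("192.0.2.0/24"), "CN"),
              (ipaddress.ip_network("198.51.100.0/24"), "US"),
              (ipaddress.ip_network("203.0.113.0/24"), "RU")]


def hosts_by_country(hostnames, resolver=FAKE_DNS, geoip=FAKE_GEOIP):
    """Count hostnames per country; unresolvable names go to 'not resolving'."""
    result = Counter()
    for host in hostnames:
        ip = resolver.get(host)
        if ip is None:
            result["not resolving"] += 1
            continue
        addr = ipaddress.ip_address(ip)
        result[next((cc for net, cc in geoip if addr in net), "unknown")] += 1
    return result


# Constructed "unpacked sample" blobs: a header-ish prefix plus embedded strings.
SAMPLES = {
    "sample_A": b"MZ\x90\x00\x03\x00" + b"\x00" * 16
                + b"http://dl.example.net/bot.exe\x00http://cdn.example.org/u2.exe\x00",
    "sample_B": b"\x00\x00" + "http://dl.example.net/bot.exe".encode("utf-16-le")
                + b"\x00\x00http://update.example.test/x\x00",
    "sample_C": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,         # no URLs at all
    "sample_D": b"http://a.example.com/1\x00http://a.example.com/2\x00"
                b"https://cdn.example.org/3\x00http://dl.example.net/4\x00",
}

if __name__ == "__main__":
    stats = url_stats(SAMPLES)
    for key in ("unique_urls", "unique_hostnames", "avg_urls_per_sample", "max_urls_in_one_sample"):
        print(f"{key}: {stats[key]}")
    for country, n in hosts_by_country(stats["hostnames"]).most_common():
        print(f"{country}: {n}")
```

Two details matter in practice: the duplicate URL in sample B is stored as a wide string, so an ASCII-only scan would miss it, and the per-sample count is taken before de-duplication across samples, which is what makes the "URLs per binary" figure a measure of each sample's redundancy rather than of the corpus.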

The other interesting conclusion is that over 60% of malicious code is hosted on servers located in China, Russia, Korea and Brazil. I recall some discussions a few years back, when the whole phishing movement started to show up, about how certain US companies and ISPs considered blocking access to certain eastern European and Asian countries. Think about it: if your company doesn't do any business with these countries and they're the biggest source of malware, could blocking access to entire countries be considered a "proactive" security measure? Would a "block xyz country" functionality be valued in gateway filtering products?

Lastly, the US is still the second largest malware-hosting country. I recall similar studies reaching similar results, so this is clearly an interesting area for closer cooperation between the industry and law-enforcement agencies.

Comments?

Categories: Malware, Stats