Q&A: Malware analysis

Greg Hoglund is the CEO and Founder of HBGary. He has been a pioneer in the area of software security. After writing one of the first network vulnerability scanners, he created and documented the first Windows NT-based rootkit, founding rootkit.com in the process. Greg went on to co-found Cenzic through which he orchestrated numerous innovations in the area of software fault injection. In this interview Greg discusses malware analysis.

What are the biggest challenges related to malware analysis today?
One of the greatest challenges is attribution: figuring out not only who wrote the malware, but also who bought and paid for it, and who is operating it. As a whole, the security industry needs to start focusing more on the human threat. The malware is just a tool — the real threat is the human who operates it.

Another one of the difficult challenges when responding to an incident is the ability to quickly recover actionable intelligence from an unknown, never-before-seen malware infection. Once an organization has been compromised, every second counts. Quickly recovering accurate bits of forensic, artifact data while not overwhelming the user with too much other data is a daunting task. Last, but not least, is the fact that the malware authors are specifically trying to hide from or completely subvert most analysis tools and security countermeasures.

Based on your experience, in an ever-changing and evolving threat landscape, what problems do anti-malware vendors face? How can they overcome these issues?
Traditional signature-based, anti-virus techniques are not well suited for combating the ever-exploding list of daily new malware variants. The A/V industry needs to abandon signatures and move towards behavioral- and capability-based detection. This requires technology that can analyze software at a very low level, and it has to work automatically. Historically, signature- based systems did a pretty good job of detecting specific virus variants. This model quickly has fallen down, though, in the face of so many different malware variations.

One of the biggest and hardest problems to solve for any A/V or anti-malware company is what we call the “30 day free trial” problem. Any security vendor who offers a free trial of their security software (which is just about everyone) is at risk of having their software easily subverted. Think about it: What is the easiest way for a malware author to test if their hot new credit-card stealing malware variant is going to be detected out-of-the-box by virus scanners and other security products? The answer is easy: The attacker will go download a 30-day free trial of each of those products and tweak their malware until it’s completely undetectable. It is a very difficult problem for which no really good solution exists. I don’t think software as an industry could sustain not providing free evaluation copies to prospective customers. At the same time, these free trials essentially provide malware authors with 100% free, anytime access to the newest version of most if not all security products. Ultimately the free-trial problem gives malware authors a substantial edge in the cat-and-mouse battle.

Is there an upcoming malware menace we haven’t realized yet, but should be on the lookout for?
There is a menace — it’s the global economy of malware developers and users. There is a great deal of money involved and the criminals who build and disseminate malware are multiplying. Malware is also going to evolve and propagate to new mediums. For example, USB thumbdrive-infecting malware is standard now, and there are already a few smart phone viruses out there banging around. As high-speed networking components and wireless technologies become more prevalent, it’s only going to get worse. Malware is also working itself deeper into the system than ever before. Last year new forms of BIOS infecting malware appeared that can even survive 100% wipe and reinstallation of the operating system. Hypervisor technology was barely out of the virtual box and it already had malware variants waiting for it. It is safe to say going forward that if a hot new technology CAN be used by malware, it WILL be used to house, hide, or facilitate malware.

How has virtualization changed the way researchers analyze malware?
Virtualization makes it much easier and much more feasible to analyze malware. Virtualization has essentially given birth to an age of runtime analysis of malware. In the pre-virtualization days you really only had two choices: First, you could analyze a piece of malware “statically,” which means you load an on-disk copy of the virus or malware into a disassembler tool and look at the code that WOULD run if you did execute it. Second, you could run the suspected virus code — thereby infecting your computer with the virus which is also non-ideal for obvious reasons.

Fortunately we now live in a world where fast, viable, virtualization of an entire Windows operating system is possible. This advance has opened the door for a whole new class of automated runtime analysis tools that instrument and collect data on a REAL, RUNNING copy of the suspected malware package. This is especially important when you consider that today many malware packages are “packed” or self-decompressing, making them all but impossible to analyze using traditional, static, non-runtime-based techniques.

Since cybercriminals have realized the impact their research can do to their bottom line, we keep seeing increasingly sophisticated attacks of a targeted nature. How will these attacks impact the life of the average Internet user who spends most of its time on social networking sites?
Social networking sites are a growing area of attack. You can search on LinkedIn, for example, and find 375 nuclear physicists who have worked at Lawrence Livermore National Lab. Social networking allows attackers to single out specific groups of individuals, and with targeted attacks on the rise, this is a significant threat.

The average Internet users can do a lot to educate and protect themselves. In general, it is absolutely critical to keep up-to-date with your operating system’s security patches. It is specifically very important to keep your Internet browser software updated as well since most malware infections today exploit security flaws in your Internet browser. Finally, if you’re searching the Web with your favorite search engine and you encounter a link that looks potentially suspicious, try clicking on the “Preview” or “Cached” link if one is available. Many times this “preview” feature will allow you to view a safe, sanitized, offline copy of the Website in question which is usually enough information to determine if it is a site actually worth visiting.

What tools would you recommend to those interested in learning more about malware analysis?
On the commercial side of things, malware analysis doesn’t get any easier than using HBGary’s Responder product. You can trace all of the behavior of a malware program in just minutes. If you are on a budget or want to use free tools, you can download a number of great freeware utilities and tools.

For virtualization, you can download “Sun VirtualBox” or VMWare’s freeware version of ESX which is called ESXi. You can also download a free debugger called “OllyDbg” that is an easy-to-use, GUI based usermode debugger that is very useful for single-step debugging certain malware packages. I’d also recommend the Microsoft-built debugger “windbg”, especially if you’re interested in researching kernel mode malware components. Microsoft also provides some very useful, free system utilities called “Process Explorer”, “ProcMon”, “FileMon”, and “RegMon” (Previously from SysInternals).