Black Hat USA Conference 2012: Anti-Malware Analysis Detection

Security research wizard Rodrigo Rubira Branco discussed how his Dissect.pe Project can bring value to organizations globally.

At the beginning of my sit-in, I learned that the security researchers were all from Brazil.  I have to admit that I love Brazil due to its festive culture and their cuisine. It should definitely be on your vacation bucket list of ‘must-dos’. But what you must also know is that it possesses some of the most dedicated, highly intelligent security researchers in the world. Let's take a briefing on where malware stands today.

Malware has been a huge thorn for the corporate world these days. According to Panda Security, malware has hit a record high of about 26 million new strains found in 2011. This is quite concerning, considering that corporations and government agencies are trending to bring-your-own device (BYOD) laptops, tablets, and smartphones for their employees. This is because organizations must harden security strategies to protect these BYODs against sophisticated malware or otherwise face a possible catastrophic loss of valuable IP data. But detecting these malware payloads is one of the key challenging aspects security intelligence analysts must endure. While attentively listening to the A Scientific (But Non Academic) Study of How Malware Employs Anti-Debugging, Anti-Disassembly and Anti-Virtualization Technologies lecture, I was delivered some fascinating, yet daunting results in the challenge of combating evolving malware.

Security researcher Rodrigo and his colleagues, Gabriel Negreira Barbosa and Pedro Drimel Neto, discussed how counter-detection methods were being used extensively in millions of malware samples which have been analyzed under their Dissect PE Project. This project is a scalable and flexible automated malware analyzer engine that provides feedback to the security community. Dissect PE allows the security researchers to use ‘plugins’ that can use any computer language (C, Perl, Python, etc) to output malware analysis. This project is being made public and allows security researchers, the media, and partners to share their malware code analysis within this portal on a global level. Some interesting facts that I discovered:

• There are 10 dedicated machines located in São Paulo, Bauru and Germany
• It receives 150+ gigabytes of malware samples per day
• A total of 30+ million unique malware samples have been discovered so far

So what?

So why is this important? We already have companies like FireEye, Bit9, Websense, Symantec, Cisco, McAfee and Damballa performing malware analysis. Well, as it turns out, the recent results that Dissect.pe outputted showed that at least four different Anti-Reverse Engineering (Anti-RE) techniques can detect and even compromise software/hardware processes in order to evade malware detection. Let me briefly provide a definition for each one, as the lecture mentioned:

• Anti-Debugging - Techniques to compromise debuggers and/or the debugging process
• Anti-Disassembly - Techniques to compromise disassemblers and/or the disassembling process
• Obfuscation - Techniques to make the signatures creation more difficult and the disassembled code harder to be analyzed by a professional
• Anti-VM - Techniques to detect and/or compromise virtual machines

Even more interesting was the fact that Anti-Virtual Machine detection (Anti-VM) techniques were the most common category discovered. This is because security vendors are commonly using virtual boxes to capture and analyze malware.

So the big question to ask is: Will executives who have purchased commercial security solutions still be awake at night because of insufficient malware detection power? My answer is yes: If security companies are still under the impression that their dedicated malware analyzers are doing an adequate job in determining the presence of malware, then we are in big trouble. This is because malware authors are continuing to rewrite malicious codebases to adapt to these detection systems daily. And with Rodrigo’s findings, it seems the security intelligence community now has a two-fold job in malware analysis: Determining if the threat is malware and if that same malware package is trying to avoid detection by using the four listed techniques!

I have to be forthcoming; I was extremely pleased and ‘sold’ on this project. The real value from using Dissect PE portal serves as a sanity check and as a means to double-check other malware findings on other systems. But as Rodrigo mentioned, there is much more work to be done, and asks other security researchers in the world to include their findings and add their improved algorithms into the project in order to continuously counter these malware evasion techniques.

Rodrigo comically stated that “Brazilians are not that lazy” and they “missed a lot of parties” due to analyzing these millions of samples. But this is the passion that is needed to defeat this never-ending battle against malware.