This year, we had the privilege of attending the 21st Virus Bulletin International Conference in Barcelona, Spain.
Researchers from Trend Micro presented three topics in the corporate stream and one topic in the technical stream. Ethan YX Chen covered file-fraction reputation for the technical stream on day 1. For the corporate steam on day 2, Max Goncharov presented on traffic direction systems as malware distribution tools while David Sancho and Rainer Link talked about the lessons they learned while sinkholing botnets. Trend Micro global director of education David Perry talked about the missing metrics of malware.
Among the different topics that were presented in this conference, we got hooked on those in the technical stream. Here’s a rundown of what we found particularly interesting.
A Mobile Malware Jail
The presentation entitled, “An OpenBTS GSM Replication Jail for Mobile Malware,” by Axelle Apvrille discussed the challenges security researchers faced when analyzing mobile threats.
As she said, the golden rule of antivirus is not to spread any malware that we are analyzing. However, when testing malware, sometimes it is necessary to connect to the Internet or to other connections during analysis in order to verify or analyze their routines. Analysis is easier to do on malware affecting computers since it is easy to isolate them from the Internet and still be able to see what they do. Mobile malware, however, are not as easy to confine since there are no wires to unplug in order to analyze them.
Since we don’t want to risk infecting our co-workers’ smartphones while trying to analyze a mobile malware, we need a way to be able to analyze mobile malware effectively without putting other users at risk.
Ms. Apvrille’s solution for this is to create a dummy GSM service operator. This is a cheaper solution compared with building a Faraday cage but it is as effective in confining the malware. It uses OpenBTS, an open source, Unix-based application, and a Universal Software Radio Peripheral (USRP) device. How cheap is cheap? Around US$1,000. Still expensive but we believe this is a good investment for antivirus companies due to the growing number of mobile malware.
Fraud and Stealth Malware
The presentation about fraud malware analysis showed us that FAKEAV/fake tools have been around for some time now and will probably be there for even longer because of their capability to adapt to changes in the computing landscape.
According to the report, we may even expect such threats to adapt to mobile platforms in the coming years.
File Reputation Research
In his presentation, Tim Ebringer of Microsoft brought out the issue regarding difficulties with finding other malware samples related to one particular file. This was similar to Ethan YX Chen’s paper wherein he proposed a solution to combine reputation- and content-based solutions. He offered a different perspective on the efforts to fight against today’s highly polymorphic, micro-distribution malware.
There are a lot of malware families right now so how can we say that a certain sample belongs to a certain malware family?
For the popular ones (Autorun, OnlineGames, FAKEAV), there is no problem but for the not-so-popular ones (RAMNIT, SYSWRT), the likelihood of placing the sample in a new family is high, therefore, damaging the malware taxonomy.
With Bindex, all malware samples are divided into blocks of code and stored in a database. If a new sample that is being analyzed by an engineer contains an interesting code snippet, he/she can search the database using the snippet and find related malware. If the result turns out to be very broad (e.g., composed of different families) then the code snippet that he/she searched may be a compiler code.
Being able to identify a compiler code can help avoid false alarms since the engineer will then know that the code should not be used as a malware signature. Overall, we think this application is of great help in creating heuristic detections.
VB2011 was a great experience for meeting other people in the antimalware industry. In sum, the learning we gained during the conference will definitely help us become even stronger in our battles against future threats and ultimately be better in providing solutions for and in protecting users.