    This year, we had the privilege of attending the 21st Virus Bulletin International Conference in Barcelona, Spain.

    Researchers from Trend Micro presented three topics in the corporate stream and one in the technical stream. Ethan YX Chen covered file-fraction reputation in the technical stream on day 1. In the corporate stream on day 2, Max Goncharov presented on traffic direction systems as malware distribution tools, while David Sancho and Rainer Link talked about the lessons they learned while sinkholing botnets. Trend Micro global director of education David Perry talked about the missing metrics of malware.

    Among the different topics that were presented in this conference, we got hooked on those in the technical stream. Here’s a rundown of what we found particularly interesting.

    A Mobile Malware Jail

    The presentation entitled “An OpenBTS GSM Replication Jail for Mobile Malware,” by Axelle Apvrille, discussed the challenges security researchers face when analyzing mobile threats.

    As she put it, the golden rule of antivirus is never to spread the malware you are analyzing. Yet a sample often has to be allowed some network access during analysis so that its routines can be observed and verified. For malware that targets computers this is manageable: the analysis machine can be cut off from the Internet and its behavior still watched. Mobile malware is harder to confine because a phone reaches the network over the air; there is no cable to unplug.

    Since we don’t want to risk infecting our co-workers’ smartphones while analyzing mobile malware, we need a way to analyze it effectively without putting other users at risk.

    Ms. Apvrille’s solution is to stand up a dummy GSM network operator of her own. This is cheaper than building a Faraday cage but just as effective at confining the malware: the test phone attaches to the fake base station, so its calls, SMS and data traffic terminate on hardware the analyst controls instead of at a real carrier. The setup uses OpenBTS, an open source, Unix-based base station application, together with a Universal Software Radio Peripheral (USRP) device. How cheap is cheap? Around US$1,000. Still not trivial, but we believe it is a good investment for antivirus companies given the growing volume of mobile malware. One caveat: the jail covers only the cellular side, so Wi-Fi and Bluetooth on the test handset still have to be disabled or confined separately.

    Fraud and Stealth Malware

    The presentation on fraud malware analysis showed that FAKEAV and other fake tools have been around for some time and will probably persist for longer still, because they adapt readily to changes in the computing landscape.

    According to the paper, we can even expect such threats to move to mobile platforms in the coming years.

    The stealth malware presentation covered recently emerging rootkits and bootkits, including the infamous TDL family, Zeroaccess, POPUREB, and Mebromi (also known as MyBios).

    File Reputation Research

    In his presentation, Tim Ebringer of Microsoft raised the difficulty of finding the other malware samples related to one particular file. This is close to the problem Ethan YX Chen’s paper addresses, where he proposed combining reputation- and content-based solutions; Ebringer offered a different perspective on the fight against today’s highly polymorphic, micro-distributed malware.

    There are a great many malware families now, so on what basis can we say that a given sample belongs to a particular one?

    For the popular families (Autorun, OnlineGames, FAKEAV) this is not a problem, but for the less common ones (RAMNIT, SYSWRT) there is a high likelihood of the sample being filed under a brand-new family, which damages the malware taxonomy.

    With Bindex, the tool Ebringer presented, all malware samples are divided into blocks of code and stored in a database. When a new sample under analysis contains an interesting code snippet, the engineer can search the database for that snippet and find related malware. If the result turns out to be very broad (spanning several unrelated families), the snippet searched for is probably compiler-generated code rather than anything specific to the malware.

    Being able to recognize compiler code this way helps avoid false alarms, because the engineer then knows the block must not be used as a malware signature. Overall, we think this application is of great help in creating heuristic detections.
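    The block-index idea described above lends itself to a small worked example. The Python below is an added illustration written for this page; it is not Bindex or any code from Ebringer, Microsoft or Trend Micro. The fixed 8-byte block size, the hypothetical family names (FamilyA, FamilyB, FamilyC) and the sample bytes are all constructed for the demonstration, and it uses raw byte windows where a production tool would want disassembly-aware blocks. It shows the two halves of the workflow: indexing every block of every sample under its family label, then querying a snippet and treating a hit set that spans many families as compiler or library boilerplate that must not become a signature.

```python
import hashlib
from collections import defaultdict

# Added illustration of a block-level code index in the spirit of the approach
# described above. It is NOT Bindex or any Trend Micro/Microsoft code; block
# size, family names and sample bytes are all constructed for the demo.

BLOCK_SIZE = 8  # assumed: bytes per indexed block (tune for a real corpus)


class BlockIndex:
    """Inverted index from a hash of every BLOCK_SIZE-byte window to the
    samples containing it, plus the family label each sample was filed under."""

    def __init__(self, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.postings = defaultdict(set)  # block hash -> {sample name}
        self.samples = {}                  # sample name -> (family, bytes)

    def _blocks(self, data):
        k = self.block_size
        for i in range(len(data) - k + 1):
            yield hashlib.sha1(data[i:i + k]).digest()

    def add_sample(self, name, family, data):
        self.samples[name] = (family, data)
        for h in self._blocks(data):
            self.postings[h].add(name)

    def search(self, snippet):
        """Return (sample names, families) for samples containing `snippet`."""
        if len(snippet) < self.block_size:
            raise ValueError("snippet shorter than one indexed block")
        hashes = list(self._blocks(snippet))
        # Intersect postings: a sample must hold every block of the snippet...
        candidates = set(self.postings.get(hashes[0], ()))
        for h in hashes[1:]:
            candidates &= self.postings.get(h, set())
            if not candidates:
                break
        # ...and then confirm the blocks are contiguous, not merely co-present.
        hits = sorted(n for n in candidates if snippet in self.samples[n][1])
        families = sorted({self.samples[n][0] for n in hits})
        return hits, families


def assess_snippet(index, snippet, max_families=2):
    """Decide whether a snippet is usable as a family signature.
    A snippet shared by more than `max_families` families is treated as
    compiler or library boilerplate, which must not become a detection."""
    hits, families = index.search(snippet)
    if not hits:
        verdict = "unknown"
    elif len(families) > max_families:
        verdict = "likely compiler/library code"
    else:
        verdict = "family-specific"
    return {"hits": hits, "families": families, "verdict": verdict}


# Constructed corpus: a common x86 function prologue (push ebp; mov ebp,esp;
# sub esp,0x40; push ebx/esi/edi) stands in for compiler-emitted code that
# every sample shares, followed by per-family routine bytes.
PROLOGUE = bytes.fromhex("558bec83ec40535657")
DEMO_SAMPLES = [
    ("sample_a1", "FamilyA", PROLOGUE + b"\x68" + b"A-specific-decoder" + b"\xc3"),
    ("sample_a2", "FamilyA", b"\x90" * 4 + PROLOGUE + b"A-specific-decoder" + b"\xc9\xc3"),
    ("sample_b1", "FamilyB", PROLOGUE + b"B-config-parser" + b"\xc3"),
    ("sample_c1", "FamilyC", PROLOGUE + b"C-network-beacon" + b"\xc3"),
]


def build_demo_index():
    index = BlockIndex()
    for name, family, data in DEMO_SAMPLES:
        index.add_sample(name, family, data)
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    for label, snippet in [("prologue", PROLOGUE),
                           ("decoder", b"A-specific-decoder"),
                           ("absent", b"ZZZ-nothing-here")]:
        print(label, assess_snippet(idx, snippet))
```

    Running the file queries three snippets: the shared prologue comes back from all four samples across three families and is flagged as boilerplate, the decoder snippet resolves to FamilyA alone, and an absent snippet returns no hits. The intersection step keeps the query cheap on a large corpus, and the final substring check guards against samples that merely happen to contain every block at scattered offsets.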

    VB2011 was a great experience for meeting other people in the antimalware industry. In sum, what we learned at the conference will help us become even stronger in our battles against future threats and, ultimately, better at providing solutions for and protecting users.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice