
Malware Fighting

Luis Corrons
PandaLabs Technical Director

Infection Sources

• Web
• Spam
• Social Networks

Social Networks

Spam

Web
Malware server

MPack

• Tracking MPack for 2 months (April & May 2007):
  • 41 different servers with MPack running
  • 366,717 web pages “iframed”
  • More than 1 million users infected (1,217,741)



Who is behind this?



Yesterday’s Bad Guys


• Blaster.B: Jeffrey Lee Parson
• Netsky / Sasser: Sven Jaschan
• CIH: Chen Ing-Hau
• 29-A: Benny



Today’s Bad Guys


• Spam: James Ancheta
• Phishing: Andrew Schwarmkoff
• Spam: Jeremy Jaynes


A Real Case

The “Infected Team”


• MPack
• Dream Downloader
• Limbo
Total Investment: $1,500

Let’s do some maths…


China, Korea, Japan: $0.01 * 70,300 = $703
Finland, Norway…: $0.05 * 70,300 = $3,515
UK, France…: $0.20 * 70,300 = $14,060
USA, Canada: $0.40 * 70,300 = $28,120

And the same numbers in 30 days…


China, Korea, Japan: $0.01 * 70,300 * 30 = $21,090
Finland, Norway…: $0.05 * 70,300 * 30 = $105,450
UK, France…: $0.20 * 70,300 * 30 = $421,800
USA, Canada: $0.40 * 70,300 * 30 = $843,600

Who’s paying the “Infected Team”?

Rogue AntiSpyware

How’s the money being handled?


The Business of Cybercrime

Underground Shopping Cart



– Stolen Accounts
  • FTP accounts: US$1 per account
  • ICQ numbers: from US$1 to US$10 (depending on the ICQ number)
  • RapidShare premium accounts:
    – 1 month: US$5
    – 3 months: US$12
    – 6 months: US$18
    – 1 year: US$28
  • Online shop accounts (megashop.ru, bolero.ru, cup.ru, etc. ALL RUSSIAN): US$50 each
  • 50MB of Limbo Trojan logs: US$30 (contains email accounts, bank account numbers, credit card numbers, etc. A percentage is guaranteed)

– Stolen Accounts
  • Credit cards
    – VISA / MASTERCARD
      » 1 - 10 cards: US$2 (per card)
      » 10 - 100 cards: US$1.5 (per card)
    – AMEX
      » 1 - 10 cards: US$2.5 (per card)
      » 10 - 100 cards: US$2 (per card)
  • Passports:
    – Black and white: US$2
    – Color: US$5

Where to buy?

Malware figures

Malware Feeds (sources feeding the Malware Repository / Collective Intelligence):
• Antimalware companies
• Online services
• Honeypots
• Honeymonkeys
• Malicious URLs
• CERTs
• Panda users
(Charts of malware figures. Source: PandaLabs)
Malware figures

Growth of Rogue AV 2008

(Chart: rogue AV samples per month, January to December 2008; y-axis 0 to 40,000 samples. Source: PandaLabs)
Malware samples received at PandaLabs (data up to December 2008)

(Chart: yearly samples from 2003 to 2008, reaching 20 M. in 2008; year-on-year growth annotated x10, then x2, x2, x2.)

Malware samples received at PandaLabs: forecast 2009

(Chart: 2003 to 2009, with 20 M. in 2008 and 40 M. forecast for 2009; growth annotated x10, then x2, x2, x2.)

There’s a gap in detection of 1-month-old malware. This is the malware that causes 90% of the infections.

Source: University of Michigan, 2008


% of detections seen only during 24 hours

Collective Intelligence

Multi-Scanners
• “Automagic detections”: detection signatures are added based on what other reliable AV scanners detect.
• Good for comparatives
• No classification (verification)
• High false positives
• Malware nomenclature
• Some “cloud-scanning” technologies work like this.
Collective Intelligence

<Program ID:XXXXX Status:unknown. Behavioral traces: log1,… Date/time of appearance: HHMMDDMMYY>
<Program ID:XXXXX Status:Malware W32/XY. Behavioral traces: log2,… Date/time of appearance: HHMMDDMMYY>
…


Collective Intelligence

Static Analysis Process: Meta-Classifier
• Deep static analysis
• Collective data mining and statistical analysis
• Other technologies

Analysis Process → Classification Process → Classification

Dynamic Analysis Process: Classifiers
• Automation
• Emulation and virtualization
Synapsis
• Rule-based malware family ID
• Identification of malware families based on rules.
• Rules consist of binary and/or text strings and a logic expression relating them to each other.
• Traditional logical operators (and, or, not), arithmetic operators (+,-,*,/) and comparison operators (<,>,==).
• File properties: size, characteristics of the sections, functions that it exports or imports, and all the data of the header.
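An added example in the spirit of the Synapsis description above; it is not PandaLabs’ engine or rule format. A rule is a set of named strings plus a condition that combines string hits with file properties using logical, arithmetic and comparison operators. The rule, the sample bytes and all identifier names are constructed for this illustration.

```python
import re

# Constructed sample "file" (not a real binary): MZ/PE markers, a download URL
# and an imported API name, padded to a few KB.
SAMPLE = (b"MZ" + b"\0" * 62 + b"PE\0\0" + b"http://evil.example/dl.php"
          + b"\0" * 16 + b"URLDownloadToFileA\0" + b"\0" * 3000)

# Hypothetical rule: named strings plus a condition mixing logical, arithmetic
# and comparison operators with file properties (filesize, MZ header present).
RULE = {
    "name": "Trojan.Downloader.toy",
    "strings": {
        "$url": re.compile(rb"https?://[a-z0-9./-]+\.php"),
        "$api": re.compile(rb"URLDownloadToFile[AW]"),
    },
    "condition": "$url and $api and filesize < 64 * 1024 and not $no_mz",
}

def file_properties(data):
    """File-level facts a condition may reference."""
    return {"filesize": len(data), "$no_mz": not data.startswith(b"MZ")}

def evaluate(rule, data):
    """True if the file matches the rule. Each string name becomes a boolean
    (found or not); the condition is evaluated over those names and the file
    properties only, with no builtins reachable and no attribute access."""
    env = {name: bool(pat.search(data)) for name, pat in rule["strings"].items()}
    env.update(file_properties(data))
    expr, scope = rule["condition"], {}
    for name, value in env.items():           # '$url' -> 's_url', a valid identifier
        ident = name.replace("$", "s_")
        expr, scope[ident] = expr.replace(name, ident), value
    if not re.fullmatch(r"[\w\s()<>=!+\-*/]+", expr):
        raise ValueError("unsupported token in condition: " + expr)
    return bool(eval(expr, {"__builtins__": {}}, scope))
```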
File Property Detection
• DETECTOR.EXE (1.2MB)
  • Drivers
  • Entry Point = 0
  • Too many sections
  • Non Portable-Executable (PE)
  • Digital Signatures
  • File Infectors
  • EPO, Polymorphic
  • HLL, HLLW or PE Binder
  • Distant PE Header
  • Postpending
  • Unordered last section
  • Installers (Inno Setup, InstallShield, Nullsoft, Thinstall, Wise, Generic)
  • Runtime Packers
  • By signature (ASPack, EXEStealth, EXECryptor, UPX, MEW, PeCompact, Themida, Upack, Yoda, ..)
  • Generic & Unknown !!!
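An added example, not DETECTOR.EXE or any PandaLabs code: a minimal PE header walker that flags several of the file properties listed above (entry point 0, too many sections, distant PE header, postpending, unordered last section, non-PE), together with a constructed PE32 builder used to exercise it. The section-count and header-distance thresholds are assumptions.

```python
import struct

def pe_properties(data, max_sections=12, max_lfanew=0x1000):
    """Return the anomaly names found in a PE image given as bytes."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["non_pe"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["non_pe"]
    if e_lfanew > max_lfanew:                 # PE header far from the MZ stub
        findings.append("distant_pe_header")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    # AddressOfEntryPoint is at offset 16 of the optional header (PE32 and PE32+)
    if struct.unpack_from("<I", data, coff + 20 + 16)[0] == 0:
        findings.append("entry_point_zero")
    if nsections > max_sections:
        findings.append("too_many_sections")
    sect = coff + 20 + opt_size               # first 40-byte section header
    ptrs, raw_end = [], 0
    for i in range(nsections):                # SizeOfRawData, PointerToRawData
        size, ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        ptrs.append(ptr)
        raw_end = max(raw_end, ptr + size)
    if len(ptrs) > 1 and ptrs[-1] < max(ptrs[:-1]):
        findings.append("unordered_last_section")
    if raw_end and len(data) > raw_end:       # data appended after the last section
        findings.append("postpending")
    return findings

def build_pe(nsections=1, entry=0x1000, overlay=b"", e_lfanew=0x40, last_ptr=None):
    """Constructed minimal PE32 blob for exercising the checks; not runnable code."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry)).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, len(opt), 0x102)
    hdr_end = e_lfanew + 4 + len(coff) + len(opt) + 40 * nsections
    secs = b""
    for i in range(nsections):
        ptr = hdr_end + 0x200 * i                 # raw data laid out in order
        if last_ptr is not None and i == nsections - 1:
            ptr = last_ptr                        # force an out-of-order last section
        secs += ((b".s%d" % i).ljust(8, b"\0")
                 + struct.pack("<IIII", 0x200, 0x1000 * (i + 1), 0x200, ptr) + b"\0" * 16)
    return dos + b"PE\0\0" + coff + opt + secs + b"\0" * (0x200 * nsections) + overlay
```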
Emulation & Unpacking
• Types of Unpacking:
  • Runtime
    – Driver
    – Memory dump
  • Static
    – Specific Unpacking Routines
    – Generic Unpacking
    – Emulation

• PVA.EXE (48kb)
  • Specific Unpacking Routines
    – Over 50 packer brands & variants
    – ASPack, ASProtect, BeRoEXEPacker, Cexe, CryptoCrack, EXEShield, EXECryptor, FSG, MEW, MoleBox, NSPack, Obsidium, PCShrink, PECrypt, PECompact, PENinja, PESpin, Petite, Themida WinLicense, UPX, Upack, Yoda’s, eXPressor, tElock, y0da’s Crypter, y0da’s Protector.
  • Generic Unpacking
    – Signature-less static unpacking
  • Emulation
Clustered Grouping
• FLUSTER.EXE (24kb)
• Agglomerative Single Linkage Clustering: algorithm for grouping similar binary files
  1. Each object (file) starts in its own cluster.
  2. The two closest clusters are merged together.
  3. The distance d between two clusters is defined as the minimum distance between any object (file) from each of the clusters.
  4. The result of the algorithm is a hierarchical representation called a dendrogram.

Source: Victor Alvarez. Published in Virus Bulletin, May 2008
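An added example, not FLUSTER.EXE or any PandaLabs code: the four steps above implemented as single-linkage agglomerative clustering over small byte strings. The file distance (Jaccard distance of byte 4-gram sets), the merge-stop threshold and the constructed sample files are my own assumptions.

```python
def ngrams(data, n=4):
    """Set of overlapping byte n-grams; a crude content fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def distance(a, b):
    """Jaccard distance between two files' 4-gram sets (0 = identical)."""
    sa, sb = ngrams(a), ngrams(b)
    union = sa | sb
    return 1.0 - len(sa & sb) / len(union) if union else 0.0

def single_linkage(files, max_distance=1.0):
    """Steps 1-4 of the slide: every file starts as its own cluster, the two
    closest clusters are merged repeatedly, cluster distance is the minimum
    pairwise file distance, and the merges are recorded as a dendrogram of
    nested (left, right, distance) tuples. Stops when one cluster remains or
    the closest pair is farther than max_distance."""
    names = sorted(files)
    d = {(x, y): distance(files[x], files[y]) for x in names for y in names if x < y}
    clusters = {n: [n] for n in names}      # cluster id -> member file ids
    tree = {n: n for n in names}            # cluster id -> dendrogram node
    while len(clusters) > 1:
        best = None
        for a in clusters:
            for b in clusters:
                if a < b:
                    dist = min(d[tuple(sorted((x, y)))]
                               for x in clusters[a] for y in clusters[b])
                    if best is None or dist < best[0]:
                        best = (dist, a, b)
        dist, a, b = best
        if dist > max_distance:
            break
        clusters[a] = clusters.pop(a) + clusters.pop(b)
        tree[a] = (tree.pop(a), tree.pop(b), round(dist, 3))
    return tree, list(clusters.values())

# Constructed samples: two variants of one family, a second family, a clean file.
SAMPLES = {
    "limbo_a": b"MZ" + b"LIMBO-core-v1 " * 20 + b"http://c2.example/gate.php",
    "limbo_b": b"MZ" + b"LIMBO-core-v1 " * 20 + b"http://c2.example/gate2.php",
    "banbra": b"MZ" + b"BANBRA-delphi " * 20 + b"mail.example",
    "notepad": b"MZ" + bytes(range(256)),
}
```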


Automatic Malware Classification
• Malware Genome: graph, entropy and grid computing
• Sample Analysis
  1. IDAPro + IDAPython
  2. Flow Control
  3. Functions’ “Control Flow Graph” (CFG) signatures [Blocks:Axis:FunctionCalls]
  4. Functions’ CRC32 Adjacency Matrix
  5. Functions’ names
  6. Operating System & Library Calls (API)

(Figure: adjacency matrix; columns & rows = graph nodes.)

(Figure: variants of the Bankolimb family.)

Source: Ismael Briones. Virus Bulletin 2008, Ottawa.
Specialized Heuristics
• Very good for specific threats, to keep false positive rates low.
• Specialized heuristics for phishing websites and banking Trojans are implemented in the product.
• Banking Trojans (detection rate):
  • Wspoem 94.56%
  • Sinowal 96.78%
  • Torpig 92.79%
  • Goldun 84.60%
  • Abwiz 94.95%
  • Briz 91.08%
  • Bancolimb (Limbo) 91.38%
  • Dumador 95.58%
  • Bankpatch 100.00%
  • Banco 73.98%
  • Banbra 74.21%
  • …
What’s all this geeky stuff for anyway?

PandaLabs’s Objective: to be the #1 in classification & detection of new malware.
Thanks!
Luis Corrons
luis.corrons@pandasecurity.com

PandaLabs Blog:
http://www.pandalabs.com
