Another Big Thing, Part 1

Created: 23 May 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:49:19 GMT
Stuart Smith

The amount of new malware in the wild is growing quickly. While this is not a new observation, I have seen some claims that behavioral detection may be the answer to this ever-increasing amount of malware. Unlike more traditional types of detection that look at static attributes inherent in a piece of software, such as unique data, code, etc., behavioral detection involves running a possible threat, tracking its behavior with various monitors, and then using the information gathered to determine if it is malicious. As more behavioral detection products emerge, one article asked “Is Desktop Antivirus Dead?” [1]. Hardly, but it is worth a look at why the question even comes up.

Behavioral detection holds out the promise of more zero-day detections, and it reduces the number of updates you need to make to your antivirus software. Note that you cannot safely eliminate updates, since the definition of malicious behavior changes over time. The history of malware, from viruses and worms to spambots and phishing attacks, clearly illustrates this point. Behavioral detection does have its downsides. The more general nature of behavioral detections leads to much more effort spent mitigating false positives. And behavior can be masked from many types of detection. Still, behavioral detection is worth serious consideration.

There are two main steps in behavioral detection: the profiling of behavior, and the categorization of the threat. Both of these steps have challenges. Getting a particular file to generate behavior isn’t always easy, and catching and logging the behavior can be difficult. And once you’ve passed judgment on a set of behaviors, there is still the challenge of associating them with an appropriate source. That last step is critically important for any mitigation or remediation steps you may want to take. So how do you build software that overcomes these challenges?

One of the first decisions you need to make is where you plan to run a potential threat. The best place for generating behavior is an environment identical to the malware’s target host, but isolated so that it cannot cause any real damage. You need to reset and rebuild the whole system every time you run a potential threat, which can take a lot of time and resources. So products will often run a potential threat in a virtualized environment. Although slower than real hardware, a virtual machine has advantages. It can be reset and rebuilt quickly, and is easier to isolate.

While often sizable, the cost to acquire and maintain a product using virtualization is feasible for some organizations, especially compared to the cost of cleaning up every computer after an infection. But costs aside, virtualization has other problems. The most widely-used virtual machines, along with several other less popular ones, can be detected from inside the machine [2]. Even the much-vaunted hypervisor + Pacifica/VT combination can be detected [3]. And many threats simply refuse to run in a virtual environment. If the threat won’t run in your virtual machine, behavioral profiling will not work. In addition to the more advanced detection techniques, attempting to interact with the Internet can be sufficient. It doesn’t require any special skill to open up a connection to a remote website and exit if the results aren’t satisfactory. Many threats exhibit this behavior, not to cleverly avoid detection, but because they are not designed to infect stand-alone computers. If all a program does is query Google and shut down, we cannot say it’s malicious, as much as some other companies might want to. So some threats will get by.
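The two steps named earlier (profiling behavior, then categorizing it and tying it to a source) and the thin-profile case just described can be seen together in a small classifier over a behavior log. This is an added example, not code from the original post and not how SONAR works; the event names, weights, thresholds and the log itself are constructed assumptions.

```python
from collections import defaultdict

# Constructed behavior log: (pid, parent pid, image, event). Not real telemetry.
EVENTS = [
    (100, 1,   "sample_a.exe", "net_connect"),
    (100, 1,   "sample_a.exe", "process_exit"),
    (200, 1,   "sample_b.exe", "file_drop"),
    (200, 1,   "sample_b.exe", "spawn_child"),
    (201, 200, "dropped.exe",  "autorun_write"),
    (201, 200, "dropped.exe",  "inject_remote"),
    (201, 200, "dropped.exe",  "net_connect"),
]

# Hypothetical weights and thresholds, chosen for illustration only.
WEIGHTS = {"net_connect": 1, "file_drop": 2, "spawn_child": 1,
           "autorun_write": 4, "inject_remote": 5, "process_exit": 0}
MALICIOUS_AT = 8   # total score needed for a malicious verdict
MIN_EVIDENCE = 3   # fewer scored events than this: profile too thin to judge

def root_of(pid, parents, launched):
    """Walk the parent chain until reaching a process the analyst launched."""
    seen = set()
    while pid not in launched and pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid

def classify(events, launched):
    """Attribute each event to its launched root sample, then score per root."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    names = {pid: image for pid, _, image, _ in events}
    profile = defaultdict(list)
    for pid, _, _, event in events:
        profile[root_of(pid, parents, launched)].append(event)
    verdicts = {}
    for root, seen_events in profile.items():
        scored = [e for e in seen_events if WEIGHTS.get(e, 0) > 0]
        score = sum(WEIGHTS[e] for e in scored)
        if score >= MALICIOUS_AT:
            verdict = "malicious"
        elif len(scored) < MIN_EVIDENCE:
            verdict = "inconclusive"   # e.g. one connection, then exit
        else:
            verdict = "no detection"
        verdicts[names.get(root, str(root))] = (verdict, score)
    return verdicts

if __name__ == "__main__":
    print(classify(EVENTS, launched={100, 200}))
```

The child's behavior is charged to `sample_b.exe`, the file that would need remediation, while `sample_a.exe` is reported as inconclusive rather than clean or malicious.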

You can also forgo using a virtual environment altogether by detecting and remediating malware as it runs on a host. This is what we do with Symantec Online Network for Advanced Response (SONAR), a technology included in our latest engines (Norton 360, Norton Internet Security 2007 and NAV/SAV 2007). This overcomes some of the downsides of virtualization. In addition, many of our customers are users without the time and resources to dedicate to that approach. To meet their needs, we have to work within those constraints.

That’s it for this blog. Next time, I’ll look at the problems involved in the classification and mitigation of threats.

[1] http://www.pcworld.com/article/id,130455-c,techindustrytrends/article.html - On a side note, it is strange how the marketing spin has transformed the phrase “signature-based malware detection” into the word “Desktop Antivirus”. One would hope behavioral-based detection engines would detect and eliminate viruses. Very Odd.

[2] http://pferrie.tripod.com/papers/attacks2.pdf

[3] http://www.symantec.com/enterprise/security_response/weblog/2006/09/detecting_hardwareassisted_hyp.html