August 26, 2019

A honeytrap for malware.

I haven’t seen the sixth Mission Impossible movie – and I don’t think I will. I sat through the fifth – in suitably zombified state (returning home on a long-haul flight after a tough week’s business) – but only because one scene in it was shot in our shiny new modern London office. And that was one Mission Impossible installment too many really. Nope – not for me. Slap, bang, smash, crash, pow, wow. Oof. Nah, I prefer something a little more challenging, thought-provoking and just plain interesting. After all, I have precious little time as it is!

I really am giving Tom Cruise and Co. a major dissing here, aren’t I? But hold on. I have to give them their due for at least one scene done really rather well (i.e., thought provoking and plain interesting!). It’s the one where the good guys need to get a bad guy to rat on his bad-guy colleagues, or something like that. So they set up a fake environment in a ‘hospital’ with ‘CNN’ on the ‘TV’ and have ‘CNN’ broadcast a news report about atomic Armageddon. Suitably satisfied his apocalyptic manifesto had been broadcast to the world, the baddie gives up his pals (or was it a login code?) in the deal arranged with his interrogators. Oops. Here’s the clip.

Why do I like this scene so much? Because, actually, it demonstrates really well one of the methods of detecting… unseen-before cyberattacks! There are in fact many such methods – they vary depending on area of application, effectiveness, resource use, and other parameters (I write about them regularly here) – but there is one that always seems to stand out: emulation (about which I’ve also written plenty here before).

Like in the film, the emulator launches the object being investigated in an isolated, artificial environment, which encourages it to reveal its maliciousness.

But there’s one serious downside to such an approach – the very fact that the environment is artificial. The emulator does its best to make that artificial environment as close to a real environment of an operating system, but ever-increasingly smart malware still manages to differentiate it from the real thing, and the emulator observes how the malware has recognized it, so then has to regroup and improve its ’emulation’, and on and on in a never-ending cycle, which regularly opens the window of vulnerability on a protected computer. The fundamental problem is that the functionality of the emulator tries its best to look like a real OS, but never quite does it perfectly to be the spitting image of a real OS.

On the other hand, there’s another solution to the task of behavioral analysis of suspicious objects – analysis… on a real operating system – one on a virtual machine! Well why not? If the emulator never quite fully cracks it, let a real – albeit virtual – machine have a go. It would be the ideal ‘interrogation’ – conducted in a real environment, not an artificial one, but with no real negative consequences.

On hearing about this concept, some may rush to ask why it wasn’t thought of before. After all, emulation has been in the tech-mainstream since 1992 (!) already. Well, it turns out it’s not so simple.

First: analysis of suspicious objects on a virtual machine is a resource-intensive process, suited only to heavyweight enterprise-grade security solutions – where scanning needs to be super intensive so that absolutely zero maliciousness gets through the defenses. Alas, for home computers – much less smartphones – this technology’s not suitable… yet.

Second: actually, we do use this technology – internally here at the Kompany: we use it for internal investigations. But to be used as a market-ready product, we feel it’s just too early yet. Competitors have released similar products, but their effectiveness leaves a lot to be desired. As a rule such products are limited to just collecting logs and basic analysis that can only be called… a sieve!

Third: launching a file on a virtual machine – that’s just the beginning of a very long and tricky process. After all, the aim of the exercise is to have the maliciousness of an object reveal itself, and for that is needed: a smart hypervisor, logging and analysis of behavior, constant fine-tuning of the templates of dangerous actions, protection from anti-emulation tricks, execution optimization, and much more besides. And it is here where, without the false modesty, I can announce that we, truly, are way ahead – of the whole planet!

Recently we were granted a U.S. patent (US10339301) covering the creation of a suitable environment for a virtual machine for conducting deep, rapid analysis of suspicious objects. This is how it works:

  • Virtual machines are created (for different types of objects) with pre-installed settings that ensure both their optimal execution and a maximally high detection rate.
  • The hypervisor of a virtual machine works in tandem with system logging of an object’s behavior and system analysis thereof, helped out by updatable databases of templates of suspicious behavior, heuristics, the logic of reactions to actions, and more.
  • Should suspicious actions be detected, the analysis system enters on-the-fly changes to the process of execution of the object on a virtual machine in order to encourage the object to show its malicious intentions. For example, the system can create files, amend the register, speed up time, and so on.

The last – third – point just these is the most unique and delicious feature of the technology. Let me give you an example to show you how.

The system detects a launched file has ‘fallen asleep’ and no longer manifests any activity. That’s because the object can be programmed to quietly do nothing for several (dozen) minutes (hours) until the beginning of malicious activity. When it does (do nothing), we speed up time on-the-fly inside the virtual machine so that its passes one, three or five minutes per second. The functionality of the file being analyzed doesn’t change, while the time of the wait is lowered by hundreds (or thousands) of times. And if, after its ‘snooze’, the malware decides to check the system clock (has it been ticking?), it will be fooled into thinking it has, and continue with its malicious mission – exposing itself in the process.

Another example:

The object uses a vulnerability of a specific library or tries to change the contents of this or that file or register. At first, with the help of the regular fopen() function, it tries to open the library (or file or register), and if it fails to do so (there’s no library, or no access rights to the file) – then it simply gives up. In such a scenario we change (on-the-fly) the value of the fopen() function from ‘file absent’ to ‘file exists’ (or, if necessary, we create the file itself and fill it with appropriate content), then we simply observe what the object does.

Such an approach works really well also in conditions of logic trees of conduct of the object. For example: if there exist file A and file B, then file C is modified and the job’s finished. However, it’s not known what the file being investigated will do if only one of either file A or file B exists. Therefore, we launch an iteration in parallel and ‘tell’ the file that file A exists but B doesn’t, then we analyze the further logic-tree activity.

What’s important to note is that the rules of reaction to execution of the file are configured by external, easily-updatable databases. To add new logic you don’t need to redevelop the whole engine. All that’s needed is to correctly describe the multitude of possible scenarios of malicious behavior and perform a one-click update.

And that, in a nutshell, is how this technology works. It will soon be added to KATA, and also delivered to the market in the form of separate solutions for enterprise purchasers of Kaspersky Sandbox.

Any questions? Please fire away in the comments.

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email
  • No, thanks

READ COMMENTS 2
Comments 2 Leave a note

    Arthur Champernowne

    Perhaps, if it is so hard to write an emulator which behaves like a real machine, it would be possible to make real machines behave more like emulators.

    0
    Reply to conversation

    Eugene Kaspersky

    That way computers behaving like emulators should distinguish malware from legit software. In that case the problem is solved and all infosec people go do something else :)
    The problem is if computers behave like emulators then this will influence the legit software as well making it useless

    1
    Reply to conversation
Leave a note
Facebook

April 22, 2024

Yakutsk-Tiksi-Yakutsk-2024: first overnight stay – Khandyga.

Hi folks! Herewith, another episode in my  Yakutsk-Tiksi-Yakutsk expedition series… You’ve had my warm-up posts (about winter/ice roads, naleds, and the Kolyma Highway). Now’s come the time to climb behind the wheel and get going!… It all started in Yakutsk. From there we headed east/northeast along the Kolyma Highway for nearly a thousand kilometers. Next, […]

April 17, 2024

1500km on the R504: devilish cold; snow, ice and hoar.

There are many different kinds of roads and highways. There are straight and there are winding; there are smooth and there are bumpy; there are fast-moving and there are snail’s pace; there are ordinary and there are beautiful (rather: ordinary, pretty, beautiful, and mind-blowing). There are plenty of beautiful roads around the world – most […]

April 16, 2024

Water, outside, not frozen – below -40°C. How?!

Our friend, the Far North – even in winter (and up there, in northern Yakutia, even March is winter). The extended winter of the North is a kingdom of eternal snow and ice, extreme cold, and endless white expanses. All the same – and you won’t believe this – you can find H2O in liquid form […]

April 12, 2024

You’ve heard of a road trip. But what about an ice-road trip?!

You’ve had your intro posts already; now, if there are no questions from the audience, I’ll proceed to my next tale from the Far Northern side, which could have been titled “Yakutian ice roads heading north from Kolyma Highway“. But first, I think – an explainer… What is an ice road? And what’s a winter […]

April 9, 2024

My friend, the North. Yakutsk-Tiksi-Yakutsk 2024.

Hi folks! Last week I completed quite possibly my most mind-blowingly awesome trip up to the Far North – from Yakutsk in a northeasterly direction and then further north to Russia’s northern coast. You’ve had a few intro-posts on the expedition already; now for a (slightly) deeper dive… My regular readers will know well how […]

April 4, 2024

Yakutian winter roads, photoshoots on frozen rivers, and 4×4 and other good fun.

Hi folks! You’ve had your aperitifs, finger-nibbles, and soup (one, two, and April 1); now for… a salad starter!… How long have we been road-tripping on Yakutian highways and winter roads? Oh – three weeks already! Time to be heading back home I guess… As usual for my expeditions, I’ve taken a ton of photos […]

More

Travel Vlog

You might also like…