New malware distribution methods threaten signature-based AV

2005-09-01

Oren Drori

Commtouch Software, Israel

Nicky Pappo

Commtouch Software, Israel

Dan Yachin

International Data Corporation (IDC)

Editor: Helen Martin

Abstract

In this article, we identify two new malware distribution methods: short-span attacks and serial variant attacks. We describe their particular distribution patterns, the development of recent attacks, and the potential dangers they present.


Introduction

For some time now, viruses have been designed for rapid distribution during the few hours before anti-virus update signatures are produced (as discussed in a previous article by one of the authors, see [1]). In a recent report IDC stated that achieving high propagation rates is one of the main design goals of malware authors today [2]. Modern viruses and worms are not immune to vaccinations - rather, they are designed to infect as many computers as possible before vaccinations become available.

As a result, a timely response has become a key factor in effective protection against malware, and a major challenge for the AV industry. We have argued that all signature-based methods need powerful complements to provide early-hour (preferably zero-hour) protection.

New distribution methods

In recent months, however, there has been a decided shift in malware distribution patterns. The new breed of malware is distributed in ways that enable attacks to be executed fully before they can be blocked by signatures. Widespread adoption of these new distribution methods could pose a serious threat to signature-based protection methods.

In this article, we identify two new malware distribution methods: short-span attacks and serial variant attacks. We describe their particular distribution patterns, the development of recent attacks, and the potential dangers they present.

Malware distribution patterns

Classic malware uses a viral distribution pattern, in which one infected station infects another, and an epidemic develops. Traditionally, an outbreak of this type would grow gradually and peak after several days (see Figure 1a). This distribution pattern allows AV vendors valuable time to produce and distribute signature updates (although some of the viruses penetrate during the first hours). As powerful and dangerous as these attacks may be, signatures are still effective against them, unlike in the case of short-span attacks.

Figure 1a. Typical viral propagation

Figure 1b. Short-span attack

Figure 1c. Serial variants attack

Figure 1. Malware distribution patterns.

Short-span attacks

No doubt the increasing spam-virus symbiosis plays a part in malware distribution patterns. The short-span attack combines the distribution methods of spam with the payload of malware: this type of attack is mass-mailed, mostly without any mechanism for self-propagation.

Typically, an entire short-span attack is completed within a few hours, sometimes within as little as 20 minutes. Outbreak-scale attacks, distributed via zombie networks, can infect many millions of users before signature protection is available. For reference, large zombie-based spam attacks distribute 100-200 million messages within five to seven hours.

Unlike viral-propagation attacks, which die slowly, short-span attacks have a spam-like distribution pattern: rapid buildup, a steady distribution rate throughout the attack, and an almost instant drop-off (see Figure 1b). According to IDC, this technique is highly effective for Trojan distribution, and is often used in financially-motivated attacks [2].

In many short-span attacks, AV vendors do not develop a signature at all, since it would be obsolete by the time it was released.

During the month of June 2005 alone, Commtouch identified four short-span malware attacks, which were completed within one to seven hours (see Figure 2).

Attack                      Named by     Date       Intensity  Span
Goldun.BA                   [Commtouch]  03-Jun-05  Medium     1 hour
Goldun.BB                   [Commtouch]  17-Jun-05  Medium     45 minutes
Flooder.Agent-1             [ClamAV]     19-Jun-05  Low        1 hour
Flooder.Agent-1, variant    [ClamAV]     20-Jun-05  Low        1 hour
Beagle.BQ                   [Symantec]   26-Jun-05  Very high  7 hours

Figure 2. Short-span malware attacks in June 2005 (measured by Commtouch Labs).

The most severe of these attacks was Beagle.BQ, which started and finished within seven hours. Of 20 major AV engines tested independently by VirusTotal, 10 did not manage to produce a signature before the end of the outbreak. Twenty-four hours later, seven AV engines still had no signature for it at all (see Figure 3).

Figure 3. Beagle.BQ short-span attack. Sources: attack intensity based on data from Commtouch Software [3], signature updates based on VirusTotal [4].

Beagle.BQ was one of the most intense attacks seen so far in 2005, perhaps the single most forceful one. Faced with it, 35% of commercial AV users obtained adequate protection only halfway through the attack, and 50% of products failed to provide adequate protection throughout the entire attack.

Serial variant attacks

Serial variant attacks not only make use of the early-hour vulnerability window in traditional AV methods, but extend it by a cumulative factor.

A series of variants, prepared in advance, are launched at timed intervals. Each of the variants requires a new signature; each outbreak therefore enjoys its own window of opportunity, its own open distribution time, unimpeded by signatures. The overall window of vulnerability of the attack is the cumulative vulnerable time span of the individual variants (see Figure 1c).

To maximize the vulnerability period, the malware distributor uses a larger number of variants. Theoretically, if an unlimited number of variants could be added to the series, it would mean extending the window of vulnerability indefinitely.

In order to maximize distribution intensity - the number of infections or penetrations per hour - the malware distributor would aim to release the variants at very closely-spaced intervals.

Example: MyTob. One example of a low-volume, long-term serial variant attack is MyTob, which released on average one new variant every day over the course of six months (see Figure 4 for the list of variants in July 2005).

Even though the functionality of the different MyTob variants is identical, a new signature must be produced for each one. Considering an average production cycle of 10 hours (see [5]), and a new variant every day, this means that the average paying AV user is unprotected from MyTob for 10 out of 24 hours, or 42% of the time.

27-Jul  W32/Mytob-HU
26-Jul  W32/Mytob-DX
25-Jul  W32/Mytob-BV
25-Jul  W32/Mytob-DW
23-Jul  W32/Mytob-HM
23-Jul  W32/Mytob-HN
21-Jul  W32/Mytob-IN
21-Jul  W32/Mytob-DV
21-Jul  W32/Mytob-DU
20-Jul  W32/Mytob-CX
20-Jul  W32/Mytob-DT
18-Jul  W32/Mytob-DS
18-Jul  W32/Mytob-DR
18-Jul  W32/Mytob-DQ
13-Jul  W32/Mytob-DP
13-Jul  W32/Mytob-DN
12-Jul  W32/Mytob-DM
12-Jul  W32/Mytob-DL
12-Jul  W32/Mytob-DK
11-Jul  W32/Mytob-DJ
10-Jul  W32/Mytob-DI
 9-Jul  W32/Mytob-DH
 8-Jul  W32/Mytob-AS
 7-Jul  W32/Mytob-IU
 7-Jul  W32/Mytob-DG
 7-Jul  W32/Mytob-DE
 7-Jul  W32/Mytob-DF
 7-Jul  W32/Mytob-DD
 5-Jul  W32/Mytob-DC
 5-Jul  W32/Mytob-DB
 5-Jul  W32/Mytob-CY
 1-Jul  W32/Mytob-CW

Figure 4. Serial variants MyTob attack.

Example: Beagle. At the other end of the spectrum are attacks that maximize distribution density by releasing multiple variants within a short time span. One good example is the Beagle attack of 1 March 2005 (Beagle.BB-BF) - an aggressive, high-volume attack that included no fewer than 15 different new variants in a single day, or almost one new variant per hour.

At the end of the day, Kaspersky's team recounted the news [6]: 'Today we have already intercepted 15 new pieces of malware produced by the author of Beagle. The newest variants follow hard on the heels of our updates and we suspect that the author is creating new variants every time we release updates to block previous versions.'
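As an added example (not part of the original article), the following Python model computes the cumulative window of vulnerability described for serial variant attacks, for both the MyTob cadence (one variant per day against a 10-hour signature cycle) and the Beagle cadence (about one variant per hour). It assumes uniform release intervals and the same 10-hour signature latency for every variant; overlapping per-variant windows are merged, which is what turns closely spaced releases into one continuous exposure.

```python
"""Cumulative 'window of vulnerability' of a serial variant attack.

Each variant released at time r is assumed to spread unblocked until its
signature ships at r + latency. When variants arrive faster than signatures
can be produced, the windows overlap, so the exposed time is their union.
All times are in hours. The 10 h latency and the two release cadences are the
figures quoted in the article; the uniform spacing is a modelling assumption.
"""


def vulnerable_windows(release_times, latency):
    """Merge per-variant windows [r, r + latency] into disjoint intervals."""
    merged = []
    for start in sorted(release_times):
        end = start + latency
        if merged and start <= merged[-1][1]:
            # Overlaps or abuts the previous window: extend it instead.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def unprotected_fraction(release_times, latency, horizon):
    """Share of [0, horizon] during which some variant has no signature yet."""
    covered = 0.0
    for start, end in vulnerable_windows(release_times, latency):
        covered += max(0.0, min(end, horizon) - max(start, 0.0))
    return covered / horizon


def periodic_releases(interval, count):
    """Release times for `count` variants spaced `interval` hours apart."""
    return [i * interval for i in range(count)]


# MyTob-style cadence: one variant per day for 30 days (constructed span).
mytob = periodic_releases(24.0, 30)
# Beagle.BB-BF cadence: 15 variants in one day, about one per hour.
beagle = periodic_releases(1.0, 15)

if __name__ == "__main__":
    print(f"MyTob exposure over 30 days: {unprotected_fraction(mytob, 10.0, 30 * 24.0):.0%}")
    print(f"Beagle exposure over 24 h:   {unprotected_fraction(beagle, 10.0, 24.0):.0%}")
    print("Beagle merged windows:", vulnerable_windows(beagle, 10.0))
```

With the daily cadence the exposure comes out at 10/24 (the article's 42%); with hourly releases the fifteen 10-hour windows chain into a single 24-hour window, so the user is unprotected for the whole day.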

Conclusion

In the past two to three years, malware developers have zeroed in on the early-hour vulnerability gap of traditional AV protection methods. Focusing on this 'sweet spot', they have developed new ways of distributing malware, which not only use, but also extend the early-hour gap in AV protection dramatically.

So far, these particularly pernicious types of attack are a minority on the landscape of malware. Nevertheless, these aggressive short-span attacks and serial variants have the potential of becoming the norm. If such a thing were to happen, it would represent a game-changing event in the AV industry. We believe it is crucial for the AV industry to prepare immediately the technologies to protect users from emerging early-hour distribution attacks.

Bibliography

[1] Oren Drori, 'Virus outbreak protection: network-based detection', Virus Bulletin, March 2005.

[2] Dan Yachin, 'Zero hour virus protection: defending against the unknown', IDC, August 2005.

[3] Commtouch Software: http://www.commtouch.com/

[4] VirusTotal: http://www.virustotal.com/ . VirusTotal is an independent service that uses multiple anti-virus engines to analyse suspicious files. It facilitates the quick detection of viruses, worms, Trojans, and other kinds of malware detected by each of the anti-virus engines. Data recorded by Commtouch during the outbreak.

[5] Andreas Marx, AV-Test.org, Proceedings of the Virus Bulletin International Conference 2004: http://www.av-test.org/

[6] 'Analyst's Diary', Kaspersky Lab, 1 March 2005: http://www.viruslist.com/
