New malware distribution methods threaten signature-based AV

2005-09-01

Oren Drori

Commtouch Software, Israel

Nicky Pappo

Commtouch Software, Israel

Dan Yachin

International Data Corporation (IDC)

Editor: Helen Martin

Abstract

In this article, we identify two new malware distribution methods: short-span attacks and serial variant attacks. We describe their particular distribution patterns, the development of recent attacks, and the potential dangers they present.


Introduction

For some time now, viruses have been designed for rapid distribution during the few hours before anti-virus update signatures are produced (as discussed in a previous article by one of the authors, see [1]). In a recent report IDC stated that achieving high propagation rates is one of the main design goals of malware authors today [2]. Modern viruses and worms are not immune to vaccinations - rather, they are designed to infect as many computers as possible before vaccinations become available.

As a result, a timely response has become a key factor in effective protection against malware, and a major challenge for the AV industry. We have argued that all signature-based methods need powerful complements to provide early-hour (preferably zero-hour) protection.

New distribution methods

In recent months, however, there has been a decided shift in malware distribution patterns. The new breed of malware is distributed in ways that enable attacks to be executed fully before they can be blocked by signatures. Widespread adoption of these new distribution methods could pose a serious threat to signature-based protection methods.

In this article, we identify two new malware distribution methods: short-span attacks and serial variant attacks. We describe their particular distribution patterns, the development of recent attacks, and the potential dangers they present.

Malware distribution patterns

Classic malware uses a viral distribution pattern, in which one infected station infects another, and an epidemic develops. Traditionally, an outbreak of this type would grow gradually and peak after several days (see Figure 1a). This distribution pattern allows AV vendors valuable time to produce and distribute signature updates (although some of the viruses penetrate during the first hours). As powerful and dangerous as these attacks may be, signatures are still effective against them, unlike in the case of short-span attacks.

Figure 1. Malware distribution patterns. (a) Typical viral propagation; (b) Short-span attack; (c) Serial variants attack.

Short-span attacks

No doubt the increasing spam-virus symbiosis plays a part in malware distribution patterns. The short-span attack combines the distribution methods of spam with the payload of malware: this type of attack is mass-mailed, mostly without any mechanism for self-propagation.

Typically, an entire short-span attack is completed within a few hours, sometimes within as little as 20 minutes. Outbreak-scale attacks, distributed via zombie networks, can infect many millions of users before signature protection is available. As a reference, large zombie-based spam attacks distribute 100-200 million messages within five to seven hours.

Unlike viral-propagation attacks, which die slowly, short-span attacks have a spam-like distribution pattern: rapid buildup, steady distribution rate throughout the attack, and almost instant dropping off (see Figure 1b). According to IDC, this technique is highly effective for Trojan distribution, and is often used in financially-motivated attacks [2].

For many short-span attacks, AV vendors do not bother to develop a signature at all, since it would be obsolete by the time it was released.

During the month of June 2005 alone, Commtouch identified four short-span malware attacks, which were completed within one to seven hours (see Figure 2).

Attack                    Named by    Date       Intensity  Span
Goldun.BA                 Commtouch   03-Jun-05  Medium     1 hour
Goldun.BB                 Commtouch   17-Jun-05  Medium     45 minutes
Flooder.Agent-1           ClamAV      19-Jun-05  Low        1 hour
Flooder.Agent-1, variant  ClamAV      20-Jun-05  Low        1 hour
Beagle.BQ                 Symantec    26-Jun-05  Very high  7 hours

Figure 2. Short-span malware attacks in June 2005 (measured by Commtouch Labs).

The most severe of these attacks was Beagle.BQ, which started and finished within seven hours. Of 20 major AV engines tested independently by VirusTotal, 10 did not manage to produce a signature before the end of the outbreak. 24 hours later, seven AV engines still had no signature for it at all (see Figure 3).

Figure 3. Beagle.BQ short-span attack. Sources: attack intensity based on data from Commtouch Software [3], signature updates based on VirusTotal [4].

Beagle.BQ was one of the most intense attacks seen so far in 2005, perhaps the single most forceful one. Faced with it, 35% of commercial AV users obtained adequate protection only halfway through the attack, and 50% of products failed to provide adequate protection throughout the entire attack.

Serial variant attacks

Serial variant attacks not only make use of the early-hour vulnerability window in traditional AV methods, but extend it by a cumulative factor.

A series of variants, prepared in advance, are launched at timed intervals. Each of the variants requires a new signature; each outbreak therefore enjoys its own window of opportunity, its own open distribution time, unimpeded by signatures. The overall window of vulnerability of the attack is the cumulative vulnerable time span of the individual variants (see Figure 1c).

To maximize the vulnerability period, the malware distributor uses a larger number of variants. Theoretically, if an unlimited number of variants could be added to the series, it would mean extending the window of vulnerability indefinitely.

In order to maximize distribution intensity - the number of infections or penetrations per hour - the malware distributor would aim to release the variants at very closely-spaced intervals.

Example: MyTob. One example of a low-volume, long-term serial variant attack is MyTob, releasing, on average, one new variant every day over the course of six months (see Figure 4 for the list of variants in July 2005).

Even though the functionality of the different MyTob variants is identical, a new signature must be produced for each one. Considering an average production cycle of 10 hours (see [5]), and a new variant every day, this means that the average paying AV user is unprotected from MyTob for 10 out of 24 hours, or 42% of the time.

Date    Variant
27-Jul  W32/Mytob-HU
26-Jul  W32/Mytob-DX
25-Jul  W32/Mytob-BV
25-Jul  W32/Mytob-DW
23-Jul  W32/Mytob-HM
23-Jul  W32/Mytob-HN
21-Jul  W32/Mytob-IN
21-Jul  W32/Mytob-DV
21-Jul  W32/Mytob-DU
20-Jul  W32/Mytob-CX
20-Jul  W32/Mytob-DT
18-Jul  W32/Mytob-DS
18-Jul  W32/Mytob-DR
18-Jul  W32/Mytob-DQ
13-Jul  W32/Mytob-DP
13-Jul  W32/Mytob-DN
12-Jul  W32/Mytob-DM
12-Jul  W32/Mytob-DL
12-Jul  W32/Mytob-DK
11-Jul  W32/Mytob-DJ
10-Jul  W32/Mytob-DI
9-Jul   W32/Mytob-DH
8-Jul   W32/Mytob-AS
7-Jul   W32/Mytob-IU
7-Jul   W32/Mytob-DG
7-Jul   W32/Mytob-DE
7-Jul   W32/Mytob-DF
7-Jul   W32/Mytob-DD
5-Jul   W32/Mytob-DC
5-Jul   W32/Mytob-DB
5-Jul   W32/Mytob-CY
1-Jul   W32/Mytob-CW

Figure 4. Serial variants MyTob attack.

Example: Beagle. At the other end of the spectrum are attacks that maximize distribution density, by releasing multiple variants within a short time span. One good example is the Beagle attack of 1 March 2005 (Beagle.BB-BF) - an aggressive, high-volume attack that included no fewer than 15 different new variants in a single day, or almost one new variant per hour.

At the end of the day, Kaspersky's team recounted the news [6]: 'Today we have already intercepted 15 new pieces of malware produced by the author of Beagle. The newest variants follow hard on the heels of our updates and we suspect that the author is creating new variants every time we release updates to block previous versions.'
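To make the arithmetic behind the MyTob and Beagle examples concrete, here is an added example (not from the article, Commtouch or any AV vendor) that models the cumulative vulnerability window of a serial variant attack as the union of the per-variant unprotected intervals. It assumes, as the article does, that every variant needs its own signature and that producing and distributing one takes a fixed average time (the 10-hour cycle cited from [5]).

```python
from typing import Iterable, List, Tuple

Interval = Tuple[float, float]  # [start, end) in hours from the first release


def unprotected_intervals(release_hours: Iterable[float],
                          signature_delay: float) -> List[Interval]:
    """Merge the per-variant windows during which no signature exists yet.

    A variant released at time t is unprotected on [t, t + signature_delay).
    Overlapping or touching windows are merged, so the result is the set of
    periods in which at least one unsigned variant is in circulation.
    """
    windows = sorted((t, t + signature_delay) for t in release_hours)
    merged: List[Interval] = []
    for start, end in windows:
        if merged and start <= merged[-1][1]:      # overlaps previous window
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def unprotected_fraction(release_hours: Iterable[float],
                         signature_delay: float, horizon: float) -> float:
    """Fraction of [0, horizon) with at least one unsigned variant active."""
    covered = 0.0
    for start, end in unprotected_intervals(release_hours, signature_delay):
        if end > 0 and start < horizon:
            covered += min(end, horizon) - max(start, 0.0)
    return covered / horizon


def max_concurrent_unsigned(release_hours: Iterable[float],
                            signature_delay: float) -> int:
    """Peak number of variants awaiting a signature at the same moment."""
    releases = sorted(release_hours)
    peak = 0
    for i, t in enumerate(releases):
        # variants released in (t - delay, t] are still unsigned at time t
        active = sum(1 for r in releases[:i + 1] if r > t - signature_delay)
        peak = max(peak, active)
    return peak


if __name__ == "__main__":
    DELAY = 10.0  # average signature production cycle in hours, per [5]
    # MyTob-like pattern: one variant per day for 30 days (constructed schedule)
    mytob = [24.0 * day for day in range(30)]
    print(f"MyTob-like: {unprotected_fraction(mytob, DELAY, 30 * 24):.0%} unprotected")
    # Beagle-like pattern: 15 variants roughly one hour apart (constructed schedule)
    beagle = [float(h) for h in range(15)]
    print(f"Beagle-like: {unprotected_fraction(beagle, DELAY, 24):.0%} unprotected, "
          f"up to {max_concurrent_unsigned(beagle, DELAY)} unsigned at once")
```

With daily releases the windows never overlap and the user is exposed 10/24 of the time, the article's 42%; with hourly releases the windows chain together and there is no signature-protected moment in the whole day.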

Conclusion

In the past two to three years, malware developers have zeroed in on the early-hour vulnerability gap of traditional AV protection methods. Focusing on this 'sweet spot', they have developed new ways of distributing malware, which not only use, but also extend the early-hour gap in AV protection dramatically.

So far, these particularly pernicious types of attack are a minority on the landscape of malware. Nevertheless, these aggressive short-span attacks and serial variants have the potential of becoming the norm. If such a thing were to happen, it would represent a game-changing event in the AV industry. We believe it is crucial for the AV industry to prepare immediately the technologies to protect users from emerging early-hour distribution attacks.

Bibliography

[1] 'Virus outbreak protection: network-based detection', Oren Drori, Virus Bulletin, March 2005.

[2] 'Zero hour virus protection: defending against the unknown', Dan Yachin, IDC, August 2005.

[3] Commtouch Software: http://www.commtouch.com/

[4] VirusTotal: http://www.virustotal.com/ . VirusTotal is an independent service that uses multiple anti-virus engines to analyse suspicious files. It facilitates the quick detection of viruses, worms, Trojans, and other kinds of malware detected by each of the anti-virus engines. Data documented by Commtouch, during the outbreak time.

[5] 'Proceedings of the Virus Bulletin International Conference 2004', Andreas Marx, AV-Test.org: http://www.av-test.org/

[6] 'Analyst's Diary', Kaspersky Lab, 1 March 2005: http://www.viruslist.com/
