New malware distribution methods threaten signature-based AV

2005-09-01

Oren Drori

Commtouch Software, Israel

Nicky Pappo

Commtouch Software, Israel

Dan Yachan

International Data Corporation (IDC)
Editor: Helen Martin

Abstract

In this article, we identify two new malware distribution methods: short-span attacks and serial variant attacks. We describe their particular distribution patterns, the development of recent attacks, and the potential dangers they present.


Introduction

For some time now, viruses have been designed for rapid distribution during the few hours before anti-virus update signatures are produced (as discussed in a previous article by one of the authors, see [ 1 ]). In a recent report IDC stated that achieving high propagation rates is one of the main design goals of malware authors today [ 2 ]. Modern viruses and worms are not immune to vaccinations - rather, they are designed to infect as many computers as possible before vaccinations become available.

As a result, a timely response has become a key factor in effective protection against malware, and a major challenge for the AV industry. We have argued that all signature-based methods need powerful complements to provide early-hour (preferably zero-hour) protection.

New distribution methods

In recent months, however, there has been a decided shift in malware distribution patterns. The new breed of malware is distributed in ways that enable attacks to be executed fully before they can be blocked by signatures. Widespread adoption of these new distribution methods could pose a serious threat to signature-based protection methods.

In this article, we identify two new malware distribution methods: short-span attacks and serial variant attacks. We describe their particular distribution patterns, the development of recent attacks, and the potential dangers they present.

Malware distribution patterns

Classic malware uses a viral distribution pattern, in which one infected station infects another, and an epidemic develops. Traditionally, an outbreak of this type would grow gradually and peak after several days (see Figure 1a). This distribution pattern allows AV vendors valuable time to produce and distribute signature updates (although some of the viruses penetrate during the first hours). As powerful and dangerous as these attacks may be, signatures are still effective against them, unlike in the case of short-span attacks.

Malware distribution patterns.

Figure 1a. Typical viral propagation

Malware distribution patterns.

Figure 1b. Short-span attack

Malware distribution patterns.

Figure 1c. Serial variants attack

Figure 1. Malware distribution patterns.

Short-span attacks

No doubt the increasing spam-virus symbiosis plays a part in malware distribution patterns. The short-span attack combines the distribution methods of spam with the payload of malware: this type of attack is mass-mailed, mostly without any mechanism for self-propagation.

Typically, an entire short-span attack is completed within a few hours, sometimes within as little as 20 minutes. Outbreak-scale attacks, distributed via zombie networks, can infect many millions of users before signature protection is available. As a reference, large zombie-based spam attacks distribute 100-200 million messages, within five to seven hours.

Unlike viral-propagation attacks, which die slowly, short-span attacks have a spam-like distribution pattern: rapid buildup, steady distribution rate throughout the attack, and almost instant dropping off (see Figure 1b). According to IDC , this technique is highly effective for Trojan distribution, and is often used in financially-motivated attacks [ 2 ].

In many short-span attacks, AV vendors avoid the trouble of developing a signature that will be obsolete by the time it is released.

During the month of June 2005 alone, Commtouch identified four short-span malware attacks, which were completed within one to seven hours (see Figure 2).

AttackNamed byDateIntensitySpan
Goldun.BA[Commtouch]03-Jun-05Medium1 hour
Goldun.BB[Commtouch]17-Jun-05Medium45 minutes
Flooder.Agent-1[ClamAV]19-Jun-05Low1 hour
Flooder.Agent-1, variant[ClamAV]20-Jun-05Low1 hour
Beagle.BQ[Symantec]26-Jun-05Very high7 hours

Figure 2. Short-span malware attacks in June 2005 (measured by Commtouch Labs).

The most severe of these attacks was Beagle.BQ, which started and finished within seven hours. Of 20 major AV engines tested independently by VirusTotal, 10 did not manage to produce a signature before the end of the outbreak. 24 hours later, seven AV engines still had no signature for it at all (see Figure 3).

Beagle.BQ short-span attack. Sources: attack intensity based on data from Commtouch Software , signature updates based on VirusTotal .

Figure 3. Beagle.BQ short-span attack. Sources: attack intensity based on data from Commtouch Software [ 3 ], signature updates based on VirusTotal [ 4 ].

Beagle.BQ was one of the most intense attacks seen so far in 2005, perhaps the single most forceful one. Faced with it, 35% of commercial AV users obtained adequate protection only halfway through the attack, and 50% of products failed to provide adequate protection throughout the entire attack.

Serial variant attacks

Serial variant attacks not only make use of the early-hour vulnerability window in traditional AV methods, but extend it by a cumulative factor.

A series of variants, prepared in advance, are launched at timed intervals. Each of the variants requires a new signature; each outbreak therefore enjoys its own window of opportunity, its own open distribution time, unimpeded by signatures. The overall window of vulnerability of the attack is the cumulative vulnerable time span of the individual variants (see Figure 1c).

To maximize the vulnerability period, the malware distributor uses a larger number of variants. Theoretically, if an unlimited number of variants could be added to the series, it would mean extending the window of vulnerability indefinitely.

In order to maximize distribution intensity - the number of infections or penetrations per hour - the malware distributor would aim to release the variants at very closely-spaced intervals.

Example: MyTob. One example of a low-volume, long-term serial variant attack is MyTob, releasing, on average, one new variant every day over the course of six months (see Figure 4 for the list of variants in July 2005).

Even though the functionality of the different MyTob variants is identical, a new signature must be produced for each one. Considering an average production cycle of 10 hours (see [ 5 ]), and a new variant every day, this means that the average paying AV user is unprotected from MyTob for 10 out of 24 hours, or 42% of the time.

27-JulW32/Mytob-HU
26-JulW32/Mytob-DX
25-JulW32/Mytob-BV
25-JulW32/Mytob-DW
23-JulW32/Mytob-HM
23-JulW32/Mytob-HN
21-JulW32/Mytob-IN
21-JulW32/Mytob-DV
21-JulW32/Mytob-DU
20-JulW32/Mytob-CX
20-JulW32/Mytob-DT
18-JulW32/Mytob-DS
18-JulW32/Mytob-DR
18-JulW32/Mytob-DQ
13-JulW32/Mytob-DP
13-JulW32/Mytob-DN
12-JulW32/Mytob-DM
12-JulW32/Mytob-DL
12-JulW32/Mytob-DK
11-JulW32/Mytob-DJ
10-JulW32/Mytob-DI
9-JulW32/Mytob-DH
8-JulW32/Mytob-AS
7-JulW32/Mytob-IU
7-JulW32/Mytob-DG
7-JulW32/Mytob-DE
7-JulW32/Mytob-DF
7-JulW32/Mytob-DD
5-JulW32/Mytob-DC
5-JulW32/Mytob-DB
5-JulW32/Mytob-CY
1-JulW32/Mytob-CW

Figure 4. Serial variants MyTob attack.

Example: Beagle.  At the other end of the spectrum are attacks that maximize distribution density, by releasing multiple variants within a short time span. One good example is the Beagle attack of 1 March 2005 (Beagle.BB-BF) - an aggressive, high-volume attack that included no fewer than 15 different new variants in a single day, or almost one new variant per hour.

At the end of the day, Kaspersky's team recounted the news [ 6 ]: 'Today we have already intercepted 15 new pieces of malware produced by the author of Beagle. The newest variants follow hard on the heels of our updates and we suspect that the author is creating new variants every time we release updates to block previous versions.'

Conclusion

In the past two to three years, malware developers have zeroed in on the early-hour vulnerability gap of traditional AV protection methods. Focusing on this 'sweet spot', they have developed new ways of distributing malware, which not only use, but also extend the early-hour gap in AV protection dramatically.

So far, these particularly pernicious types of attack are a minority on the landscape of malware. Nevertheless, these aggressive short-span attacks and serial variants have the potential of becoming the norm. If such a thing were to happen, it would represent a game-changing event in the AV industry. We believe it is crucial for the AV industry to prepare immediately the technologies to protect users from emerging early-hour distribution attacks.

Bibliography

[1] 'Virus outbreak protection: network-based detection', Virus BulletinOrenDrori, March 2005.

[2] 'Zero hour virus protection: defending against the unknown', DanYachin, IDC, August 2005.

[3] Commtouch Software: http://www.commtouch.com/

[4] VirusTotal: http://www.virustotal.com/ . VirusTotal is an independent service that uses multiple anti-virus engines to analyse suspicious files. It facilitates the quick detection of viruses, worms, Trojans, and other kinds of malware detected by each of the anti-virus engines. Data documented by Commtouch, during the outbreak time.

[5] 'Proceedings of the Virus Bulletin International Conference 2004', Andreas Marx, AV-Test.org: http://www.av-test.org/

[6] 'Analyst's Diary', Kaspersky Lab, 1 March 2005 http://www.viruslist.com/

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2018 paper: Analysing compiled binaries using Logic

In this paper Thaís Moreira Hamasaki provides an introduction to some practical applications of SMT solvers in IT security, investigating the theoretical limitations and practical solutions, focusing on their use as a tool for binary static analysis.

VB2018 paper: Internet balkanization: why are we raising borders online?

Nowadays, walls are not just being raised in the real world, but on the Internet as well. Countries want to isolate themselves and shut down the information they are not comfortable with, or the companies they don’t want to do business with. Freedom…

VB2018 paper: Where have all the good hires gone?

Much ink has been spilled on the subject of the information security skills gap, and how difficult it is to hire and retain people for these positions. And yet, we all know someone who has had a hard time finding a suitable position despite having…

VB2018 paper: Little Brother is watching – we know all your secrets!

In their research, Siegfried Rasthofer, Stephan Huber & Steven Arzt evaluated the security level of the most popular family-tracking apps on Android. They assessed the security of the respective apps and conducted assessments of the corresponding…

VB2018 paper: Inside Formbook infostealer

Formbook is an infostealer that has been advertised for sale in public hacking forums since February 2016 by a user with the handle ‘ng-Coder' but only came to public attention after it was extensively used in spam campaigns in late 2017. This paper…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.