FROM TRADITIONAL ANTIVIRUS TO COLLECTIVE INTELLIGENCE
PANDA'S TECHNOLOGY EVOLUTION

Technology Paper by Panda Research
research.pandasecurity.com

www.pandasecurity.com
FROM TRADITIONAL ANTIVIRUS TO COLLECTIVE INTELLIGENCE    Pag. 2

Content

1 Abstract                                                  3

2 The malware landscape                                     4
2.1 Antivirus laboratories under attack                     4
2.2 Malware techniques and design                           5
    2.2.1 Targeted Attacks: staying below the radar         5
    2.2.2 Malware QA                                        5
    2.2.3 Rootkits and sandbox detection techniques         6
    2.2.4 Runtime-packers                                   6
    2.2.5 Botnets                                           7
    2.2.6 Staged infection vectors                          8
    2.2.7 "Malware 2.0"                                     8

3 Panda’s Technology Evolution                              9
3.1 First Generation: Antivirus                             9
3.2 Second Generation: Anti-malware                         9
3.3 Third Generation: Proactive technologies               10
    3.3.1 Uncloaking techniques                            10
    3.3.2 TruPrevent® Behavior Analysis                    10
    3.3.3 TruPrevent® Behavior Blocking                    12
    3.3.4 Genetic Heuristics                               13
3.4 Collective Intelligence                                14
    3.4.1 Benefiting from Community Knowledge              14
    3.4.2 Automated Malware Protection Process             15
           3.4.2.1 Automated malware collection            15
           3.4.2.2 Automated malware classification        15
           3.4.2.3 Automated malware remediation           16
    3.4.3 Gaining Knowledge on Malware Techniques          16
    3.4.4 Deploying Security Services “from-the-cloud”     17
    3.4.5 A note on white-listing                          17

4 Conclusion                                              19

5 References                                              20

1. Abstract

There is more malware than ever being released in the wild, and antivirus companies
relying on signatures to protect users cannot keep up with the pace of creating
signatures fast enough. As a result, the current installed base of anti-malware solutions
is proving to be much less effective against the vast amounts of threats in circulation.

As we have been able to prove in a recent research study, even users protected with
anti-malware and security solutions with the latest signature database are infected by
active malware. Complementary approaches and technologies must be developed and
implemented in order to raise effectiveness to adequate levels.

This paper presents the fourth generation of security technologies by Panda Security, called
Collective Intelligence. The Collective Intelligence allows us to maximize our malware
detection capacity while at the same time minimizing the resource and bandwidth
consumption of protected systems.

The Collective Intelligence represents an approach to security radically different to the
current models. This approach is based on an exhaustive remote, centralized and real-time
knowledge about malware and non-malicious applications maintained through the
automatic processing of all elements scanned.

One of the benefits of this approach is the automation of the entire malware detection
and protection cycle (collection, analysis, classification and remediation). However
automation in and by itself is not enough to tackle the malware cat-and-mouse game.
With large volumes of malware also come targeted attacks, and response time in these
scenarios cannot be handled by automation of signature files alone.

The other main benefit that the Collective Intelligence provides is that it allows us to gain
visibility and knowledge into the processes running on all the computers scanned by it.
This visibility of the community, in addition to automation, is what allows us to tackle not
only the large volumes of new malware but also targeted attacks.

                                                                     Written and reviewed by:
                                                  Pedro Bustamante, Senior Research Advisor
                                                         Iñaki Urzay, Chief Technology Officer
                                                   Luis Corrons, Technical Director PandaLabs
                                             Josu Franco, Director of Corporate Development

2. The malware landscape

It is a known fact by all security professionals that there are more malware samples
infecting users than ever before.

Malware writers have realized they can gain large amounts of money from distributing
malware. The shift in motivation for creating malware, combined with the use of advanced
techniques, has resulted in an exponential growth of criminally professional malware
being created and distributed to infect unsuspecting users.

Also known as a type of targeted attack, this new malware dynamic has become the next big
plague for users and companies alike. Gartner estimates that by the end of 2007 75% of
enterprises will be infected with undetected, financially motivated, targeted malware that
evaded their traditional perimeter and host defenses2.

2.1 Antivirus laboratories under attack

Nowadays antivirus laboratories are under a constant and increasingly frequent distributed
denial of service attack. The security industry is literally being saturated with
thousands of new malware samples every day.

Each one of these new samples needs to be looked at by an analyst trained in reverse
engineering in order to create a signature, which is costly and resource intensive from a
corporate and business perspective.

Some companies are trying to deal with the problem by increasing the number of analysts
at the labs3 or by advocating for stronger intervention4 by Law Enforcement5 to help ease
the workload by convicting the most active malware creators.

Figure 1: Unique samples received at PandaLabs 2004 to 2007 (monthly counts from April
2004 to March 2007, y-axis from 0 to 14.000 samples; chart not reproduced)

Initiatives to get law enforcement more involved are definitely a necessary step in the
right direction but unfortunately it seems an insufficient solution for the short term, as
the number of variants is increasing incrementally and most of the time only the “mules”
and “script kiddies” are actually convicted.

The more advanced malware writers, who are selling their code to spammers, mafias and
criminals, are more evasive and harder to catch. In addition, the lack of resources at
most law enforcement agencies around the world, tied to insufficient international
cooperation and coordination among them, makes for a difficult task when trying to arrest
a suspect or known cyber criminal. In
the long run both a technological and a social approach are needed if we want to solve
this problem.

In addition, malware writers are getting sophisticated and reverse engineering some of the
latest common threats requires a higher level of knowledge and a larger amount of time
dedicated to each sample than historically. Because of this situation antivirus engineers
can no longer be employed “by the numbers” to create hundreds of thousands of signatures
every few months.

2.2 Malware techniques and design

The main difference between past viruses and today’s malware is that the lifecycle has
been significantly shortened and the objectives refined: to steal identities, use
computers as spam bots, steal online banking credentials, credit card information, web
logins, etc.

More importantly, today’s malware is designed to not raise any alarms. Unlike in the past,
where viruses and worms were designed to spread to as many computers as possible without
user intervention, generating a lot of noise and media awareness, today’s criminal malware
wants to be as inconspicuous as possible. In order to achieve its objective, malware today
uses advanced techniques to evade detection and “fly low”.

2.2.1 Targeted Attacks: staying below the radar

One of the main strategies used by Targeted Attacks for staying below the radar is to
distribute few copies of many variants6.

In the past a single virus or worm was responsible for infecting hundreds of thousands and
even millions of computers. Visibility of these situations was very obvious for antivirus
labs.

Nowadays malware only infects a few hundred PCs before updating itself with a new,
undetectable variant to avoid detection by regular antivirus signatures. The underlying
issue is: how does an antivirus lab become aware of such an infection if it is only
affecting a handful of users?

2.2.2 Malware QA

An older technique used incrementally by malware today is basic QA testing. This is done
by testing each variant against the most common antivirus engines to make sure it goes
undetected by the majority of them.

This task is greatly simplified by online-scanning services such as Jotti, VirusTotal, the
antivirus vendors’ online scanning services7 and online sandboxing services such as
Cwsandbox, Norman and Anubis.

Malware creators also count on customized tools to automate testing of new malware against
signatures, heuristics and even behavioral analysis technologies. With these tools malware
writers can test the quality of their creations off-line, without risking having the
sample sent to the antivirus laboratories via the above-mentioned online scanning
services.

The objective of malware QA testing is not so much to avoid detection by all scanners and
all proactive techniques (generic signatures, heuristics, behavior analysis, behavior
blocking, etc.) but to avoid the majority of them. Given its objective of staying below
the radar, it is not worth creating the most undetected malware if it is only going to
live for a few hours or days.

2.2.3 Rootkits and sandbox detection techniques

Another common detection evading technique which is gaining momentum8 is the use of
rootkit techniques within Trojan and Spyware samples. When used by malware, rootkits
create yet another barrier for being detected, especially as advanced rootkit detection
technologies have not yet been deployed to all mass-production security solutions.

It also means that the antivirus laboratories need to spend more time analyzing kernel
mode drivers than user-mode samples. For example LinkOptimizer, which has been seen
in-the-wild in recent months, is able to determine if the machine it is about to infect
has security, debugging or system monitoring tools installed. It also checks if it is
running in a Virtual Machine environment. If these checks are matched it silently exits
and does nothing.

Labs that depend on VMs will have to go to great lengths to be able to install certain
LinkOptimizer samples in order to analyze them in depth.

At the time of writing few anti-malware and security suites include some basic form of
rootkit detection such as low-level access cross-view against API-level calls, but most
have not yet incorporated the more advanced rootkit detection and deactivation techniques
found in free, stand-alone anti-rootkit utilities9.

Overall the use of rootkits by malware creators keeps steadily growing and this has become
a problem for antivirus laboratories that approach malware reverse engineering in a
traditional manner and need to analyze each sample one by one.

Not only are the antivirus labs having problems with rootkits, but companies are also
starting to experience the negative effects of rootkits in business, especially when they
are used for corporate espionage10.

In order to get a better idea of the problem on real users’ machines we have gathered all
known and unknown rootkit detections by our free utility Panda Anti-Rootkit11 between the
months of December 2006 and June 2007 and mapped the distribution of rootkits within
malware in the wild. The resulting “Top 5 rootkits in the wild” are shown in figure 2
below, which shows a great increase in the use of kernel-mode rootkits.

2.2.4 Runtime-packers

Perhaps the most common technique to try to evade detection by anti-malware products is
the use of obscure runtime packers with anti-debugging and anti-virtualization
techniques.

These types of tools can modify and compress an executable file by encrypting and
changing its form from its original format. The final result is a modified executable
which, when executed, does exactly the same thing as the original code, but from the
outside has a completely different form and therefore evades signature-based detection
unless either the engine has the specific unpacking algorithm or it is able to unpack it
generically.

Malware writers caught up to this approach and we are now even seeing
malware which uses either modified versions of known packers or even creates its own
runtime packing routine specifically for its malware samples12.

In order to address this problem, Panda’s engineers have created both generic packer
detectors and generic unpacking algorithms which can detect unknown packers and try to
unpack them.

However, a more effective solution will be to at least flag the newly created runtime
packers as suspicious altogether. Some off-the-shelf perimeter solutions already do this
by default. Even some host-based security solutions are using this approach by flagging
these types of samples as malicious, as is becoming obvious from the different detection
names used by the different anti-malware engines13.

The impact of such an approach to proactive packer detection is not without cost. While
speaking to other anti-malware vendors during the 2007 International Antivirus Testing
Workshop in Iceland it became apparent that doing so in corporate environments was a good
approach, but vendors with a high install base on the consumer market could face such a
high wave of false positives that the solution could potentially be worse than the
problem itself.

    Top Rootkit        User-mode    Kernel-mode    Prevalence

    1 Beagle.Fu                         x            6.20%
    2 NaviPromo            x                         5.73%
    3 Rustock.A                         x            1.20%
    4 Flush.K              x                         1.01%
    5 Oddysee.B                         x            0.20%

Figure 2: Top Rootkits in the Wild as detected by Panda Anti-Rootkit from December 2006 to
June 2007

2.2.5 Botnets

According to some studies approximately 11% of computers worldwide are infected by bots,
which are responsible for sending up to 80% of all spam14. A large portion of the money
made by cyber criminals stems from botnets.

The control of these large networks of compromised machines is sold or rented to perform
certain types of cyber-criminal activities, from sending spam runs, distributed denial of
service attacks, renting of proxies, keylogging, pay per click installs, adware
installations and stored passwords to man in the middle attacks, etc.

PandaLabs has witnessed on-line wars between different bot gangs to win over hijacked PCs.
Even though some evidence suggests that there are many PCs belonging to Fortune 500
companies which are controlled remotely by bot herders to send out spam15, the reality is
that virtually every corner of the Internet is infested by bots.

Even though traditional botnets are controlled via IRC, new P2P and HTTP based botnets
which use stronger communication encryption are becoming popular among cyber-criminals in
order to evade detection and shutdown.
2.2.6 Staged infection vectors

It’s nothing new that most of today’s malware has a tendency to use a two-staged attack as
its main infection technique, either by exploiting known or zero-day vulnerabilities or by
using small downloaders which change very rapidly to avoid detection.

While in the past it would take malware authors weeks or even months to take advantage of
a vulnerability as its main infection vector, nowadays it’s normal to see exploits in the
wild for vulnerabilities a couple of days after they are known. Even further,
organizations that manage darknets such as Team Cymru are seeing new zero-day exploits in
the wild using stealthier techniques for days and weeks before they are widely known and
before they are massively used by botnets.

Examples such as the GDI, animated cursor and VML vulnerabilities are being exploited by
automated infection frameworks such as Web-Attacker16 and MPack17, which make use of
multiple vulnerabilities to exploit unsuspecting and un-patched users in order to infect
them with a Trojan.

Downloaders have also become common practice for two-staged infection techniques. First a
small file is executed either via a browser drive-by download or a similar exploit. This
file is coded with a single objective in mind: download a second file from a URL and
execute it. This second file in turn is the true Trojan which ends up infecting the
system.

These downloaders have become very advanced. SecuriTeam recently ran a Code Cruncher
competition to create the smallest downloader in the world18. More recently we are seeing
a myriad of graphical tools emerge that simplify the creation of new downloaders19, even
with custom packing techniques to evade detection.

2.2.7 “Malware 2.0”

A current trend in malware creation is that the actual binary that infects the user’s PC
is “dumb” and the intelligence is “in-the-cloud”. The code that resides on the PC has some
simple functions that it passes on to a remotely compromised server. The server then
returns instructions on what to do. Borrowing the (perhaps overused) “2.0” term from
current web trends, we will refer to “Malware 2.0” as malware which separates its
intelligence from its code base.

PandaLabs has reported the “2.0” approach in banking targeted attack Trojans in order to
remotely monitor users’ browsing habits and, based on the online banking landing page and
authentication scheme, inject some type of HTML code or other. Known banking Trojans such
as Limbo/NetHell and Sinowal/Torpig use these techniques quite extensively20.

Other “2.0” techniques recently used by malware are “server-side-compilation”, where the
webserver re-compiles a new binary every few hours. Lastly, botnets are using fast-flux
DNS networks for improved resistance against take-down efforts. These last techniques are
more visible in the recent Storm/Nuwar attacks.
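Section 2.2.7 mentions fast-flux DNS as a take-down resistance technique used by botnets. The Python code below is an added example, not from the paper, of how a defender can score a domain for fast-flux behaviour from its own resolver logs: very short TTLs, many distinct addresses spread across unrelated networks, and a high rate of address churn between consecutive answers. The observations are constructed (documentation and private address ranges), and the thresholds and the grouping by /16 prefix are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from statistics import mean


@dataclass
class DnsObservation:
    """One A-record answer set for a domain as a resolver log would record it."""
    queried_at: int        # seconds since epoch (constructed values)
    ttl: int               # TTL of the returned A records, in seconds
    addresses: list[str]   # IPv4 addresses in the answer


# Assumed thresholds, chosen for illustration rather than measured on real traffic.
SHORT_TTL_SECONDS = 300
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3      # distinct /16 prefixes across all answers
MIN_CHURN = 0.5            # average share of addresses new since the previous answer
FLAG_SCORE = 3             # indicators needed before the domain is flagged


def churn_ratio(observations: list[DnsObservation]) -> float:
    """Average fraction of each answer's addresses absent from the previous answer."""
    ratios = []
    for prev, cur in zip(observations, observations[1:]):
        cur_set = set(cur.addresses)
        if cur_set:
            ratios.append(len(cur_set - set(prev.addresses)) / len(cur_set))
    return mean(ratios) if ratios else 0.0


def fast_flux_score(observations: list[DnsObservation]) -> dict:
    """Combine TTL, address count, network diversity and churn into a flux score."""
    all_ips = {ip for o in observations for ip in o.addresses}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    avg_ttl = mean(o.ttl for o in observations)
    churn = churn_ratio(observations)
    reasons = []
    if avg_ttl <= SHORT_TTL_SECONDS:
        reasons.append(f"short TTL (average {avg_ttl:.0f}s)")
    if len(all_ips) >= MIN_DISTINCT_IPS:
        reasons.append(f"{len(all_ips)} distinct addresses")
    if len(nets) >= MIN_DISTINCT_NETS:
        reasons.append(f"{len(nets)} distinct /16 networks")
    if churn >= MIN_CHURN:
        reasons.append(f"churn {churn:.2f} between consecutive answers")
    return {"score": len(reasons), "flagged": len(reasons) >= FLAG_SCORE,
            "distinct_ips": len(all_ips), "distinct_nets": len(nets),
            "avg_ttl": avg_ttl, "churn": churn, "reasons": reasons}


# Constructed log of four lookups of a fluxing domain: each answer is short-lived and
# rotates to a different set of addresses in unrelated networks.
FLUX_DOMAIN = [
    DnsObservation(1_180_000_000, 180, ["203.0.113.5", "198.51.100.23", "10.44.1.9"]),
    DnsObservation(1_180_000_200, 150, ["192.0.2.77", "172.20.5.60", "203.0.113.140"]),
    DnsObservation(1_180_000_400, 200, ["10.8.200.4", "198.51.100.201", "192.0.2.19"]),
    DnsObservation(1_180_000_600, 120, ["172.31.7.7", "203.0.113.22", "10.44.1.9"]),
]

# Constructed log of an ordinary domain: one stable address with an hour-long TTL.
STABLE_DOMAIN = [
    DnsObservation(1_180_000_000, 3600, ["203.0.113.10"]),
    DnsObservation(1_180_003_600, 3600, ["203.0.113.10"]),
    DnsObservation(1_180_007_200, 3600, ["203.0.113.10"]),
]

if __name__ == "__main__":
    print("flux:  ", fast_flux_score(FLUX_DOMAIN))
    print("stable:", fast_flux_score(STABLE_DOMAIN))
```

Content-delivery networks and round-robin load balancers also answer with short TTLs and many addresses, but those addresses normally sit in a few netblocks and reappear across answers, which is why the network-diversity and churn indicators carry the decision here rather than TTL alone. The score is a triage signal for an analyst or for correlation with other telemetry, not a blocking verdict.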

3. Panda’s Technology Evolution

Dealing with this malware situation using a traditional signature approach has not been
valid for some years now. A complete Host Intrusion Prevention System (HIPS) with advanced
heuristics, deep packet inspection firewall, behavior blocking, behavior analysis and
system and application hardening is an absolute must for any security solution, even
though the sad reality is that about half the solutions on the market do not have these
types of technologies yet21.

At Panda we research and develop 100% of our core anti-malware technologies. This
dedication to innovation has allowed us to lead the way in proactive technology
deployment to the market.

Following a defense-in-depth philosophy, which could be summarized as integrating
different protection technology layers at different infrastructure layers, Panda Research,
a team dedicated to developing new security technologies, developed a new focus to
security protection which is based on the concept of Collective Intelligence.

The Collective Intelligence concept is designed to complement Panda’s integrated desktop,
server and gateway protection to take the battle against today’s malware dynamic head on
and provide the final complement of Panda’s ideal protection model.

Before we dive into explaining Collective Intelligence, let’s do a walk-through of the
different technology generations on top of which Collective Intelligence is built.

3.1 First Generation: Antivirus

The first generation of antivirus products was purely based on signature detection. This
generation of technology occupied most of the 1990’s and included polymorphic engines as
well as basic rule-based MS-DOS, Win32, Macro and, later on, script heuristics. This
period was also marked by the appearance of the first massively used win32 Trojans, such
as NetBus and BackOrifice.

3.2 Second Generation: Anti-malware

Starting in 2000 new types of malware started to emerge, with file-less network worms and
spyware taking the spotlight, causing massive and highly visible epidemics.

Basic antivirus engines evolved to integrate personal firewalls to be able to identify and
stop network worms based on packet signatures, as well as system cleaners to restore
modified Operating System settings such as registry entries, HOST files, Browser Helper
Objects, etc. It is within this second generation of technologies that Panda Security
integrated the SmartClean functionality into the anti-malware engine, designed to
disinfect and restore the Operating System from a spyware or Trojan backdoor infection.

3.3 Third Generation: Proactive technologies

Panda released TruPrevent® behavioral technologies in 2004 after more than three years of
intensive research and development.

Since then, TruPrevent® has evolved into a set of behavioral technologies that are
substantially more effective at blocking zero-day malware proactively, without any
dependency on viral signatures, than any other previous effort in such direction.
TruPrevent® is constantly adapted to new malware techniques and exploits.

TruPrevent® was designed as an additional protection layer to the anti-malware engine.
Currently there are more than 5 million computers running TruPrevent®. All these
computers also act as high-interaction honeypot nodes which report to PandaLabs any new
malware sample that TruPrevent® flags as suspicious and which is not detected by regular
antivirus signatures.

TruPrevent®'s approach consists of scanning each item or potential threat using different
techniques, carrying out in-depth complementary inspections at the different layers of
the infrastructure. The approach to TruPrevent® implementations is modular and therefore
can be applied both to desktops and servers to become full-blown integrated Host
Intrusion Prevention Systems (HIPS).

As an approximate detail of its effectiveness, about two thirds of the new malware samples
received at PandaLabs from our users are now coming from automated submissions from
TruPrevent®. Technically TruPrevent® consists of 2 main technologies: behavioral analysis
and behavioral blocking, also known as system and application hardening. Before going
into each of these let’s take a look at the underlying uncloaking layer which makes
malware visible to these behavioral technologies.

3.3.1 Uncloaking techniques

As malware has evolved so have the techniques used to evade detection and hide from
prying eyes.

To combat these hiding techniques there is an underlying layer of uncloaking technologies
common to all Panda products.

The following techniques are able to inspect any item as deeply as necessary, even if the
item is making use of stealth techniques to remain hidden in the system, and pass on the
results to the scanning and monitoring technologies:

    ·   Deep Code Inspection
    ·   Generic Unpacking
    ·   Native File Access
    ·   Rootkit Heuristic

3.3.2 TruPrevent® Behavior Analysis

Codenamed Proteus, it acts as a true last line of defense against new malware executing
in the machine that manages to bypass signatures, heuristics and behavior blocking.
Proteus intercepts, during runtime, the operations and API calls made by each program and
correlates them before allowing the process to run completely. The real-time correlation
results in processes being allowed or denied execution based on their behavior alone.
As soon as a process is executed, its operations and API calls are monitored silently by Proteus, gathering information and intelligence about that process's behavior. Proteus exhaustively analyses the behavior and is designed to block the malware as soon as it starts performing malicious actions.

If it is determined to be suspicious, the process is blocked and killed before it can carry out all of its actions, and prevented from running again.

Unlike other behavioral technologies, Proteus is autonomous and does not present technical questions to the end user ("Do you want to allow process xyz to inject a thread into explorer.exe or memory address abc?"). If Proteus thinks that a program is malicious it will block it without requiring user intervention.

Most users cannot make informed decisions when it comes to security. Some behavioral products throw non-deterministic opinions (or behavioral indecisions) whose effectiveness depends on the user clicking on the right choice. A key functionality of any behavioral technology must be making decisions without user intervention. Anything less is a potential point of failure.

Our internal statistics show that this technology alone is capable of detecting over 80 percent of the malware in the wild without signatures and without generating false positives.

This technology does not require signature updates, as it is based solely on the behavior of applications. A bot would not be a bot if it didn't behave as such, but if it does so it will be detected by this technology, regardless of its shape or name.

Several third-party tests have been performed on TruPrevent®. Performing tests for behavioral technologies such as TruPrevent, using real-life malware samples, is time-consuming and requires a fair amount of expertise in the field. It is without doubt much more challenging than performing on-demand tests of antivirus scanners against a collection of viruses.

The first test was commissioned by Panda and was performed by ICSALabs, a Division of CyberTrust Corporation, in the fall of 2004. ICSALabs tested the technologies against a set of approximately 100 real malware samples. This first test was designed to verify that the technologies worked against a variety of malware types, rather than to reach a conclusion about the overall effectiveness of the technologies over time.

At the same time, ICSALabs tested TruPrevent® against several sets of legitimate applications, from games to peer-to-peer packages, but was not able to produce any instance of false positives, despite their efforts in this regard.

Another "early" review by PC Magazine USA concluded that "TruPrevent blocked two-thirds of a sample of recent worms, viruses, and Trojans based strictly on behavior. Blocked no legitimate programs. No noticeable impact on system performance."
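The runtime correlation described for Proteus can be illustrated with a small behavior monitor. This is an added example, not Panda's code or the Proteus engine: the behaviour labels, their weights, the blocking threshold and the two API-call traces are constructed for illustration, and the interception itself (which a real product does in the kernel) is replaced by feeding a recorded event list to the monitor. The point it shows is that no single event is blocked; the process is killed the moment the correlated behaviours cross the threshold, without asking the user anything.

```python
"""Runtime behaviour correlation over intercepted API calls.
Added example, not Panda's code: labels, weights, threshold and traces are constructed."""
from dataclasses import dataclass, field


@dataclass
class ApiEvent:
    pid: int
    api: str                       # name of the intercepted call
    args: dict = field(default_factory=dict)


# No single behaviour is conclusive; the monitor correlates them per process
# and blocks once the combination crosses the threshold.
BEHAVIOR_WEIGHTS = {
    "drops_executable": 2,
    "persists_in_autorun": 3,
    "injects_remote_thread": 4,
    "contacts_network": 1,
}
BLOCK_THRESHOLD = 6


def classify_event(ev):
    """Translate one raw API call into a behaviour label, or None if uninteresting."""
    if ev.api == "WriteFile" and ev.args.get("path", "").lower().endswith((".exe", ".dll", ".scr")):
        return "drops_executable"
    if ev.api == "RegSetValue" and "\\currentversion\\run" in ev.args.get("key", "").lower():
        return "persists_in_autorun"
    if ev.api == "CreateRemoteThread" and ev.args.get("target_pid") != ev.pid:
        return "injects_remote_thread"
    if ev.api in ("connect", "InternetOpenUrl"):
        return "contacts_network"
    return None


class BehaviorMonitor:
    """Per-process state built silently as the process runs; no questions to the user."""

    def __init__(self):
        self.observed = {}     # pid -> set of behaviour labels seen so far
        self.blocked = set()   # pids killed and prevented from running again

    def observe(self, ev):
        """Verdict for this event: "allow", or "block" once the score crosses the threshold."""
        if ev.pid in self.blocked:
            return "block"
        label = classify_event(ev)
        seen = self.observed.setdefault(ev.pid, set())
        if label:
            seen.add(label)
        if sum(BEHAVIOR_WEIGHTS[b] for b in seen) >= BLOCK_THRESHOLD:
            self.blocked.add(ev.pid)
            return "block"
        return "allow"


def run_trace(events):
    """Feed a recorded trace to a fresh monitor; returns (verdict per event, blocked pids)."""
    monitor = BehaviorMonitor()
    return [monitor.observe(e) for e in events], monitor.blocked


# Constructed traces. The installer drops a program and checks for updates (score 3):
INSTALLER_TRACE = [
    ApiEvent(100, "WriteFile", {"path": "C:\\Program Files\\Tool\\tool.exe"}),
    ApiEvent(100, "connect", {"host": "updates.example.test"}),
]
# The bot drops a copy, registers it in the Run key and injects into another process:
BOT_TRACE = [
    ApiEvent(200, "WriteFile", {"path": "C:\\Users\\u\\AppData\\Roaming\\svchost32.exe"}),
    ApiEvent(200, "RegSetValue", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                  "value": "svchost32"}),
    ApiEvent(200, "CreateRemoteThread", {"target_pid": 1234}),
    ApiEvent(200, "connect", {"host": "example.test"}),
]

if __name__ == "__main__":
    print(run_trace(INSTALLER_TRACE))   # (['allow', 'allow'], set())
    print(run_trace(BOT_TRACE))         # (['allow', 'allow', 'block', 'block'], {200})
```

The installer never crosses the threshold, so it is allowed throughout; the bot is stopped at its third call, before the network connection it was about to make, and every later event from that pid is refused.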
Figure 3: Panda's integrated endpoint security

3.3.3 TruPrevent® Behavior Blocking

Codenamed KRE (Kernel Rules Engine), this is TruPrevent's second main component, also known as Application Control & System Hardening or Resource Shielding.

Hackers and malware abuse the privileges of legitimate applications to attack systems by injecting code. To prevent these types of attacks generically it is very cost-effective to use rule-based blocking technology which can restrict the actions that authorized applications can perform in the system.

KRE is composed of a set of policies which are defined by a set of rules describing allowed and denied actions for a particular application or group thereof. Rules can be set to control an application's access to files, user accounts, registry, COM objects, Windows services and network resources.

Despite offering a high degree of granularity to administrators for creating custom policies, the Application Control & System Hardening module (KRE) is shipped with a set of default configuration policies which are managed and updated by PandaLabs.

The default policies provide protection against attacks exploiting common weaknesses found in out-of-the-box as well as fully-patched installations of Windows operating systems.
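To make the rule-based blocking concrete, here is an added example of a minimal policy evaluator of the kind the KRE description implies. It is not Panda's code: the resource classes, the rule syntax, the image names and the sample policy for document viewers (which denies dropping executables, spawning processes, writing autorun keys and creating services, while leaving document and network access alone) are constructed for illustration. A real engine enforces this from a kernel hook; here `check()` is called directly with the intercepted operation.

```python
"""Rule-based application control (policy evaluator).
Added example, not Panda's code: resource classes, rule syntax and the sample policy are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    resource: str   # "file", "registry", "com", "service", "network", "process"
    action: str     # e.g. "read", "write", "execute", "create", "connect"
    pattern: str    # glob matched (case-insensitively) against the target name
    verdict: str    # "allow" or "deny"


@dataclass(frozen=True)
class Policy:
    applications: tuple     # image names the policy shields
    rules: tuple            # evaluated in order, first match wins
    default: str = "allow"  # what happens when no rule matches

    def applies_to(self, image):
        return image.lower() in self.applications

    def evaluate(self, resource, action, target):
        for rule in self.rules:
            if (rule.resource, rule.action) == (resource, action) and \
                    fnmatch(target.lower(), rule.pattern.lower()):
                return rule.verdict
        return self.default


# Constructed policy in the spirit of the default policies described above: document
# viewers keep working on documents but may not drop or launch executable code.
OFFICE_POLICY = Policy(
    applications=("winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"),
    rules=(
        Rule("file", "write", "*.exe", "deny"),
        Rule("file", "write", "*.dll", "deny"),
        Rule("file", "write", "*.scr", "deny"),
        Rule("process", "create", "*", "deny"),
        Rule("registry", "write", "*\\currentversion\\run*", "deny"),
        Rule("service", "create", "*", "deny"),
        Rule("network", "connect", "*", "allow"),   # e.g. online help or update checks
    ),
)
POLICIES = (OFFICE_POLICY,)


def check(image, resource, action, target):
    """Verdict a kernel-side hook would enforce for one intercepted operation."""
    for policy in POLICIES:
        if policy.applies_to(image):
            return policy.evaluate(resource, action, target)
    return "allow"   # no policy shields this application: regular behaviour applies


if __name__ == "__main__":
    print(check("winword.exe", "file", "write", "C:\\Users\\u\\AppData\\Local\\Temp\\drop.exe"))  # deny
    print(check("winword.exe", "file", "write", "C:\\Users\\u\\Documents\\report.docx"))          # allow
    print(check("winword.exe", "process", "create", "C:\\Windows\\System32\\cmd.exe"))           # deny
```

Because the rules are keyed on what a legitimate application is expected to do rather than on any property of the payload, the same policy covers an exploit for a vulnerability that is not yet known: a word processor writing an executable is denied regardless of how it was made to do so.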
A recent example of the effectiveness that proactive blocking provides is the never-ending wave of Microsoft Office format vulnerabilities which are being exploited to hide malicious code [24]. These vulnerabilities have been used recently by targeted attacks on certain companies. According to a study of known (patched) and zero-day (un-patched) Microsoft Office vulnerability exploits, an average antivirus signature detection rate of 50% was achieved by all tested antivirus engines. That's a one-in-two chance of being infected by simply opening an exploited Microsoft Word, PowerPoint or Excel document.

On the contrary, behavioral blocking technologies such as TruPrevent proactively prevent Microsoft Word, PowerPoint, Excel, Access, Acrobat Reader, Windows Media Player and other applications from dropping and running any type of executable code on the system. Unlike any antivirus signatures tested, TruPrevent® provides real zero-day protection against any Microsoft Office exploit, known or unknown.

3.3.4 Genetic Heuristics

"Genetic" technologies are inspired by the field of genetics in biology and its usefulness in understanding how organisms are individually identified and associated with other organisms. These technologies are based on the processing and interpretation of "digital genes", which are represented in our case by quite a few hundred characteristics of each file that is scanned.

Codenamed Nereus, the Genetic Heuristic Engine was initially released in 2005. The objective of GHE is to correlate the genetic traits of files by using a proprietary algorithm. The genetic traits define the potential of the software to carry out malicious or harmless actions when executed on a computer. GHE is capable of determining whether a file is innocuous, worm, spyware, Trojan, virus, etc. by correlating the different traits of each item scanned.

GHE can be set to low, medium or high sensitivity, with the obvious trade-off between detection rates and false positives. The different sensitivity levels are designed to be applied to different environments depending on the probability of malware prevalence on each.

For example, at network SMTP gateways we have found that the likelihood of an executable file being malware is very high. Therefore the implementation we have done in our commercial products is of high sensitivity for network-layer e-mail scanning products. However, for storage (or application) layers, where the vast majority of executable code is from legitimate applications, we have implemented GHE with medium sensitivity. With this setting we've been able to maximize detection rates for unknown malware while having a negligible false positive rate.

The results of the GHE so far are excellent. Since its release, roughly one third (cumulative) of the new variants received at PandaLabs from real users' machines have been submitted automatically by the GHE.
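An added illustration of trait correlation with sensitivity levels, not Panda's code or the Nereus algorithm: the eight "digital genes", their weights, the three thresholds and the labelled sample files are all constructed, and the small corpus is only there to show how the detection rate and the false-positive rate move together as the threshold is lowered from low to high sensitivity, which is the trade-off behind choosing high sensitivity at an SMTP gateway and medium sensitivity on storage. A real engine correlates hundreds of traits and returns a family rather than a binary verdict.

```python
"""Trait correlation with sensitivity levels.
Added example, not Panda's code: traits, weights, thresholds and samples are constructed."""

# Constructed "digital genes" with a weight each; negative weights are goodware traits.
TRAIT_WEIGHTS = {
    "entropy_above_7": 3,              # packed or encrypted sections
    "tiny_import_table": 2,            # typical of packed droppers
    "imports_createremotethread": 3,   # code-injection capability
    "imports_wininet": 1,              # network capability
    "autorun_key_string": 3,           # references a Run registry key
    "no_version_info": 1,
    "has_gui_resources": -1,
    "signed_by_trusted_ca": -5,
}

# Lower threshold = higher sensitivity = more detections and more false positives.
SENSITIVITY_THRESHOLDS = {"low": 9, "medium": 6, "high": 4}


def trait_score(traits):
    """Sum the weights of the traits observed on one file."""
    return sum(TRAIT_WEIGHTS.get(t, 0) for t in traits)


def classify(traits, sensitivity="medium"):
    """Binary verdict for one file at the given sensitivity."""
    return "suspicious" if trait_score(traits) >= SENSITIVITY_THRESHOLDS[sensitivity] else "clean"


# Constructed, labelled corpus: (name, is_malware, observed traits).
CORPUS = [
    ("packed_bot", True, {"entropy_above_7", "tiny_import_table", "imports_createremotethread",
                          "imports_wininet", "no_version_info"}),                          # score 10
    ("downloader", True, {"entropy_above_7", "tiny_import_table", "imports_wininet"}),      # score 6
    ("spyware_dll", True, {"autorun_key_string", "imports_wininet", "no_version_info"}),    # score 5
    ("signed_installer", False, {"entropy_above_7", "imports_wininet", "autorun_key_string",
                                 "signed_by_trusted_ca"}),                                 # score 2
    ("packed_game", False, {"entropy_above_7", "has_gui_resources", "no_version_info"}),    # score 3
    ("unsigned_updater", False, {"imports_wininet", "autorun_key_string", "no_version_info"}),  # score 5
]


def detection_stats(corpus, sensitivity):
    """(detected malware, total malware, false positives, total goodware) at one sensitivity."""
    detected = fps = malware = goodware = 0
    for _, is_malware, traits in corpus:
        flagged = classify(traits, sensitivity) == "suspicious"
        if is_malware:
            malware += 1
            detected += flagged
        else:
            goodware += 1
            fps += flagged
    return detected, malware, fps, goodware


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        d, m, f, g = detection_stats(CORPUS, level)
        print(f"{level:7} detection {d}/{m}  false positives {f}/{g}")
```

On this corpus the low setting catches only the heavily packed bot, medium adds the downloader with no false positives, and high catches everything but also flags the unsigned updater, whose traits (network access, an autorun string, no version information) look the same as the spyware's. That is exactly why the trusted-signature trait carries a large negative weight and why the setting is chosen per environment.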
3.4 Collective Intelligence

Today there is over 10 times more malware being distributed than two years ago. The obvious conclusion is that a security solution must detect 10 times more malware to provide adequate protection to users. While a full-fledged HIPS solution raises the bar substantially by detecting and blocking most of these with proactive technologies, it is still possible for unknown malware to slip through its defenses. We need to consider the fact that, while 80% or 90% of proactive effectiveness is relatively speaking an excellent score, in absolute terms it may lead to hundreds or thousands of malware samples being missed over time, since even a small fraction of a large enough number will still be a "big" number.

The Collective Intelligence approach was initially released at the end of 2006 in limited pilots with the objective of being able to reliably detect "10 times more than we are currently detecting with 10 times less effort". Collective Intelligence functions as an online and real-time Security-as-a-Service (SaaS) platform. With over two years of research and development behind it and millions of dollars in investment efforts, it is already paying off by:

1. Benefiting from "community" knowledge to proactively protect others.
2. Automating and enhancing malware collection, classification and remediation.
3. Gaining knowledge on techniques to improve existing technologies.
4. Deploying a new generation of security services from the cloud.

3.4.1 Benefiting from Community Knowledge

Traditional security solutions are architected with a PC-centric philosophy. This means that a PC is treated as a single unit in time and any malware detected within that PC is considered separately from the rest of the malware samples detected in millions of other PCs.

Traditional security companies do not have visibility into what PC a particular piece of malware was first seen on. Neither is there visibility of the continuity of that malware's evolution over time in different PCs.

Most importantly, other PCs do not automatically benefit from proactive malware detections on different PCs. They have to wait for the antivirus lab to receive that specific sample, and then wait for a signature to be created, QA'ed and deployed before other users are protected.

Ultimately this results in traditional approaches being too slow to combat today's rapidly moving malware.

One of the main benefits of the Collective Intelligence approach, in addition to the effectiveness provided by the automation of the malware remediation life-cycle, is the automatic and real-time benefit it provides to the users of the Collective Intelligence Community.

As soon as a malicious process is detected in a user's PC by the Collective Intelligence servers (whether by system heuristics, emulation, sandboxing, behavioral analysis, etc.) the rest of the users worldwide will automatically benefit in real time from that specific detection. This results in close to real-time detection not only of initial malware outbreaks but also of targeted attacks whose objective is infecting a small number of users to stay below the radar.

3.4.2 Automated Malware Protection Process

One of the biggest barriers to raising the bar of reliable malware detection ratios is the fact that the process of creating a signature against a single sample takes too long in the industry. Each malware sample needs to be sent to the lab by an affected user or fellow researcher, and reverse engineered by a lab technician who in turn needs to create a detection signature and disinfection routine for it. These in turn need to be quality-assured, uploaded to production servers, replicated worldwide and finally downloaded and applied by customers.

This entire process is, in most cases, mostly manual and can take anywhere from minutes to hours, days or even weeks, depending on the workload of the lab engineers and other factors such as sample priority, prevalence, damage potential, media coverage, etc.

The process can be delayed even longer when "intelligence" or functionality upgrades to the anti-malware or behavioral engines are involved. It is typical of an anti-malware vendor to upgrade its solutions once or twice a year, as each upgrade has a costly testing and deployment process for corporate customers.

Thanks to the Collective Intelligence infrastructure this entire process of malware collection, classification and remediation can be automated and performed online for the vast majority of samples. Let's walk through the process from the point of view of a computer which has just been exploited and infected by a malicious code.

3.4.2.1 Automated malware collection

The Collective Intelligence (CI) agent gathers information on processes and memory objects and performs queries against the CI central servers, which perform a variety of checks against those.

If certain conditions are met, the suspicious file, or parts thereof, is automatically uploaded, with the user's consent, to the CI servers where it is further processed.

Since processes loaded in memory are not subject to many of the cloaking techniques and "reveal themselves", the agent component does not need to contain a large amount of intelligence and uncloaking routines and can therefore be very light.

Panda has built a vast database of malware samples, which are automatically collected, which in turn provides the CI web-service with a real-time feed of new malware classification entries.

3.4.2.2 Automated malware classification

Server-based processing is not limited by the CPU and memory constraints of personal computers. Therefore scanning routines at the CI servers undergo much more in-depth processing by more sensitive technologies (signature and sensitive heuristics scanning, emulation, sandboxing, virtualization, white-listing, etc.) to reach a final classification.

It is important to note that the scanning power used at the CI servers is only limited by hardware and bandwidth scaling, unlike a typical scenario at a PC, desktop or server machine. Therefore many of the more resource-intensive proactive techniques which PandaLabs is using, and which provide much higher detection rates (at also higher computational cost), can now be used massively for the benefit of the users without even touching valuable customer CPU and memory resources.

With this approach the majority of new malware samples can be analyzed and classified automatically in a matter of minutes. The CI servers are managed by PandaLabs and therefore samples that cannot be classified automatically are ultimately looked at by an analyst at the lab.

3.4.2.3 Automated malware remediation

The remediation module of the CI is in charge of automatically creating detection and disinfection signatures for the samples previously analyzed by the processing and classification module. These signatures are in turn used by the community of CI users to proactively detect and disinfect new or even targeted attacks with very low numbers of infected hosts.

The traditional anti-malware and HIPS solutions have also started to benefit from the CI approach. During the initial 3 months of operation the remediation module has created protection for a few hundreds of thousands of malware samples which have been gradually deployed to our existing products.

One of the main benefits of the Collective Intelligence approach is that these signatures do not need to be downloaded to each client as they operate from the cloud. This however does not mean that the client machine will not need to maintain updated signatures.

A potential threat to such an approach is the availability of the Collective Intelligence servers. However our approach for integration of the Collective Intelligence technology on current solutions is designed as an additional layer of protection. Therefore under non-availability of the platform for whatever reason, security protection would fall back to the regular HIPS solution which provides well above average protection.

3.4.3 Gaining Knowledge on Malware Techniques

Another of the main benefits provided by the community feature of Collective Intelligence is that of giving our engineers insight into new malware techniques and distribution points. Questions such as where a specific piece of malware was first found and how it spread allow us to model additional intelligence into specific malware families and even creators of specific malware variants.

This approach of applying data warehousing and data mining techniques to malware detections by the community provides significant knowledge on how malware and targeted attacks are carried out. The type of knowledge that can be gathered using this approach becomes especially useful if it can be applied to tracking infection origins, which in turn might have some interesting applications and benefits for law enforcement efforts.

3.4.4 Deploying Security Services "from-the-cloud"

We have already developed and deployed a few services that function purely based on the Collective Intelligence platform. These online services are designed to perform in-depth audits of machines and detect malware not detected by the installed security solution.

For consumers and stand-alone PCs we have deployed NanoScan (www.nanoscan.com), which scans a PC for malware actively running, and TotalScan (www.pandasecurity.com/totalscan), which performs a full system scan of the entire PC, including hard drive, memory, email databases, etc.

On the corporate front the requirements for performing an in-depth malware audit are more demanding. Therefore we have created a specific managed service called Malware Radar (www.malwareradar.com). Thanks to this service companies can quickly perform complete audits of their entire network endpoints to verify their level of security, pinpoint non-detected infection sources or unveil machines which have been subject to targeted attacks.

3.4.5 A note on white-listing

Since 2004 there have been some new companies spawned from under the rocks promising to "get rid of the virus problem forever" with a white-listing approach. Initially this approach might have seemed an interesting idea back then. However the challenges presented by a white-listing solution to completely prevent malware are varied. Some of the main shortcomings of a "white-listing only" approach are:

1. There are billions of goodware files vs. the few millions of malware files in existence today. For white-listing to be effective you would have to analyze many more files than malware.

2. Every time a new file has to be added to the white-list, it needs to be analyzed to make sure it is not malicious. Simply adding files to the white-list without analyzing them completely defeats the purpose of a white-list. Otherwise how do you prevent malware from being included on the white-list?

3. Every time a new update or upgrade is made available as a Service Pack or Hotfix for Microsoft Windows, Office, QuickTime, Adobe, Java, etc. the white-listed files need to be re-analyzed and re-created.

4. Managing these white-lists on each computer on a network is a manual and tedious job which needs to be done and which network administrators need to find time to perform.

5. If antivirus laboratories who have hundreds of engineering resources cannot keep up with the pace of analyzing all the malware, how much investment in capital and resources should a white-listing company require in order to keep up with the pace of analyzing 100 times more goodware?

6. Anti-malware updates are delivered to customers via signature databases which are already big in size. However white-listing updates will be much bigger in size. How shall those be delivered to the desktop and companies?

7. What happens when there are new or updated applications that a user or company needs to run which are not included in the white-list? Who will be doing the reverse engineering and analysis of the supposedly benign program and associated files to determine that they are truly non-malicious?

8. What happens when a virus or worm manages to infect files of a white-listed reputable software company's installer package? It has happened in the past a few times already.

Relying exclusively on white-listing technologies might make sense in certain locked down environments such as call centers, ATM machines and the like. But in the vast majority of corporate environments this is not the case.

There have been very active and lively discussions [25][26] lately on the pros and cons of white-listing, especially promoted by the white-listing companies themselves that feed on the "Antivirus is Dead, White-Listing is the solution" rumor.

However the white-listing approach should not be dismissed altogether. It does bring up many interesting opportunities in the fight against malware, but we believe the benefits are much more effective when combined with black-listing and other proactive approaches.

As we have seen during the explanation of the Collective Intelligence platform, a white-listing component is an important aspect for complementing and improving black-list detection and, especially, reducing false positives and processing times.
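The collection, classification and remediation flow of 3.4.2 and the role of a white-listing component from 3.4.5 can both be traced with one small simulation. This is an added example, not Panda's code or the CI protocol: the hash-lookup API, the verdict strings, the consent flag, the `ConnectionError` fallback and the constructed sample bytes are all assumptions made for illustration, and the server-side "deep analysis" is a marker check standing in for emulation and sandboxing. What it shows is the community effect (the second machine to see a sample gets the verdict without any analysis), the white-list effect (known goodware is never re-analyzed), consent gating the upload, and the fallback to local layers when the platform is unreachable.

```python
"""Cloud lookup-and-share flow with a known-good (white-list) cache.
Added example, not Panda's code: the protocol, verdict strings and samples are constructed."""
import hashlib


def fingerprint(data: bytes) -> str:
    """Hash of a process image or memory object; the agent sends this, not the bytes."""
    return hashlib.sha256(data).hexdigest()


class CIServer:
    """Central service holding one verdict per hash, shared by every agent."""

    def __init__(self):
        self.known = {}            # hash -> "malware" | "goodware" (the latter is the white-list)
        self.pending_uploads = set()
        self.analyzed = 0          # how many samples went through the heavy pipeline

    def query(self, digest):
        """Cached verdict, or "unknown" plus a request to upload the object."""
        verdict = self.known.get(digest)
        if verdict is None:
            self.pending_uploads.add(digest)
            return "unknown"
        return verdict

    def upload(self, data):
        """Server-side classification; the marker check is a constructed stand-in
        for emulation, sandboxing and heuristics running with server resources."""
        digest = fingerprint(data)
        self.analyzed += 1
        verdict = "malware" if b"MALICIOUS_MARKER" in data else "goodware"
        self.known[digest] = verdict       # from now on every agent gets this verdict
        self.pending_uploads.discard(digest)
        return verdict


class OfflineServer(CIServer):
    """Stands in for the platform being unreachable."""

    def query(self, digest):
        raise ConnectionError("CI servers unavailable")


class CIAgent:
    """Light on-host component: hashes objects, asks the cloud, uploads with consent."""

    def __init__(self, server, consent=True, local_hips_blocks=frozenset()):
        self.server = server
        self.consent = consent
        self.local_hips_blocks = local_hips_blocks   # hashes the local HIPS layer already blocks

    def check_process(self, data):
        digest = fingerprint(data)
        if digest in self.local_hips_blocks:
            return "block(local-hips)"
        try:
            verdict = self.server.query(digest)
        except ConnectionError:
            # Platform down: the regular HIPS layers remain, nothing else is enforced here.
            return "allow(fallback-local)"
        if verdict == "unknown" and self.consent:
            verdict = self.server.upload(data)
        return {"malware": "block(cloud)", "goodware": "allow(cloud)"}.get(verdict, "allow(unknown)")


def simulate():
    """Walk three agents through constructed samples; returns what each observed."""
    server = CIServer()
    bot = b"MZ constructed dropper ... MALICIOUS_MARKER ..."
    tool = b"MZ constructed benign admin tool ..."
    first, second, no_consent = CIAgent(server), CIAgent(server), CIAgent(server, consent=False)
    results = {}
    results["first_sees_bot"] = first.check_process(bot)              # unknown -> upload -> malware
    results["second_sees_bot"] = second.check_process(bot)            # cached, no second upload
    results["uploads_after_bot"] = server.analyzed
    results["no_consent_sees_tool"] = no_consent.check_process(tool)  # stays unknown, not uploaded
    results["first_sees_tool"] = first.check_process(tool)            # upload -> goodware
    results["second_sees_tool"] = second.check_process(tool)          # white-list hit, no analysis
    results["uploads_total"] = server.analyzed
    results["offline"] = CIAgent(OfflineServer()).check_process(bot)
    results["local_hips"] = CIAgent(server, local_hips_blocks={fingerprint(tool)}).check_process(tool)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:22} {value}")
```

Two samples are analyzed in total however many agents see them, which is the "10 times more with 10 times less effort" argument in miniature; note also that the agent without consent receives no protection for the unknown object until some other community member uploads it.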
4. Conclusion

The latest advances by the black hat and cybercrime communities are taking advantage of the inherent weaknesses in the security industry: (a) the labs are being swamped by more malware which is being created every day, (b) by remaining invisible, users do not perceive the need for additional protection, (c) targeted attacks that only infect very few users are more effective than epidemic attacks that infect millions of users and (d) users tend to trust a single solution or single layer of protection as their main line of defense against malware.

As malware techniques advance in this cat-and-mouse game, security vendors need to add
more layers of protection to keep customers safe. The need for additional protection is
revealed by the fact that a large portion of users with current and updated security
solutions is in fact infected.

To tackle today’s problem we need new layers of protection that take advantage of
automating the entire malware protection cycle, from sample collection, analysis,
classification to remediation. But automation by itself is not enough. We also need visibility
into what’s happening on all PCs in order to detect targeted attacks more efficiently and
gain a competitive edge on malware creators.

The approach developed by Panda Security, called Collective Intelligence, provides all the
benefits of an added layer of defense that provides effective response and protection to
the current malware threats, is able to detect targeted attacks and gains intelligence
thanks to the correlation of all the detections by the community of users.
5. References

1. Research Study: Active Infections in Systems Protected by Updated AntiMalware Solutions. Panda Research. August 2007. http://research.pandasecurity.com

2. Gartner's 10 Key Predictions for 2007. Gartner. December 2006. http://www.eweek.com/article2/0,1895,2072416,00.asp

3. The Zero-Day Dilemma. Security IT Hub. January 2007. http://www.security.ithub.com/article/The+ZeroDay+Dilemma/199418_1.aspx

4. Welcome to 2007: the year of professional organized malware development. F-Prot's Michael St. Neitzel at Hispasec. February 2007. http://blog.hispasec.com/virustotal/16

5. Call the cops: We're not winning against cybercriminals. ComputerWorld. February 2007. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010041

6. The Long Tail: malware's business model. Panda Research. January 2007. http://research.pandasoftware.com/blogs/research/archive/2007/01/08/The-Long-Tail_3A00_-malware_2700_s-business-model.aspx

7. List of online scanners. CastleCops Wiki. http://wiki.castlecops.com/Online_antivirus_scans

8. Kernel Malware. F-Secure. February 2007. http://www.f-secure.com/weblog/archives/archive-022007.html#00001118

9. Antirootkit.com List of Rootkit Detection & Removal Software. http://www.antirootkit.com/software/index.htm

10. Rootkit used in Vodafone Phone Tapping Affair. July 2007. http://www.antirootkit.com/blog/2007/07/12/rootkit-used-in-vodafone-phone-tapping-affair/

11. Panda Anti-Rootkit. April 2007. http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx

12. Packing a punch. Panda Research. February 2007. http://research.pandasoftware.com/blogs/research/archive/2007/02/12/Packing-a-punch.aspx

13. AV performance statistics. OITC & MIRT. Real-time feed of antivirus zero-day detection. http://winnow.oitc.com/avcentral.html

14. Attack of the Zombie Computers Is Growing Threat. The New York Times. January 2007. http://www.nytimes.com/2007/01/07/technology/07net.html?ex=1325826000&en=cd1e2d4c0cd20448&ei=5090

15. 30 Days of Bots Inside the Perimeter. Support Intelligence. March-April 2007. http://blog.support-intelligence.com

16. Web-Attacker Exposed. Websense. November 2006.

17. MPack Uncovered. May 2007. http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf

18. The World's Smallest Downloader. Symantec. December 2006. http://www.symantec.com/enterprise/security_response/weblog/2006/12/worlds_smallest_downloader.html

19. Packing a punch (II). Panda Research. March 2007. http://research.pandasoftware.com/blogs/research/archive/2007/03/20/Packing-a-Punch-_2800_III_2900_.aspx

20. Banking Targeted Attack Techniques. Panda Research. March 2007. http://research.pandasoftware.com/blogs/images/Panda-eCrime2007.pdf

21. Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough. Gartner. January 2007. http://www.gartner.com/teleconferences/attributes/attr_165281_115.pdf

22. A Very Large Honeynet. Panda Research. December 2006. http://research.pandasoftware.com/blogs/research/archive/2006/12/19/A-very-large-malware-honeynet.aspx

23. Panda TruPrevent Personal 2005. PC Magazine USA. November 2004. http://www.pcmag.com/article2/0,1759,1727653,00.asp

24. The Last Great Security Crisis. eWeek. February 2007. http://www.eweek.com/article2/0,1895,2095118,00.asp

25. Comments on "The Decline of Antivirus and the Rise of White-Listing". The Register. June 2007. http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/comments/

26. "More on White-listing". Kurt Wismer. June 2007. http://anti-virus-rants.blogspot.com/2007/06/more-on-whitelisting.html
http://www.websense.com/securitylabs/blog/blog.php?BlogID=94
PANDA SECURITY

Panda SPAIN: Ronda de Poniente, 17. 28760 Tres Cantos. Madrid. SPAIN. Phone: +34 91 806 37 00
Panda USA: 230 N. Maryland, Suite 303. P.O. Box 10578. Glendale, CA 91209 - USA. Phone: +1 (818) 5436 901

www.pandasecurity.com

                                                          © Panda 2007. All rights reserved. 0907-WP-PSD-I-01