August 09, 2006

Defcon Speakers Team Up to Fight 'Queen Bots'
- By Brian Krebs on Computer Security
original link

Imagine for a moment that our central defense against bank robbers was a technology that recognized criminals based largely upon their physical appearance. Now imagine that the bad guys had figured out a way to rapidly and automatically change not only their facial structure, but their height, weight, clothing and method of attack. The net result those attacks would ultimately be more successful and profitable bank robberies, encouraging the bad guys to step up the frequency and brazenness of their attacks.

That is a rough analogy for describing the dirty little secret of the anti-virus industry today -- that the authors of computer worms and viruses designed to turn regular computers into spam-spewing and data-stealing zombies or "bots" are increasingly outpacing the security vendors, by automatically updating the genetic makeup of their creations before anti-virus companies have time to ship updates to their detection files. As a result, we have an industry whose business is predicated on 10 to 20 percent of its customers being successfully attacked before it can even begin to respond, according to some estimates.

In light of this trend, some security experts say it is high time for anti-virus companies to put aside their competitive interests and partner with the various public-sector malware collection and analysis projects. At the Defcon hacker conference in Las Vegas last week, Internet pioneer Paul Vixie and Georgia Institute of Technology bot researcher David Dagon presented blueprints for an industrywide, automated "malware repository" designed specifically to address the problem of self-updating bot programs, which they called "queen bots."

Queen bots, said Vixie, comprise about half of the known bot programs operating today. They are successful because they can regularly recode themselves on the fly using various "packers," custom programs that can shrink and change a targeted file's appearance. While most anti-virus products can detect malicious files altered by common packer programs, there are a slew of more advanced and stealthy packers emerging each week that presented some tough challenges to the AV companies. On top of that, most of today's self-updating bot programs use multiple packers to further confuse anti-virus programs.

To help with that challenge, Vixie and Dagon have created a "malware repository" that automatically "unpacks" any submitted malware to determine whether the specimen is new or just an obfuscated clone of a known bot program. The process is repeated until the malware is completely unpacked. This allows fully automated analysis, because the system only needs to flag bot malware that includes new components, such as a different exploit or payload. Anonymous users can upload and view aggregate stastics about any samples they share, and users who identify themselves can download a detailed analysis of samples they submit. Users who have been vetted and authenticated can upload and download all malware samples and results of any analysis.

The repository has already attracted tens of thousands of malware contributions from the guys at Shadowserver.org, and the malware collection folks at Nepenthes. Following Dagon's and Vixie's presentation, I spoke with Thorsten Holz, co-founder of the German Honeynet Project, who said he plans to submit some 30,000 malware samples.

Johannes Ullrich, chief research officer for the SANS Institute, said he is in the process of realligning SANS's malware team to regularly contribute to the archive.

"The most difficult part [of malware analysis] is the unpacking, and there are a dozen or so common ones, but then there are a lot of boutique packers that are only used by particular hacking crews," Ullrich said.

Still, the goal is to attract full participation by the anti-virus industry, not just open-source volunteer research groups. Dagon said to the extent that anti-virus companies do share real-time data from their collections with the larger Internet security community today, such sharing tends to take place in isolated, "hostage exchange" type situations, wherein a company will only share information if they can be assured of getting some privileged data from a competitor in return.

"If we really do have 20 percent infection rate [against new bot malware], I would say the anti-virus industry [is] failing to address the problem," Vixie said. "The interesting part of the problem will be compliance monitoring. We want to find the part of malware that is beneficial for competitors to share with each other ... but whenever you set up cooperative agreements, there is a fairly good chance that some [vendors] will share enough that you think they are sharing everything, when they really are keeping the goodies to themselves."

Vixie added that he is optimistic that at least one anti-virus company will soon agree to contribute any samples it receives on a regular and automated basis. "All it takes is one to act and gain an edge for the rest to adapt and level the playing field. [Anti-virus companies] have to understand that if they hoard [new malware samples], then they're going to be lonesome. The early indications are that the old ways will part pretty easily this time."

By Brian Krebs | August 9, 2006; 5:25 PM ET

266 Ferst Drive, Atlanta, GA 30332-0765 | 404-385-4272 | Georgia Institute of Technology | privacy policy