
Detecting Mobile Malware Threats

January 16th, 2012

Every couple of years there’s a new “hot threat” in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it’s mobile malware. It’s a recurring cycle, analogous to “blue is the new black” in fashion, if you fancy adopting a certain cynical tone.

Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you’ll uncover that the backstory to many of these “hot threats” often goes back a decade or two. Mobile malware threats are certainly no exception.

A history lesson in the evolution of mobile malware is hopefully not required, beyond saying that today’s hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there’s all too often a stampede towards apparently novel and threat-specific solutions.

Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.

What is the “Mobile Threat”?

When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be “what do you define as the mobile threat?”

The term “Mobile Threat” is amorphous. It has become a catch-all for anything that is not physically tethered to a network, happens to be newish from a technology perspective, and is likely subject to some new (previously unencountered) formulation of evilness. That sounds like a wishy-washy definition (and it is), but catch-alls usually are. Instead, I’d rather focus on one aspect of the Mobile Threat: the mobile malware threat.

As I described in a blog entry illuminating a handful of security predictions for 2012, mobile malware threats continue to be misunderstood. It’s all too easy to dive deep into the various technologies that expose mobile devices to new forms of attack and vectors of compromise; just as it’s rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the “legacy” threat categories we’re already all too familiar with.

You could spin a lot of cycles looking into the “what-ifs” of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things: how do your employees really use their mobile devices, and how are cybercriminals going to monetize their control of these devices?

For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools – of which the most commonly encountered category is “malware” – are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.

When it comes to the cybercriminals that target mobile devices (which constitute the core element of the “Mobile Threat”), it is interesting to note that they’re pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn’t really be a surprise to anyone; it’s all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision: do they target the new platform, or optimize their attacks against the traditional devices? As mobile application use increases, there’s an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.

It’s important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install upon the compromised devices are also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure: business as usual!

The Role Damballa Plays

One of the questions I commonly get asked on the topic is “what has Damballa been doing to defend against the mobile threat?”

In a nutshell, if you’re operating at the network level (e.g. Damballa Failsafe and Damballa CSP) the specifics of the compromised device and any application-level interactions are irrelevant – which is a round-about way of saying that Damballa customers have had defenses against mobile threats before the term made its red carpet début.

What do we do (or have been doing) in combating the mobile threat?

  • Compromised devices that attempt to connect to the servers used by cybercriminals for command and control (C&C) and stolen data drops are identified within customer networks and are alerted upon in real-time. The device operating system, architecture, or communication protocol is irrelevant to this form of detection – and any victim mobile devices are similarly alerted upon.
  • Damballa Labs monitors DNS on a truly global and massive scale. In basic terms, every successful domain-to-IP resolution observed around the world is recorded and used to automatically map relationships between Internet infrastructure components. This live “map” is augmented with streaming threat information and training data to automatically group, cluster and label the servers and hosting infrastructure used by cybercriminal entities.
    In practical terms what this means is that every time cybercriminals register a new domain and point it to one of their servers, or remove/add new servers, or change hosting facilities, or modify their DNS settings, Damballa Labs is able to identify and associate these changes with the specific criminal entity.
  • Dynamic reputation systems such as Damballa Labs’ Notos system provide reliable reputation scoring capabilities for DNS. These technologies are used to detect communications to newly integrated cybercrime infrastructure, independent of whether the domain or IP address has previously been observed as providing C&C functionality.
  • Thousands upon thousands of malware samples and suspicious files are harvested by Damballa Labs every day. Automated systems process these files through a mix of dynamic, static and bare-metal analysis systems in order to extract the network behaviors and characteristics of all newly identified malware. By employing a wide variety of clustering and machine learning systems, new C&C domains and IP addresses are automatically identified and associated with malware families, and in turn, the criminal entities that manage them.
    For example, new Android applications (and updates) published to the major international markets are automatically analyzed. For every application identified as “mobile malware”, any new C&C or related communication is in turn associated with a criminal operator and serves as actionable intelligence within the Damballa product range.
  • Threat analysts target the most important cybercriminal entities for manual analysis and counter intelligence surveillance. Using a variety of tools, aliases, and social engineering tactics, Damballa Labs analysts gain an insider view of the criminal entities. This insight is used to not only track the latest changes with their operations, but also to preempt new attacks and attack vectors.
  • Many times, the malware on the infected device has to search for its C&C, either because the static list of built-in potential C&Cs is out of date, or because it is using a Domain Generation Algorithm (DGA) to bypass static reputation systems. The telltale of that search is a burst of failed (NXDOMAIN) lookups for algorithmically generated names, visible at the recursive resolver. Damballa technologies are able to identify malware that attempts to locate its C&C even if the cybercriminals’ C&C cannot be found (and before any communications can commence).
  • Damballa Labs has visibility of DNS resolution traffic from multiple authoritative DNS servers. Using technologies such as Kopis, we are able to automatically detect malware-related domains at the upper DNS hierarchy independently of (and long before) malware samples being captured by the security community and analyzed. This technology operates independently of the malware, and is able to forecast domains that are being abused for mobile threats long before the mobile application is recognized and classified as malware.
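The two network-level signals in the list above, a lookup of a domain already attributed to a criminal operator and a DGA-style burst of failed lookups from one host, can both be pulled out of ordinary recursive-resolver logs without knowing anything about the querying device. The following is an added example written for this page, not Damballa code: the log layout, the known-C&C mapping and the thresholds are constructed for illustration, and the “registered domain” helper simply takes the last two labels rather than consulting a public-suffix list.

```python
"""Device-agnostic detection of compromised hosts from resolver logs.

Signal 1: a query for a domain attributed to a known C&C operator.
Signal 2: a burst of NXDOMAIN answers for random-looking names from a
single client, which is what a bot running a DGA produces while it hunts
for a live C&C.  All data below is constructed for the example.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) log line layout: "<ISO timestamp> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
2012-01-16T09:00:01 10.0.0.5 www.example.com NOERROR
2012-01-16T09:00:02 10.0.0.5 mail.example.com NOERROR
2012-01-16T09:00:04 10.0.0.5 gooogle.com NXDOMAIN
2012-01-16T09:00:05 10.0.0.9 update-checker.badc2-example.net NOERROR
2012-01-16T09:01:00 10.0.0.7 kqzvxwpm.info NXDOMAIN
2012-01-16T09:01:03 10.0.0.7 tbrxmlqw.info NXDOMAIN
2012-01-16T09:01:07 10.0.0.7 zpqkvdrn.biz NXDOMAIN
2012-01-16T09:01:12 10.0.0.7 fgxwtrjq.info NXDOMAIN
2012-01-16T09:01:18 10.0.0.7 vnmkpqzt.org NXDOMAIN
2012-01-16T09:01:25 10.0.0.7 wrbxqdlp.biz NXDOMAIN
"""

# Constructed: registered domain -> criminal operator label it is attributed to.
KNOWN_C2_DOMAINS = {"badc2-example.net": "operator-A"}


def parse(log_text):
    """Return (timestamp, client, qname, rcode) tuples from the assumed layout."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client,
                       qname.lower().rstrip("."), rcode))
    return events


def registered_domain(qname):
    """Naive: last two labels.  A real system would use a public-suffix list."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(label):
    """Cheap DGA heuristic: long, vowel-poor, high-entropy second-level label.
    A human typo such as 'gooogle' fails the vowel test and is not counted."""
    if len(label) < 7:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio <= 0.3 and shannon_entropy(label) >= 2.5


def known_c2_hits(events):
    """Signal 1: any client resolving a domain attributed to a known operator."""
    hits = []
    for _ts, client, qname, _rcode in events:
        operator = KNOWN_C2_DOMAINS.get(registered_domain(qname))
        if operator:
            hits.append((client, qname, operator))
    return hits


def dga_suspects(events, window=timedelta(seconds=60), min_failures=5):
    """Signal 2: clients with >= min_failures generated-looking NXDOMAINs in one window.
    Returns {client: size of the largest such burst}."""
    failures = defaultdict(list)
    for ts, client, qname, rcode in events:
        label = registered_domain(qname).split(".")[0]
        if rcode == "NXDOMAIN" and looks_generated(label):
            failures[client].append(ts)
    suspects = {}
    for client, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            suspects[client] = best
    return suspects


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for client, qname, operator in known_c2_hits(evs):
        print(f"C&C contact: {client} -> {qname} ({operator})")
    for client, burst in dga_suspects(evs).items():
        print(f"DGA-like NXDOMAIN burst: {client} ({burst} failures)")
```

Neither check needs the operating system or architecture of the client: 10.0.0.9 could be a laptop or a tablet on the corporate WiFi. The NXDOMAIN heuristic is deliberately conservative (several failures from one client inside a short window, and only for names that look machine-generated), because a single misspelled hostname is ordinary user behaviour.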

There’s more of course, but these are probably the most significant technologies and approaches that Damballa products use to keep ahead of the mobile malware threat (that I can mention in public). We’re constantly expanding the list of detection and threat tracking/labeling technologies with new research being published by Damballa Labs on a regular basis.

All-in-all, while the much hyped “mobile threat” is likely to bask in the media spotlight for another year or two, it’s comforting to know that defensive technologies are not only already out there but have been successful in combating the threat for several years already.

– Gunter Ollmann, VP Research


Blacklists and Dynamic Reputation

January 11th, 2012

If you look deep enough, hidden at the darkest recesses of most security technologies deployed within enterprise networks today, you’ll find static reputation systems chugging away doing the grunt work of threat protection. They’re not glamorous and vendors have had a propensity to instruct their sales force (and resellers) to refrain from mentioning them to customers and prospects in recent years. They’re a legacy hangover from the days when cutting-edge security consisted of blacklists and regex signatures.

Static reputation systems are effectively frameworks for managing lists of previously classified goodness or badness – i.e. blacklists and whitelists. Their basic concepts are thoroughly understood and they tend to perform tremendously well as a first-pass filter for many of the most prevalent threat categories. So, despite their aged stature, they are an incredibly valuable tool. In fact, for many threat categories, modern protection products wouldn’t be able to handle traffic volumes if static reputation systems didn’t perform the first pruning of inbound threats. For example, in the world of Anti-Spam up-to-date blacklists of just a few hundred known bad IP addresses can reduce the spam volume that more sophisticated technologies must parse by 90+ percent.

There are however many limitations to static reputation systems. In a world of increasingly agile threats and a fundamentally dynamic (and some would say ‘chaotic’) Internet infrastructure, static reputation systems are simply incapable of keeping pace. Some short-term fixes have been applied – for example, releasing and importing updated blacklists more frequently, or pruning overly long blacklists to the most reliably static data in an attempt to remove “false positives”. Whilst these quick fixes have extended the life of some static reputation systems, the frayed edges have been exposed and are being constantly picked at.

In response to the failures and reducing viability of static reputation systems, a number of dynamic reputation system approaches have come to the fore in recent years. These new approaches seek to be more accurate in discerning goodness and badness, and to dynamically keep pace with agile threats and continuous Internet change.

Dynamic reputation systems aren’t a one-for-one replacement for systems currently dependent upon static reputation. While their protection objectives are similar, their output and delivery are quite different. Static reputation systems are effectively Boolean list technologies; the IP/Domain/URL/etc. is either on the list or it isn’t. Dynamic reputation systems typically operate as a queryable API and provide answers in a “score” format.

These scores can change at a moment’s notice: as new intelligence relating to the IP/Domain/URL/etc. is received, features are extracted and classified, and the score is re-derived in real time. The scores themselves can often be interpreted as probabilities or confidence in a particular threat classification, and are delivered as values between zero and one, or as a percentage.
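To make the Boolean-versus-score distinction concrete, here is an added illustration (written for this page, not Damballa’s Notos or any other product) of the two answer formats side by side. Evidence about a domain arrives over time and is combined as log-odds, so the score is a probability that moves with each new observation; the evidence types, their weights, the 5% prior and the domain names are all hypothetical choices for the example, where a real system would learn the weights from labelled data.

```python
"""Static blacklist vs dynamic reputation score, replayed over a timeline.

A blacklist answers "is it on the list?".  A dynamic reputation system keeps
an evolving estimate of P(malicious) per domain and updates it whenever new
intelligence about that domain (or its hosting) is observed.  Weights and
events are constructed for the example.
"""
import math

STATIC_BLACKLIST = {"old-known-bad-example.net"}     # constructed list

# Hypothetical evidence weights in log-odds units (positive pushes towards "bad").
EVIDENCE_WEIGHTS = {
    "registered_within_7_days": 1.5,
    "shares_ip_with_known_bad": 2.0,
    "queried_by_infected_host": 1.5,
    "registered_over_2_years": -1.5,
    "high_global_query_volume": -2.0,
}

PRIOR_BAD = 0.05   # assumed base rate of malicious domains among those queried


class DomainReputation:
    """Accumulates evidence per domain and exposes a probability-style score."""

    def __init__(self, prior=PRIOR_BAD):
        self._prior_logit = math.log(prior / (1 - prior))
        self._logit = {}                      # domain -> accumulated log-odds

    def observe(self, domain, evidence):
        """Fold one new piece of intelligence in and return the updated score."""
        current = self._logit.get(domain, self._prior_logit)
        self._logit[domain] = current + EVIDENCE_WEIGHTS[evidence]
        return self.score(domain)

    def score(self, domain):
        """P(malicious) in [0, 1]; unseen domains sit at the prior."""
        logit = self._logit.get(domain, self._prior_logit)
        return 1.0 / (1.0 + math.exp(-logit))


def static_verdict(domain):
    """The blacklist answer: on the list or not, nothing in between."""
    return domain in STATIC_BLACKLIST


# Constructed stream of intelligence, in arrival order.
SAMPLE_EVENTS = [
    ("fresh-c2-example.org", "registered_within_7_days"),
    ("cdn.example.com",      "registered_over_2_years"),
    ("fresh-c2-example.org", "shares_ip_with_known_bad"),
    ("cdn.example.com",      "high_global_query_volume"),
    ("fresh-c2-example.org", "queried_by_infected_host"),
]


def replay(events):
    """Return (domain, evidence, static_verdict, dynamic_score) after each event."""
    rep = DomainReputation()
    timeline = []
    for domain, evidence in events:
        score = rep.observe(domain, evidence)
        timeline.append((domain, evidence, static_verdict(domain), round(score, 3)))
    return timeline


if __name__ == "__main__":
    for domain, evidence, listed, score in replay(SAMPLE_EVENTS):
        print(f"{domain:24} {evidence:26} blacklist={listed!s:5} score={score:.3f}")
```

The never-seen C&C domain stays “not listed” throughout, while its score climbs from the 5% prior past 0.85 as hosting and victim-behaviour evidence accumulates; the benign CDN host drifts towards zero. That moving number, rather than a list lookup, is what a consuming product thresholds on, and the threshold can differ by use case (blocking versus alerting) without changing the underlying system.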

If you’re interested in learning more about the limitations of static reputation systems and how dynamic reputation systems have begun to replace them (and why), I’ve released a new reference paper on the topic, “Blacklists & Dynamic Reputation – Understanding Why the Evolving Threat Eludes Blacklists”, which can be found on the Damballa website.

– Gunter Ollmann, VP Research

Chinese Hackers and Cyber Realpolitik

December 16th, 2011

For many people the comments made by Michael Hayden, Former Director of the Central Intelligence Agency, at this week’s Black Hat Technical Security Conference in Abu Dhabi may have been unsettling as he commented upon the state of Chinese cyber espionage.

I appreciate the candor of his observations and the distinction he made between state-level motivations. In particular, his comment “We steal secrets, you bet. But we steal secrets that are essential for American security and safety. We don’t steal secrets for American commerce, for American profit. There are many other countries in the world that do not so self limit.”

Perhaps I grew up reading too many spy stories or watched one-too-many James Bond movies, but I’ve always considered one of the functions of government to be running clandestine operations and uncovering threats to their citizens and their economic wellbeing. The fact that Cyber is a significant and fruitful espionage vector shouldn’t really be surprising. Granted, it’s not as visual as digging a 1,476-foot-long tunnel under Soviet Berlin during the Cold War (the Berlin Tunnel: Operation GOLD (U.S.), Operation STOPWATCH (U.K.)) or as explosive as the French infiltration and eventual destruction of the Greenpeace Rainbow Warrior in New Zealand, but in today’s electronic society cyber espionage is a necessary tool.

Personally, I think you’d struggle to find a country or government anywhere around the world that hasn’t invested resources in building out their cyber espionage capabilities in recent years. It’s a tool of modern statecraft and policing.

While the media tends to focus upon the term “cyber warfare” and its many faceted security and safety ramifications, I think that we often fail to separate a government’s need (or even expectation) to conduct espionage from what would logically be covered by the articles (and declaration) of war. Granted, it all gets a bit fuzzy; just look at the history of the “Cold War”. Perhaps a more appropriate name for the current situation and tensions would be “Cyber Realpolitik”.

China is often depicted as the bogeyman – rightly or wrongly – when it comes to cyber espionage. We increasingly find ourselves drawn into a debate of whether attacks which are instigated or traced back to the country are state-sponsored, state-endorsed, socially acceptable, or merely the patriotic duty of appropriately skilled citizens. The fact of the matter though is that there’s a disproportionate volume of cyber-attacks and infiltration attempts coming from China, targeting North American and European commercial institutions. You may argue that this is an artifact of China’s population but, if that was the case, wouldn’t India feature more highly then? India is more populous and arguably has a better developed education system in the field of information technology and software development – and yet they are rarely seen on the totem pole of threat instigators.

Michael Hayden alludes that China (and other countries) is not opposed to using cyber espionage for commercial advancement and profit, and based upon past observations, I would tend to agree with that conclusion. That said though, I don’t think that any country is immune to the temptation. Given the hoopla of the recent U.S. congressional insider trading fiasco and French presidential corruption, I’m not sure that “self limit” approaches work in all cases.

Cyber Realpolitik is the world we find ourselves living in, and cyber espionage is arguably the latest tool in a government’s clandestine toolkit. We could consume a lot of time debating the ethics and outcomes of modern espionage campaigns but, at the end of the day, it’s a facet of international politics and governmental needs that has existed for millennia. For those commercial entities being subjected to the cyber campaigns directed at them by foreign governments, I don’t believe this threat will be going away anytime in the foreseeable future. Perhaps the noise surrounding the attacks may disappear, but that may just reflect an increase in stealthiness.

– Gunter Ollmann, VP Research.


2012 Security Predictions

December 13th, 2011

As the weeks remaining in 2011 dwindle and 2012 peeks out from behind the last page of the calendar, it must once again be that time of year for purposeful reflection and prediction. Or is that navel gazing and star gazing?

The year still has a couple of weeks to rock on before we can comprehensively summarize the events and trends of 2011. I’m sure there will be a bunch of annual threat reports preempting the end of year – extrapolating trends etc. in order to get the jump on reports that use real data. At the highest level of navel gazing you could probably sum up 2011 with one word – “More”. The bad guys got richer, more successful, invented a few new attack vectors, and generally grew in numbers; meanwhile the good guys got more efficient at causing the bad guys pain, but continued to be outspent by the bad guys.

But let’s put that aside for now. What does 2012 hold in store for us?

It’s easy enough to predict the future when you’re merely commenting upon the trends of past years and projecting “more” of the same. While I can offer no shortage of meaningful predictions for 2012 across a broad range of threat and security categories, I thought it would be fun to pick three topics that stole much of the limelight of 2011: APTs, mobile malware and botnet takedowns.

So, without further ado, here are a handful of predictions for 2012.

APT Bonanza

The volume of persistent attacks directed at large corporations will continue to increase and the victims will continue to feel as though they have been specifically targeted. There will thus be a presumption of sophistication to successful penetrations, which will lead to more organizations concluding that they have been the victim of an APT; after more detailed analysis and external input, these will increasingly be revealed as false claims.

  • More attacks will be labeled as APTs due to misunderstanding by the victims, or because of an implied “get out of jail” tactic when public disclosure of the breach is mandated by law.
  • External analysts and security firms will dedicate more time and resources to analyzing breaches that are disclosed as “APTs”, and will be more vocal in correcting false claims.
  • A growing unease will be attributed to the “cry wolf” mentality of labeling breaches as APTs throughout the year.
  • Real APT attacks will increasingly be lost in the noise of falsely-claimed APTs, and the sophisticated attackers will be able to further obfuscate the intent of their attacks.

Mobile Malware threats will continue to be misunderstood

Mobile malware will divide into two streams – Smartphone malware and tablet crimeware. Both mobile malware streams will be similarly unimpressive from a threat sophistication perspective, however their criminal intent will direct their evolutionary changes. Tablet crimeware will develop at a faster pace than Smartphone malware in 2012 as the opportunities to defraud potential victims on tablet systems grow quicker.

  • The hype around mobile malware will continue to exceed the threat and the cybercriminals’ capabilities in 2012, but the cybercriminals and security researchers will strive to meet that hype.
  • As mobile systems become more usable for day-to-day financial transactions and online stores tune their shopping portals for larger-screened mobile devices, cybercriminals will increasingly target these platforms. This crimeware (and injection vectors) will be more “traditional” and a closer facsimile of current generation PC-based crimeware capabilities than many have projected in the past.
  • Smartphones, long seen as “the” mobile threat vector and with the longest history of malware abuse (e.g. Symbian-based malware and premium-rate fraud), will technically be susceptible to the same malware as that affecting tablet systems – but will not be the primary target of attack.
  • Cybercriminals that develop malware specifically for Smartphones will increasingly target the devices for propagation purposes, seeking to infect other (traditional) corporate systems and to breach corporate VPNs.
  • In the corporate realm, the Bring-Your-Own-Device (BYOD) consumerization of IT will entice cybercriminals that target enterprise networks to innovate new attack and propagation vectors. Throughout 2012 new vectors will be theorized and may be developed as proof-of-concept tools, but the hype will be bigger than reality because there are technical hurdles within the operating systems of the mobile devices that have yet to be overcome.
  • Security conferences of a Black Hat ilk throughout 2012 will uncover and illustrate new vectors that subvert the underlying mobile device operating systems, and these will be leveraged in the 2013 timeframe for the targeted propagation of crimeware via BYOD.
  • The traditional invasive and “scary” mobile malware capabilities (e.g. eavesdropping on the victims calls, tracking the device owner, etc.) will not advance in 2012 and will continue to be potential capabilities rather than primary objectives for attackers.
  • The first generation of commercial “DIY” mobile crimeware construction and attack tools will be developed and sold by enterprising cybercriminals.
  • Large scale botnets will not exist on the mobile platforms in 2012. There will be several “proof-of-concept” botnet implementations and theoretical attacks but, from an overall global threat perspective, they will be insignificant.

Botnet takedowns will be ineffective

Despite a number of public and media-hyped botnet takedowns in 2011, and the prospect of increased takedowns in 2012, the overall impact on cyber-criminal operations will decrease. In response to the 2011 takedowns, cybercriminals will change some of their management tactics, further distribute their command-and-control (C&C) infrastructure, and invest in improved and more diverse infection vector operations.

  • Professional criminals who build and monetize botnets will invest in more robust crimeware distribution technologies and services. The capability to infect 10,000+ computers per day will be more important than the marginal loss of 3-year old botnets with only a few hundred thousand infected devices.
  • Botnet C&C infrastructure will continue to become more agile – flitting between domain names, IP addresses and physical locations at an increasing pace. In 2011 this agility was measured in weeks; by the end of 2012 it will be measured in hours.
  • Botnet operators will add more layers between themselves and their victims. In 2011 cybercriminals increasingly adopted the use of commercial anonymous VPN services to connect to their C&C servers, and deployed C&C proxies between the botnet victims and the real C&C servers. In 2012 we can expect this trend to continue and there is a high probability that multiple layers of C&C proxies will be adopted to further protect the cybercriminals’ C&C investment.
  • Noisy botnets (i.e. Spam botnets and DDoS) will continue to be the focus of legal botnet takedowns. In response, cybercriminals will in most cases reduce the noise of their botnets and will also further segment their botnets to ensure that the entire botnet is not lost in a single takedown operation.
  • Botnet takedown attempts will become more “risky” as the takedown entities become more comfortable with the process. Risk will be introduced as the entities pursue remote clean-up and remediation of victim devices.
  • “Good guy” botnet remediation services will become a commercial reality in 2012. As multiple security vendors and academic institutions focus upon the botnet menace they will uncover more vulnerabilities lying within the heart of both the botnet malware and the C&C portal software. There will be growing pressure to exploit these vulnerabilities for the purpose of usurping control of the botnet from the cybercriminals hands and to issue appropriate shutdown and uninstall commands directly from the compromised C&C servers.

I wonder how many of these predictions will come to fruition? I guess we’ll find out in 380 days.

– Gunter Ollmann, VP Research


Cloud-based Inspection of Mobile Malware

December 2nd, 2011

The increasingly sophisticated delivery platforms that cybercriminals use to host and distribute their malware have increased the pressure on Antivirus solutions in recent years to breaking point. Tools and techniques incorporated into Serial Variant Evasion (SVE) tactics have helped ensure that each piece of malware released by the cybercriminals can be not only uniquely crafted to the victim’s specifications, but also “guaranteed” to be undetectable.

I believe that there are two key ingredients in combating these increasingly sophisticated malware delivery platforms and the personalized malware they serve. First of all, cloud-based automated malware analysis; and secondly, dynamic reputation systems for DNS.

A couple of weeks ago I discussed the advantages of cloud-based malware inspection – but only touched on the analysis aspects of current systems. An important component of the system that I didn’t cover lies in the way they obtain the malware samples that they automatically analyze. For most, the samples are harvested directly from the vendor’s customer networks – by grabbing samples at network chokepoints such as proxies or egress points, reconstituting files streaming through the internal network via packet reassembly, or simply receiving files submitted from host-based antivirus agents (the primary method for all antivirus vendors that offer host-based software solutions). Some vendors also take a more proactive approach by actively scanning the Internet, setting up honeypots or HoneyMonkeys, probing likely malware delivery or hosting sites, and “milking” them for new samples. A lot of effort goes in to operating and maintaining these sample gathering systems.

When it comes to mobile malware – in particular Android and iPhone targeted malware threats – sample harvesting is considerably more difficult. The prospect of an antivirus agent installed upon the targeted device automatically uploading each executable being downloaded (and subsequent application update) from a market place or synchronization session back to the antivirus vendor isn’t going to happen for quite some time given factors such as data charges, battery life, wireless bandwidth, etc.

Meanwhile, harvesting malware (or suspicious binaries) “off the wire” is more difficult given the diversity of wireless communication options available to the device (e.g. WiFi, GPRS/3G/4G, Bluetooth) and roaming nature of the device. This can still be done, but organizations need to be able to tap each of the communication protocols in turn – which requires different physical infrastructure at office locations than what is traditionally deployed for standard network security monitoring and inspection.

Today, the most common technique used for mobile malware harvesting lies in the automatic scraping of the various market places – downloading each published mobile application and (typically) performing a mix of static analysis and bare-metal automated inspection techniques. From there, the antivirus vendors create signatures that they deploy to their mobile antivirus agent subscribers. There is a fly in the ointment though. Without special agreement from the marketplace operator and appropriate rights from the application developers that offer their software through those marketplaces, the harvesting of applications is generally limited to those that are offered for free. So, if you’re feeling a little evil and are inclined to get in the mobile malware business, the easiest way to evade many of the mobile antivirus products out there is to offer your malicious software for a price of one cent (or more).

I did hear that a small handful of mobile antivirus vendors have developed sophisticated and innovative systems that can automatically detect and prevent mobile malware without the signatures derived from such sample harvesting – or in-fact having ever seen any malware before. It sounds like magic to me. Well, actually it smells of something else to me and I’m too polite to say what of.

If desktop antivirus products (with all the benefits of speed, performance, processing power and greater bandwidth) haven’t managed to stop the same type of malware threat, how is that possible at the mobile device? Surely if these magical/secret/uber techniques really worked so well then those mobile antivirus vendors would be taking over the world by rolling out desktop versions of their antivirus software – it’s a much, much larger market.

Skepticism aside, I was asked recently what happens if the cloud components of modern antivirus solutions are unavailable. With all the advancement and protection goodness of antivirus coming from the cloud, if the victim has no access to the Internet how are they to be protected? Obviously, without Internet access (or network access in general) the breadth of potential malware threats is greatly diminished. The malware used by attackers today, i.e. crimeware, is in almost all cases there to perpetrate a crime and act as the vehicle for transporting data. Without Internet connectivity the crimeware can’t receive updates, act on new commands or exfiltrate its pilfered materials.

– Gunter Ollmann, VP Research