Tuesday, October 24, 2006

Detecting Malware Time Bombs with Virtual Machines

Back in June, details emerged about an event from 2002: a UBS employee's use of a logic bomb on the bank's internal network, planted with exactly the kind of insider access it needed to spread:

"According to prosecutors, shortly after Duronio created the code in late 2001, he quit his job and banked thousands in "put" options against UBS, in which he would profit if the company's stock price declined by March 15, 2002, as a result of the attack he had allegedly set to launch against computer systems on March 4. Prosecutors said that "within an hour or so" of walking out the door from UBS, Duronio was at a securities office buying "puts" against UBS. The mail fraud charges relate to confirmation of purchases of the puts that were sent through the U.S. Postal Service. The damage caused by the malicious code impaired trading at the firm that day, hampering more than 1,000 servers and 17,000 individual work stations. The attack cost UBS about $3 million to assess and repair, said Assistant U.S. Attorney V. Grady O'Malley. "It took hundreds of people, thousands of man hours and millions of dollars to correct," O'Malley told jurors."

This is far from the first use of a logic bomb (there are examples from the 1980s), and it is worth noting how flexible this type of malware can be, with triggers going well beyond the most common one, a specific date and time.

The authors of "Detecting Malware Timebombs with Virtual Machines" researched an automated early-warning system that shortens the time needed to work out the exact timetable of a given piece of malware:

"Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, or when events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis."

They successfully analyse Code Red, Klez, MyParty, Blaster and CME-24, and speculate on the future of the automated process. It is worth reading, and worth rethinking whether the Internet's infected population really consists of zombies, or whether they are simply hosts that haven't been woken up yet.
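To make "discovering the timetable" concrete, here is an added illustration of the basic idea in Python. It is my own simplified model, not the paper's code and not the virtual-machine technique itself: a sample is run under a clock the analyst controls, the clock is swept forward, and the points where the sample's observable behaviour changes are recorded and then bisected down to minute resolution. The two payload functions are constructed stand-ins modelled on the published timetables of Code Red (propagate on days 1 to 19 of the month, flood a fixed target on days 20 to 27, sleep afterwards) and CME-24 (destructive payload fires on the 3rd of every month); no real binary is involved, and the analysis window (March 2002) and all names below are my own choices.

```python
"""Toy temporal search: recover a time-triggered payload's timetable by
sweeping a spoofed clock over it. Added example, not the paper's code."""
from datetime import datetime, timedelta

DAY = timedelta(days=1)
WEEK = timedelta(days=7)
SWEEP_START = datetime(2002, 3, 1)   # constructed analysis window
SWEEP_END = datetime(2002, 4, 1)


def codered_like(now: datetime) -> str:
    """Constructed stand-in modelled on Code Red's published timetable:
    propagate on days 1-19, flood a fixed target on 20-27, sleep after."""
    if now.day < 20:
        return "scan"
    if now.day < 28:
        return "flood"
    return "idle"


def cme24_like(now: datetime) -> str:
    """Constructed stand-in modelled on CME-24, whose destructive payload
    fires on the 3rd of every month."""
    return "wipe" if now.day == 3 else "idle"


def sweep(payload, start, end, step):
    """Run `payload` once per `step` with the clock set to the sample time.
    Returns (first_sample, next_sample_or_end, behaviour) windows, one per
    run of identical observed behaviour."""
    windows = []
    win_start, win_beh = start, payload(start)
    t = start + step
    while t < end:
        beh = payload(t)
        if beh != win_beh:
            windows.append((win_start, t, win_beh))
            win_start, win_beh = t, beh
        t += step
    windows.append((win_start, end, win_beh))
    return windows


def refine(payload, lo, hi, resolution):
    """Bisect (lo, hi] for the earliest probe that no longer shows lo's
    behaviour. Assumes the behaviour switches exactly once in the interval;
    a short window hiding between two samples would violate that."""
    old = payload(lo)
    while hi - lo > resolution:
        mid = lo + (hi - lo) / 2
        if payload(mid) == old:
            lo = mid
        else:
            hi = mid
    return hi


def timetable(payload, start, end, step, resolution=timedelta(minutes=1)):
    """Coarse sweep, then bisection of every boundary the sweep found.
    Any trigger window shorter than `step` can fall between two samples
    and be missed entirely, so `step` must be chosen with that in mind."""
    coarse = sweep(payload, start, end, step)
    bounds = [start]
    for first_seen, _, _ in coarse[1:]:
        # first_seen is the first sample with the new behaviour; the sample
        # one step earlier still showed the old one, so bisect between them.
        bounds.append(refine(payload, first_seen - step, first_seen, resolution))
    bounds.append(end)
    return [(bounds[i], bounds[i + 1], beh) for i, (_, _, beh) in enumerate(coarse)]


def fmt(windows):
    """Render windows as lines like '2002-03-20T00:00 -> 2002-03-28T00:00 flood'."""
    return [f"{b.isoformat(timespec='minutes')} -> {e.isoformat(timespec='minutes')} {beh}"
            for b, e, beh in windows]


if __name__ == "__main__":
    print("\n".join(fmt(timetable(codered_like, SWEEP_START, SWEEP_END, DAY))))
    print("CME-24 model, weekly sweep:", fmt(timetable(cme24_like, SWEEP_START, SWEEP_END, WEEK)))
    print("CME-24 model, daily sweep: ", fmt(timetable(cme24_like, SWEEP_START, SWEEP_END, DAY)))
```

The second and third calls show the caveat that matters in practice: a weekly sweep samples the CME-24 model on the 1st, 8th, 15th, 22nd and 29th, never lands on the 3rd, and reports a month of "idle", while a daily sweep finds the one-day window. Naive clock fast-forwarding can only see windows at least as long as its step, which is one reason the paper's technique does more than just advance the clock.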
