Malware Detection - Take the Blinders Off
Last Updated: 2008-06-14 23:15:32 UTC
by Lorna Hutcheson (Version: 1)
How many times have you sat in a discussion talking about how to protect against malware and the focus is always on what type of Antivirus to use? Do you use one vendor to keep it simple or do you use at least two vendors to get better coverage? I don't disagree that antivirus software is an essential tool in your security architecture and I'm an advocate of it. But my point is that we have severely restricted our abilities to detect malware when the only focus is only an antivirus solution. When this is the case, you are operating with blinders on.
Malware development and usage is a rapidly growing area of concern. Sadly, the developers of malware are getting better and better at fine tuning their craft. Malware today is very sophisticated with amazing GUI interfaces that make it so easy anyone can use it with no skills required. It is too easy to create malware that is not detected by antivirus software. Sadly, by the time the malware is found and detection is provided many days may have passed. Take Slammer for instance and the fact it infected the majority of the 75,000 systems it compromised within the first ten minutes. How do you get a signature out to detect something that moves that fast? The answer is simple...you can't!!
The use of signature based detection has its limitations and developments in behavioral and heuristic based approaches aren't where they need to be yet. This is not a slam against any antivirus vendors. I'm simply advocating that we need to take the blinders off an look at other ways we can do detection to increase our security posture. Just to clarify, I use the term "forensics" because I look at forensics as the art of looking for clues. That is really what you're doing in all of these. Looking for clues that would help you spot malware. Call it whatever you want:>) Here are some things that can be used to monitor for malware.
Network forensics is a method to examine the characteristics of your network traffic and provide early alert warning. One of the guiding principles when doing any type of analysis is to learn what is normal. If you learn what is normal, the abnormal will immediately stand out to you. All network traffic has patterns that are unique to that network. By watching your network traffic, you can determine rapidly what is abnormal. With network speeds today, one of the best methods of doing this is graphical analysis. They are many tools out there that will graphically display your communication flows. You can visually see where your traffic is going and abnormal traffic patterns instantly stand out. For instance, if your watching your connections and suddenly 2 boxes, then 10, then 20 etc. all start trying to connect to IP address that is not their normal pattern, you would want to check that out. If its malware related, you will be able to find out very quickly and provide protection for your network. With visual monitoring, abnormalities stand out very quickly.
Web traffic Forensics
I also recommend doing forensics on your web traffic. The same methodology applies. Look for the abnormalities in your traffic. Since port 80 is open, its a good target. I wrote a diary a while back on a piece of undetected malware that used a covert channel over port 80 to get its commands. Forensics on your web traffic would have spotted that site suddenly showing up at repeated intervals in your analysis.
Host Based Forensics
You should know what your basic build is for all your systems. Using a good tool to alert you for changes is another method of early detection. You can also do forensics on your logs by monitoring for key events such as services starting or new processes being added. You can run a local script at night on each system to send you a list of services and processes that are running on the systems. That can be automated to be compared against a known list and the outliers written to a file for further analysis. (Note, I recommend at night because the systems will be more stable as to what is running)
The bottom line is to think outside the box and be creative (with permission of course)!! Set up a Darknet, use LaBrea on an unused network space in your environment, watch for increased traffic to certain ports or whatever comes to mind. Just don't depend on your antivirus to be your only solution for detection of malware. We all need to move toward being proactive and not reactive. If you have implemented something to help look for malware, please let us know and we'll combine the methods and update the diary.