Tuesday, February 14, 2012

Mobile Malware Analysis

Every couple of years there’s a new “hot threat” in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it’s mobile malware. It’s a reoccurring cycle, analogous to the “blue is the new black” in fashion – if you fancy adopting a certain cynical tone.

Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you’ll uncover that the back story to many of these “hot threats” often goes back a decade or two. Mobile malware threats are certainly no exception.

A history lesson in the evolution of mobile malware is hopefully not required, beyond to say that today’s hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there’s all too often a stampede towards apparently novel and threat-specific solutions.

Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.

What is the “Mobile Threat”?

When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be “what do you define as the mobile threat?”

The term “Mobile Threat” is amorphous – it has become a catch-all to encompass anything not physically tethered to a network and happens to be newish from a technology perspective, and likely subject to some new (previously unencountered) formulation of evilness. That sounds like a kind of wishy-washy definition (and it is), but catch-all’s usually are. Instead, I’d rather focus on one aspect of the Mobile Threat – that of the mobile malware threat.

As I described in a blog entry illuminating a handful of security predictions for 2012, mobile malware threats continue to be misunderstood. It’s all too easy to dive deep in to the various technologies that expose mobile devices to new forms of attack and vectors of compromise; just as it’s rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the “legacy” threat categories we’re already all too familiar with.

You could spin a lot of cycles looking into the “what if’s” of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things – how do your employees really use their mobile devices, and how are cybercriminals going to monetize their control of these devices?

For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools – of which the most commonly encountered category is “malware” – are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.

When it comes to the cybercriminals that target mobile devices (which constitute the core element of the “Mobile Threat”), it is interesting to note that they’re pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn’t really be a surprise to anyone – it’s all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision – do they target the new platform or optimize their attacks against the traditional devices. As mobile application use increases, there’s an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.

It’s important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install upon the compromised devices is also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure… business as usual!

The Role Damballa Plays

One of the questions I commonly get asked on the topic is “what has Damballa been doing to defend against the mobile threat?”

In a nutshell, if you’re operating at the network level (e.g. Damballa Failsafe and Damballa CSP) the specifics of the compromised device and any application-level interactions are irrelevant – which is a round-about way of saying that Damballa customers have had defenses against mobile threats before the term made its red carpet début.

What do we do (or have been doing) in combating the mobile threat?

  • Compromised devices that attempt to connect to the servers used by cybercriminals for command and control (C&C) and stolen data drops are identified within customer networks and are alerted upon in real-time. The device operating system, architecture, or communication protocol is irrelevant to this form of detection – and any victim mobile devices are similarly alerted upon.
  • Damballa Labs monitors DNS on a truly global and massive scale. In basic terms, every successful domain to IP resolution around the world is recorded and used to automatically map relationships between Internet infrastructure components. This live “map” is augmented with streaming threat information and training data to automatically group, cluster and label the servers and hosting infrastructure used by cybercriminal entities.
    In practical terms what this means is that every time cybercriminals register a new domain and point it to one of their servers, or remove/add new servers, or change hosting facilities, or modify their DNS settings, Damballa Labs is able to identify and associate these changes with the specific criminal entity.
  • Dynamic reputation systems such as Damballa Lab’s Notos system provide reliable reputation scoring capabilities for DNS. These technologies are used to detect communications to newly integrated cybercrime infrastructure, independent of whether the domain or IP address has previously been observed as providing C&C functionality.
  • Thousands upon thousands of malware samples and suspicious files are harvested by Damballa Labs every day. Automated systems process these files through a mix of dynamic, static and bare-metal analysis systems in order to extract the network behaviors and characteristics of all newly identified malware. By employing a wide variety of clustering and machine learning systems, new C&C domains and IP addresses are automatically identified and associated with malware families, and in turn, the criminal entities that manage them.
    For example, new Android applications (and updates) published to the major international markets are automatically analyzed. For every application identified as “mobile malware”, any new C&C or related communication is in turn associated with a criminal operator and serves as actionable intelligence within the Damballa product range.
  • Threat analysts target the most important cybercriminal entities for manual analysis and counter intelligence surveillance. Using a variety of tools, aliases, and social engineering tactics, Damballa Labs analysts gain an insider view of the criminal entities. This insight is used to not only track the latest changes with their operations, but also to preempt new attacks and attack vectors.
  • Many times, the malware on the infected device has to search for its C&C – either because the static list of built-in potential C&C’s is out of date, or because it is using Domain Generation Algorithms (DGA) to bypass static reputation systems. Damballa technologies are able to identify malware that attempts to locate its C&C even if the cybercriminals’ C&C cannot be found (and before any communications can commence).
  • Damballa Labs has visibility of DNS resolution traffic from multiple authoritative DNS servers. Using technologies such as Kopis, we are able to automatically detect malware-related domains at the upper DNS hierarchy independently of (and a long-time before) malware samples are captured by the security community and analyzed. This technology operates independently of the malware, and is able to forecast domains that are being abused for mobile threats a long time before the mobile application is recognized and classified as malware.

There’s more of course, but these are probably the most significant technologies and approaches that Damballa products use to keep ahead of the mobile malware threat (that I can mention in public). We’re constantly expanding the list of detection and threat tracking/labeling technologies with new research being published by Damballa Labs on a regular basis.

All-in-all, while the much hyped “mobile threat” is likely to bask in the media spotlight for another year or two, it’s comforting to know that defensive technologies are not only already out there but have been successful in combating the threat for several years already.

No comments:

Post a Comment