Tuesday, February 14, 2012

Ice IX Rising Against SpyEye

As commercial crimeware construction tools go, SpyEye has been king of the hill for the last year or so – with dozens of cybercrime organizations adopting it as their attack platform of choice. But has its time come to an end already? In the competitive ecosystem of crimeware construction tools and attack delivery platforms, to maintain a lead, the engineers behind the tools have to continuously innovate and roll out new features to their subscriber-base. In the case of SpyEye, it looks like they’re falling behind and their customers are already switching platforms and providers.

Ever since the public leaking of the 1.3.45 SpyEye builder and some accompanying cracks, a menagerie of “unauthorized” SpyEye resellers and distributors have flooded the hacker forums with cut-price copies of the malware construction tool. As would-be SpyEye sellers tout their latest extensions, fake updates and fixes, the SpyEye original authors have bunkered down – focusing their attention upon only their most trusted customers, and not actively seeking more. As distrust spreads within the cybercriminal fraternity, a number of notable criminal operators have been moving to a new competitor on the block – “Ice IX”.

Ice IX, like its competitors (SpyEye, Zeus, TDL, Hiloti, Carberp, etc.), offers the same core crimeware construction functionality – malware builders, an attack delivery platform, and a management console – and also makes extensive use of third-party developed Web Inject content to extract valuable data from its victims. What makes Ice IX so interesting to (former) SpyEye customers is that it’s being actively maintained and is proving to be a reliable attack platform against even newly patched victims – not to forget being much cheaper too.

Over the last few months Damballa Labs have been tracking a number of criminal operators as they replace their SpyEye installations and migrate to the new Ice IX platform. It is only a trickle at the moment, but we can probably expect more SpyEye operators to transition to other better-supported crimeware construction platforms throughout the year.

To understand why SpyEye is losing out to Ice IX, my colleague Sean Bodmer has pulled together a Research Note on the topic – where he details the cybercriminal migration between attack platforms and discusses the impact on some of the larger (former) SpyEye-based operators we’re tracking.

The Research Note – “SpyEye, being kicked to the curb by its customers?” can be found at http://www.damballa.com/downloads/r_pubs/RN_SpyEye-Kicked-to-Curb_Bodmer.pdf

Mobile Malware Analysis

Every couple of years there’s a new “hot threat” in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it’s mobile malware. It’s a recurring cycle, analogous to “blue is the new black” in fashion – if you fancy adopting a certain cynical tone.

Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you’ll uncover that the back story to many of these “hot threats” often goes back a decade or two. Mobile malware threats are certainly no exception.

A history lesson in the evolution of mobile malware is hopefully not required, beyond saying that today’s hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there’s all too often a stampede towards apparently novel and threat-specific solutions.

Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.

What is the “Mobile Threat”?

When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be “what do you define as the mobile threat?”

The term “Mobile Threat” is amorphous – it has become a catch-all for anything that is not physically tethered to a network, happens to be newish from a technology perspective, and is likely subject to some new (previously unencountered) formulation of evilness. That sounds like a wishy-washy definition (and it is), but catch-alls usually are. Instead, I’d rather focus on one aspect of the Mobile Threat – that of the mobile malware threat.

As I described in a blog entry illuminating a handful of security predictions for 2012, mobile malware threats continue to be misunderstood. It’s all too easy to dive deep into the various technologies that expose mobile devices to new forms of attack and vectors of compromise; just as it’s rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the “legacy” threat categories we’re already all too familiar with.

You could spin a lot of cycles looking into the “what-ifs” of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization, you only need to understand two things – how do your employees really use their mobile devices, and how are cybercriminals going to monetize their control of these devices?

For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools – of which the most commonly encountered category is “malware” – are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.

When it comes to the cybercriminals that target mobile devices (which constitute the core element of the “Mobile Threat”), it is interesting to note that they’re pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn’t really be a surprise to anyone – it’s all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision – do they target the new platform or optimize their attacks against the traditional devices? As mobile application use increases, there’s an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.

It’s important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install upon the compromised devices are also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure… business as usual!

The Role Damballa Plays

One of the questions I commonly get asked on the topic is “what has Damballa been doing to defend against the mobile threat?”

In a nutshell, if you’re operating at the network level (e.g. Damballa Failsafe and Damballa CSP) the specifics of the compromised device and any application-level interactions are irrelevant – which is a roundabout way of saying that Damballa customers have had defenses against mobile threats before the term made its red carpet début.

What do we do (or have been doing) in combating the mobile threat?

  • Compromised devices that attempt to connect to the servers used by cybercriminals for command and control (C&C) and stolen data drops are identified within customer networks and are alerted upon in real-time. The device operating system, architecture, or communication protocol is irrelevant to this form of detection – and any victim mobile devices are similarly alerted upon.
  • Damballa Labs monitors DNS on a truly global and massive scale. In basic terms, every successful domain-to-IP resolution around the world is recorded and used to automatically map relationships between Internet infrastructure components. This live “map” is augmented with streaming threat information and training data to automatically group, cluster and label the servers and hosting infrastructure used by cybercriminal entities.
    In practical terms what this means is that every time cybercriminals register a new domain and point it to one of their servers, or remove/add new servers, or change hosting facilities, or modify their DNS settings, Damballa Labs is able to identify and associate these changes with the specific criminal entity.
  • Dynamic reputation systems such as Damballa Labs’ Notos system provide reliable reputation scoring capabilities for DNS. These technologies are used to detect communications to newly integrated cybercrime infrastructure, independent of whether the domain or IP address has previously been observed as providing C&C functionality.
  • Thousands upon thousands of malware samples and suspicious files are harvested by Damballa Labs every day. Automated systems process these files through a mix of dynamic, static and bare-metal analysis systems in order to extract the network behaviors and characteristics of all newly identified malware. By employing a wide variety of clustering and machine learning systems, new C&C domains and IP addresses are automatically identified and associated with malware families, and in turn, the criminal entities that manage them.
    For example, new Android applications (and updates) published to the major international markets are automatically analyzed. For every application identified as “mobile malware”, any new C&C or related communication is in turn associated with a criminal operator and serves as actionable intelligence within the Damballa product range.
  • Threat analysts target the most important cybercriminal entities for manual analysis and counter intelligence surveillance. Using a variety of tools, aliases, and social engineering tactics, Damballa Labs analysts gain an insider view of the criminal entities. This insight is used to not only track the latest changes with their operations, but also to preempt new attacks and attack vectors.
  • Many times, the malware on the infected device has to search for its C&C – either because the static list of built-in potential C&Cs is out of date, or because it is using Domain Generation Algorithms (DGAs) to bypass static reputation systems. Damballa technologies are able to identify malware that attempts to locate its C&C even if the cybercriminals’ C&C cannot be found (and before any communications can commence).
  • Damballa Labs has visibility of DNS resolution traffic from multiple authoritative DNS servers. Using technologies such as Kopis, we are able to automatically detect malware-related domains at the upper DNS hierarchy independently of (and long before) malware samples being captured and analyzed by the security community. This technology operates independently of the malware, and is able to forecast domains that are being abused for mobile threats a long time before the mobile application is recognized and classified as malware.
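The “malware hunting for a C&C it cannot find” behaviour described above shows up on the network as a burst of NXDOMAIN answers for random-looking names, whatever the device type. The following is an added illustration of that detection logic (not Damballa’s code or Kopis/Notos), run over a constructed resolver log; the client IPs, domain names and thresholds are made up for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (epoch seconds, client IP, queried name, response code).
# Not real traffic: the .info labels are made up to mimic DGA-style names.
SAMPLE_LOG = """\
1329228000 10.0.0.5 www.example.com NOERROR
1329228001 10.0.0.5 mail.example.com NOERROR
1329228002 10.0.0.9 xk3pq7zv2.info NXDOMAIN
1329228002 10.0.0.9 q9wd2mz8ta.info NXDOMAIN
1329228003 10.0.0.9 bn7t4yq1lc.info NXDOMAIN
1329228003 10.0.0.9 h2vz9kx5pe.info NXDOMAIN
1329228004 10.0.0.9 z6rk1nq8wd.info NXDOMAIN
1329228005 10.0.0.9 m4fj7xp2bt.info NXDOMAIN
1329228006 10.0.0.5 typo.exmaple.com NXDOMAIN
"""

def label_entropy(label):
    """Shannon entropy (bits) of the characters in one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples from the log text."""
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower(), rcode

def flag_dga_seekers(text, window=60, min_nx=5, min_entropy=3.0):
    """Return {client: stats} for clients whose NXDOMAIN burst within `window`
    seconds consists of high-entropy names, i.e. a DGA hunting for its C&C."""
    nx = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            nx[client].append((ts, qname))
    flagged = {}
    for client, events in nx.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [q for ts, q in events[i:] if ts - start <= window]
            if len(burst) < min_nx:
                continue
            avg = sum(label_entropy(q.split(".")[0]) for q in burst) / len(burst)
            if avg >= min_entropy:
                flagged[client] = {"nxdomain": len(burst), "avg_entropy": round(avg, 2)}
                break
    return flagged
```

A single typo (10.0.0.5) never reaches the burst threshold, while the six failed high-entropy lookups from 10.0.0.9 are flagged before any C&C connection exists; thresholds need tuning per network, since CDN and tracking hostnames can also score high on entropy.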

There’s more of course, but these are probably the most significant technologies and approaches that Damballa products use to keep ahead of the mobile malware threat (that I can mention in public). We’re constantly expanding the list of detection and threat tracking/labeling technologies with new research being published by Damballa Labs on a regular basis.

All-in-all, while the much hyped “mobile threat” is likely to bask in the media spotlight for another year or two, it’s comforting to know that defensive technologies are not only already out there but have been successful in combating the threat for several years already.

Static vs. Dynamic Reputation (or, why Blacklists suck more each day)

If you look deep enough, hidden at the darkest recesses of most security technologies deployed within enterprise networks today, you’ll find static reputation systems chugging away doing the grunt work of threat protection. They’re not glamorous and vendors have had a propensity to instruct their sales force (and resellers) to refrain from mentioning them to customers and prospects in recent years. They’re a legacy hangover from the days when cutting-edge security consisted of blacklists and regex signatures.

Static reputation systems are effectively frameworks for managing lists of previously classified goodness or badness – i.e. blacklists and whitelists. Their basic concepts are thoroughly understood and they tend to perform tremendously well as a first-pass filter for many of the most prevalent threat categories. So, despite their aged stature, they are an incredibly valuable tool. In fact, for many threat categories, modern protection products wouldn’t be able to handle traffic volumes if static reputation systems didn’t perform the first pruning of inbound threats. For example, in the world of anti-spam, up-to-date blacklists of just a few hundred known bad IP addresses can reduce the spam volume that more sophisticated technologies must parse by 90+ percent.

There are however many limitations to static reputation systems. In a world of increasingly agile threats and a fundamentally dynamic (and some would say ‘chaotic’) Internet infrastructure, static reputation systems are simply incapable of keeping pace. Some short-term fixes have been applied – for example, releasing and importing updated blacklists more frequently, or pruning overly long blacklists to the most reliably static data in an attempt to remove “false positives”. Whilst these quick fixes have extended the life of some static reputation systems, the frayed edges have been exposed and are being constantly picked at.

In response to the failures and declining viability of static reputation systems, a number of dynamic reputation system approaches have come to the fore in recent years. These new approaches seek to be more accurate in discerning goodness and badness, and to dynamically keep pace with agile threats and continuous Internet change.

Dynamic reputation systems aren’t a one-for-one replacement for systems currently dependent upon static reputation. While their protection objectives are similar, their output and delivery are quite different. Static reputation systems are effectively Boolean list technologies; the IP/Domain/URL/etc. is either on the list or it isn’t. Dynamic reputation systems typically operate as a queryable API and provide answers in a “score” format.

These scores can change at a moment’s notice: as new intelligence relating to the IP/Domain/URL/etc. is received, features are extracted and classified and the score is re-derived in real-time. The scores themselves can often be interpreted as probabilities or confidence in a particular threat classification – and are delivered as values between zero and one, or as a percentage.
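To make the Boolean-list versus score contrast concrete, here is an added example (not Damballa’s code, and not the Notos feature set or model) in which a static blacklist and a small dynamic scorer are queried about the same constructed domain twice: once when it is first seen, and again after passive DNS shows it pointing at an IP already tied to a known C&C domain. The domains, IPs, feature weights and threshold are assumptions for the illustration.

```python
from dataclasses import dataclass

# Constructed data; features and weights are assumptions for this illustration.
STATIC_BLACKLIST = {"evil-c2.example", "198.51.100.7"}   # Boolean: listed or not

# Infrastructure map from passive DNS: IPs that known-bad domains have resolved to.
# A fresh domain that points at one of these inherits that suspicion.
KNOWN_BAD_DOMAIN_IPS = {"evil-c2.example": {"198.51.100.7", "198.51.100.8"}}
BAD_IPS = set().union(*KNOWN_BAD_DOMAIN_IPS.values())

@dataclass
class Observation:
    domain: str
    resolved_ips: set
    age_days: int       # days since the domain was first seen in passive DNS
    client_count: int   # distinct clients observed resolving it

def static_verdict(obs):
    """Static reputation: a Boolean lookup of the domain or any resolved IP."""
    return obs.domain in STATIC_BLACKLIST or bool(obs.resolved_ips & STATIC_BLACKLIST)

def dynamic_score(obs, bad_ips=BAD_IPS):
    """Dynamic reputation: a 0..1 confidence that the domain is C&C infrastructure,
    recomputed from the current features every time it is queried."""
    overlap = len(obs.resolved_ips & bad_ips) / max(len(obs.resolved_ips), 1)
    newness = 1.0 if obs.age_days < 7 else 0.0
    rarity = 1.0 if obs.client_count < 20 else 0.0
    return round(0.6 * overlap + 0.25 * newness + 0.15 * rarity, 2)

def triage(obs, threshold=0.7):
    """A blacklist hit blocks outright; otherwise the score decides."""
    if static_verdict(obs):
        return "block (blacklist)"
    score = dynamic_score(obs)
    verdict = "block" if score >= threshold else "allow"
    return "%s (score %.2f)" % (verdict, score)

# Scenario: a two-day-old domain nobody has listed, resolving to a clean-looking IP.
FIRST_SEEN = Observation("upd4te-srv.example", {"203.0.113.5"}, age_days=2, client_count=3)
# A day later the operator re-points it at an IP already tied to evil-c2.example.
# The static blacklist has not changed; only the observed resolution has.
REPOINTED = Observation("upd4te-srv.example", {"198.51.100.8"}, age_days=3, client_count=3)
```

The blacklist answers “not listed” both times, while the score moves from 0.40 to 1.00 on the second query purely because of the infrastructure association, which is the “newly integrated cybercrime infrastructure” case the Damballa Labs list above describes.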

If you’re interested in learning more about the limitations of static reputation systems and how dynamic reputation systems have begun to replace them (and why), I’ve released a new reference paper on the topic – “Blacklists & Dynamic Reputation – Understanding Why the Evolving Threat Eludes Blacklists” – and it can be found on the Damballa website.