The Modern Malware Review. Analysis of New and Evasive Malware in Live Enterprise Networks 1st Edition, March 2013


TABLE OF CONTENTS

Background and Goals
A Focus on Actionable Research
Separating the Known-Unknowns from the Unknown-Unknowns
About the Data and the Methodology
About WildFire
Summary of Key Findings
Web Traffic Is Where the Problems Are
90% of Unknown Malware Delivered Via Web-Browsing
5 Days to Coverage for Email, 20 Days For Everything Else
Challenges of Web-Based Malware
Conclusions and Recommendations
Identifiers in Unknown Malware
40% of Samples Retained Identifiers in the Payload
30% of Samples Generated Custom or Unknown Traffic
Suspicious Malware Traffic
Summary, Conclusions and Recommendations
Malware Traffic on Non-Standard Ports
FTP
Web Browsing
Custom and Unknown TCP and UDP
HTTP Proxy
Malware Behaviors on the Host
Analysis Avoidance
Persistence
Hacking and Data Theft
Summary

BACKGROUND AND GOALS

The Modern Malware Review presents an analysis of 3 months of malware data derived from more than 1,000 live customer networks using WildFire (Palo Alto Networks' feature for detecting and blocking new and unknown malware). The review focuses on malware samples that were initially undetected by industry-leading antivirus products.

A FOCUS ON ACTIONABLE RESEARCH

The goal of focusing on unknown or undetected malware is not to point out deficiency in traditional antivirus solutions but rather to better understand the problems, and hopefully identify practices that can help. As such, the report provides analysis of the malware, but also includes recommendations based on the findings. Some of these recommendations are common sense, and we don't propose they are a panacea for modern malware and APTs. The goal is simply to share information that can help security teams be more proactive in their fight against modern malware and advanced threats.

SEPARATING THE KNOWN-UNKNOWNS FROM THE UNKNOWN-UNKNOWNS

Part of the problem when talking about advanced malware is agreeing what we really mean by modern malware. There is an incredible amount of malware diversity even when we focus on new and unknown malware. There are highly sophisticated, highly targeted sources of custom malware and APTs (e.g. APT1, Stuxnet, and Flame). But there are also legions of more traditional malware operations that generate malware at scale that are also able to get by traditional defenses (e.g. Zeus, Zero Access, Kelihos). Both of these categories present security risks that need to be managed, but obviously vary considerably in volume and the risk posed to the enterprise. The latter, more common type of malware stands to potentially overwhelm security teams if each new variant of known malware requires a manual response from the security team. If too much normal malware goes undetected, the security teams will obviously have a very difficult time finding the truly targeted and unique threats in their networks.

As a result we believe that it's crucial for enterprises to reduce the overall volume of infections from variants of known malware, so that security teams have the time to focus on the most serious and targeted threats. One of the key values of being able to analyze real-world malware at a large scale is the ability to distinguish between common and repeated threats and those that are unique. As such, in the report we take a look both at the large-scale trends, but also at some of the samples that quite literally were exceptional. We hope the results of this analysis will help security managers to not only reduce the impact of the known-unknowns, but also to reveal the presence of the unknown-unknowns as well.

ABOUT THE DATA AND THE METHODOLOGY

Malware samples were collected in live enterprise networks as part of the WildFire functionality for controlling modern malware. As part of our normal analysis we test malware samples collected by WildFire against fully updated antivirus products from 6 industry-leading enterprise antivirus vendors. This review focuses solely on all malware collected in a 3-month period that initially had no coverage from any of the tested vendors. This included more than 26,000 malware samples. Again, the intent is not to point out that some malware gets by traditional antivirus, but rather to provide actionable insight into the problem: what malware strategies are the most successful, why, and what security teams can do to respond.

Summary of Data Sources

- 3 months of WildFire data.
- 1,000+ live enterprise networks.
- Samples were tested against 6 fully-updated, industry-leading antivirus products.
- 26,000+ samples had no coverage at the time they were detected in live enterprise networks.

For the 26,000+ unknown/undetected samples, we used the application level visibility of the next-generation firewall in conjunction with the behavioral analysis of WildFire to provide as complete a view as possible of the malware lifecycle. This includes:

- An application level analysis of the infecting malware session: Samples were originally captured by the Palo Alto Networks firewall within customer deployments. Any infecting binaries were uploaded to Palo Alto Networks' WildFire malware analysis cloud for further investigation. In most cases, binaries were accompanied by data concerning the infecting session, such as a web-browsing session, to provide insight into the infection strategy used by the attacker. It is important to note that these are only infection attempts observed by the firewall, and this does not mean that the infection was successful on the actual target.
- The behavior of the malware on the host: After the initial collection of the malware, all further analysis was performed in the WildFire cloud. This includes an active analysis of the malware in a virtualized host environment, allowing Palo Alto Networks to observe exactly how the sample behaves on a target and any techniques used by the malware.
- An application level analysis of traffic generated by malware: The vast majority of modern malware will make use of a network to steal data, orchestrate an ongoing attack against the network or download additional malicious payloads. For this reason, we closely analyzed the traffic generated by the malware itself in order to better understand the techniques used by malware to communicate.

ABOUT WILDFIRE

WildFire is an optional feature of Palo Alto Networks' next-generation firewall that enables users to detect and block new and otherwise unknown malware. The solution leverages the firewall to look within network traffic for files that are unknown (neither known good, nor known bad). When an unknown file is detected, the file is copied and executed in Palo Alto Networks' cloud-based environment where the file can be analyzed as malicious or benign based on the behavior of the malware. When a malicious file is detected, WildFire generates new protections based on the internal identifiers within the malware, which are delivered back to the firewall where enforcement occurs.

SUMMARY OF KEY FINDINGS

1. THE WEB IS THE FRONT LINE OF THE FIGHT AGAINST UNKNOWN MALWARE

- 90% of fully undetected malware was delivered via web-browsing.
- It took antivirus vendors 4 times as long to detect malware from web-based applications as opposed to email (20 days for web, 5 days for email).

2. FTP WAS OBSERVED TO BE EXCEPTIONALLY HIGH-RISK

- Samples from FTP were unique (94% of samples were seen only once).
- Samples from FTP rarely gained coverage by AV (95% never gained coverage).
- Highly evasive and port independent: 97% of FTP samples used only non-standard ports.

3. AN OPPORTUNITY TO TAKE ACTION: 70% OF MALWARE SHOWED INDICATORS IN THE PAYLOAD OR TRAFFIC

- 40% of unknown samples were related based on specific identifiers in the malware header and body. A single indicator was linked to more than 1,200 unique SHA values.
- 30% of samples were observed to generate custom UDP or TCP traffic. Custom or unknown traffic was the 3rd most common type of traffic generated by malware, trailing only web-browsing and DNS traffic.
- More than 30% of samples connected to new or unknown destinations on the Internet.
  - Unregistered or newly registered domains.
  - Newly registered DNS servers or dynamic DNS domains.

4. MALWARE SPENDS SIGNIFICANT EFFORT AVOIDING SECURITY

- 52% of observed malware behaviors focused on evading security or analysis, compared to only 15% focused on hacking and data theft.
- Attempting a long sleep to avoid analysis was the #1 most common malware behavior overall.

WEB TRAFFIC IS WHERE THE PROBLEMS ARE

It isn't enough to simply know that there are threats that get by our traditional security. If we are going to actually improve in this area, then we need to learn what makes these more modern classes of malware different and how they actually work. In this section, we start with the basics and set out to get a better understanding of the characteristics of this malware and how it gets delivered.

Since the nascent days of the Internet, email has been the vector of choice for attackers delivering malware to a target, but that trend is rapidly changing. While email certainly continues to be a major source of malware, attackers are increasingly turning to real-time, web-enabled applications to deliver malware that is undetectable by traditional antivirus solutions. These real-time applications provide practical and technical advantages for an attacker, and the data shows that they are disproportionally successful at avoiding traditional antivirus as compared to email.

To better understand this phenomenon, we regularly test all malware samples captured by WildFire against fully updated antivirus products from 6 leading antivirus vendors. This provides a simple method for identifying malware samples that are undetectable by traditional AV, and thus pose particular risk to an enterprise. Over a 3-month period, WildFire analyzed 68,047 samples that were determined to be malware, and roughly 40% of those samples (26,363) were not detected by any of the tested antivirus products at the time the samples were captured in customer networks.

* Note: It is important to remember that all malware analyzed for this report was captured by customer firewalls, and may not represent all email-borne malware depending on where the firewall is deployed. As such, the data should be used to show which applications are relatively the most successful at delivering unknown malware, not which delivers the most total volume of malware.

90% OF UNKNOWN MALWARE DELIVERED VIA WEB-BROWSING

Given that the samples were captured by the firewall, we were able to identify the application that carried the malware. While web-browsing was found to be the leading source of malware both in terms of total malware* as well as undetected malware, the application mix was very different between the two groups. For example, SMTP accounted for 25% of the total malware, but only 2% of the fully undetected malware. Comparatively, web-browsing dominated both categories, accounting for 68% of total malware, but over 90% of undetected samples. This clearly shows that unknown malware is disproportionally more likely to be delivered from the web as opposed to email.

                             All Malware Detected    All Malware Detected by
                             by WildFire             WildFire - No Coverage
Malware samples              68,047                  26,363
Delivered via web-browsing   68%                     90%
Delivered via email          25%                     2%

5 DAYS TO COVERAGE FOR EMAIL, 20 DAYS FOR EVERYTHING ELSE

To extend the analysis, we continually retest newly identified samples on a daily basis (for up to 30 days) to observe how industry coverage changes over time. This showed that not only are traditional AV solutions far less likely to detect malware outside of email, but also it takes far longer to get coverage. For unknown malware delivered by email, it took an average of 5 days for vendors to provide coverage compared to an average of 20 days for other applications, with many samples remaining undetected for the entire 31 day period.

Several applications delivered samples that remained undetected for 30 days or more, but had far fewer samples. Social media and file-sharing were common vectors in this category. The fact that these applications were used rarely by malware should not be confused with being low-risk. The more rare sources of malware were also more unique and often targeted in nature.

The chart below shows a list of specific applications and their relative times to coverage by traditional antivirus. Applications with significantly high times-to-detection should be closely monitored by security teams. FTP had the ignominious distinction of being both a common source of unknown malware as well as one of the sources that rarely received coverage.

CHALLENGES OF WEB-BASED MALWARE

There are a variety of reasons why web-based malware presents such a challenge for traditional antivirus products. First, web-browsing and other web-based applications are real-time by nature, unlike email where a malicious file can be analyzed at rest on a mail server. This has the effect of significantly shrinking the timescale in which detection and enforcement decisions must be made. However, a potentially more significant factor is that web-based malware easily leverages server-side polymorphism, which simply means that the webserver that delivers the malware can automatically re-encode the malware payload to appear unique. This has the effect of generating vast amounts of unique malware on demand, which vastly reduces the likelihood that AV vendors will be able to capture the sample and create a signature. This is obviously very different from email-based malware, which is often sent out in bulk and is easily captured by antivirus vendors.

CONCLUSIONS AND RECOMMENDATIONS

In order to better address unknown malware, we first have to better understand where our traditional defenses are failing. The data shows that web-based applications are significantly more successful at both avoiding traditional antivirus and remaining unknown for extended periods of time. This means that organizations need to continue to expand their anti-malware strategies to include real-time network-based controls designed for these threats. These controls can come in a variety of forms that are not limited to next-generation firewalls. In the coming sections, we will dig deeper into more specific indicators and techniques that can be put to use. However, at an architectural level, organizations should consider the following steps, if not already implemented.

- Bring antimalware technologies into the network: For many years, antimalware technologies lived on the desktop and network security lived in the network. The data shows that malware has found particular success by moving to a more real-time use of the network, and as such security teams should expect and be prepared to enforce at the network as well. This means that we will need to not only incorporate antimalware technologies in new places, but we must also do it at new speeds.
- Expect unknowns, and add the ability to definitively identify malware: Unknown malware is rapidly becoming normal and not the exception, and security must acknowledge this shift. The malware in this report was identified by actively executing unknown samples in order to see what they actually do. While this is not the only solution to the problem, the more important point is that teams need an automated way to determine if unknown files are malicious or benign that can be integrated into large networks.
- Real-time detection and blocking whenever possible: In many ways security has experienced a regression from a mindset focused on prevention to one based on detection. Detection is always the important first step, but prevention is key to a manageable security process. Malware is being generated at scale by malicious web-servers, with each variant being slightly unique. If each one of these variants requires a manual response, the security staff will remain behind the curve, and have little chance of catching the more truly targeted and sophisticated attacks. We will address some first steps and strategies in the coming sections.

- Enforce User and Application-based Controls on Applications That Can Transfer Files: Organizations should attempt to reduce their exposure and attack surface based on user and application controls in addition to improving the ability to detect and block unknown malware. For example, HTTP-proxies were a common source of malware. Organizations should ensure that only their corporate proxies are allowed and end-users are prevented from using their own web-proxies, which are often used to circumvent security policy. In the case of Facebook, teams may allow Facebook, but specifically limit the Facebook file transfer feature. Such basic steps can limit some of the exposure to both generic and targeted malware entering the network.

IDENTIFIERS IN UNKNOWN MALWARE

70% of unknown malware retained potentially actionable identifiers in either the malware payload or traffic.

While malware has proven the ability to avoid traditional AV signatures, the news is not all bad. Our analysis combined an application level analysis of malware traffic (both inbound and outbound), the malware payload itself, as well as the malware behavior on a virtual host to find patterns that can be used to reduce an organization's exposure to unknown malware. Our analysis shows that of the more than 26,000 malware samples analyzed, 70% retained distinct identifiers or behaviors that can be useful for real-time control and blocking. While every indicator will not be appropriate for every network, the goal is simply to provide the research that security managers can adapt to their environments.

40% OF SAMPLES RETAINED ACTIONABLE IDENTIFIERS IN THE PAYLOAD

Even when malware is modified in order to change the hash value of the file, the data shows that unique internal identifiers remained visible in more than 40% of the samples, which can be used to block malware downloads in real time. In short, a single signature was found to be able to protect against multiple variants of undetected malware each with unique sha256 values. This trend was consistent across web-browsing and other web-based applications that pose the greatest challenge to traditional antivirus products. The identifiers were specifically visible in the header and body of the infecting file. This is significant because many network-based antimalware solutions will identify malware based on a hash value or URI, which would likely be ineffective in these cases. While blocking 40% of unknown malware does not solve the problem, it is encouraging to see techniques that can potentially reduce the volume of unknown malware, especially from web-based sources.

- 26,363 total unique malware samples (SHA256).
- 1,575 unique identifiers were observed in more than 1 piece of malware.
- These identifiers were observed in 10,616 unique malware samples.
- 40% of total unique malware had the potential to be blocked.
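
The contrast drawn above between hash matching and identifiers in the header and body of a file can be shown on constructed data. This is an added example, not code from the report or from WildFire; the marker bytes, the constructed variants and the names `StreamScanner` and `inspect_download` are assumptions made for illustration.

```python
import hashlib

# Constructed marker standing in for a byte sequence that stays constant in the
# header or body of every variant (hypothetical value, not a real signature).
IDENTIFIER = b"CONSTRUCTED-FAMILY-MARKER-01"


def make_variant(seed: int) -> bytes:
    """Constructed sample: same marker, different filler bytes around it."""
    prefix = hashlib.sha256(b"pre%d" % seed).digest() * (1 + seed % 3)
    suffix = hashlib.sha256(b"suf%d" % seed).digest()
    return b"MZ" + prefix + IDENTIFIER + suffix


class StreamScanner:
    """Match byte identifiers in a file as it streams past, chunk by chunk."""

    def __init__(self, identifiers):
        self.identifiers = list(identifiers)
        # Keep enough trailing bytes to catch a match that straddles chunks.
        self.overlap = max(len(i) for i in self.identifiers) - 1
        self.tail = b""
        self.sha256 = hashlib.sha256()
        self.hits = set()

    def feed(self, chunk: bytes) -> bool:
        """Consume one chunk; return True once any identifier has been seen."""
        self.sha256.update(chunk)
        window = self.tail + chunk
        for ident in self.identifiers:
            if ident in window:
                self.hits.add(ident)
        self.tail = window[-self.overlap:] if self.overlap else b""
        return bool(self.hits)


def inspect_download(data, chunk_size, identifiers, known_bad_hashes):
    """Scan a transfer in chunks and compare identifier and hash verdicts."""
    scanner = StreamScanner(identifiers)
    bytes_seen_at_hit = None
    seen = 0
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        seen += len(chunk)
        if scanner.feed(chunk) and bytes_seen_at_hit is None:
            bytes_seen_at_hit = seen  # a verdict is possible mid-transfer
    digest = scanner.sha256.hexdigest()  # only known once the file is complete
    return {
        "sha256": digest,
        "hash_match": digest in known_bad_hashes,
        "identifier_match": bool(scanner.hits),
        "bytes_seen_at_hit": bytes_seen_at_hit,
    }


def demo():
    """Five constructed variants; only the first one's hash is already known."""
    variants = [make_variant(i) for i in range(5)]
    known_bad = {hashlib.sha256(variants[0]).hexdigest()}
    # A 7-byte chunk is shorter than the marker, so every match straddles chunks.
    return [inspect_download(v, 7, [IDENTIFIER], known_bad) for v in variants]


if __name__ == "__main__":
    for r in demo():
        print(r["sha256"][:16], "hash:", r["hash_match"],
              "identifier:", r["identifier_match"])
```

The hash list catches only the variant it has already seen, while the single identifier matches all five and does so before the transfer has finished.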

30% OF SAMPLES GENERATED CUSTOM OR UNKNOWN TRAFFIC

As malware has evolved, it has grown more and more dependent on the ability to infect, persist and manage itself over a network. In this regard, an understanding of how malware communicates is just as important as understanding the behaviors of the malware on the host. By combining information captured at the enterprise firewall with traffic analyzed in the WildFire virtual environment, we were able to establish a very complete and unique view into malware traffic. Again, the analysis was focused on the more than 26,000 samples that were initially undetected by antivirus, with a particular focus on evasive techniques observed in the malware traffic as well as distinguishing characteristics in the traffic that can provide an indicator of a threat or compromise.

One of the most common malware indicators was the use of customized traffic by malware. Malware will often customize well-known protocols for its own purposes. This may include modifying standard protocols such as HTTP or DNS, but peer-to-peer, instant messaging and remote desktop protocols and applications are common targets as well. Any type of application that provides communication, resilience and the ability to transfer files is potentially valuable to malware. Since the next-generation firewall positively classifies all traffic, it's relatively easy to identify custom or unknown traffic in the network. Complementary studies in the Palo Alto Networks Application Usage and Threat Report have clearly shown a strong correlation between custom traffic and malware, and that trend held true in this study. Custom TCP and UDP counted as one of the most commonly identified behaviors observed in malware, as well as some of the most commonly generated traffic overall.

- 30% of unknown malware samples generated unknown traffic.
- This was the 4th most common malware behavior out of more than 100 observed behaviors.
- Custom/Unknown Traffic was the 3rd most common traffic type behind only web-browsing and DNS.

SUSPICIOUS MALWARE TRAFFIC

In addition to looking at the actual malware traffic, it is often helpful to look at where the malware is coming from and going to. Identifying domains and sites that have served malware has been a long-standing component of URL filtering solutions. To stay ahead of these solutions, malware operators will generate custom domains for the attacks, use large numbers of essentially disposable domains, as well as dynamic DNS and fast-flux domains in order to avoid being blocked. As part of the analysis we tracked the number of samples that connected to these domains as well as samples that connected to known malware sites.

- 33% of samples connected to new domains, DNS or fast-flux: Newly registered domains, fast-flux domains and dynamic DNS can also be blocked or blocked in conjunction with custom traffic or other indicators.
- 20% of samples generated emails: These samples were observed making direct email connections over the network. As a result, network policy should only allow email protocols to and from the corporate mail server, and block direct email to the Internet.
- 12% used HTTP-POST: HTTP-POST methods are very common in malware, but are also often used by web-applications. As a result, teams will likely not want to block HTTP-POST altogether, but it may make sense to block HTTP-POSTs going to unregistered or newly registered domains.

SUMMARY, CONCLUSIONS AND RECOMMENDATIONS

The analysis showed that while malware may be unknown to traditional security solutions, identifiers still remain. These identifiers can be present in the payload of the malware itself or in the network traffic that the malware generates. Some indicators can be conclusive on their own, while others may be best used in conjunction with additional indicators. The suggestions below should be used as general guidance, but will obviously need to be customized to the realities of a particular network.

- Stream-based analysis of file headers and payloads for malicious indicators: Needless to say, recognizing and blocking variants of malware in real-time is far preferable to detecting and remediating. The data shows that at least 40% of unknown malware were observable variants. This puts a very high priority on analyzing the actual malware payload, and timely delivery of newly identified malware intelligence.
- Establish and update a solid baseline for the network: Malware behaviors are often (but not always) anomalous, and these behaviors can be used to root out unknown malware quickly. However, malware techniques and strategies will always change, and as such it is critical to know what is normal for your network as opposed to the industry in general. A detailed baseline can provide the point of reference that exposes malware.
- Investigate and remediate unknown traffic: Unknown or custom traffic can be several things in addition to malware. As part of establishing a baseline, security teams should seek out unknown traffic and identify it conclusively going forward. It should quickly be possible to reduce the amount of unknown traffic to very low levels, where malware can easily be identified.
- Restrict rights to unknown, newly registered domains and dynamic DNS domains: The Internet is obviously a dynamic place, and it may not be that uncommon to encounter an unclassified or new domain. So while security teams may not want to block all traffic to and from a new domain, they may want to enforce tighter controls such as never allowing executables from these sites, decrypting SSL traffic for inspection, or blocking HTTP-POSTs to these unknown sites.
- Only allow email traffic to the corporate email server: A significant number of malware samples generated email directly to destinations on the Internet. This is very common behavior among spamming botnets, and behavior that can be easily controlled. Email traffic that does not go to the corporate email server can be easily blocked, and any users sending such traffic can be investigated as a potential malware infection.
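
One way to express the last two recommendations as policy checks over session logs, as an added example that is not from the report or from any Palo Alto Networks product. The key=value log format, the addresses and domains, the registration dates and the 30-day threshold for a newly registered domain are all constructed assumptions.

```python
from datetime import date

CORPORATE_MAIL_SERVERS = {"192.0.2.25"}   # constructed address (TEST-NET-1)
DYNAMIC_DNS_SUFFIXES = (".dyn.example",)  # constructed dynamic DNS zone
NEW_DOMAIN_DAYS = 30                      # assumption: the report gives no threshold
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Constructed registration data; in practice this comes from a WHOIS or
# passive DNS feed.
REGISTERED = {
    "example.com": date(1995, 8, 14),
    "fresh.example": date(2013, 3, 1),
}

# Constructed session log lines.
LOG = """\
src=10.0.0.5 app=web-browsing host=www.example.com method=GET content_type=text/html
src=10.0.0.7 app=web-browsing host=cdn.fresh.example method=GET content_type=application/x-msdownload
src=10.0.0.7 app=web-browsing host=cdn.fresh.example method=POST content_type=text/plain
src=10.0.0.8 app=web-browsing host=box1.dyn.example method=GET content_type=text/html
src=10.0.0.9 app=smtp dst_ip=203.0.113.40
src=10.0.0.5 app=smtp dst_ip=192.0.2.25
src=10.0.0.6 app=web-browsing host=never-seen.test method=POST content_type=text/plain
"""


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def domain_category(host, today):
    """Classify a host as established, newly-registered, dynamic-dns or unknown."""
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        return "dynamic-dns"
    labels = host.split(".")
    for i in range(len(labels) - 1):       # walk up to the registered parent
        parent = ".".join(labels[i:])
        if parent in REGISTERED:
            age_days = (today - REGISTERED[parent]).days
            return "newly-registered" if age_days < NEW_DOMAIN_DAYS else "established"
    return "unknown"


def evaluate(rec, today):
    """Return (action, reason) for one session record."""
    if rec["app"] == "smtp":
        if rec["dst_ip"] not in CORPORATE_MAIL_SERVERS:
            return "block", "direct email to the Internet"
        return "allow", "email via corporate mail server"
    category = domain_category(rec["host"], today)
    if category == "established":
        return "allow", "established domain"
    # Tighter controls for new, unknown and dynamic DNS domains only.
    if rec.get("content_type") in EXECUTABLE_TYPES:
        return "block", "executable from %s domain" % category
    if rec.get("method") == "POST":
        return "block", "HTTP-POST to %s domain" % category
    return "allow", "browse-only access to %s domain" % category


def run_policy(log_text, today):
    """Evaluate every log line; also list hosts that sent direct email."""
    decisions, investigate = [], set()
    for line in log_text.splitlines():
        rec = parse(line)
        action, reason = evaluate(rec, today)
        decisions.append((rec["src"], action, reason))
        if rec["app"] == "smtp" and action == "block":
            investigate.add(rec["src"])    # possible spamming infection
    return decisions, investigate


if __name__ == "__main__":
    decisions, investigate = run_policy(LOG, date(2013, 3, 22))
    for src, action, reason in decisions:
        print(src, action, reason)
    print("investigate:", sorted(investigate))
```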

MALWARE TRAFFIC ON NON-STANDARD PORTS

Malware was observed sending traffic over non-standard ports in both inbound and outbound traffic. The prevalence of this non-standard behavior varied widely by application as shown below. Using non-standard ports can allow malware to evade some security measures, which look for specific types of threats on particular ports. Non-SSL traffic on port 443 was the most common non-standard traffic behavior. This makes sense given that port 443 is almost always allowed on a network, and some organizations will not inspect traffic on 443 assuming that it is encrypted. The section below provides a summary of some of the more significant types of malware traffic including the relative use of non-standard ports:

FTP

FTP was one of the most interesting and concerning applications that we observed in the course of the report. It was the 4th most common source of unknown malware, the malware it delivered was rarely detected (average of 30 days out of 31), and almost always operated on a non-standard port. FTP is of course very flexible and light-weight, making it a powerful tool for attackers that may not get the attention it deserves from security teams.

- Observed FTP traffic on 237 non-standard ports (neither side of the connection using port 20 or 21).
- 97% of malware FTP sessions went over non-standard ports.
- Led all applications in terms of non-standard behavior.

FTP was the most evasive application in terms of port evasion, and had one of the lowest detection rates in terms of malware.

WEB BROWSING

Web-browsing was the workhorse application for unknown malware throughout the lifecycle. It was the #1 source of malware, and the #1 type of traffic generated by malware. It was also observed to be one of the applications used extensively for downloading additional payloads to the host. Malware delivered by web-browsing took 20 days on average to gain coverage. However, web-browsing on non-standard ports was relatively rare, accounting for only about 10% of sessions and 14% of bandwidth.

- Observed web traffic on 90 non-standard web ports (server operating on a port other than port 80).
- Relatively uncommon, accounting for only 10% of malware web-browsing sessions.
- Use of non-standard ports was slightly higher for browsing sessions that downloaded data. Non-standard ports accounted for 14% of downloaded bandwidth related to web browsing.

CUSTOM AND UNKNOWN TCP AND UDP

Custom traffic was predictably heavily tied to the traffic generated by the malware itself. Custom traffic was the 3rd most common traffic type after web-browsing and DNS. The use of non-standard ports varied considerably between TCP and UDP, with about half of unknown TCP using seemingly random ports and UDP staying on well-known ports.

- Observed custom TCP traffic on 19 non-standard ports (server operating on a port other than web, mail or proxy ports).
- 43% of unknown TCP traffic was observed on ports not associated with any well-known applications.
- Conversely, custom-udp was found exclusively on well-known ports 53, 80, and 443.

HTTP PROXY

HTTP-Proxy traffic was the 2nd most common source of unknown malware after web-browsing. Proxies showed behavior very similar to web-browsing in terms of time to detection, requiring 19 days for coverage on average. Proxies were more likely to use non-standard ports than simple web-browsing (17% for proxies, 10% for web-browsing).

- Observed HTTP-Proxy traffic on 29 non-standard web ports (server operating on a port other than port 80, 443, 1080, 3128, 8000, 8080).
- Accounted for 17% of malware http-proxy sessions.
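
The non-standard port findings in this section depend on identifying the application from the traffic itself rather than from the port number. The following is an added example, not the report's or App-ID's logic: it classifies a session from the client's first payload bytes (a deliberately simplified stand-in for real application identification) and compares the result with the standard ports the report lists; the sample sessions are constructed and treating 443 as the only SSL port is an assumption.

```python
import re

# Standard server ports per application, as listed in this section.
STANDARD_PORTS = {
    "ftp": {20, 21},
    "web-browsing": {80},
    "http-proxy": {80, 443, 1080, 3128, 8000, 8080},
    "ssl": {443},  # assumption: the report names only 443 for SSL
}

HTTP_REQUEST = re.compile(
    rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r\n")
FTP_LOGIN = re.compile(rb"USER \S+\r\n")

# Constructed sessions: (destination port, first bytes sent by the client).
SESSIONS = [
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (443, b"POST /submit HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    (49152, b"USER anonymous\r\n"),
    (8080, b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"),
    (9090, b"GET http://example.net/ HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    (443, b"\x00\x01\x02\x03custom-binary-protocol"),
]


def identify_app(first_payload: bytes) -> str:
    """Name the application from payload bytes, ignoring the port entirely."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_payload) >= 3 and first_payload[0] == 0x16 and first_payload[1] == 0x03:
        return "ssl"
    request = HTTP_REQUEST.match(first_payload)
    if request:
        method, target = request.group(1), request.group(2)
        # CONNECT or an absolute URI in the request line means a proxy request.
        if method == b"CONNECT" or target.lower().startswith((b"http://", b"https://")):
            return "http-proxy"
        return "web-browsing"
    if FTP_LOGIN.match(first_payload):
        return "ftp"
    return "unknown-tcp"


def check_session(dst_port: int, first_payload: bytes):
    """Return (application, findings) for one session."""
    app = identify_app(first_payload)
    findings = []
    if app == "unknown-tcp":
        findings.append("unknown-traffic")      # candidate for investigation
    elif dst_port not in STANDARD_PORTS[app]:
        findings.append("non-standard-port")
    if dst_port == 443 and app != "ssl":
        findings.append("non-ssl-on-443")       # most common case in the report
    return app, findings


def summarize(sessions):
    """Per application: total sessions and how many used a non-standard port."""
    summary = {}
    for dst_port, payload in sessions:
        app, findings = check_session(dst_port, payload)
        entry = summary.setdefault(app, {"sessions": 0, "non_standard": 0})
        entry["sessions"] += 1
        entry["non_standard"] += "non-standard-port" in findings
    return summary


if __name__ == "__main__":
    for port, payload in SESSIONS:
        print(port, *check_session(port, payload))
    print(summarize(SESSIONS))
```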

MALWARE BEHAVIORS ON THE HOST

Needless to say, a great deal of the malware life-cycle is focused on the infected host. Malware must be able to persist on the target for it to be useful in a long-term attack, and this requires the malware to blend in on the host while avoiding or disabling any security measures present. In total, behaviors designed to avoid analysis and persist on the host accounted for more than half of the behaviors observed by malware.

As part of analyzing potential malware, WildFire will execute a sample file and observe it for more than 100 malicious or suspicious behaviors. These behaviors have been broadly categorized as follows:

- Analysis Avoidance: Specific steps to avoid analysis either in a malware sandbox or other security solution (e.g. attempt to sleep for a long period of time).
- Persistence: This includes a variety of tasks required for the malware to exist on the host for long periods including how the malware will be run on the host and avoid host-based security.
- Hacking: These behaviors are directed outside of the infected host and typically involve fingerprinting the surrounding network, and identifying nearby vulnerable hosts.
- Data Theft: Traffic that is specifically observed stealing information from the compromised host such as passwords or simply device configuration information.
- Outbound Communication: Includes malware command-and-control and a variety of behaviors referenced in the previous section concerning malware traffic.

The table below shows the percentage of behaviors observed in each category.

ANALYSIS AVOIDANCE

Analysis avoidance behaviors were some of the most common behaviors observed, yet were the least diverse. In short, we observed a handful of techniques in a large percentage of samples. The attempt by the malware to sleep (avoid executing initially to avoid attention) was the most common avoidance behavior and also the most common behavior overall regardless of category. Code injection was observed in 13.5 percent of samples. This technique is notable in particular because it allows malware to hide within another running process. This has the effect of keeping the malware out of view if a user checks the task manager and can also foil some attempts at application white-listing on the host. While quite rare, it was interesting to see malware that attempted to check its external IP address. This likely indicates an attempt by the malware to determine if it is truly in the target network or if its network connection is being proxied.

PERSISTENCE

The Persistence category was one of the most active categories of behaviors as malware employed a wide variety of techniques to remain embedded on the host. In all, WildFire observed more than 26 persistence behaviors. Common strategies were to invade or overwrite key components or directories of the operating system, configuring the malware to run automatically when the host is booted up and disabling host security components.

Some behaviors were rare, but still quite notable. A small number of samples were observed to infect the Master Boot Record, which is a key requirement for a bootkit. Other rare but interesting behavior altered the host to prevent a system restore, ensuring the infected system couldn't be rolled back to a good state. Other modifications included tampering with the operating system to allow files to be run even with invalid signatures.

HACKING AND DATA THEFT

While persistence and avoidance are means to an end, hacking and data-theft are the ends. Predictably, this category was highly varied in terms of observed behaviors. Given the preponderance of malware delivered via web-browsing, it was not surprising to see the browser as a common target. Theft of passwords stored in the browser and manipulation of cookies were both common behaviors.

SUMMARY

Malware has become the key enabler for modern sophisticated attacks due to its ability to avoid traditional antivirus solutions, and provide a persistent internal foothold for long-term information attack once inside. As attackers and malware evolve, so too must our security responses. Modern malware presents a unique challenge in that the most sophisticated attacks will continue to require trained and diligent security professionals to investigate and analyze. On the other hand, the sheer volume of unknown malware can easily overwhelm even well-staffed security teams. As a result, security must aggressively seek out methods to automate the blocking of unknown malware wherever possible, while actively investigating the unknowns that get through. This report has hopefully provided some insight into the nature of the unknown malware problem, and provided some basic steps that security teams can use to protect their networks.

ABOUT PALO ALTO NETWORKS

Palo Alto Networks is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content by user, not just IP address at up to 20Gbps with no performance degradation. Based on patent-pending App-ID technology, Palo Alto Networks firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation. Most recently, Palo Alto Networks has enabled enterprises to extend this same network security to remote users with the release of GlobalProtect and to combat targeted malware with its WildFire service. For more information, visit Olcott Street Santa Clara, CA Main: Sales: Support:

Copyright 2013, Palo Alto Networks, Inc. All rights reserved.
Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_TMMR_032213


Introducing Rational Suite Itroducig Ratioal Suite Product Versio Ratioal Suite 2000.02.10 Release Date April 2000 Part Number 800-023314-000 support@ratioal.com http://www.ratioal.com IMPORTANT NOTICE Copyright Notice Copyright

More information

STUDENTS PARTICIPATION IN ONLINE LEARNING IN BUSINESS COURSES AT UNIVERSITAS TERBUKA, INDONESIA. Maya Maria, Universitas Terbuka, Indonesia

STUDENTS PARTICIPATION IN ONLINE LEARNING IN BUSINESS COURSES AT UNIVERSITAS TERBUKA, INDONESIA. Maya Maria, Universitas Terbuka, Indonesia STUDENTS PARTICIPATION IN ONLINE LEARNING IN BUSINESS COURSES AT UNIVERSITAS TERBUKA, INDONESIA Maya Maria, Uiversitas Terbuka, Idoesia Co-author: Amiuddi Zuhairi, Uiversitas Terbuka, Idoesia Kuria Edah

More information

CHAPTER 3 DIGITAL CODING OF SIGNALS

CHAPTER 3 DIGITAL CODING OF SIGNALS CHAPTER 3 DIGITAL CODING OF SIGNALS Computers are ofte used to automate the recordig of measuremets. The trasducers ad sigal coditioig circuits produce a voltage sigal that is proportioal to a quatity

More information

Bio-Plex Manager Software

Bio-Plex Manager Software Multiplex Suspesio Array Bio-Plex Maager Software Extract Kowledge Faster Move Your Research Forward Bio-Rad cotiues to iovate where it matters most. With Bio-Plex Maager 5.0 software, we offer valuable

More information

IT Management Options. Security Redefined. Flexible Offerings. Peace of Mind

IT Management Options. Security Redefined. Flexible Offerings. Peace of Mind IT Maagemet Optios Security Redefied Flexible Offerigs Peace of Mid Secure Data Ceters SymQuest has two compliat SSAE-16 Secure Data Ceters (SDC) located i South Burligto, VT ad Westbrook, ME. Our ifrastructure

More information

Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed. This documet was writte ad copyrighted by Paul Dawkis. Use of this documet ad its olie versio is govered by the Terms ad Coditios of Use located at http://tutorial.math.lamar.edu/terms.asp. The olie versio

More information

In nite Sequences. Dr. Philippe B. Laval Kennesaw State University. October 9, 2008

In nite Sequences. Dr. Philippe B. Laval Kennesaw State University. October 9, 2008 I ite Sequeces Dr. Philippe B. Laval Keesaw State Uiversity October 9, 2008 Abstract This had out is a itroductio to i ite sequeces. mai de itios ad presets some elemetary results. It gives the I ite Sequeces

More information

TruStore: The storage. system that grows with you. Machine Tools / Power Tools Laser Technology / Electronics Medical Technology

TruStore: The storage. system that grows with you. Machine Tools / Power Tools Laser Technology / Electronics Medical Technology TruStore: The storage system that grows with you Machie Tools / Power Tools Laser Techology / Electroics Medical Techology Everythig from a sigle source. Cotets Everythig from a sigle source. 2 TruStore

More information

CCH CRM Books Online Software Fee Protection Consultancy Advice Lines CPD Books Online Software Fee Protection Consultancy Advice Lines CPD

CCH CRM Books Online Software Fee Protection Consultancy Advice Lines CPD Books Online Software Fee Protection Consultancy Advice Lines CPD Books Olie Software Fee Fee Protectio Cosultacy Advice Advice Lies Lies CPD CPD facig today s challeges As a accoutacy practice, maagig relatioships with our cliets has to be at the heart of everythig

More information

Optimize your Network. In the Courier, Express and Parcel market ADDING CREDIBILITY

Optimize your Network. In the Courier, Express and Parcel market ADDING CREDIBILITY Optimize your Network I the Courier, Express ad Parcel market ADDING CREDIBILITY Meetig today s challeges ad tomorrow s demads Aswers to your key etwork challeges ORTEC kows the highly competitive Courier,

More information