Adaptive Behavior-Based Malware Protection

Transcription

1 WHITE PAPER: ENTERPRISE SECURITY Adaptive Behavior-Based Malware Protection Who should read this paper Enterprise Information Security executives and teams can use this document to understand a new behavior-based security technology that automatically identifies and blocks even highly obfuscated malicious code with no user intervention or meaningful impact on system performance.

2

3 Content Executive summary The new threat environment Malware s critical weakness and a new approach Inside SONAR Real-time behavior-based protection Classification of application behaviors Behavioral policy lockdown SONAR in action the Symantec advantage Take the next step

4 Executive summary A new generation of customized, tightly targeted, and byte-level obfuscated malicious code (malware) disguises its appearance to evade reactive security measures of all kinds, specifically signature-based antivirus solutions. But while each new instance in a malware "family" may appear different, its behavior can't be disguised. Symantec SONAR technology takes advantage of this weakness to create a new, final line of defense against even sophisticated, highly obfuscated malware. SONAR monitors every process running on a protected computer for patterns identified during an exhaustive, worldwide classification of application behaviors and then blocks or removes them in real time, without any user intervention, measurable performance impact, or meaningful risk of false alarms. Qualitatively different even from emulation and other behavior-based approaches, SONAR is already analyzing more than 50 million application instances every month, blocking more than 73,000 malicious files every day, and protecting more than 50 million enterprise and consumer systems worldwide. IT organizations should carefully consider upgrading their IT security solutions to include SONAR protection, and to enable SONAR protection if they are not already using it. The new threat environment As documented by the Symantec Internet Security Threat Report, 1 online malicious code malware is undergoing a qualitative change. The first wave of malware designed to steal financial assets, intellectual property, or sensitive information broadly distributed a few threats to compromise the most vulnerable among millions of targets. But a second generation of customized, precisely-targeted threats is a far greater challenge to today s security technologies and the businesses that depend on them. These new families of threats are cloned from established malware and then obfuscated at the byte level using automated tools. Hacker tools that disguise malware from all signature-based antivirus solutions are billed as 100% FUD (for Fully UnDetectable ) crypters, and command premium prices in online criminal markets. Criminal organizations, political hactivists, and state-sponsored organizations use them to create new malware instances as needed to steal money and intellectual property, mislead users into purchasing useless or dangerous "FakeAV" software, infiltrate or compromise critical infrastructure, or disclose information they hope will embarrass their targets. New enterprise and consumer threats follow vectors including: Advanced Persistent Threats (APTs), remote-access Trojans, spyware, and keyloggers Social-engineering exploits disguised as antivirus software, key generators, and video codecs to trick users into installing malware Bot software and drive-by downloads that automatically add systems to botnets Non-process threats injected into running system processes to make removal difficult and risky Zero-day threats Drive-by downloads and web attacks that install malware without requiring any user action Malware designed to be buried silently in rootkits to evade detection Byte-level obfuscation or encryption disguises new malware variants from antivirus software that relies on signatures to recognize and block every newly-encrypted clone. Customized malware can easily reach its target often a single endpoint before security vendors can find it to create and distribute a signature. And customized threats are multiplying fast: every year, Symantec sees hundreds of millions of malware variants, and blocks billions of attacks. 1-Symantec Corporation. Symantec Internet Security Threat Report Volume 17. (Mountain View, CA. April, 2012). 1

5 Malware s critical weakness and a new approach The new generation of malware disguises its appearance to evade signature-based detection. But the goals of malware creators fraud, theft, vandalism, and defamation haven t changed. And so their new malware exhibits the same narrow range of behaviors as the old keyloggers and password stealers access and export information, spambots send , rogue antivirus programs pop up misleading messages, and so on. Unlike the tidal wave of unique signatures from customized malware, malicious behaviors are few in number, highly stable over time, and consistent within malware families. The behavioral consistency of malware is a weakness that Symantec has taken advantage of to create a new protection technology. SONAR Symantec Online Network for Advanced Response technology blocks and removes malware in real time, based on what it attempts to do, regardless of how well it is disguised. Built into Symantec Endpoint Protection 12.1 and Norton 360, and Norton Internet Security consumer products from 2010 onwards, SONAR uses real-time behavioral monitoring to block and disable even highly obfuscated malicious code with no user intervention of any kind. SONAR is the innermost of multiple layers of protection: signature-based antivirus delivers efficient, effective protection against widely distributed, routine threats. SONAR, working with and complementing Symantec engines like Network Intrusion Detection and Insight reputation-based security, creates a critical final line of defense against new malware aimed at business endpoints, desktops, and users. Now in its fourth generation, SONAR technology uses Proactive Threat Protection that has been completely redesigned from the earlier generation of behavioral detection featured in Symantec Endpoint Protection 11. Inside SONAR SONAR technology detects threats based on their behaviors, with no reliance on signatures. It is effective even against brand-new clones of sophisticated malware such as Duqu, StuxNet and Hydraq/Aurora, and malware-embedding rootkits from sources like TidServ and ZeroAccess. In order to minimize performance impacts on the system, definitions of suspect behaviors are created in offline labs using exhaustive machine and human analysis, and distributed through Symantec LiveUpdate. SONAR combines: Real-time behavioral monitoring of all processes running on a computer Exhaustive automated and human classification of behaviors Removal or blocking, depending on threat behavior and likely system impact Let s review the operation and advantages of each component: Real-time behavior-based protection SONAR monitors the behaviors of processes as they run, for example attempts to change a browser home page, install a browser toolbar, monitor keystrokes, and almost 1,400 others. It puts each behavior in full context by also considering process: Origin was the original file downloaded from a trusted site, copied from a network share, installed from portable media, etc.? Contents was the original file encrypted and packed and disguised using high-entropy encryption? 2 What Windows functions does it import? Was the code compiled using a commercial solution or one of the low-end, non-mainstream compilers hackers favor? Relationships has the process created any executables that were identified as malicious? 2-Robert Lyda and James Hamrock. Using Entropy Analysis to Find Encrypted and Packed Malware, IEEE Security and Privacy, volume 5 issue 2. (Piscataway, NJ: IEEE Educational Activities Department, March 2007). 2

6 The resulting inventory of behaviors, presented in full context, is ready for evaluation using classification rules developed in the laboratory and distributed through LiveUpdate. By monitoring processes in real time, SONAR catalogues application behavior including behavior of heavily obfuscated malware clones and even threats that have yet to be created. Context information helps the solution work even faster and suppress false alarms. Classification of application behaviors The large number of behaviors monitored by SONAR creates a broad statistical base for rules that distinguish malicious from benign processes but the quality and efficiency of the rules themselves are equally important. Rule-based solutions that attempt to evaluate processes on the fly within client systems pit quality and efficiency against one another: greater precision consumes more processing power; less performance degradation means higher risk of misses, false alarms, or both. SONAR takes a different approach, maximizing effectiveness without sacrificing productivity. Systems and experts analyze behaviors of application instances collected online hundreds of millions to date offline in Symantec laboratories, creating classification rules that client systems can apply with virtually no performance impact. Symantec has developed more than 1,000 such simple and compound rules; basic examples include: Signed by VeriSign (Good) Terminates Symantec process (Bad) Modifies Browser Home Page BUT Not Developed in Visual Basic (Good) Other rules classify code that reads or writes to sensitive areas of the registry, creates executables, modifies DNS settings, and much more. Collecting and analyzing all this information relies on unique Symantec strengths, including the world s largest repository of application instances and a network of hundreds of millions of listening posts distributed worldwide, 3 to deliver a constant supply of new instances. Two other strengths deserve special mention. First, the broad coverage and wide distribution of other Symantec security technologies provides context and analysis for SONAR classifications available from no other source including: Antivirus does this code create executables recognizable as viruses? Intrusion Prevention does this application show bot-like behaviors, or attempt to create bots? Reputation-based Security is the application classified as malicious by the advanced analytics of the Symantec Insight reputation system that calculates community reputation for all files? 4 Second, Symantec Technology and Security Response extends classification rules in useful ways, by: Identifying behavior sequences that define threat families, for example members of the PC Scout fake antivirus software family, all of which launch from the Temp folder, write AVE to the Windows Registry, create a hostinfo.txt file, and modify the Browser Home Page, in that order Reviewing and certifying machine-authored classification rules to categorize them into family groups that IT security administrators can better understand and use 3-Christian A. Christiansen, Chris Liebert, and Charles J. Kolodgy. Worldwide and U.S. Security Services Threat Intelligence Forecast: Out of the Basement and into the Clouds (Market Analysis). (Framingham, MA: IDC. November, 2011.) 4-For complete details on Symantec Insight, please review the companion White Paper, Turning the Tables on Malware: a Comprehensive Approach to Unique and Targeted Attacks. 3

7 Publishing malware descriptions that integrate information from SONAR, other Symantec protection technologies, and Symantec human intelligence see, for example, write-ups on RougueAV!gen20 and Zbot!gen1 Human classification improves response time because it s faster to test, analyze, and release rules family-by-family than instance-byinstance. It also reduces false positives compared with machine-only classification, since each rule is backed not only by a greater volume of evidence, but by the know-how and experience of seasoned security professionals. Behavioral policy lockdown Symantec distributes new or changed classification rules when they re certified and ready, with no delays introduced by fixed update schedules or slow patch cycles. Client computers start using the rules immediately to identify and remove malware. In a small minority of cases, however, identification and removal isn t enough. Non-process threats like attempts by the Windows Print Spooler Server to modify the partition table under control by the Tidserv rootkit can t be distinguished from innocent code in other words, can t be identified as malware. And parasitic threats infecting key Windows system files can t be removed without risking system instability. In these cases, SONAR locks down the suspect code, intercepting and counteracting illegitimate registry changes, file deletion, folder creation, and more, while permitting execution of operations that pose no risk to the system, user, or network. This approach prevents overreactions that might compromise application utility or system stability, while still providing excellent protection against even heavily encrypted, single-instance customized or Zero-day malware. The combination of real-time behavioral monitoring, machine and human classification, and blocking or lockdown of suspicious code delivers a highly effective final line of defense against sophisticated malware that has been engineered to evade traditional signature-based AV technology. It removes or isolates threats at the moment of execution without deleting high-trust files, tying up system resources in complicated emulations, or relying on users to distinguish real from fake malware alerts, or genuine s from socially engineered phishing attacks. SONAR in action the Symantec advantage SONAR is the only security solution in wide deployment that uses real-time behavioral monitoring to block even new and single-instance malware with no user intervention at all. It combines extreme accuracy with minimal impact on system resources including no userperceivable delays during everyday tasks like boot-up and shutdown, launching applications, browsing the web, reading , playing music and videos, ripping DVDs, and editing documents. The SONAR experience base now covers more than 134 million machines, with analysis of more than 1.3 billion application instances. The technology has identified and blocked more than 24 million threats in 2011 alone while maintaining a 0.02% false-positive rate among files submitted for evaluation. And blocking is enabled automatically on tens of millions of installed systems, protecting them with no requirement for user intervention or commitment of IT resources. 5 Most rewarding to Symantec security professionals is confirmation of the technology s effectiveness in dozens of hacker communications intercepted online. SONAR is more than an incremental advance it is a qualitatively different way of classifying and blocking or isolating malicious code. Considered point-by-point against alternative technologies, the advantages of SONAR are compelling: 5-Symantec Security Technology and Response. STAR Malware Protection Technologies (Web page). (Mountain View, CA: Symantec Corporation. May 1, 2012). 4

8 Emulation-based behavioral engines monitor processes in an emulator at launch or scan time, not in real time. This delays launch of legitimate processes and extends scan times. Local emulation also has significant impact on system resources, forcing tradeoffs between effectiveness and performance. Machine-only evaluation and classification risks false alarms that human security experts would screen out. And hackers are adapting by enhancing their malware with anti-emulation features that they test against security software before release. Host-based Intrusion Prevention/Shields/System Change Monitors keep track of running processes, but alert users to every suspicious action, including perfectly benign changes to RUN keys, driver updates, modifications to the hosts file, and so on. They leave it up to users to evaluate risks and decide on appropriate actions in response to every alert. While sophisticated users appreciate the high degree of control this provides, it is intrusive and annoying to most users, who may ignore alerts or push to have the solution turned off entirely. Simple heuristics with Cloud lookup use a two-stage process to balance protection and performance. First, to avoid a time-consuming lookup, they screen files on the client for simple characteristics like packing. When malware is deliberately engineered to evade screening criteria, for example by releasing it unpacked, the threat may be passed through undetected. And when screening detects a risk and refers files to a cloud service for in-depth evaluation, the round trip has significant impact on process launch times. Incidental characteristics like signatures, packing, and even reputation are correlates that help streamline identification and removal of malware but process behaviors define it. Because SONAR monitors, blocks, and sequesters process behaviors in real time, it provides a final line of defense against threats to IT infrastructure and information assets. Because SONAR classification rules are immune to even 100% FUD obfuscation, the solution escapes the delays, Zero-day vulnerabilities, and protection/performance tradeoffs of signaturebased, on-client heuristic, and hybrid solutions. Hackers know it Symantec Security Response monitoring of underground information networks confirms the real-world effectiveness of SONAR technology. And SONAR capabilities have been proven superior in published comparisons of behavioral-detection solutions. Building on the market-leading strength of the Symantec family of security solutions, SONAR also has compelling advantages of scale, including: More than 50 million active participants worldwide contributing application instances to the SONAR information repository More than 50 million executables, dll s, and applications analyzed every month Conviction and blocking of more than 73,000 malicious files every day (averaged over 90 days ending in December, 2011) 6 Deep integration with other Symantec protection technologies in worldwide use, including Network Intrusion Prevention, Antivirus, and the Symantec Insight reputation engine. The growth path of SONAR has documented dramatic improvements in protection to date against the most serious threats aimed at individual and enterprise systems today. Because SONAR technology is adaptive, constantly evaluating and then monitoring and blocking new malware variants, protection stays effective without time-consuming or performance-sapping user and IT intervention. And Symantec investments position SONAR technology to continuously improve the protection and performance it delivers over many years to come. Take the next step Organizations currently using Symantec Endpoint Protection 11 or alternative technologies should strongly consider upgrading to SONAR advanced behavioral protection, included with Symantec Endpoint Protection Organizations using Symantec Endpoint Protection Star Malware Protection Technologies. 5

9 that are not utilizing the SONAR technology should evaluate the use of SONAR for improved protection with less commitment of user and IT resources. For an in-depth review of what SONAR can do for your organization, visit the SONAR technology page or contact a Symantec Sales representative in your country. 6

10

11 About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security, and application security solutions. Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 5/