Rethinking how we look at malware

When we started thinking about Deepviz, the central observation was that security products struggle with correlating malicious data: they focus on single threats and lack the holistic overview and the context of a threat that responders need to make good decisions. It is not uncommon for a targeted attack to be only partially detected (when you are lucky; otherwise it is missed entirely) simply because the threat, in its current shape, was not yet in the threat database.

Public (and private) runtime packers, body-polymorphic engines and many other tricks that bypass security products have raised the bar for threat detection. A targeted attack can easily slip past existing defenses and infect networks largely undetected, because every repacked build is a new, unknown file.

The main problem is that security companies are still approaching data correlation in the wrong way: either by trying to correlate PE files (similar variant? same signature?) or by correlating network activity (connecting to the same domain? the same IP addresses?). Both keys are exactly the ones an attacker changes cheaply between builds.

With Deepviz we wanted to build a cloud-based, cost-effective, powerful environment to analyze malware and extract as many useful details from it as possible, but we also wanted to give our customers the intelligence needed to correlate all the extracted data and finally put a definitive name on each threat. A simple example:

The sample with MD5 50f9583908cd2e5e1abd9525698d6d25 is detected with the following antivirus names:

Crypt4.CMVI
Win32:Dropper-gen [Drp]
TR/Crypt.Xpack.293167
Gen:Variant.Kazy.575686
HEUR:Trojan.Win32.Generic
Ransom.CryptoWall
Worm:Win32/Gamarue!rfn

The sample with MD5 8324b49ee62ef9b10cf0f70da7316bd4 is detected with the following antivirus names (same antivirus engines, in the same order, as before):

Downloader.Small.PYA
Win32:Teerac-R [Trj]
TR/Dldr.Agent.110592.71
Trojan.AgentWDCR.ENM
Backdoor.Win32.Androm.hliy
Trojan.Kovter
Worm:Win32/Gamarue.AR

The sample with MD5 2757bd4f42a23eee534e27cb802d38e6 is detected with the following antivirus names (same antivirus engines, in the same order, as before):

Win32/Cryptor
Win32:Androp [Drp]
TR/AD.Gamarue.Y.972
Trojan.GenericKDZ.30369
Backdoor.Win32.Androm.ihcs
Trojan.Crypt.Delf
Worm:Win32/Gamarue

Seven engines, three samples, and not a single name shared across all of them. However, if you look at our dynamic analysis reports for the three samples, they all show the same behaviour:

– Create an msiexec.exe process
– Inject code into msiexec.exe (28,672 bytes)
– Drop a copy of itself under C:\ProgramData\msnqalbnf.exe
– Disable Windows security settings
– Set up an Autorun registry key

What differs between the samples is the network communication with the C&C infrastructure, which contacts the following hosts:

46.161.30.225
sabadellcam.tk
pono11.eu
pro7778.com

Indeed, only one antivirus engine named the same family (Gamarue) for all three samples. With our intelligence API (which will be part of our intelligence SDK offering), we identified and classified over 300 different MD5s in our database as members of the same family. Their C&C servers, in addition to the ones already listed above, include:

testingandra29221.com
testingandra291.com
and4.junglebeariwtc2.com
and4.junglebeariwtc1.com
and4.junglebeariwtc5.com
and4.junglebeariwtc4.com
dnswow.com
dnswow2.com
dnswow3.com

[…]
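The correlation described above, as an added example that is not Deepviz code and not part of the original post: the three samples' AV labels, behaviours and C&C hosts are taken from the post and turned into constructed records (which of the four C&C hosts each sample contacted is not stated, so the mapping is an assumption), plus two constructed control samples that are not in the post. Samples are clustered on the Jaccard similarity of their behaviour sets rather than on hashes or C&C hosts; the cluster then votes on a family name using the tokens in its members' AV labels, and the cluster's C&C hosts are pooled as pivot indicators. The behaviour strings, the 0.6 threshold and the generic-token stoplist are my assumptions.

```python
import re
from collections import Counter
from itertools import combinations

# Behaviour observed in the post's three dynamic-analysis reports, encoded as feature strings (assumed encoding).
GAMARUE_BEHAVIOUR = frozenset({
    "create_process:msiexec.exe",
    "inject:msiexec.exe",
    "drop:C:\\ProgramData\\msnqalbnf.exe",
    "disable:windows_security_settings",
    "persist:autorun_registry_key",
})

# Constructed records. AV labels are the ones quoted in the post; the sample-to-C&C mapping is an assumption.
SAMPLES = {
    "50f9583908cd2e5e1abd9525698d6d25": {
        "av": ["Crypt4.CMVI", "Win32:Dropper-gen [Drp]", "TR/Crypt.Xpack.293167",
               "Gen:Variant.Kazy.575686", "HEUR:Trojan.Win32.Generic",
               "Ransom.CryptoWall", "Worm:Win32/Gamarue!rfn"],
        "behaviour": GAMARUE_BEHAVIOUR,
        "c2": {"46.161.30.225"},
    },
    "8324b49ee62ef9b10cf0f70da7316bd4": {
        "av": ["Downloader.Small.PYA", "Win32:Teerac-R [Trj]", "TR/Dldr.Agent.110592.71",
               "Trojan.AgentWDCR.ENM", "Backdoor.Win32.Androm.hliy",
               "Trojan.Kovter", "Worm:Win32/Gamarue.AR"],
        "behaviour": GAMARUE_BEHAVIOUR,
        "c2": {"sabadellcam.tk"},
    },
    "2757bd4f42a23eee534e27cb802d38e6": {
        "av": ["Win32/Cryptor", "Win32:Androp [Drp]", "TR/AD.Gamarue.Y.972",
               "Trojan.GenericKDZ.30369", "Backdoor.Win32.Androm.ihcs",
               "Trojan.Crypt.Delf", "Worm:Win32/Gamarue"],
        "behaviour": GAMARUE_BEHAVIOUR,
        "c2": {"pono11.eu", "pro7778.com"},
    },
    # Constructed control 1: a hypothetical near variant with a different drop filename and a generic-only label.
    "constructed-near-variant": {
        "av": ["HEUR:Trojan.Win32.Generic"],
        "behaviour": (GAMARUE_BEHAVIOUR - {"drop:C:\\ProgramData\\msnqalbnf.exe"})
                     | {"drop:C:\\ProgramData\\qwertzuio.exe"},
        "c2": {"c2.example.invalid"},  # hypothetical host
    },
    # Constructed control 2: a hypothetical unrelated sample that shares only the autorun trait.
    "constructed-unrelated": {
        "av": ["Trojan.Generic"],
        "behaviour": frozenset({"create_process:cmd.exe", "persist:autorun_registry_key",
                                "network:http_beacon"}),
        "c2": {"other.example.invalid"},  # hypothetical host
    },
}

# Label tokens that name a platform, type or heuristic rather than a family (assumed stoplist).
GENERIC_TOKENS = {"win32", "trojan", "worm", "backdoor", "dropper", "downloader", "dldr",
                  "ransom", "agent", "gen", "generic", "variant", "heur", "crypt", "cryptor",
                  "xpack", "small"}


def jaccard(a, b):
    """Jaccard similarity of two feature sets (1.0 when both are empty)."""
    a, b = set(a), set(b)
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def cluster_by_behaviour(samples, threshold=0.6):
    """Single-linkage clustering: two samples join a cluster when their behaviour Jaccard >= threshold."""
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(samples[a]["behaviour"], samples[b]["behaviour"]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for sid in samples:
        groups.setdefault(find(sid), set()).add(sid)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def family_tokens(label):
    """Candidate family-name tokens in one AV label: lowercase, no numbers, no generic words."""
    return {t for t in re.split(r"[^a-z0-9]+", label.lower())
            if len(t) >= 3 and not t.isdigit() and t not in GENERIC_TOKENS}


def family_votes(samples, cluster):
    """For each candidate family token, count how many cluster members carry it in at least one label."""
    votes = Counter()
    for sid in cluster:
        votes.update(set().union(*(family_tokens(l) for l in samples[sid]["av"])))
    return votes


def cluster_c2(samples, cluster):
    """Pool the C&C hosts of every cluster member: the indicators one member gives you for the others."""
    return set().union(*(samples[sid]["c2"] for sid in cluster))


if __name__ == "__main__":
    for group in cluster_by_behaviour(SAMPLES):
        print(len(group), "samples; family votes:", family_votes(SAMPLES, group).most_common(3))
        print("   C&C pivots:", sorted(cluster_c2(SAMPLES, group)))
```

With the records above the three page samples and the near variant land in one cluster (the variant's differing drop path costs one feature, Jaccard 4/6), the unrelated sample stays alone (Jaccard 1/7), and "gamarue" is the only token present in three members' labels even though no two samples share a single label string. Note that the C&C sets of the three page samples have a Jaccard of 0: a pipeline keyed on network indicators alone would never have linked them, while the behaviour cluster hands you all four hosts as pivots at once.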

[Figure: Deepviz Threat Intelligence]

This short example shows why you can, and should, invest in data correlation if you want to defend your perimeter successfully: the hash and the C&C host are the cheapest things for an attacker to change, while the behaviour is what the malware has to keep in order to work.

This is what Deepviz is all about, really – tying it all together so you get the full picture.

It is not just a malware analysis service, nor just a huge database of data aggregated from external feeds. It is a self-learning, self-expanding threat intelligence database that automatically extracts malware data using our sandboxes, feeds that data back into the database, and correlates the known with the unknown so that new malware is identified faster and more accurately.

In the next posts we’ll cover more about the infrastructure behind Deepviz and our capabilities.

Stay tuned!