avast! AutoSandbox 7.3 and the Polymorphic Infection

Cloud Services is now a must

In avast! 7.3, the prompt asking whether to run a program in the sandbox is gone. The addition of Cloud Services brings a highly mature whitelisting/blacklisting database covering tens of millions of files. This database is too large to be housed on the PC, so it requires Reputation Services to be enabled. The AutoSandbox learns from every user, every day! With 180 million users, this database is the most extensive of its type in the world. Once known code has been matched against the whitelist/blacklist, the remaining unknown code is analyzed for other variables, including file prevalence/reputation, origin, source URL, signature, and static analysis. Streaming Updates allow avast! to stay up-to-date against the latest threats at all times.

Polymorphic code is the real problem

There are three types of files: Known, New, and Rare. Known files are easily identified using existing DAT technology and Cloud Services. Most Rare files are Polymorphic, which is impossible to detect using DAT technology. Injection of random characters and code scramblers guarantee that each sample is significantly unique (Microsoft uses code scramblers on Service Packs to prevent reverse engineering). With Polymorphism, neither the programmer nor the program needs to know the payload in advance; the exact behavior is only determined at execution. The final stage of assembly includes encryption into a self-expanding executable, with the packer information embedded at the end of the file. Until the packer algorithm is understood, all initial scans see no decipherable code, so until now our antivirus has really had nothing to go on. When the packer is known, the AutoSandbox will now decrypt the file using an appropriate decompression algorithm. If the file is not deemed safe, or it uses an unknown packer, then the file must be executed in the sandbox. As this code executes, it is interrupted at different levels for structural checks and analyzed for viral characteristics and behavior (did “start, run” open; was the registry modified?). If at any time the code is confirmed as malicious, it is moved directly to the virus chest. Under full analysis, the user will see “This code is being analyzed” for a maximum of 15 seconds. If at any time the code is deemed safe, it is allowed to fully execute. This type of code analysis will change antivirus software as we know it!

DAT detection, as we have known it, is basically dead, and here’s why. The Polymorphic infection engine guarantees that every sample will have a different DAT. They prevent analysis by halting multiple downloads to the same location. Some samples, such as the “Storm” worm, have a “self-defense” module: it will attack any Internet address that trips this module and mount a denial-of-service against any investigation. This intelligent “anti-analysis” technology hinders antivirus vendors, as they can obtain only a few samples at best.
Every organized crime syndicate and terrorist organization has a cyber division. It is their number one source of income to fund their organization. A single virus writer, with a single Polymorphic engine, can produce over 30,000 unique samples per day. Multiply this by how many Polymorphic engines he can run, how many servers he controls, how many of his peers have this job, and how many organizations there are, and the number of unique infections is growing exponentially every day.
The sheer effort required for data entry to obtain and insert all these new definitions becomes theoretically impossible. The only real advantage of “brute-force” definitions is higher rankings in antivirus tests: the more definitions you have, the more samples you catch, the higher your ratings. The problem is that current antivirus testing does not mimic real-life occurrences. How can you test what you haven’t seen? How can you test what doesn’t exist yet? This is why DAT detection, as we have known it, is dead!

How can we protect ourselves against Polymorphism?

1) Unplug the Ethernet cable and go offline – This defeats the whole idea of the Internet, cloud applications, and email. Can’t we find a happy medium?
2) Virtualize your browser – This technology was slow to be adopted. Some functions/websites wouldn’t operate properly, the browsing experience was slowed, and you couldn’t save/install the way you normally did. This step offered no protection for email (my Outlook would not run in the sandbox).
3) AutoSandbox 7.3 is the only logical conclusion that I can see. Even adding a superior antispyware application, like Malwarebytes or SuperAntiSpyware, does not completely prevent the possibility of infection.


J.R. Guthrie


3 comments for “avast! AutoSandbox 7.3 and the Polymorphic Infection”

  1. J.R. Guthrie
    February 19, 2013 at 5:45 PM

    Besides what P.K. said, there’s one more innovation with respect to those Dyna detections. We call it snxsql and it basically allows us to use the full richness of SQL queries to detect viruses in the sandbox. That is, the whole execution trace from the sandbox is stuffed into an in-memory SQL database and we consequently make queries to that DB (including some pretty complex/rich ones). This allows the detections to be fairly sophisticated, while minimizing the FP rates.

    While the actual creation of these dyna detections / sql queries is now still a manual process (done by our virus analysts), we are close to actually implementing an automated generator for this – technically, this would be sort of “Evo-gen” for dyna detections.

    Pretty fascinating stuff, especially if you see the results.

    So, please, stay tuned, more stuff is coming.

    Thanks
    Vlk

  2. J.R. Guthrie
    February 18, 2013 at 10:10 PM

    Autosandbox improvements in v8:
    The user interface wasn’t changed (in fact I didn’t have an idea how to improve it), only the detection rates. As you know, autosandbox executes a suspicious process in the sandbox and logs every filesystem/registry operation, attempts to inject into different processes, modify system components, install hooks, network connections, etc. etc. Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in the VPS release history). One signature usually identifies various malware samples, so one malware sample is also usually detected by several signatures (e.g. for disabling Windows Update/firewall, injection, etc.). Autosandbox reports 50 000 Dyna infections every day. Our viruslab analyses ~40k unique malware samples every day in autosandbox and collects the logs, running on 180 virtual machines in ramdisk 24hrs a day. In A7, malware attempts to inject itself into different processes were blocked. In A8, we duplicate & sandbox the target’s process on a different desktop and allow injections, so the malware isn’t stopped early and we continue monitoring activity from the injection payload. Since we started to analyze a lot of malware in our viruslab, every machine crash is reported to me & fixed. Autosandbox/sandbox should therefore be quite stable in avast! Ver. 8.

    Peter Kurtin (P.K.)
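An added illustration (not avast!'s code) of the approach the two comments above describe: the sandbox execution trace is loaded into an in-memory SQL database and generic behaviour signatures are expressed as queries over it, so one process can trip several signatures at once. The trace events, the signature names and rules, and the two-hit verdict threshold are all constructed for this example.

```python
import sqlite3

# Constructed sandbox trace as (pid, operation, target); sample data made up for
# this example, not real sandbox output. pid 100 misbehaves, pid 200 is benign.
TRACE = [
    (100, "reg_set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate"),
    (100, "reg_set", r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"),
    (100, "inject", "explorer.exe"),
    (100, "file_write", r"C:\Users\u\AppData\Roaming\svchost.exe"),
    (100, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (200, "file_write", r"C:\Users\u\Documents\report.docx"),
    (200, "net_connect", "203.0.113.5:443"),
]

# Generic behaviour signatures written as SQL over the trace table, in the spirit
# of the "Dyna:" detections the comments describe. Names and rules are invented here.
SIGNATURES = {
    "Dyna:DisableUpdateOrFirewall": r"""
        SELECT DISTINCT pid FROM trace
        WHERE op = 'reg_set'
          AND (target LIKE '%WindowsUpdate%' OR target LIKE '%FirewallPolicy%')""",
    "Dyna:DropExeToAppData": "SELECT DISTINCT pid FROM trace WHERE op = 'file_write' AND target LIKE '%AppData%' AND target LIKE '%.exe'",
    # A correlated rule: injection *and* a Run-key autostart by the same process.
    "Dyna:InjectAndPersist": r"""
        SELECT DISTINCT i.pid FROM trace i JOIN trace r ON r.pid = i.pid
        WHERE i.op = 'inject' AND r.op = 'reg_set'
          AND r.target LIKE '%CurrentVersion%Run%'""",
}


def load_trace(events):
    """Load the execution trace into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trace (pid INTEGER, op TEXT, target TEXT)")
    db.executemany("INSERT INTO trace VALUES (?, ?, ?)", events)
    return db


def run_signatures(db, signatures=SIGNATURES):
    """Return {pid: set of signature names that matched that process}."""
    hits = {}
    for name, sql in signatures.items():
        for (pid,) in db.execute(sql):
            hits.setdefault(pid, set()).add(name)
    return hits


def verdicts(hits, threshold=2):
    """Assumed policy: one hit is only suspicious; several independent behaviours are malicious."""
    return {pid: ("malicious" if len(names) >= threshold else "suspicious")
            for pid, names in hits.items()}
```

Requiring two or more independent behaviours before a malicious verdict is what keeps a single noisy rule from producing false positives on ordinary software.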

  3. J.R. Guthrie
    February 18, 2013 at 10:08 PM

    Complete analysis of the autosandboxed application is done on the user’s computer. Autosandbox executes a suspicious process in the sandbox and logs every filesystem/registry operation, attempts to inject into different processes/modify system components/install hooks/create network connections, etc. etc. Avast has over 1500 generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in the VPS release history). One signature usually identifies various malware samples, so one malware sample is also usually detected by several signatures (e.g. for disabling Windows Update/firewall, injection, etc.). We receive only some statistics to see false positives, # of autosandboxed processes, etc. The binary file is never uploaded to avast! servers.

    Peter Kurtin (P.K.)
