Internet Security Systems - AlertCon(TM)

Behavioral Detection and ATM Theft

Posted by Mark Vincent Yason on July 26, 2007 at 4:52 PM EDT.

Recently, one of our honeypots received a password stealer targeting users of Tibia, a Multi-user Online Role Playing Game (MORPG). The malcode was around 5 KB and packed with UPX 3.0.

We knew that it was a brand new sample, because the major AV vendors did not yet have detection for it and the time stamp in the PE header was July 11 2007 09:07:39.

 

Based on the time-date stamp, the attacker compiled the malcode on July 11 (a Wednesday morning), ready to be released in the wild at any moment. But what he didn't know is that at the moment he finished preparing his creation, our Virus Prevention System (VPS) was already able to detect it. How? Simply because what he created behaves like malcode, allowing VPS to detect it the moment it was released.
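The compile time mentioned above is the TimeDateStamp field of the COFF file header (seconds since the Unix epoch, UTC), and a UPX-packed file is usually recognisable by its UPX0/UPX1 section names. The following Python, added here as an illustration and not part of the original post or the VPS product, parses both from a PE image; it builds a constructed minimal header carrying the page's time stamp (interpreted as UTC, which is an assumption) rather than using the real sample.

```python
import struct
from datetime import datetime, timezone

# Layout constants from the PE/COFF specification.
PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes
SECTION_HEADER_SIZE = 40


def parse_pe_header(data: bytes) -> dict:
    """Return compile time (UTC), section names and UPX-style sections of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, n_sections, stamp, _, _, opt_size, _ = struct.unpack_from(
        COFF_HEADER_FMT, data, coff_off)
    # Section table starts right after the optional header.
    sec_off = coff_off + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(n_sections):
        start = sec_off + i * SECTION_HEADER_SIZE
        names.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    # UPX section-name heuristic: a label, not proof of packing.
    upx = [n for n in names if n.upper().startswith("UPX")]
    return {"machine": machine, "compiled": compiled, "weekday": compiled.strftime("%A"),
            "sections": names, "upx_sections": upx}


def build_sample_pe(stamp: int, section_names: list) -> bytes:
    """Constructed minimal PE header (headers only, not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), stamp, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0").ljust(SECTION_HEADER_SIZE, b"\0")
                        for n in section_names)
    return bytes(dos) + PE_SIGNATURE + coff + sections


# The page's time stamp, assumed to be UTC, on a constructed UPX-style section layout.
SAMPLE_STAMP = int(datetime(2007, 7, 11, 9, 7, 39, tzinfo=timezone.utc).timestamp())
SAMPLE = build_sample_pe(SAMPLE_STAMP, ["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    info = parse_pe_header(SAMPLE)
    print(info["compiled"].isoformat(), info["weekday"], info["sections"], info["upx_sections"])
```

Keep in mind that TimeDateStamp is attacker-controlled and is routinely zeroed or forged, so it supports a "this is new" judgement only together with other evidence such as the missing AV coverage noted above.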

As an analogy, we can compare VPS to a police officer arresting an ATM thief. Instead of waiting until a thief actually steals money from the ATM, the officer is able to predict and prove the theft ahead of time, even if the criminal has no prior history and the officer knows nothing about the individual in advance.

How could the smart police officer do this? He simply tested the potential thief (in the case of VPS, an executable file) against a "fake ATM" (virtual machine/OS).  If he does steal some money (malicious behaviors) on the "fake ATM", he will be tagged (detected) as a thief (malcode).  At that moment, he would be arrested without having a chance to rob the "real ATM" (real machine/OS).

This is the very concept that lets VPS detect 0-day malcode. Like criminals, malcode has malicious behaviors, and these can easily be identified by a behavioral engine via virtualization. How about packers and obfuscation? Well, no matter what disguise the thief may wear to hide his identity, he will still rob the ATM, and thus still get caught.

A white paper on VPS can be found at the following link:
Virus Prevention Without Signatures
