7.22.2010

The road from malware sample to antivirus alert... Kaspersky style!


[0x00] The problem

Today I woke up and Twitter was full of news about the new undetected sample of SpyEyes. VirusTotal reported that no antivirus could detect it yet. I got a sample (thank you Ben Koehl and Chae Jong Bin) and sent it to Kaspersky. I then waited and waited and waited. I had just pushed the manual update of my KIS 2010 (produced by Kaspersky), but it was still undetected. So I started to do my research...


[0x01] Who is Kaspersky?
Kaspersky Lab is a computer security company, co-founded by Natalya Kaspersky and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products. The Kaspersky Anti-Virus engine also powers products or solutions by other security vendors, such as Check Point, Bluecoat, Juniper Networks, Sybari (now acquired by Microsoft), Netintelligence, GFI Software, F-Secure, Clearswift, FrontBridge, G-Data, Netasq, and others. Altogether, more than 120 companies are licensing technology from Kaspersky.
Also, in my opinion, Kaspersky Lab does the best job when it comes to detecting malware.


[0x02] Their problems
As seen on viruswatch, they receive a lot of e-mails. Frankly, I would not like to be in their shoes. A security researcher has thousands of malware samples to analyze per day, counting only the e-mails received, not what their honeypots intercept. It's a massive amount of work.


[0x03] The path to detection
The process is not as simple as you would think. First, a piece of malware is out in the wild. Somebody gets it and sends it to them. They scan it with their own tools. They confirm it is indeed malware. They release a signature. The signature gets pushed to their servers. The end user's antivirus checks automatically for updates, and only after that is the malware detected/deleted/disinfected from the user's PC.


[0x04] Internal structure
When a user's antivirus updates, it contacts a Kaspersky Lab server. There are 22 servers spread across Europe (yes, I live in Europe), and they can be browsed starting from http://dnl-eu1.kaspersky-labs.com up to http://dnl-eu22.kaspersky-labs.com. All 22 servers are perfectly synchronized every second, so what's on one server you can find on all other 21 servers.


[0x05] Getting the actual update
The signature is on the server. Your antivirus first checks whether there are any new updates since the previous update (it uses the u0607g.xml.dif file for this), then it checks exactly which components have updates (Malware, Banners, Phishing sites, Spam, Malicious scripts, Suspicious sites, Network attacks, Rules for security analyst). If there are new malware signatures on the server (the file 2.kdb-i386-0607g.xml.dif is used for this), then the antivirus fetches the new signature files (usually apuXXXX.dat files) and finally updates the information about the database (time of update, number of threats detected, etc.). Only after this, if you scan your file, is it finally detected as malware.
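To make the three steps above concrete, here is a small model of a differential signature update followed by a hash-based scan. This is an added illustration, not Kaspersky's protocol or file format: the file names u0607g.xml.dif, 2.kdb-i386-0607g.xml.dif and apuXXXX.dat are borrowed from the post as labels only, and the manifest layout, the per-file integrity hash, the revision numbers and the "Example.a" detection name are all constructed for the example. The point it shows is the one the section makes: the sample is only detected once the client has pulled and applied the new apu file, and a client that verifies each downloaded file against the hash announced in the diff will refuse a tampered one.

```python
"""Toy model of a differential antivirus signature update, then a scan.

Added example, not Kaspersky's real protocol: file names are borrowed from the
post as labels, everything else (manifest layout, hashes, revisions) is assumed.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- "server side": one mirror holding an index, a diff and signature files ---

# Constructed apu payloads: one line per known sample, "<detection name> <sha256>".
APU_FILES = {
    "apu0001.dat": b"Trojan-Spy.Win32.Example.a " + sha256(b"old malware body").encode() + b"\n",
    "apu0002.dat": b"Trojan-Spy.Win32.SpyEyes.nj " + sha256(b"new undetected sample").encode() + b"\n",
}

# Top-level index (the role u0607g.xml.dif plays in the post): latest revision per
# component. Revisions are constructed; 1639 mirrors the 16:39 push time in the post.
SERVER_INDEX = {"Malware": 1639, "Phishing": 1200, "Spam": 1200}

# Per-component diff (the role of 2.kdb-i386-0607g.xml.dif): which apu files exist
# at which revision, plus the hash the client must verify after download.
MALWARE_DIFF = [
    {"file": "apu0001.dat", "rev": 800, "sha256": sha256(APU_FILES["apu0001.dat"])},
    {"file": "apu0002.dat", "rev": 1639, "sha256": sha256(APU_FILES["apu0002.dat"])},
]


def download(name: str) -> bytes:
    """Stand-in for an HTTP GET against one of the dnl-euNN mirrors."""
    return APU_FILES[name]


# --- client side ---

@dataclass
class ClientState:
    component_rev: dict = field(default_factory=lambda: {"Malware": 800, "Phishing": 1200, "Spam": 1200})
    signatures: dict = field(default_factory=dict)  # sample sha256 -> detection name
    last_update: int = 800
    files_applied: list = field(default_factory=list)


def apply_apu(state: ClientState, blob: bytes) -> int:
    """Merge one apu file into the local signature database; returns new entries."""
    added = 0
    for line in blob.decode().splitlines():
        name, digest = line.split(" ", 1)
        if digest not in state.signatures:
            state.signatures[digest] = name
            added += 1
    return added


def fresh_client() -> ClientState:
    """A client that already holds the old signature set (apu0001) at revision 800."""
    st = ClientState()
    apply_apu(st, APU_FILES["apu0001.dat"])
    return st


def update(state: ClientState, index: dict, malware_diff: list, now: int) -> list:
    """Step 1: compare the index with local revisions. Step 2: for components that
    moved, fetch only apu files newer than what we hold, verifying each download
    against the hash announced in the diff. Step 3: refresh the database metadata."""
    fetched = []
    stale = [c for c, rev in index.items() if rev > state.component_rev.get(c, 0)]
    if "Malware" in stale:
        have = state.component_rev["Malware"]
        for entry in malware_diff:
            if entry["rev"] <= have:
                continue  # already applied in an earlier update
            blob = download(entry["file"])
            if sha256(blob) != entry["sha256"]:
                raise ValueError(f"integrity check failed for {entry['file']}")
            apply_apu(state, blob)
            fetched.append(entry["file"])
    for c in stale:
        state.component_rev[c] = index[c]
    state.last_update = now
    state.files_applied.extend(fetched)
    return fetched


def scan(state: ClientState, sample: bytes):
    """Exact-hash lookup: returns the detection name, or None if unknown."""
    return state.signatures.get(sha256(sample))


if __name__ == "__main__":
    st = fresh_client()
    sample = b"new undetected sample"
    print("before update:", scan(st, sample))
    print("fetched:", update(st, SERVER_INDEX, MALWARE_DIFF, now=1700))
    print("after update:", scan(st, sample), "| db size:", len(st.signatures))
```

Run as-is the script prints `None` before the update, the single fetched file `apu0002.dat`, and the SpyEyes detection afterwards. A second call to `update()` fetches nothing, which is what the .dif comparison buys you: the client only moves the bytes that changed since its last revision.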


[0x06] The SpyEyes problem
After doing other things, I checked Kaspersky's database again and scanned my malware sample. It is now detected as Trojan-Spy.Win32.SpyEyes.nj, but as seen here, new variants have already been written and are detected by KIS 2010. Good job guys!


[0x07] The VirusTotal report
The report can be found here, and at the moment of writing only Comodo and Kaspersky detect the malware (Heur.Suspicious for Comodo and Trojan-Spy.Win32.SpyEyes.nj for Kaspersky). At least we're safe for now!


[0x08] Conclusions
1. It's hard to get a good sample as an individual. It's almost as hard to get one as an AV company. No sample, no analysis, no signature, no quality.
2. The bad guys are always a few steps ahead. Taking my sample as an example, the time when it was first detected was 08:07 and the time when the signature was pushed to the server was 16:39. This means the sample had 8h 32m to create havoc on the victims' computers. This means good $ for the bad guys.
3. Even now, only 2 AVs detect it. This is bad. There should be some kind of cooperation between the AV companies. I know that it's a competition for the best antivirus, but the one who finally suffers is the user, the one who actually pays for the AV. This is not fair at all.


[0x09] Final conclusions
We need better heuristic methods. Instead of taking the time to release a signature, the heuristic scan should detect the malware sample as a threat from scan no. 1, push the result to the server and release it to all other users of the same AV. This is of course idealistic, because the size, the cost and the scan time of an AV would grow exponentially. Still, as with everything related to humankind, we are the weak link in this chain!





[Disclaimer: This article is written for educational purposes only. I'm not affiliated with any AV company, nor do I advertise for one. I just write my ideas freely, as this was the intent when I started blogging]





PS: Feedback is always welcomed, or just say hi at this e-mail: klaudyus|at|gmail.com
