F-Secure DeepGuard
Proactive on-host protection against new and emerging threats

Overview
This whitepaper explains the trends and developments in computing that have made host-based behavioral analysis and exploit interception necessary elements of computer security, and provides an overview of the technology and methodology used by DeepGuard, the Host-based Intrusion Prevention System (HIPS) of F-Secure’s security products.

DeepGuard introduces dynamic proactive behavioral analysis technology that efficiently identifies and intercepts malicious behavior. In 2013, an exploit interception module is being introduced that recognizes and blocks attempts to exploit vulnerabilities in installed programs, preventing malware infection. DeepGuard provides lightweight and comprehensive endpoint protection with minimal impact on the user experience.

Key Features
• Updatable scanning engine uses the latest detections to protect against emerging threats
• Continued application monitoring protects against delayed malicious actions
• Exploit interception module recognizes and blocks exploit attempts, including document-based attacks

Benefits
• Provides immediate on-host protection against known and new threats, even before signature databases are updated
• Intercepts exploit attacks against programs installed on the machine
• Recognizes and blocks suspicious activity
• Reduces potential loss of sensitive data or privacy due to malware infection

1. The case for proactive behavioral analysis

One of the most demanding challenges security programs have had to address in the last few years has been the increasing diversification of attack vectors through which malware can arrive on a host machine, especially as more applications, networks and services become hosted on or accessible over the Internet. This has been of particular concern with the growing popularity of online-based attacks that exploit vulnerabilities in applications installed on a machine in order to run malicious code.

Some of the difficulties involved in dealing with modern attacks stem from major changes in the threat landscape that have taken place in the last ten years or so, including:

Exponential growth in malware
Since the mid-2000s, when malware creation kits that automated the process of producing malicious programs first became widely available, the number of malware samples seen by antivirus labs has grown exponentially, with hundreds of thousands of new or variant strains being created and propagated every month. In addition to the overwhelming numbers, many of these variants are designed to live only for a short time, sometimes only days or hours, in a deliberate attempt to overwhelm antivirus programs by sheer volume.

Attacks move online
The days when malware was most commonly distributed via e-mail attachments are long gone. Today, the most common attack vector is a silent drive-by download during a visit to a compromised legitimate site or to a malicious website that hijacks traffic from search engines or compromised sites. By moving distribution from direct delivery to the target machines to the nebulous online world, malware distributors and attackers not only increase their target audience but also make it much harder to prevent infections. Without a mechanism to identify the attack site and prevent users from visiting it, the user’s machine can be successfully exploited without any overt sign that an attack has occurred.

Malware becomes a cybercrime tool
The consequences of an infection have also changed as organized criminals increasingly engage in cybercrime. Data and identity theft and monetary fraud are all criminal activities that have in recent years been facilitated by malware, in some cases in staggering amounts. For example, the United States Federal Bureau of Investigation (FBI) reported in a 2012 Senate hearing [1] that $14 million in “illegal fees” were generated in the 2011 Ghost Click click-bot operation. With most real-world authorities lacking the resources or political will to prosecute cybercrimes, there is a strong monetary incentive for cybercriminals to continue and improve their online activities.

Protecting the irreplaceable | f-secure.com

“MALWARE IS CONSTANTLY EVOLVING, WITH NEW TRICKS AND FEATURES. BUT ONE THING REMAINS CONSTANT - MALWARE WILL ALWAYS EXHIBIT MALICIOUS BEHAVIOR.”
Mika Stahlberg
Chief Technology Officer, F-Secure Labs

Popular software is heavily targeted
Although almost any software can contain vulnerabilities, of particular interest to cybercriminals and other attackers are vulnerabilities in popular applications, such as Java Runtime Environment (JRE), Adobe Reader, Microsoft Office and web browsers. These programs typically have millions of users, making them prime targets for attack.

Many of these applications have multiple known vulnerabilities, and though most are fixed by security patches released by the vendors, the time needed to develop and deploy these fixes to all affected machines still leaves an interval in which users are vulnerable. Additionally, new or zero-day vulnerabilities are periodically found for which no patches are yet available, leaving users wide open to exploitation.

Exploit kits make attacking easier
The advent of commercial-grade exploit kits such as BlackHole, Cool Exploit or Sweet Orange, which automate the process of scanning and exploiting a user’s machine within seconds of a visit to an attack website, has significantly lowered the level of technical expertise needed for cybercriminals to successfully infect new victims with malware. Exploit kits have transformed vulnerability exploitation from a niche activity into a common attack vector. The increasing number of malware being distributed using exploit-based methods has in turn led to a need for on-host security solutions that are able to identify and block attempts to exploit vulnerabilities in installed programs, before malware can be successfully dropped onto the machine.

CHART 1: MOST PREVALENT EXPLOIT KITS ONLINE, Q1 2013 [2]
(Share of exploit kits seen: BlackHole 27%, Sweet Orange 18%, Cool 11%, other kits 44%)

Targeted attacks make detection harder
More focused targeted attacks can involve more obscure exploits and delivery mechanisms. These attacks typically use document or executable files carefully crafted to fit the profile of the intended victim, taking into account their topics of interest, preferred operating system and any security programs they may be using. The highly specific nature of these attacks makes them particularly difficult to detect using traditional signature-based detections.

Identifying clean programs becomes more critical
The number of clean or non-malicious applications globally available today runs into the millions, far more than the normal user is likely to be familiar with at any one time. The abundance of programs, their easy accessibility over the Internet and the need to stay abreast of constant program updates all make it cumbersome for security solutions to depend solely on local user-driven white- and black-listing to provide adequate protection.

The majority of programs seen on a typical machine are clean, so correctly identifying non-malicious software is a significant step towards pinpointing truly harmful programs for further attention. Eliminating false positives on clean files is also critical in optimizing a security program’s performance and, of course, in minimizing interference with the user’s experience.

Given the various challenges presented by today’s more complex computing realities and more fluid threat landscape, traditional signature-based scanning is now just one layer of a multi-tiered approach to endpoint security. Cloud-based file and web reputation checking, HIPS (Host-based Intrusion Prevention System) and behavior analysis have all become integral components of the modern proactive protection system.

2. Multi-layered protection

F-Secure’s multi-layered approach to security comprises the following modules, each designed to address a particular aspect of the threat landscape and to work together to provide a complete solution:

• Browsing Protection
• Signature-based scanning
• File reputation analysis
• Behavioral analysis (DeepGuard)
• Exploit interception (DeepGuard)

As mentioned before, most attacks and malware downloads today take place online. Ideally, protection should begin even before the machine environment is reached, by preventing exposure to possible infection points - and so, enter Browsing Protection.

To prevent users from inadvertently visiting compromised legitimate or outright malicious sites, Browsing Protection provides a critical assessment of a website’s security. If the site is known to be malicious, or contains features that render it suspect, the user is cautioned against entering it. To deal efficiently with the millions of sites available on the Internet and their constantly fluctuating changes in security, Browsing Protection’s functionality is based on lookup queries to F-Secure’s Security Cloud (see the Security Cloud section), which includes a database of known safe and malicious files and websites. The entries are updated automatically in real time based on rules maintained by response analysts.

Though Browsing Protection is able to prevent most visits to known malicious sites, it is always possible to stumble onto an unrated, newly compromised or malicious site, or for malware to be introduced onto the host machine some other way, perhaps on removable media. If a suspect file does successfully arrive on the machine, it is then subjected to multiple layers of security checks.

Whenever a file arrives on a machine, is installed or is modified, it is first scanned using a traditional signature detection engine to determine if it is a known threat. The scanning engine uses custom, family, generic and heuristic detections, which respectively identify specific malware, families of malware with similar features, and broad ranges of malicious physical features and behavior patterns. If the file’s characteristics match those of previously seen malware, it is blocked.

Though often overlooked in favor of more sophisticated technology, signature-based scanning is still an effective method of identifying and blocking the vast majority of malware seen to date, protecting users against lingering threats such as Downadup or Melissa, which debuted and peaked years ago but are still present in the wild, where they continue to infect new victims. The effectiveness of this check depends on keeping the signature database updated with the latest detections.

If the file isn’t identified as a known threat, a query is sent to F-Secure’s cloud infrastructure to gather the latest metadata available for the file. Analysis is subsequently handled by DeepGuard, which collectively handles all the behavioral analysis, process monitoring and exploit interception of suspect files, both at the point of application launch and during execution.

3. More about DeepGuard

Put simply, DeepGuard observes an application’s behavior and prevents any potentially harmful action from successfully completing. The apparently simple nature of this task belies its importance, however, as this proactive, on-the-fly monitoring and interception serves as the final and most critical line of defense against new threats, even those targeting previously unknown vulnerabilities.

Behavior-based analysis addresses the Achilles’ heel of signature-based scanning: the need for analysts to have an actual sample of the malware in order to create the signature to identify it. Given the huge numbers of malware constantly being created and distributed, new threats will often be able to successfully infect at least one victim in the wild before most antivirus labs are able to acquire a sample, analyze it and issue a detection.

Behavior-based detection covers that crucial gap between the first appearance of new malware and the first signature detection being issued for the threat. By moving the focus from unique physical characteristics to patterns of malicious behavior, DeepGuard can identify and block programs performing harmful actions, even before an actual sample has been acquired and examined.

THE ROAD TO DEEPGUARD

2006
Heuristic analysis technology introduced
DeepGuard 1.0 introduces behavioral analysis to complement existing signature-based detection technology. When a program is launched, DeepGuard performs two tests - a static check for features commonly found in malware and emulation of the program in a virtual sandbox to evaluate its behavior. Programs that show no features or behavior matching known malware are allowed to execute as normal; those with tell-tale characteristics or malicious routines are blocked from execution.

2008
First AV product to incorporate cloud lookups
In addition to signature scanning and emulation, DeepGuard 2.0 queries the Security Cloud for an almost instantaneous check of a suspect file’s reputation. Response Labs analysts constantly monitor and update file reputation information, providing crucial human intelligence to the automated process.

2010
File metadata used in DeepGuard detection logic
In addition to signature detection and behavioral analysis layers, DeepGuard 3.0 includes a component that uses a file’s metadata - e.g., the file’s rarity, when it was first seen, related objects, and more - to gauge its threat potential. This feature allows malware to be identified using reputation-based factors such as whether the file was downloaded from a known malicious site, without needing further examination of its features or behavior.

2011
Prevalence logic increases effectiveness against rare files
DeepGuard 4.0 revises the scanning engine to use updateable detections and beta detections for false alarm reduction. It also improves the prevalence logic used to identify files that are both rare and malicious, a feature that proves decisive in winning both AV-Comparatives’ 2011 Product of the Year award and AV-Test’s 2012 Best Protection Award [3].

2013
Enhanced protection against exploit-based attacks
Malware infections facilitated by exploits targeting vulnerabilities in common applications have become a favored attack vector. DeepGuard 5.0 introduces enhanced behavior-based detection logic, including a module that monitors the runtime behavior of commonly targeted programs and potential attack files. This broad behavioral analysis approach allows DeepGuard to identify and intercept exploit-based attacks, regardless of the specific vulnerability targeted.

CHART 2: DETECTION HITS FOR URAUSY RANSOMWARE, 23 FEB - 5 MAR, 2013
(Time series of detection hits for two scanning engines, DeepGuard and Signature; time axis from 2:00 AM Feb 23 to 2:00 AM Mar 5)

For example, out of all Zeus crimeware infection attempts reported in April 2013, 80% involved previously unseen variants. In those cases, DeepGuard successfully prevented infection by recognizing the file’s malicious behavior and blocking the attack. Subsequently, signature databases were updated to identify these samples, but for users facing new threats, DeepGuard’s proactive analysis provides immediate protection against infection.

In 2011, an entirely rewritten DeepGuard engine was introduced that included (among numerous other improvements) a switch from hard-coded scanning logic to an updateable detections database. Response Labs analysts constantly monitor the threat landscape and analyze the latest threats in order to determine the best way to identify malicious behavior. Being able to update the scanning engine with the results of this research keeps DeepGuard consistently effective against the latest threats.

Given the short-lived nature of most malware variants, signature detections tend to have narrow windows of effectiveness before the malware they detect ‘expires’. In contrast, DeepGuard detections can effectively identify malware over a much longer time period, as malware behavior is much less mutable. For example, on 12 July 2012, DeepGuard was updated with one new detection, while the signature database received 600 new additions. Nine months on, in March 2013, tests run using the same database set against a random collection of more recent malicious samples showed the DeepGuard detection blocking 12 times more infections of the newer malware than the ‘aged’ set of signature detections.

The proactiveness and longevity of DeepGuard detections is illustrated in Chart 2 (above), which is based on detection statistics from F-Secure’s internal systems for Urausy ransomware variants. The DeepGuard detection was able to identify variants (and therefore block attempted infections) earlier and continued to do so for longer, while the equivalent signature detection peaked and then declined rapidly as newer Urausy variants appeared. (The signature detection’s higher peak is due to it being a defense layer that runs before DeepGuard. Had those signature detections been missed, it would have been DeepGuard with the high peak.)

Security Cloud
In operation since 2008, the Security Cloud (formerly known as the Real-Time Protection Network) is F-Secure’s cloud network, housing the various databases and automated analysis systems that support and enhance the performance of F-Secure security products installed on client machines. The infrastructure for this network is hosted on servers in multiple data centers around the world.

Client machines that connect to the Security Cloud are able to retrieve the most up-to-date details of threats seen in the wild by other protected machines, making response far more efficient and effective. When a new object, such as a file or URL, is encountered on one client, the product communicates with the Security Cloud using the strongly encrypted Object Reputation Service Protocol (ORSP) to query for the object’s reputation details. Anonymous metadata about the object, such as file size and anonymized path, is sent to the Security Cloud. These queries are completely anonymous and the IP address is not stored, maintaining the client’s privacy.

By evaluating the metadata sent, together with information drawn from the in-house databases and various other sources, the Security Cloud’s automated analysis systems (which make up to 8 million decisions per day) can provide a fully informed, up-to-date risk assessment for the object during DeepGuard’s pre-launch security evaluation stage, immediately blocking a threat that has been previously seen by any other machine connected to the Security Cloud. This also removes the need to perform further analysis of the object on the client, reducing the impact on the user’s experience.

The Security Cloud also allows Response Labs analysts to provide critical human intelligence and judgment to complement the automated systems and on-host scanning technology. In addition to creating and maintaining the rules that underpin the databases and automated analysis systems, analysts actively monitor the threat landscape and research malware characteristics and behavior patterns to find the most effective ways to identify truly malicious programs. Once a threat has been confirmed (or a known file’s reputation is modified), the updated details take 60 seconds to replicate across all products connected to the Security Cloud, ensuring up-to-date protection.

DeepGuard’s updateable detection logic is especially useful in countering attacks that exploit vulnerabilities in installed programs in order to run malware on a machine. In such cases, the dropped malware itself can be spotted and blocked by signature or behavior-based scanning. To halt the attack at an even earlier stage, however - that is, at the point of exploitation - Response Labs analysts examine the exploit mechanism for tell-tale actions or behavior patterns, and then incorporate the research results into DeepGuard’s scanning engine. It is then able to pinpoint and block suspicious actions that bear the hallmarks of a vulnerability exploit attempt, preventing malware from being dropped on the machine at all.

By taking into account characteristic exploitation mechanisms as well as the features and behavior of malware being dropped on the system, DeepGuard can effectively identify and block threats on the fly, even when faced with totally new malware targeting zero-day vulnerabilities.

4. How DeepGuard works

DeepGuard’s behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyzes it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while it is running.

4.1 Pre-launch analysis

When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or another program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:

File reputation check
If an Internet connection is available, DeepGuard sends a query to the Security Cloud (see the Security Cloud section) to check for the latest information on the program’s reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by Response Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.

For the user, the clean file cloud lookup functionality offers a number of advantages. Being able to use the security verdict for a known file from the clean file database not only removes from the user the burden of identifying unknown or unfamiliar programs as legitimate or malicious, it also means unnecessary security checks on clean files can be avoided. At the same time, by reducing to a manageable level the volume of software that needs to be individually evaluated, the ability to still white- or black-list selected programs becomes more meaningful. And finally, even when the product’s signature databases are outdated or rarely updated, DeepGuard can still use the most up-to-date file reputation information to fine-tune its analysis.

Image 1: DeepGuard blocks a harmful application

Behavioral analysis
If the program is flagged as suspicious during the file reputation check, or if Internet access is unavailable, DeepGuard executes it in a virtual environment and observes its behavior for malicious actions, such as attempting to self-replicate, editing or deleting critical system files, and so on.

Response Labs analysts continually research and update DeepGuard’s scanning logic with detections for the most effective behavior patterns needed to spot malware. These detections may identify specific malware families (which typically share similar features or behavior) or they may more generally identify suspect actions, such as attempting to hide from process enumeration programs, which are indicative of malicious intent. The analysts’ ability to tweak DeepGuard’s engine in this manner permits an element of human discretion and flexibility, providing a more fine-grained and ultimately more accurate analysis.

Prevalence rate check
DeepGuard includes a module that focuses on a file’s prevalence rate. Clean files typically have thousands or millions of users, making them highly prevalent. In contrast, malware samples are comparatively rare. According to statistics generated from F-Secure’s internal systems monitoring known threats, in a random sample of malicious programs found in the first four months of 2013, 99.7% of the threats were rarely seen in our user base. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage.

Judgement on execution
Based on the file’s reputation and its behavior during emulation, DeepGuard makes one of four possible judgements:

a) The file is malicious and blocked
b) The user is given the option to allow or deny the launch
c) The file is clean and allowed to execute
d) The file’s status as clean or malicious is still unknown

If the file is blocked from launching, a notification message is displayed (see Image 1) providing additional details and an option to whitelist the program, if so desired.

If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.

4.2 During application execution

Even after a program has successfully passed pre-launch analysis and is executed, DeepGuard continues to monitor its behavior as a precaution against delayed malicious routines, a common tactic used by malware to circumvent runtime checks. This form of quiet vigilance also allows DeepGuard to provide constant protection for the user without visibly intruding on their experience by displaying excessive prompts.

Process monitoring
Applications are monitored for a number of suspicious actions, including (but not limited to):

• Modifying the Windows registry
• Editing files in certain critical system directories
• Injecting code into another process’s space
• Attempting to hide processes or replicate themselves

As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.

If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked.

5. Exploit interception

Starting in 2013, DeepGuard also employs two exploit interception methods that extend the dynamic protection of on-host behavioral analysis by focusing specifically on monitoring the processes of programs that are commonly targeted for exploitation and on document file types commonly used to deliver exploits.

5.1 Monitoring exploit-prone programs

The first method focuses on frequently exploited programs such as Java Runtime Environment (JRE), Adobe Reader, Microsoft Office and so on. These programs are kept under especially close watch and are blocked more aggressively if malicious behavior is detected.

Of course, which programs become favored targets is unlikely to stay fixed. For example, it was only in the last two years that JRE superseded Adobe Reader as the most exploited software; in the future, another program may assume that unenviable distinction. The specific programs chosen by DeepGuard for closer attention can be updated by Response Labs analysts when necessary, a responsive approach that allows DeepGuard to adapt to changes in the threat landscape.

5.2 Monitoring for document exploits

Some document types, such as Microsoft Word or Adobe PDF, are commonly used to deliver exploits. Thus, any software used to open these types of documents is also subject to greater attention by the second exploit interception method, which scrutinizes these programs closely for suspicious behavior caused by malicious document files.

This form of exploit interception addresses the most common form of targeted attack, which involves sending carefully crafted, exploit-loaded documents to the intended victim or organization, such as occurred during the 2011 RSA breach and the early 2013 attacks reported as ‘Red October’ [4]. In these cases, booby-trapped Excel and Word files were used to exploit well-known vulnerabilities in these programs.

By focusing on detecting malicious actions originating from document files, this single method in DeepGuard is able to provide significant breadth of coverage against document-based exploits, regardless of the file’s physical features or the specific vulnerability being targeted.

6. False positives prevention

A separate beta detections module that was added to DeepGuard in 2011 facilitated an understated but important improvement to the accuracy of the scanning engine’s performance.

Beta detections contain the full detection logic needed to identify and block exploit attempts, but are instead configured by response analysts to simply notify the Security Cloud each time the detection would have been triggered by a file being analyzed.

This beta-testing process provides response analysts with crucial information on the effectiveness of these detections, allowing them to fine-tune the logic to prevent potential false positives before actually releasing them for real-world use.
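The process monitoring rules from section 4.2 (no single action triggers a block; an accumulated critical threshold of suspicious actions does, and that threshold is lowered for low-prevalence files) and the beta detections of section 6 (full detection logic, but notify-only) can be modelled together. The following Python is an added example written for this document, not F-Secure’s or DeepGuard’s code: the action names come from the page, while the weights, threshold values, prevalence cut-off, detection names, file names and the event stream are constructed assumptions.

```python
"""Runtime process monitoring with a suspicion threshold, modelled on the
behavior described in the whitepaper (sections 4.2 and 6).
Added illustration, not F-Secure code. Weights, thresholds, prevalence
cut-off, detection names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Suspicious actions named on the page, with assumed suspicion weights.
ACTION_WEIGHTS: Dict[str, int] = {
    "registry_modify": 1,      # modifying the Windows registry
    "critical_dir_write": 2,   # editing files in critical system directories
    "code_injection": 3,       # injecting code into another process
    "hide_process": 3,         # attempting to hide a process
    "self_replicate": 3,       # attempting to replicate itself
}
BASE_THRESHOLD = 5            # assumed critical threshold for ordinary files
LOW_PREVALENCE_THRESHOLD = 3  # assumed lower threshold for rare files
PREVALENCE_CUTOFF = 100       # assumed: fewer users than this means "rare"


@dataclass
class Detection:
    """One behavior detection; a beta detection only reports, never blocks."""
    name: str
    action: str
    beta: bool = False


@dataclass
class ProcessState:
    pid: int
    image: str
    prevalence: Optional[int]  # None when the Security Cloud is unreachable
    score: int = 0
    blocked: bool = False


def threshold_for(prevalence: Optional[int]) -> int:
    """Rare files get a lower threshold; unknown prevalence keeps the default."""
    if prevalence is not None and prevalence < PREVALENCE_CUTOFF:
        return LOW_PREVALENCE_THRESHOLD
    return BASE_THRESHOLD


class Monitor:
    def __init__(self, detections: List[Detection]) -> None:
        self.by_action = {d.action: d for d in detections}
        self.processes: Dict[int, ProcessState] = {}
        self.beta_reports: List[Tuple[str, str, str]] = []  # (detection, image, action)

    def register(self, pid: int, image: str, prevalence: Optional[int]) -> None:
        self.processes[pid] = ProcessState(pid, image, prevalence)

    def observe(self, pid: int, action: str) -> str:
        """Score one observed action and return the outcome for that event."""
        proc = self.processes[pid]
        if proc.blocked:
            return "blocked"          # already stopped; nothing more to do
        det = self.by_action.get(action)
        if det is None:
            return "ignored"          # no detection covers this action
        if det.beta:
            # The detection logic ran, but a beta detection only notifies.
            self.beta_reports.append((det.name, proc.image, action))
            return "beta-reported"
        proc.score += ACTION_WEIGHTS[action]
        # A single action never blocks: the accumulated score must reach the
        # critical threshold, which is lower for low-prevalence files.
        if proc.score >= threshold_for(proc.prevalence):
            proc.blocked = True
            return "blocked"
        return "scored"


DETECTIONS = [  # constructed detection names
    Detection("Generic.RegistryChange", "registry_modify"),
    Detection("Generic.SystemDirWrite", "critical_dir_write"),
    Detection("Generic.Injection", "code_injection"),
    Detection("Generic.SelfReplicate", "self_replicate"),
    Detection("Beta.ProcessHide", "hide_process", beta=True),
]
# Constructed sample: (pid, image, prevalence) and the actions each performed.
SAMPLE_PROCESSES = [
    (101, "installer.exe", 250_000),   # popular, widely seen
    (202, "dropper.exe", 3),           # rare: seen on only three machines
    (303, "svc_helper.exe", None),     # offline, no reputation data
    (404, "updater.exe", 10),
]
SAMPLE_EVENTS = [
    (101, "registry_modify"), (101, "critical_dir_write"),
    (202, "registry_modify"), (202, "code_injection"), (202, "self_replicate"),
    (303, "hide_process"), (303, "registry_modify"),
    (404, "network_connect"),
]


def run_sample() -> Tuple[Monitor, List[str]]:
    """Replay the constructed events; return the monitor and per-event outcomes."""
    mon = Monitor(DETECTIONS)
    for pid, image, prevalence in SAMPLE_PROCESSES:
        mon.register(pid, image, prevalence)
    outcomes = [mon.observe(pid, action) for pid, action in SAMPLE_EVENTS]
    return mon, outcomes


if __name__ == "__main__":
    mon, outcomes = run_sample()
    for (pid, action), outcome in zip(SAMPLE_EVENTS, outcomes):
        print(f"{mon.processes[pid].image:16} {action:20} -> {outcome}")
    print("beta reports:", mon.beta_reports)
```

Replaying the constructed events shows the three behaviors side by side: the widely used installer accumulates a score of 3, below its threshold of 5, and keeps running; the rare dropper is blocked on its second suspicious action because its threshold drops to 3; and the process-hiding beta detection is recorded as a report rather than enforced, which is the data an analyst would use to judge the detection before promoting it.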
CASE STUDY

ZEROACCESS

First reported in 2010, the ZeroAccess rootkit allows remote attackers to hijack users’ machines and co-opt them into a botnet that performs click fraud and Bitcoin mining. As of 2012, ZeroAccess is one of the most frequently detected malware we’ve seen in the wild [5].

The challenges presented

Image 2: Map of ZeroAccess botnet, visualized in Google Earth [7]

ZeroAccess’s propagation strategy is remarkable, as the botnet’s operators essentially outsourced distribution to ‘affiliate partners’ [5] recruited in underground forums. The affiliates use multiple strategies to spread the malware - through exploit kits, on file-sharing services, as spam e-mail file attachments, in a trojan-downloader’s payload, etc. The diversity of distribution schemes has not only efficiently increased the botnet’s geographical coverage (see Image 2 above) and made it harder for users to avoid encountering ZeroAccess malware, but has also complicated efforts to curtail the malware’s spread, since the channels used to distribute it are so varied.

Over the years, the ZeroAccess developers have also actively modified the rootkit to confound analysis and detection, incorporating such features as anti-emulation and anti-debugging, encryption and so on [6]. A sophisticated peer-to-peer (P2P) command and control structure was also introduced to prevent researchers from blocking communication between the botnet operators and the infected machines. ZeroAccess’s continuous development has inevitably led to something of an arms race between the malware’s engineers and antivirus researchers.

Circumventing ZeroAccess’s defenses

DeepGuard works in tandem with the other components of the security product - file reputation checking, signature scanning, etc. - to address the various attack vectors ZeroAccess malware is known to use. DeepGuard’s exploit interception modules are particularly relevant in stopping attacks that drop ZeroAccess onto a machine, as they recognize and prevent exploit-based intrusion attempts.

CHART 3: DETECTION HITS FOR ZEROACCESS SAMPLE 1, 23 -25 JANUARY 2012
(Time series of detection hits for three scanning engines: DeepGuard, Online and Signature)

If the ZeroAccess file does arrive (and has not been previously seen), DeepGuard’s behavioral analysis function then comes into play. Though the malware is technically sophisticated, one fundamental aspect leaves it unavoidably exposed and vulnerable: the malicious actions it performs on the machine. Using detection logic based on the results of extensive research into ZeroAccess’s routines, DeepGuard is, ironically, able to recognize and block the malware by its attempts to conceal itself from detection.

If a connection to the Security Cloud (see the Security Cloud section) is available, DeepGuard reports the salient file details to the various databases and automated analysis systems in F-Secure’s cloud-based infrastructure, which will eventually be used to create a signature detection able to identify that particular variant. From that point on, the variant will be recognized by either file reputation checking or signature scanning.

We can see DeepGuard’s proactive protection in action in the case of a ZeroAccess variant - let’s call it Sample 1 - that appeared in the wild late in the evening of 22 January, 2013. As can be seen in Chart 3 (above) o
