Lab News -- June 18, 2010


Peeling the onion of malware

By Neal Singer

Sun Tzu said it first, in the sixth century BC: “Know thy enemy.” In The Art of War, Sun Tzu writes that to be successful (or to win 100 battles, in some translations), a warrior must know himself and his enemy. This proverb applies to military strategy, sports psychology, and internet security.

For the past three years, Jamie Van Randwyk, Ken Chiang, and Levi Lloyd (all 8965) have been working on a Laboratory Directed Research and Development (LDRD) project to understand and develop countermeasures for malware and botnets (see “Malware 101 and botnets, too” at right). To streamline the work of sifting through thousands of instances of malware, they developed the Forensic Analysis Repository for Malware (FARM), a tool that, as Jamie puts it, has taken on a life of its own.

THE FORENSIC ANALYSIS REPOSITORY FOR MALWARE (FARM), created by Jamie Van Randwyk, Ken Chiang, and Levi Lloyd, enables computer security personnel to triage malicious software within minutes, giving them an advantage in the fight against cyber attacks. Here Levi examines FARM’s analysis of a variant of the Waledac botnet. (Photo by Randy Wong)

Looking at each individual piece of malware would take an experienced computer security analyst like Ken or Levi anywhere from 30 minutes to a couple of hours. With FARM, that process is fully automated and takes about five minutes.

“FARM enables malware triage in a true triage timeframe,” Jamie says. “Many government institutions only have a handful of highly skilled analysts, so their time is precious.”

Jamie describes FARM as a basic framework with a nice web interface on the front end, an extensive database on the back end, and a number of hardware resources. Users then plug software resources into the framework, so the tool is fully customizable — for example, one could run separate unclassified and classified versions — and easily upgradeable, an important feature for keeping pace with malware developers. Most of the software resources already existed and were readily available; the key to FARM is harnessing the software resources together with the database.

Ken and Levi, in addition to their research, work in computer security. From that perspective, they immediately saw the practical application of FARM. The tool is now being used across Sandia and at a number of other government agencies.

“As more people use FARM, we can take what they learn and continue to improve the entire package,” Jamie says.

The team chose to investigate Storm and Waledac, two complex, pervasive, and long-lasting botnets. Storm is said to have been responsible for up to 20 percent of the world’s spam in its heyday, infecting up to a million computers by some estimates. Waledac, considered by many to be a second iteration of Storm, infected hundreds of thousands of PCs worldwide and was thought to be capable of sending more than 1.5 billion spam messages a day. Through its Digital Crimes Unit, Microsoft Corporation effectively shut down Waledac earlier this year, a major victory over the malware underworld.

To get at the core of the malicious software, Ken painstakingly worked to defeat multiple protection mechanisms. “The amount of work is asymmetrical,” he explains. “It’s easy to put on the protection mechanisms, but it takes a tremendous effort to take it apart.”

To reverse engineer the malware, Ken used three different technical approaches: static analysis (examining the code without running it), dynamic analysis (running it and watching what it does), and emulation (running it inside a controlled interpreter rather than on the real processor). Malware authors wrap their code in defensive layers both to obscure its true purpose and to prevent reverse engineering. For example, the code may not run linearly, instead jumping around seemingly at random among a million lines. Or the program is built so that parts of the code rewrite other parts at run time, so its real purpose is not apparent from a static listing. Some malware is designed to detect when it is being run and watched, in a debugger or a sandbox, and alter its behavior.

The researchers learned that quickly disabling protection mechanisms is a key step to understanding and stopping the spread of malware. Ken can now unwrap a piece of malware in about a week, a process that took several months at the start of the LDRD. He’s beginning a late-start LDRD that aims to use FARM to automate that unwrapping process, an “everything-but-the-kitchen-sink” tool that would be integrated into FARM.
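The three approaches and the defensive layers described above, as an added example that is not FARM’s code or the team’s: a static pass (hash, entropy, printable strings) runs over a constructed sample, an emulation pass interprets the sample’s unpacking stub on a private copy of memory, and the stub’s “am I being watched” check shows what a naive dynamic run would see. The stub’s opcodes, the LCG key stream, the payload strings and the 6.5-bit packing threshold are all assumptions made for the illustration.

```python
# Added illustration, not FARM code. Opcodes, key stream and payload are assumptions.
import hashlib
import math
import re
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, low for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII, the cheapest static hint of what a sample does."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(blob: bytes, packed_threshold: float = 6.5) -> dict:
    """Static pass: the record a triage pipeline would store per sample."""
    h = shannon_entropy(blob)
    return {"sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob),
            "entropy": round(h, 2), "likely_packed": h > packed_threshold,
            "strings": extract_strings(blob)}

def lcg_next(x: int) -> int:
    """32-bit LCG (glibc constants) driving the key stream; its top byte is used."""
    return (1103515245 * x + 12345) & 0xFFFFFFFF

def wrap(inner: bytes, seed: int) -> bytes:
    """The (constructed) packer: XOR the payload with the key stream."""
    x, out = seed, bytearray()
    for b in inner:
        x = lcg_next(x)
        out.append(b ^ (x >> 24))
    return bytes(out)

# Constructed inner payload: low entropy, with strings an analyst would want to see.
INNER = (b"bot-sample (constructed)\x00" + b"\x00" * 32
         + b"connect http://c2.example.invalid/gate.php\x00"
         + b"spam-template-v1\x00").ljust(1024, b"\x90")
SEED = 0xDEADBEEF
PAYLOAD_OFF = 20  # length of the stub below; it decodes the bytes that follow it

# Stub bytecode (invented ISA). SEED/PTR/CNT load registers; CHKDBG jumps to a decoy
# HALT when watched; JMP skips the decoy (non-linear layout); XOR+LOOP rewrite the
# payload in place (self-modifying image). Jump offsets are relative to the next pc.
STUB = (b"\x10" + struct.pack("<I", SEED)          # 0-4   SEED
        + b"\x11" + struct.pack("<H", PAYLOAD_OFF)  # 5-7   PTR
        + b"\x12" + struct.pack("<H", len(INNER))   # 8-10  CNT
        + b"\x13" + struct.pack("<b", 2)            # 11-12 CHKDBG -> 15 if watched
        + b"\x14" + struct.pack("<b", 1)            # 13-14 JMP -> 16
        + b"\xff"                                   # 15    decoy HALT
        + b"\x15"                                   # 16    XOR one payload byte
        + b"\x16" + struct.pack("<b", -3)           # 17-18 LOOP -> 16 while CNT != 0
        + b"\xff")                                  # 19    HALT
SAMPLE = STUB + wrap(INNER, SEED)

def emulate(blob: bytes, debugger_present: bool = False, max_steps: int = 100_000) -> bytearray:
    """Emulation pass: run the stub in an interpreter we control, on a private copy."""
    mem = bytearray(blob)
    pc = ptr = cnt = x = 0
    for _ in range(max_steps):
        op, pc = mem[pc], pc + 1
        if op == 0x10:
            x, pc = struct.unpack_from("<I", mem, pc)[0], pc + 4
        elif op == 0x11:
            ptr, pc = struct.unpack_from("<H", mem, pc)[0], pc + 2
        elif op == 0x12:
            cnt, pc = struct.unpack_from("<H", mem, pc)[0], pc + 2
        elif op in (0x13, 0x14, 0x16):
            rel, pc = struct.unpack_from("<b", mem, pc)[0], pc + 1
            if op == 0x14 or (op == 0x13 and debugger_present) or (op == 0x16 and cnt):
                pc += rel
        elif op == 0x15:
            x = lcg_next(x)
            mem[ptr] ^= x >> 24
            ptr, cnt = ptr + 1, cnt - 1
        elif op == 0xFF:
            return mem
        else:
            raise ValueError(f"unknown opcode {op:#x} at {pc - 1}")
    raise RuntimeError("step budget exhausted: possible anti-emulation loop")

def unwrap(blob: bytes, debugger_present: bool = False) -> bytes:
    """Peel one layer and hand back the payload region for the next static pass."""
    return bytes(emulate(blob, debugger_present)[PAYLOAD_OFF:])

if __name__ == "__main__":
    print("wrapped  :", {k: v for k, v in triage(SAMPLE).items() if k != "strings"})
    print("watched  :", triage(unwrap(SAMPLE, debugger_present=True))["likely_packed"])
    print("unwrapped:", triage(unwrap(SAMPLE))["likely_packed"], extract_strings(unwrap(SAMPLE)))
```

Run as a script, the wrapped sample triages as high-entropy with no useful strings, the “watched” run takes the decoy exit and leaves the payload encoded, and the emulated run returns a low-entropy payload whose strings point at the command-and-control address. The step budget in `emulate` is the guard a real emulator needs too: a stub that spins forever to outlast the analyst must be cut off rather than waited out.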

After three years studying botnets on a small scale, from one to 40 hosts, the researchers now want to look at the other end of the spectrum. “We’re proposing a new LDRD to boot a million Windows nodes and study large-scale behavior of bots,” Jamie says. “Things happen at that scale that you just can’t see even with 10,000 instances.”

The work builds on research led by Ron Minnich (8961). Last year, he demonstrated the ability to run more than a million Linux kernels on virtual machines (Lab News, July 31, 2009). The researchers plan to take two approaches: emulating the properties of a Windows system sufficiently to run in a large-scale environment and reducing the size of Windows. “The size of Windows is a significant hurdle in getting to a million nodes,” says Jamie. “Right now for every 10 instances of Windows, you could probably boot a thousand instances of Linux.”

He’s hoping that this research may unlock a new approach to combating malware. “Until there is a fundamental change in the way we do computing — something huge like no longer using the Intel architecture — malware and malicious software are a fact of life,” Jamie says. “There have been lots of good, incremental changes, but we’re looking for a game changer. Automating the process of stripping protection mechanisms might be one. Looking at a Windows botnet from the vantage point of command control could reveal other approaches.” -- Patti Koning


Admiral’s talk at Sandia Labs explores security implications of climate change

By Neal Singer

The US Navy views climate change as a challenge, intends to prepare for it, and would appreciate help from the national labs, Rear Adm. David Titley told an attentive Sandia audience in an unclassified lecture titled “Climate Change and National Security” on June 2 in the Bldg. 810 (CNSAC) auditorium.

The lecture, simulcast to Sandia/California, is the first of a group of lectures intended to explore the national security implications of climate change, says Rob Leland, director of Computation, Computers and Math (1400), whose center arranged the talk under the leadership of John Mitchiner (1430) through Div. 8000 VP Rick Stulen’s Energy, Climate and Infrastructure Security SMU.

Titley, the Navy’s oceanographer and navigator, is senior policy adviser to the chief of naval operations for issues relating to national ocean policy and governance, as well as navigation policy and standards.

Mixing humor and environmental charts from the Applied Physics Lab at the University of Washington, Titley said the Navy was concerned that ocean levels would rise “a meter or two” over the next century, the result of the accelerating melting of the Greenland ice sheet and continued melting and thinning of Arctic ice.

“Why does the Navy care about this?” he asked. “We tend to build our bases at sea level. It’s a Navy thing,” he said straightfaced.

Faced with a situation that might require building dikes around its bases, the Navy reacts, he said. Navy oceanography cannot be “just scientifically cool”; it must have a practical outcome that transforms information into decisions. Otherwise, Titley said, imitating an impatient interrogator, “Tell me again why you’re here?”

He said the problems the Navy anticipates over the next century, after engaging nearly 400 people from more than 120 organizations to help gather data, include:

“Where will one billion people who get their protein from the ocean get it when the tiny living beings that form the bottom of their food chain disappear?” he asked.

There was also, he said, “the human dimension that I’m not sure the policy folk always think about: humans want to stay where they are,” regardless of the alteration of the environment about them.

He predicted partnership opportunities and new energy security initiatives.

So, he said, he was interested in partnering with the national labs to develop better operational decision-making capabilities with respect to climate change.

Terry Michalske, who leads Sandia’s Energy and Security Systems Center 6300, chatted with Titley at some length after the talk. Says Terry, “[Titley] had no doubt that climate change was happening. He was interested in our risk-and-consequence approach that we undertake at places like NISAC [National Infrastructure Simulation and Analysis Center]. We’re not worrying about the reasons why the climate is changing, but we accept data that shows it is. So, we need to better understand that change and its impact on society as it may affect us in the immediate future.

“I think there’s a piece here that fits Sandia well,” he says, “with our links to the intelligence community, our studies of economic trends, and our technical capabilities all applied together to a massive global event. I think Titley was very encouraged by many of the capabilities he learned about at talks while here at Sandia.”

Says Rob, “While there are many opinions on the large subject of climate change, we’re focused here on the technical and social issues that pertain to national security. The goal is to inform the internal dialogue and seed an understanding more broadly of Sandia’s potential contributions.”

Titley came away with a better knowledge of Sandia’s capabilities, says Rob. “When we briefed him on our risk framework and probabilistic impact approach, he said, ‘This is the best stuff I’ve seen on the subject.’ I believe his intent is to build a broad coalition across the government sector to address climate change. He’s got high-level military support for that, and we’d like to position Sandia to make a central contribution.” -- Neal Singer


Sandian and former astronaut Sid Gutierrez named 2010 Notable New Mexican

By Heather Clark

Sidney Gutierrez (4100), former NASA astronaut, retired US Air Force colonel and current director of Environment, Safety, and Health and Emergency Management, was named the 2010 Notable New Mexican by the Albuquerque Museum Foundation. He was honored June 2 at the 10th annual award ceremony, where award-winning santero artist Arthur López unveiled a bulto depicting Sid and the story of his life. A bulto is a three-dimensional traditional New Mexican genre of wood carving.

“This is way beyond my wildest expectations,” Sid said as the bulto was unveiled. “It really takes my breath away, and I hope that young people who come to the museum will be encouraged to learn and explore more.”

A NOTABLE MAN — Sid Gutierrez reacts to seeing the bulto in his honor at the 2010 Notable New Mexican Gala on June 2. Artist Arthur López is second from right. (Photo by Jean-Paul Jager)

The Notable New Mexican award was started as a way to preserve the state’s history and to enhance the museum’s art collection. Every year, the Foundation recognizes an outstanding individual with unique accomplishments and strong ties to the state. Recipients are presented with a commissioned artwork, which is then permanently displayed at the Albuquerque Museum.

“We are so pleased to present this award to such an inspirational figure in the community,” says Debra Romero, executive director of the Albuquerque Museum Foundation. “Sid’s life mirrors the history of Albuquerque, from having roots in agriculture to being a central part of the nation’s high-tech industry. We see the opportunity to celebrate Sid as an opportunity to celebrate Albuquerque.”

Sid’s family heritage can be traced back through 300 years of Duke City history, but his family originally descended from people living in the area more than 30,000 years ago.

“My family and I are very excited about the art and this award,” says Sid. “I look at this as what it means to my family and my friends. I look back at my ancestors, and my grandfathers in particular, and what they did to get me to where I am today. I look at my teachers who helped me out. I look at my family and friends who supported me, and I have been so fortunate in that regard. This is a great honor, and I am pleased to share it with those who have supported me over the years.”

Sid was born in 1951, just four years after Chuck Yeager tore through the sound barrier, and six years before a beach-ball sized satellite named Sputnik changed the world. He grew up on the same North Valley property where his great-grandfather had farmed and raised sheep and cattle.

Like most children who grew up in the height of the US-Soviet space race, Sid was caught up in the fever of space flight and exploring the unknown. He made a commitment to become an astronaut while in fifth grade at Los Ranchos Elementary School. While his peers only dreamed of flying in space, Sid pursued his goal with fierce determination. He contacted NASA to learn the requirements of the astronaut training program and methodically made his way through the rigorous criteria. 

Sid was accepted to the US Air Force Academy in 1969, the same year that two American men left the first footprints on the moon. Sid studied aeronautical engineering and was a member of the National Collegiate Championship Parachute team. He made more than 550 jumps and rose to the rank of master parachutist. Not surprisingly, Sid’s perseverance led him to graduate at the top of his class. He became a fighter pilot and then a test pilot before being selected by NASA for astronaut training in 1984. On his first trip to space in 1991, he served as the pilot of the space shuttle Columbia, and in 1994 he was the commander of the space shuttle Endeavour.

Five months after touching down at Edwards Air Force Base, Sid and his family returned to Albuquerque, where he started work at Sandia. He is currently the director of Environment, Safety, and Health and Emergency Management at Sandia.

“Sid is a great New Mexican and a great patriot,” says Executive VP and Chief Operating Officer Al Romig. “I can think of few others who have done as much in their lifetimes to make this country great. Sid is surely deserving of this award.”

Every year for the past 10 years, the Albuquerque Museum Foundation has presented the Notable New Mexican award to celebrate the accomplishments of an extraordinary New Mexican with strong ties to the state and exemplary service to the public good.

All past award recipients have been presented with a portrait, which is permanently displayed at the Albuquerque Museum. This year, Sid chose to be depicted in a bulto, to reflect his family’s New Mexican heritage. The santero artist, Arthur López, is a native of Santa Fe, and has received numerous awards for his work and exhibits his art at shows throughout the Southwest.

A Notable Family Day event, “The Astronaut and the Artist: Storytelling, Inspiration and Craft” will take place July 10, 1-3 p.m., at the Albuquerque Museum and include presentations from Sid and López. This program is free to the public. -- Stephanie Hobby
