Sandia LabNews

Peeling the onion of malware

Sun Tzu said it first, in the sixth century: “Know thy enemy.” In The Art of War, Tzu writes that to be successful (or to win 100 battles, in some translations), a warrior must know himself and his enemy. This proverb applies to military strategy, sports psychology, and internet security.

For the past three years, Jamie Van Randwyk, Ken Chiang, and Levi Lloyd (all 8965) have been working on a Laboratory Directed Research and Development (LDRD) project to understand and develop countermeasures for malware and botnets (see “Malware 101 and botnets, too” at right). To streamline the work of sifting through thousands of instances of malware, they developed the Forensic Analysis Repository for Malware (FARM), a tool that, as Jamie puts it, has taken on a life of its own.

THE FORENSIC ANALYSIS REPOSITORY FOR MALWARE (FARM), created by Jamie Van Randwyk, Ken Chiang, and Levi Lloyd, enables computer security personnel to triage malicious software within minutes, giving them an advantage in the fight against cyber attacks. Here Levi examines FARM’s analysis of a variant of the Waledac botnet. (Photo by Randy Wong)

Looking at each individual piece of malware would take an experienced computer security analyst like Ken or Levi anywhere from 30 minutes to a couple of hours. With FARM, that process is fully automated and takes about five minutes.

“FARM enables malware triage in a true triage timeframe,” Jamie says. “Many government institutions only have a handful of highly skilled analysts, so their time is precious.”

Jamie describes FARM as a basic framework with a nice web interface on the front end, an extensive database on the back end, and a number of hardware resources. Users then plug software resources into the framework, so the tool is fully customizable — for example, one could run separate unclassified and classified versions — and easily upgradeable, an important feature for keeping pace with malware developers. Most of the software resources already existed and were readily available; the key to FARM is harnessing the software resources together with the database.

Ken and Levi, in addition to their research, work in computer security. From that perspective, they immediately saw the practical application of FARM. The tool is now being used across Sandia and at a number of other government agencies.

“As more people use FARM, we can take what they learn and continue to improve the entire package,” Jamie says.

The team chose to investigate Storm and Waledac, two complex, pervasive, and long-lasting botnets. Storm is said to have been responsible for up to 20 percent of the world’s spam at its heyday, infecting up to a million computers by some estimates. Waledac, considered by many to be a second iteration of Storm, infected hundreds of thousands of PCs worldwide and was thought to be capable of sending more than 1.5 billion spam messages a day. Through its Digital Crimes Unit, Microsoft Corporation effectively shut down Waledac last year, a major victory over the malware underworld.

To get at the core of the malicious software, Ken painstakingly worked to defeat multiple protection mechanisms. “The amount of work is asymmetrical,” he explains. “It’s easy to put on the protection mechanisms, but it takes a tremendous effort to take it apart.”

To reverse engineer the malware, Ken used three different technical approaches: static analysis, dynamic analysis, and emulation. Malware authors wrap their code in defensive layers both to obscure its true purpose and to prevent reverse engineering. For example, a program may not execute linearly, instead jumping around seemingly at random among a million lines. Or designers build the program so that parts of the code modify other parts, hiding its real purpose. Some malware is designed to detect when it is being run and watched, and to alter its behavior.
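As an added illustration of the static-analysis step named above (not FARM's code, and not a method the article describes in detail), the following Python script walks a PE file's section table with no external libraries and reports two quick triage signals an analyst checks before deeper reverse engineering: sections that are both writable and executable, which self-modifying code needs, and sections whose byte entropy is near 8 bits per byte, typical of packed or encrypted payloads. The sample image, the 7.0 entropy threshold, and the section names are constructed assumptions; the image is PE-shaped for parsing only and cannot execute.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE/COFF section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8.0 (empty data -> 0)."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(image: bytes):
    """Walk the COFF section table: yields (name, raw_size, raw_offset, characteristics)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew in the DOS header
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    pos = pe_off + 24 + opt_size  # section headers follow the optional header
    for _ in range(nsect):
        name, _vs, _va, raw_size, raw_off, *_, chars = struct.unpack_from("<8sIIIIIIHHI", image, pos)
        yield name.rstrip(b"\0").decode(), raw_size, raw_off, chars
        pos += 40

def triage(image: bytes, entropy_threshold: float = 7.0):
    """Flag W+X sections (room for self-modifying code) and high-entropy ones (packed payload)."""
    findings = []
    for name, size, off, chars in parse_sections(image):
        ent = shannon_entropy(image[off:off + size])
        flags = []
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        if ent >= entropy_threshold:
            flags.append("high-entropy")
        findings.append((name, round(ent, 2), flags))
    return findings

def build_sample() -> bytes:
    """Constructed, non-runnable PE-shaped image with two sections; optional header omitted."""
    text = b"Plain, low-entropy section content. " * 8
    packed = bytes(range(256)) * 2  # flat byte histogram -> exactly 8.0 bits/byte
    sections = [(b".text", text, 0x60000020), (b".upx1", packed, 0xE0000020)]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, off = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), off, len(data), off, 0, 0, 0, 0, chars)
        body += data
        off += len(data)
    return dos + b"PE\0\0" + coff + table + body
```

Running `triage(build_sample())` reports nothing notable for `.text` and both flags for `.upx1`; on a real binary the same checks point the analyst at the layer to unwrap first.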

The researchers learned that quickly disabling protection mechanisms is a key step to understanding and stopping the spread of malware. Ken can now unwrap a piece of malware in about a week, a process that took several months at the start of the LDRD. He’s beginning a late start LDRD that aims to use FARM to automate that unwrapping process — an “everything-but-the-kitchen-sink” tool that would be integrated into FARM.

After three years studying botnets on a small scale — from one to 40 hosts — the researchers now want to look at the other end of the spectrum. “We’re proposing a new LDRD to boot a million Windows nodes and study large-scale behavior of bots,” Jamie says. “Things happen at that scale that you just can’t see even with 10,000 instances.”

The work builds on research led by Ron Minnich (8961). Last year, he demonstrated the ability to run more than a million Linux kernels on virtual machines (Lab News, July 31, 2009). The researchers plan to take two approaches: emulating the properties of a Windows system sufficiently to run in a large-scale environment and reducing the size of Windows. “The size of Windows is a significant hurdle in getting to a million nodes,” says Jamie. “Right now for every 10 instances of Windows, you could probably boot a thousand instances of Linux.”

He’s hoping that this research may unlock a new approach to combating malware. “Until there is a fundamental change in the way we do computing — something huge like no longer using the Intel architecture — malware and malicious software are a fact of life,” Jamie says. “There have been lots of good, incremental changes, but we’re looking for a game changer. Automating the process of stripping protection mechanisms might be one. Looking at a Windows botnet from the vantage point of command control could reveal other approaches.”