• Unique malware samples broke the 75 million mark in 2011 – Network World
• 500 malware networks available to launch attacks – InformationWeek
• Malware authors expand use of domain generation algorithms – Computerworld
• Zeus/Spyeye variant uses peer to peer network model  -  Infosecurity.com
• Anonymous promises regularly scheduled Friday attacks – Wired

This blog discusses the changing malware threat landscape, challenges faced by intrusion-prevention systems, and limitations with traditional signature-based detection. We also provide the vision of McAfee Labs regarding effective solutions to combat such advanced threats.

Changes to the Threat Landscape

In the last decade we have seen exponential growth in the number of Internet users worldwide. This expanding base provides a lucrative opportunity to criminal organizations to carry out illicit activities. Compared with earlier malware that primarily created nuisance attacks, today’s malware are much more focused on both their victims and goals. Today’s attacks are a major concern for enterprises and organizations. Not only do they risk the loss of intellectual property or data, but any disruption to business continuity can also severely hamper an organization’s productivity and reputation. Protecting networks with a wide variety of Internet-connected devices—desktops, laptops, smart phones, etc.—has become even more of a challenge.

Botnets are the most common form of malware used by cybercriminals to attack enterprises and government organizations worldwide. Botnets, networks of compromised “robot” machines (also known as zombies) under the control of a single botmaster, carry out malicious activities such as distributed denial of service (DDoS) attacks on servers, steal confidential information, install malicious code, and send spam emails. Recent examples are Operation Aurora, ShadyRAT, and DDoS attacks on payment websites in support of WikiLeaks.

Advanced persistent threats, on the other hand, focus on specific targets, such as government organizations, with motives ranging from espionage to disrupting a nation’s core networks, including nuclear, power, and financial infrastructure. Due to the discrete nature of the attacks, these can remain undetected for a long time. Such attacks are also much more complex and sophisticated compared with other malware.  For example, Stuxnet targeted Iranian nuclear facilities and Flame targeted cyberespionage in Middle Eastern countries.

Challenges

Looking at the significance of intellectual property and national secrets as well as the vast potential of monetary rewards gained through these advanced attacks and threats, more and more cybercriminals—often well funded by criminal organizations—are attracted to develop malware. Their authors implement various techniques to make the malware and associated communication channels stealthier to avoid detection by security products on host systems and on the network. For example, encrypting communications between host and control server, using decentralized network architecture to stay undetected and resilient, using domain and IP flux techniques to hide control servers, and obfuscating malicious payloads are some of the techniques widely used by malware these days.

Traditional Detection and Its Limits

A signature-based detection mechanism that looks for unique network patterns has been the traditional method employed by security vendors to provide protection against attacks.

This method, though effective for defending against known threats, has limits.

• It is reactive: To provide coverage, researchers need to monitor and analyze network traffic, and reverse-engineer the attack to provide accurate detection coverage
• It is static: Malicious network patterns observed in previous attacks can change frequently, thus making the existing signatures ineffective to detect new variants of old threats
• It cannot react to unknown (such as zero-day) attacks
• The scope of detection is limited to a single network session and cannot correlate events across multiple network sessions

These limitations severely cripple traditional signature-based detection in protecting against emerging threats.

McAfee Labs

To win the battle and keep customers protected against emerging threats in the future, security vendors must continue to innovate.

Based on the current challenges to and limitations of signature-based detection, McAfee Labs envisions a dynamic solution that can provide proactive protection against future threats.

Such a solution must:

• Provide a behavioral-based detection framework in addition to the traditional approach
• Be capable of integrating various behaviors of the malware/threat lifecycle
• Have the ability to correlate attacks across multiple network sessions to precisely detect a specific type of threat
• Have the ability to do event-based correlation across multiple network sessions to detect unknown malware/threats

Such a framework will primarily be targeted toward providing not only detection to known threats but also providing customers with early warnings of possible infections.

In subsequent blogs, we will talk more about the solution that McAfee Labs believes will be capable of combating malware and advanced persistent threats on our networks.

I would like to thank my colleagues Chong Xu and Ravi Balupari for their contributions to this blog.

Distribution Mechanism

The malicious application comes bundled in legitimate applications distributed by third-party app stores. The malware authors download the legitimate applications, repackage them to contain the Trojan, and upload them again to app stores for users to download. The infected application that we analyzed was related to a wallpaper application called Dandelion.

 Application Characteristics

The application requires Android 2.1 or later to install and execute.

Here is a screenshot of the application once installed:

The installed application has the following permissions:

The application can access contact info, access the Internet, modify/delete SD card contents, and even write access-point settings.

The application executes when one of these conditions is met.

• Two minutes have passed since the OS started/booted
• Change in network connectivity, for example, the device lost network connectivity and then reestablished it
• Call state on the device is changed, for example, receiving a call

A quick look at the AndroidMainfest.xml confirms these conditions.

On Execution

Below is the screenshot of the Trojan when executed:

The Trojan on execution contacts the following remote hosts:

• adrd.xiaxiab.com
• adrd.taxuan.net

and sends the following device info:

• IMEI: International Mobile Equipment Identity
• IMSI: International Mobile Subscriber Identity

The data transmitted is DES encrypted with the key “48734154.”

The next screenshot shows the information being transmitted by an infected Android mobile device:

The encoded data transmitted takes this form:

Encoded String = IMEI + IMSI + Netway + iversion + oversion

where,

iversion = “6” ( Hardcoded)

oversion = “adrd.zt.cw.4” (Hardcoded)

The server then responds with a list of URLs. The Trojan randomly picks one of these URLs and tries to contact it. In response, the server returns a search string that the Trojan uses to perform a web search in the background. It does this by issuing multiple HTTP search requests to the location.

For example:

hxxp://wap.baidu.com/s?word=%e7%83%a9%e5%b9%8a%e5%9a%bd%e7%ba%a7&vit=uni&from=952b

Based on this we suspect that the malware author intends to use the Trojan to perform search engine optimization to increase site rankings for a website. The Trojan can also update itself. It downloads the update and saves it to the /sdcard/uc folder with the filename myupdate.apk.

During our analysis we found traces of code that checked for the Access Point Names CMNET, CMWAP, UNINET, and UNIWAP, which belong to the Chinese Mobile Network. Based on this, we suspect that the Trojan primarily targets Chinese Android mobile users.

User devices infected with Android/DRAD may suffer from data disclosure and higher network bandwidth consumption resulting in high data charges.

McAfee IPS Coverage

McAfee Network Security Platform (formerly called IntruShield) has released coverage for this bot under the attack signature “HTTP: HongTouTou-ADRD Trojan Detected (0x4840b500).” McAfee customers with up-to-date installations are protected against this malware.