Chris Barton
Having been with "big red" since the Dr Solomons acquisition Chris has seen many come and go but is never content to be ...
News about the Artemis project has been out for a little while. As the rollout continues we want to post some of the juicy backstage gossip here, making you some of the first people to see this outside of the core project team!
If you’ve not heard about the Artemis technology yet, it’s our “in-the-cloud”-based malware detection; head over to the McAfee Artemis micro-site. I highly recommend the podcast (hidden on the right-hand side) as my colleague Dimitry Gryaznov outtalks our communications guru Dave Marcus.
One of the things Artemis provides to researchers is very clear telemetry on active malware campaigns, and I want to share a few interesting examples. All the “measles maps” below show a one-day period and were all taken at the same time earlier today.
First up is today’s typical ecard malware:

As you might expect, there are lots of hits all around the globe, sent very quickly. [Take note ISPs: you’re the first line of defense and you delivered this to our users.]
This is a previous ecard campaign from a week ago:

(There’s always one.) This isn’t saying that the campaign is over and protection is no longer required. Since Artemis gets queries only for those without current detection in the DATs, this simply means that the map shows endpoint(s) that need to update.
Sex (still) sells. The current “tits.exe” campaign:

This picture looked like the first one on Friday. Protection is relatively new for this threat and we’re seeing the queries tail off as customers update. This is exactly the point of Artemis, providing protection for new threats between updates, and efficiently, too. (I’ve no idea why this one appears to be more popular in Australia.)
This is the current data from the “tits.exe” campaign from last weekend (21 September):

Yes it’s a blank map. In fact, the last query was at 00:45 on 25 September from an ISP in California. This is quite a revelation: Artemis fills a gap far wider than I first envisaged.
Dimitry’s podcast also explains how we are able to deploy Artemis without an upgrade and that Artemis has been dormant in the DATs for quite a few months already. Those on the Artemis-enabled beta programs have been enjoying its added protection for months as well.
A quick note about privacy before the vultures circle.
The dots on the map roughly represent ISPs rather than individual users (we couldn’t read it otherwise). We use the data purely on a statistical basis and we don’t keep it longer than we need to. The dots are geolocated by a service that has well-understood accuracy “limits,” so relax. Artemis does not know where you live, or what color the car on your driveway is. For that, you need to ask Google; they have pictures of it.
Artemis queries are short checksums or fingerprints. Those wishing to disable Artemis should unplug themselves from the Internet at this point. It’s far easier to track our blog readers, for instance.
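To make the mechanics of the maps above concrete, here is a small added model of the lookup flow the post describes: an endpoint hashes a file, checks its local DATs first, and only sends a short fingerprint to the cloud on a miss; the cloud keeps a per-ISP query log from which a one-day “measles map” count is derived. This is illustrative code written for this page, not McAfee’s Artemis implementation; the class names, ISP labels, dates and sample bytes are all constructed.

```python
"""Toy model of cloud-assisted detection and the telemetry it produces.
Added example for this post; NOT McAfee/Artemis code. All names and data are constructed."""
import hashlib
from collections import Counter
from datetime import datetime, timedelta


def fingerprint(data: bytes) -> str:
    """The endpoint only ever sends a short hash of the file, never the file itself."""
    return hashlib.sha256(data).hexdigest()


class CloudService:
    """Stand-in for the cloud lookup back end. Logs (timestamp, isp, fingerprint) only."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)
        self.log = []  # per-ISP telemetry; no user identity is recorded

    def query(self, fp: str, isp: str, ts: datetime) -> str:
        self.log.append((ts, isp, fp))
        return "detected-cloud" if fp in self.known_bad else "unknown"


class Endpoint:
    """A scanning client with a local DAT set (fingerprints it can detect offline)."""

    def __init__(self, isp: str, local_dats=()):
        self.isp = isp
        self.local_dats = set(local_dats)

    def scan(self, data: bytes, cloud: CloudService, ts: datetime) -> str:
        fp = fingerprint(data)
        if fp in self.local_dats:
            return "detected-local"  # covered by DATs: no cloud query is sent at all
        return cloud.query(fp, self.isp, ts)


def queries_per_isp(log, fp: str, since: datetime, until: datetime) -> dict:
    """Count cloud queries for one fingerprint per ISP inside a time window (one map dot per ISP)."""
    counts = Counter(isp for ts, isp, f in log if f == fp and since <= ts < until)
    return dict(counts)


# Constructed sample standing in for an ecard dropper; any bytes would do.
SAMPLE_ECARD = b"constructed sample: ecard.exe dropper"
ECARD_FP = fingerprint(SAMPLE_ECARD)


def run_campaign() -> dict:
    """Day 1: DATs lack detection, every endpoint asks the cloud.
    Day 2: a DAT update ships; only the one endpoint that did not update still queries."""
    cloud = CloudService(known_bad={ECARD_FP})
    day1 = datetime(2008, 9, 29)          # constructed dates
    day2 = day1 + timedelta(days=1)
    isps = ["isp-us-west", "isp-uk", "isp-de", "isp-au"]  # constructed labels
    endpoints = [Endpoint(isp) for isp in isps]

    for i, ep in enumerate(endpoints):
        ep.scan(SAMPLE_ECARD, cloud, day1 + timedelta(hours=i))

    for ep in endpoints[:-1]:             # all but the last endpoint pick up the new DATs
        ep.local_dats.add(ECARD_FP)
    for i, ep in enumerate(endpoints):
        ep.scan(SAMPLE_ECARD, cloud, day2 + timedelta(hours=i))

    return {
        "day1": queries_per_isp(cloud.log, ECARD_FP, day1, day2),
        "day2": queries_per_isp(cloud.log, ECARD_FP, day2, day2 + timedelta(days=1)),
    }


if __name__ == "__main__":
    for day, counts in run_campaign().items():
        print(day, counts)
```

The day-2 result is the “there’s always one” map from the post: a single dot left for the ISP whose endpoint has not updated, while every other endpoint detects locally and never contacts the cloud. It also shows why the privacy footprint is small: the only things that reach the log are a hash, an ISP label and a timestamp.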
Some other trivia about Artemis:
Enterprise customers, please feel free to call Platinum Support if you want to test out Artemis early.
Lastly, any malware authors who want free third-party real-time telemetry on their campaigns should contact us ASAP! Our legal hounds are waiting to take your calls.
Tags: in the cloud, malware, maps, tools
I have been trying to run the cyber scan for problems I am having on my computer. By the stomping in my attic it seems someone has connected on to my DSL line.
The cyber scan keeps telling me I have a technical error. Not sure what this means. Any suggestions.
@sun88990 2 reasons actually. Firstly the malware in question was in English and the campaign and the snapshot was taken during night time in that region. Secondly national coverage in the roll-out is not as uniform as we’d like.
@Optimum Yes, that’s correct, and yes it is.
So the data you show is only from a limited userbase who is using artemis right now ?
Anyway – seems to work powerfully.
Why is Asia clean in the picture?