The following is a guest post by email. This is the third part in a series of articles on his view of hacking. If you are interested in writing for CyberCROW, click here. Otherwise, enjoy.

Saturday, November 6, 2010

The problems of classification with Viruses

Posted by glewoCROW 8:27 AM

The problems of classification


One of the main issues in contemporary mobile malware research is
classification; specifically, labeling new samples correctly and
grouping them into the appropriate classes that reflect their behavior.
The main difficulty is that most new malicious programs for mobile
devices are hybrids, containing functionality from two or more different
types of malware.


The Kaspersky Lab classification system is clearly structured:


  • Behaviour: what the program is and what it does. Examples include Email-Worm, Trojan-Downloader, Trojan-Dropper.
  • Environment: the operating system or specific application within which the malicious program functions. Examples include Win32, MSWord, Linux, VBS.
  • The family name and the variant identifier (letters).

There are few, if any, problems when it comes to the family name and
variant ID. Occasionally it is difficult to choose a family name, but
this is discussed in more detail below.


Sometimes it is difficult to identify the environment. Currently,
most cases of mobile malware involve malicious programs written for the
Symbian operating system, which we denote with “SymbOS”. However, more
and more frequently users want to know which particular Symbian
Series a particular piece of malware is coded for. “Will a given Trojan
only function in Symbian Series 60 SE, or will it also attack devices
running under Series 80?”, and so on. In our classification system for
computer malware, we do identify the specific Windows version: Win16,
Win9x, Win32. So it’s possible that in future we will need to include
numbers in our Symbian classification as well.


In terms of mobile malware, identifying the Symbian series is the
least of our problems. Things get much more complicated when we examine
Windows Mobile.


For instance, there are viruses that were written for Windows CE
2003. We named this environment WinCE. However, malware written for
Windows Mobile 5.0 doesn’t function under Windows CE. Moreover, Windows
Mobile does not fully replace Windows CE, since we also have Windows
Pocket PC. Mobile and Pocket PC both use a set of functions which are
also used by Windows CE, but then have their own specific applications
and peculiarities.


As a result, it is very difficult to use the existing classification
system to give a specific piece of malware a precise name that reflects
its behavior.


Additionally, a number of viruses require that .NET for WinCE/
Windows Mobile be installed in order for them to function. In such
cases, we use the designation MSIL for the environment, which does not
underline the fact that the malware was coded for mobile devices.


Confused yet? This is just the tip of the iceberg. The most
complicated part of naming mobile malware is choosing the behavior.
This is where serious complications are caused by hybridization, as well
as cross platform mobile malware and the different naming conventions
used by different antivirus vendors.


A look at some examples will make the issue clearer.


Let us assume that we have a certain sis file (which in essence is an
archived installer). This file contains the files from Cabir, Comwar,
the Pbstealer Trojan, several Skuller.gen files and several empty files
(0 bits), which are a hallmark of Locknut. And if this wasn’t enough,
this file also installs a Win32 virus to the phone’s memory card (just
like the Cardtrap Trojan).


Based on our current classification system, we would call this a
Trojan-Dropper. But not in this case! Cabir, once installed, will send
the sis file via Bluetooth. Does this mean the sis file is a worm?
And if so, what do we call it? Cabir? Impossible. We can’t call it
Cabir and give it a new variant ID because 90% of the sis file contents
have nothing to do with Cabir. Naming it Cabir would only confuse users.


What about Skuller, Locknut or Cardtrap? None of these names
alone is applicable, since the new sample is a hybrid. As a result,
the sis file is most likely to be called a Trojan and given the family
name of an existing family from our collection. This name will be chosen
on the basis of secondary traits, such as being written by the same
author.


Such complex situations are rare for computer viruses, but are the
norm for mobile malware. It’s possible that as primitive vandal Trojans
become fewer, as mentioned above, the world of mobile malware will
become more structured.


Let’s examine another case. We have a worm that runs under Win32.
When it is launched on a PC, among other things, it creates a sis file
on the E:\ drive. As a rule, Symbian phones connect to PCs via this
drive. The sis file contains several blank/empty files, and these are
used to overwrite a number of the phone’s system applications. This sis
file also contains the same Win32 worm, which copies itself onto the
phone’s memory card together with an autorun.inf file. If the infected
phone is connected to a clean computer and an attempt is made to access
the memory card from the PC, the worm will be launched and the clean
computer infected.


This is an example of a cross-platform virus which is capable of
running under two operating systems: Symbian and Windows. A worm like
this exists - it's called Mobler. But how should it be classified?


For cross-platform viruses, we used the “Multi” identifier.
Worm.Multi.Mobler? Unfortunately, users can’t tell from this name that
the virus poses a threat to Symbian smartphones. We believe that the
best way to classify this program is in accordance with its two
components: the Win32 file is classified as Worm.Win32.Mobler, and the
sis file as Worm.SymbOS.Mobler.
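As an added illustration (not code from the original post or from Kaspersky Lab), the following script parses names in the Behaviour.Environment.Family[.variant] layout described above and shows the two naming choices for a cross-platform sample like Mobler: one name per component versus a single “Multi” name. The behaviour and environment vocabularies are assumptions limited to values mentioned on this page, and the per-file verdicts are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Vocabularies are assumptions limited to values named on this page.
BEHAVIOURS = {"Worm", "Email-Worm", "Trojan", "Trojan-Downloader", "Trojan-Dropper"}
ENVIRONMENTS = {"Win16", "Win9x", "Win32", "MSWord", "Linux", "VBS", "SymbOS", "WinCE", "MSIL", "Multi"}

@dataclass(frozen=True)
class MalwareName:
    """Behaviour.Environment.Family[.variant], the layout described above."""
    behaviour: str
    environment: str
    family: str
    variant: Optional[str] = None

    def __str__(self) -> str:
        base = f"{self.behaviour}.{self.environment}.{self.family}"
        return f"{base}.{self.variant}" if self.variant else base

def parse_name(name: str) -> MalwareName:
    """Split e.g. 'Worm.Win32.Mobler.a' into fields; reject unknown vocabulary."""
    parts = name.split(".")
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 dot-separated fields: {name!r}")
    behaviour, environment, family = parts[:3]
    variant = parts[3] if len(parts) == 4 else None
    if behaviour not in BEHAVIOURS:
        raise ValueError(f"unknown behaviour {behaviour!r}")
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}")
    if variant is not None and not variant.isalpha():
        raise ValueError("variant identifier must be letters only")
    return MalwareName(behaviour, environment, family, variant)

def name_components(family: str, verdicts: List[tuple]) -> List[MalwareName]:
    """One name per distinct (environment, behaviour) pair found in a package,
    in first-seen order, so every affected platform stays visible."""
    names: List[MalwareName] = []
    for environment, behaviour in verdicts:  # constructed analyst verdicts
        candidate = MalwareName(behaviour, environment, family)
        if candidate not in names:
            names.append(candidate)
    return names

def collapse_to_multi(names: List[MalwareName]) -> MalwareName:
    """The rejected alternative: fold the environments into one '.Multi.' name,
    which no longer tells a user which platforms the sample threatens."""
    envs = {n.environment for n in names}
    env = envs.pop() if len(envs) == 1 else "Multi"
    return MalwareName(names[0].behaviour, env, names[0].family)
```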


However, other antivirus companies don't classify the sis file either
as Mobler or as a worm. They call this program Trojan.SymbOS.Cardtrap,
because, according to their classification systems, any malicious
program which installs a Win32 malicious program to the memory card is
Cardtrap. But this malicious program doesn’t install a random Trojan; it
installs its own main component and sends a copy of itself only to
other operating systems. The strict criteria imposed by antivirus
companies' classification systems mean that square pegs have to be
forced into round holes. And at the end of the day this means everybody
loses: both the users and the antivirus companies themselves.


If we start from the assumption that the propagation methods and
behaviours of many mobile viruses will be fundamentally different from
anything we’ve seen before, this means that we will have to create new
classes in order to reflect this. For instance, Cabir (or any worm which
propagates via Bluetooth) could logically be classified as a
Bluetooth-Worm (as could Inqtana, a worm for Mac OS). A worm which
propagates via MMS could be classified as an MMS-Worm. But what if the
worm sends itself via Bluetooth and via MMS? Which of these two
propagation methods is the most important? Kaspersky Lab would see MMS
as being the main propagation method, but other antivirus companies
might think differently, giving priority to Bluetooth.


Sooner or later the antivirus industry will have to face the fact
that it’s essential to create a unified classification system for mobile
malware. This should be done as soon as possible before the situation
becomes critical, and before the confusion that reigns in terms of
classifying PC viruses (with viruses being given totally different names
by individual vendors) takes over the mobile malware world.
Unfortunately, the failure to create a unified classification system for
PC viruses does not leave much hope for the future in terms of mobile
malware classification.
