A leading antivirus software company outsmarts viruses and malware and makes the Internet safer. Technosoft's Threat Researchers improve detection, reduce customer escalations and are at the forefront of rapid zero-day responses.

Technosoft Case Study, Nov 2012. Beyond Possible.
the client

Our client is a global leader in malware detection and anti-crimeware solutions; their products are used by over 50,000 businesses and four million consumers worldwide.

situation and impact

Our client's portfolio of security products, comprising antivirus, anti-spyware and anti-malware, faced significant competition in a crowded marketplace, which in turn was having an impact on its leadership position. The need therefore was continuous improvement in detection and disinfection rates, coupled with a proactive approach to detecting zero-day malware and advanced persistent threats (APTs). This was crucial to their twin objectives of increasing customer satisfaction and winning new customers.

The products need to prevent, detect and remove malware of all descriptions, employing a variety of techniques. The success of antivirus software (where heuristic detection is employed) depends on achieving the right balance between false positives and false negatives. The greatest challenge, however, is the threat posed by new malware for which no known signature yet exists.

the technosoft approach

Early on, we recognized that the four pillars to maintaining leadership position and competitive edge were:

- Improve the detection/disinfection rate without affecting the performance of the engine
- Reduce both false positives and false negatives
- Detect zero-day malware and advanced persistent threats
- Handle customer escalations within the specified SLA

Technosoft quickly formed a seed team that was ramped up to 18 experts in less than 8 weeks. The team consisted of 1 Project Manager, 7 Senior Researchers and 11 Researchers, whose combined skills spanned the entire spectrum of threat research: static and dynamic analysis of samples, including advanced persistent threats (APTs) and polymorphic cryptors/viruses; signature creation (checksum-based and generic) for malware; IDS/IPS rule creation and maintenance; URL categorization; and malware collection, including zero-day samples and APTs.

[Team structure figure: Project Manager (client interface, requirements scoping and team oversight); Senior Researchers (malware analysis, CRC and generic signatures, blogs and end-customer escalations); Researchers (analyzing malware, CRC signatures).]

Technosoft was chosen as the partner of choice given our track record in threat research, which included identifying the latest threats in the wild, active persistent threats and zero-day malware, along with expertise in URL categorization and clean file collection.

proposed solution

We proposed a model in which our team of Threat Researchers would be given access to the malware collection repository, would analyze each sample to determine whether it was malicious or not, and would subsequently develop the signature for detection.

Access was given to the client's Collection Handling System (CHS), which picked up malware samples from various sources and assigned a priority for analysis and signature creation.

[Figure: samples reach the Collection Handling System from user e-mails of suspicious files, remote access to suspicious files, honeypots, the client's labs, the client's support teams, forums and other security vendors; Technosoft's role covers sample analysis and signature creation, followed by release of DAT files (signature definition updates).]

The CHS provided all information on the sample, including the checksum, the source, whether it had been detected by other competing products, priority, etc. The samples were downloaded and moved to a Dirt Lab, a controlled and isolated virtual environment dedicated to malware research and testing, policy creation, and maintenance of content filter/firewall/application control.

[Dirt Lab figure: Vista virtual environment, Collection Handling System, Signature Updating System, Research PC1 to PC3 and a physical machine to analyze anti-VM samples, all on a Red Network (dedicated network for malware analysis); clean file collection system.]

Here dynamic analysis was performed, and behavior such as registry modifications, file and folder changes, network activity and process creation was observed. Tools used included behavior monitoring tools (Procmon, Regshot, InCtrl5, Process Explorer) and network monitoring tools (Wireshark, TCPView). Based on the report generated, the threat researcher decided whether the sample was a legitimate file or malware. In certain instances the malware sample recognized the system as an analysis system and did not exhibit any activity; the workaround was to run the sample on a physical machine to trigger it.

Static analysis is then performed on the malware sample with the help of debuggers such as OllyDbg, IDA Pro and WinDbg. Signatures are then developed and can be of two types: 1:1 or 1:many (targeting a family). These are written in our client's proprietary language, VDL (Virus Description Language), then compiled, and the DAT file is produced. A critical step here is a cross-check against Technosoft's clean file database to ensure that no legitimate files are detected as malware (false positives). Once the signature has been signed off by the senior researcher, it is pushed into the signature database, which in turn is pushed out to end customers twice a day.

[Workflow figure: download samples from CHS; set the environment / update signatures; replicate the original; if already detected, conclude in CHS; if not detected, replicate the samples, collect the payload files and scan them; if malicious, take a signature for the file and review it; if approved, run the false-positive check and scan with the updated signature, then update the signature in the client's database; if not malicious, conclude as clean. The figure's decision nodes are Already detected / Not detected, Detected / Not detected, Malicious / NO, and Approved / Not approved.]

The expertise and experience of the team is reflected in the rapid pace at which signatures are developed: typically in less than 1 hour, with a capability to develop over 600 signatures a week. To date, over 11,000 signatures have been created and several hundred thousand samples analyzed.

This team added value in several other ways:

- Certification support: supported our client for the ITW certification, awarded in recognition of a product's detection rate, performance, false-positive testing and usability. Thanks to our team, our client's products were able to detect 100% of threats in the wild.
- Creating and maintaining a clean file database of over 200,000 safe files and scanning them against the signatures created on a regular basis to eliminate false positives.
- Updating the virus encyclopaedia with the latest threats and underlying technologies.
- Creating and maintaining process flow documents for various internal processes, with expected problems and solutions.
- Periodic posts on our client's blog, covering new techniques used by malware and zero-day responses.

The team went over and beyond what was expected by proactively creating a clean file database of nearly 200,000 safe files, which was then scanned by every single signature developed by the team. This dramatically reduced false-positive detections, which increased the productivity of our client's teams while reducing customer support calls.

project factfile

Team size of 18; clean file collection database of 200,000 safe files; SLA adherence of 4 hours; over 11,000 signatures developed; dedicated Dirt Lab; behavior monitoring and VDL (Virus Description Language).

outcomes realized

- Improved the detection rate by adding nearly 100 generic signatures for major malware families
- Reduced customer escalations by processing nearly 15,000 samples in less than three months, in the process reducing the backlog of undetected files
- 50% of all customer escalations handled within the stringent SLA of 4 hours
- Reduced the number of false positives and false negatives

we can help

- Provide protection against the most common malware while striking a balance between security and productivity concerns: seamless security enforcement through dynamic and static analysis of malware, including payload and distribution methods, and analysis of APTs and zero-day threats
- Superior detection rates for newly discovered malware ensure a safe and secure environment: through one-to-one checksum-based and generic signatures
- Protect critical assets from cyber threats: IDS and IPS engine log monitoring, analysis and reporting of unusual activities detects and foils attempts by attackers to compromise systems, applications and data
- Minimize false positives and false negatives through an internal clean file database and malware samples
- Increase customer satisfaction and win new business through 24x7, multi-channel support (phone, email and chat)
- Improve enterprise security by preventing users from accessing malicious and unproductive sites through URL categorization based on content, leveraging an existing set of preprocessed URLs
- Ensure proactive compliance with regulations such as PCI, HIPAA, HITECH, NERC CIP and FFIEC through vulnerability assessment and patch management
[Figures: Static Analysis; Dynamic Analysis]
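The clean-file cross-check that gates signature release, as described in the proposed solution above, written out as an added example; this is constructed for illustration and is not the client's VDL tooling or Technosoft's own code. It models the two signature types the case study names (1:1 checksum signatures and 1:many generic patterns for a family), scans them against a constructed clean-file corpus to reject any signature that would cause a false positive, and then reports which malware samples the approved set still misses (false negatives). All file contents, file names and signature names are placeholders made up for the example.

```python
import hashlib
import re

# Constructed stand-ins for files (not real binaries or client data): name -> content.
CLEAN_FILES = {
    "calc.exe": b"MZ\x90\x00 legit calculator binary",
    "notepad.exe": b"MZ\x90\x00 legit text editor binary",
    "setup.exe": b"MZ\x90\x00 installer, updates from http://example.invalid/",
}
MALWARE_SAMPLES = {
    "sample1.exe": b"MZ\x90\x00 BAD-FAMILY-X dropper, beacons to http://c2.invalid/",
    "sample2.exe": b"MZ\x90\x00 BAD-FAMILY-X stealer v2",
    "sample3.exe": b"MZ\x90\x00 unrelated loader",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Two signature types, as in the case study: 1:1 checksum signatures (one hash
# per sample) and 1:many generic byte patterns targeting a family. The third one
# is deliberately over-broad so the clean-file cross-check has something to catch.
SIGNATURES = [
    {"name": "Trojan.Sample1", "type": "checksum", "value": sha256(MALWARE_SAMPLES["sample1.exe"])},
    {"name": "Gen.FamilyX", "type": "pattern", "value": rb"BAD-FAMILY-X"},
    {"name": "Gen.Overbroad", "type": "pattern", "value": rb"http://"},
]

def matches(sig, data):
    """True if the signature fires on the given file content."""
    if sig["type"] == "checksum":
        return sha256(data) == sig["value"]
    return re.search(sig["value"], data) is not None

def false_positives(sigs, clean):
    """Clean-file cross-check: names of signatures that fire on any safe file."""
    return sorted({s["name"] for s in sigs for d in clean.values() if matches(s, d)})

def false_negatives(sigs, malware):
    """Samples that no signature in the set detects (coverage gaps)."""
    return sorted(n for n, d in malware.items() if not any(matches(s, d) for s in sigs))

def release_gate(sigs, clean, malware):
    """Reject signatures with false positives, then report what the rest still misses."""
    rejected = false_positives(sigs, clean)
    approved = [s for s in sigs if s["name"] not in rejected]
    return {"approved": [s["name"] for s in approved], "rejected": rejected,
            "undetected": false_negatives(approved, malware)}
```

Calling `release_gate(SIGNATURES, CLEAN_FILES, MALWARE_SAMPLES)` rejects the over-broad pattern because it fires on the constructed installer, keeps the checksum and family signatures, and flags the third sample as still undetected, which is the point at which a researcher would write a new 1:1 or generic signature.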
About Technosoft

Technosoft Corporation is an IT and BPO services provider with headquarters in Southfield, MI, USA and delivery centers in India. We provide information technology, business process outsourcing and consulting services to companies in North America, Australia and New Zealand, and the Asia-Pacific region. As a privately owned company we answer to only two constituencies: our customers and our employees. Our customers rely on us to provide services and solutions that leverage our industry and domain expertise combined with our technology prowess, delivery focus and quality. Our collaborative culture and work environment helps attract and retain exceptional talent, which is a key ingredient of our sustained growth. To see how Technosoft can go Beyond Possible for your organizational needs, email us at wecanhelp@technosoftcorp.com or visit us at.

Corporate Headquarters: 28411 Northwestern Hwy, Suite 640, Southfield, MI 48034. Tel: (248) 603-2600. Fax: (248) 603-2599.

Copyright 2012, Technosoft. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission of Technosoft. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.