Security in Dog Years, Malware Analysis in Minutes
A few weeks ago, the security community had its security blanket ripped firmly away as the WannaCry ransomware tore through hospitals, rail systems, telecommunication companies and more on its way around the globe.
While the dust settles and researchers figure out the initial infection vector and develop recommendations for preventing future incidents, I wanted to take a step further back for some longer term malware analysis. After all, cyberattacks feel like they are accelerating, much like aging in dog years compared to human years.
The Dog Days of Malware Analysis
Rewind to 2000, the year the ILOVEYOU worm infected 50 million machines in 10 days. Compared to the infection statistics of other infamous malware such as Code Red and Conficker, and more recent ransomware such as CryptoWall and WannaCry, ILOVEYOU wins top marks for running rampant.
When I started drafting the above chart, I was hoping to see that the number of infected machines per minute would make a nice straight line going from the bottom right to top left. Then I remembered what the smart people at X-Force keep telling us: Attackers have gotten smarter and more refined in their attacks so as not to draw as much attention. This increases the longevity of malware, because if security researchers don’t notice it, they won’t spend as much time developing protection strategies to stop the spread.
This makes my comparison a bit of a fruit salad. However, it’s not just apples and oranges — there’s apparently a mango and a broccoli spear thrown in. WannaCry and CryptoWall were relatively targeted in their attack vectors compared to ILOVEYOU, which basically hit anyone who opened an attachment in Microsoft Outlook. Although WannaCry grabbed more headlines than your average highly contagious malware, the total number of infected machines pales in comparison to larger historical attacks.
Cybersecurity Obedience School
Much of the security industry’s focus is on speed — namely, faster detection, faster response and shorter impact timelines. We are like a dog with a bone about artificial intelligence, with the hope that it will turn security solutions practically precognizant. As more threats and even more helpful data show up, we need to prioritize integrated solutions that don’t add more data or alerts unnecessarily. Touting the benefits of threat intelligence is not helpful if there is neither time nor resources to take action on it. Enter malware analysis in minutes.
We debuted IBM X-Force Malware Analysis in the aftermath of WannaCry. Since then, we’ve encouraged companies to sign up for the free 30-day trial to see if it works for them. With a simple drag-and-drop interface on IBM X-Force Exchange, security analysts can easily submit suspicious files for analysis.
Prefiltering for known-bad files speeds up the analysis. With over 500 known-bad MD5 hashes for WannaCry in the current public collection on X-Force Exchange, time is knocked off the malware analysis. If a file isn’t readily identified as malware, it’s sent to the cloud-based sandbox for execution and monitoring.
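The two-stage triage described above, as an added illustration that is not IBM's code and does not talk to X-Force Exchange: a file whose MD5 is in a known-bad collection is flagged at the prefilter stage, and anything else is routed to the sandbox. The collection, the sample bytes and the file names are all constructed stand-ins; the one-byte variant shows the caveat that an exact-hash prefilter only catches identical samples, so the sandbox stage is what actually covers repacked or modified files.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for a public known-bad collection. These bytes are
# made up for the example; they are not real WannaCry samples or indicators.
KNOWN_BAD_SAMPLES: Dict[str, bytes] = {
    "constructed-sample-A": b"MZ\x90\x00 constructed sample A, not real malware",
    "constructed-sample-B": b"MZ\x90\x00 constructed sample B, not real malware",
}
# Lookup table: md5 -> collection entry name (the prefilter's whole job).
KNOWN_BAD_MD5: Dict[str, str] = {md5_hex(b): n for n, b in KNOWN_BAD_SAMPLES.items()}


@dataclass
class Verdict:
    md5: str
    stage: str            # "prefilter" (hash hit) or "sandbox" (needs execution)
    match: Optional[str]  # collection entry that matched, if any


def triage(data: bytes, collection: Dict[str, str] = KNOWN_BAD_MD5) -> Verdict:
    """Stage 1: exact-hash prefilter. Stage 2: hand off to the sandbox."""
    digest = md5_hex(data)
    if digest in collection:
        return Verdict(digest, "prefilter", collection[digest])
    return Verdict(digest, "sandbox", None)


def triage_batch(files: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {name: triage(data) for name, data in files.items()}


if __name__ == "__main__":
    # Constructed submissions: an exact copy, a one-byte variant, a benign file.
    files = {
        "exact_copy.bin": KNOWN_BAD_SAMPLES["constructed-sample-A"],
        "one_byte_variant.bin": KNOWN_BAD_SAMPLES["constructed-sample-A"] + b"\x00",
        "benign.txt": b"quarterly report, constructed benign content",
    }
    for name, v in triage_batch(files).items():
        print(f"{name:22} {v.stage:9} {v.match or ''}")
```

Only `exact_copy.bin` is stopped by the hash prefilter; the variant and the benign file both fall through to the sandbox, which is why the hash list reduces load rather than replacing execution analysis.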
The malware analysis results are returned quickly with a clear indication of whether your suspicious file should be immediately sent to the doghouse. This sample report shows the results of analysis of a WannaCry-infected file — the risks are known command-and-control (C&C) traffic and ransomware code.
Source: IBM X-Force Malware Analysis on Cloud