Malware Analysis: The Danger of Connecting the Dots

The findings of a lot of malware analysis are not in fact “analysis;” they’re a collection of data points linked together by assumptions whose validity and credibility have not been evaluated. This lack of analytic methodology could prove exceedingly problematic for those charged with making decisions about cyber security. If you cannot trust your analysis, how are you supposed to make sound cyber security decisions?

Question: If I give you a malware binary to reverse engineer, what do you see? Think about your answer for a minute and then read on. We’ll revisit this shortly.

It is accepted as conventional wisdom that Stuxnet is related to Duqu, which is in turn related to Flame. All of these malware have been described as “sophisticated” and “advanced,” so much so that they must be the work of a nation-state (such work presumably requiring large amounts of time and lots of skilled people and the code written for purposes beyond simply siphoning off other people’s cash). The claim that the US government is behind Stuxnet has consequently led people to assume that all related code is US sponsored, funded, or otherwise backed.

Except for the claim of authorship, all of the aforementioned data points come from people who reverse engineer malware binaries. These are technically smart people who practice an arcane and difficult art, but what credibility does that give them beyond their domain? In our quest for answers do we give too much weight to the conclusions of those with discrete technical expertise and fail to approach the problem with sufficient depth and objectivity?

Let’s take each of these claims in turn.

Are there similarities if not outright sharing of code in Stuxnet, Duqu and Flame? Yes. Does that mean the same people wrote them all? Do you believe there is a global marketplace where malware is created and sold? Do you believe the people who operate in that marketplace collaborate? Do you believe that the principle of “code reuse” is alive and well? If you answered “yes” to any of these questions then a single source of “advanced” malware cannot be your only valid conclusion.

Is the code in Stuxnet, etc. “sophisticated?” Define “sophisticated” in the context of malware. Forget about malware and try to define “sophisticated” in the context of software, period. Is Excel more sophisticated than Photoshop? When words have no hard and widely-accepted definitions, they can mean whatever you want them to mean, which means they have no meaning at all.

Can only a nation-state produce such code? How many government-funded software projects are you aware of that work as advertised? You can probably count on one hand and have fingers left over. But now, somehow, when it comes to malware, suddenly we’re to believe that the government has gotten its shit together?

“But Mike, these are, like, weapons. Super secret stuff. The government is really good at that.”

Really? Have you ever heard of the Osprey? Or the F-35? Or the Crusader? Or the JTRS? Or Land Warrior? Groundbreaker? Trailblazer? Virtual Case File?

I’m not trying to trivialize the issues associated with large and complex technology projects, my point is that a government program to build malware would be subject to the same issues and consequently no better – and quite possibly worse – than any non-governmental effort to do the same thing. Cyber crime statistics – inflated though they may be – tell us that governments are not the only entities that can and do fund malware development.

“But Mike, the government contracts out most of its technology work. Why couldn’t they contract out the building of digital weapons?”

They very well could, but then what does that tell us? It tells us that if you wanted to build the best malware you have to go on the open market (read: people who may not care who they’re working for, as long as their money is good).

As far as the US government “admitting” that they were behind Stuxnet: they did no such thing. A reporter, an author of a book, says that a government official told him that the US was behind Stuxnet. Neither the President of the United States, nor the Secretary of Defense, nor the Directors of the CIA or NSA got up in front of a camera and said, “That’s us!” which is what an admission would be. Let me reiterate: a guy who has a political agenda told a guy who wants to sell books that the US was behind Stuxnet.

It’s easy to believe the US is behind Stuxnet, as much as it is to believe Israel is behind it. You know who else doesn’t like countries who don’t have nuclear weapons to get them? Almost every country in the world, including those countries that currently have nuclear weapons. You know who else might not want Iran – a majority Shia country – to have an atomic bomb? Roughly 30 Sunni countries for starters, most of which could afford to go onto the previously mentioned open market and pay for malware development. What? You hadn’t thought about the non-proliferation treaty or that Sunni-Shia thing? Yeah, neither has anyone working for Kaspersky, Symantec, F-Secure, etc., etc.

Back to the question I asked earlier: What do you see when you reverse engineer a binary?

Answer: Exactly what the author wants you to see.

  • I want you to see words in a language that would throw suspicion on someone else.
  • I want you to see that my code was compiled in a particular foreign language (even though I only read and/or write in a totally different language).
  • I want you to see certain comments or coding styles that are the same or similar to someone else’s (because I reuse other people’s code).
  • I want you to see data about compilation date/time, PDB file path, etc., which could lead you to draw erroneous conclusions have no bearing on malware behavior or capability.

Contrary to post-9/11-conventional wisdom, good analysis is not dot-connecting. That’s part of the process, but it’s not the whole or only process. Good analysis has methodology behind it, as well as a fair dose of experience or exposure to other disciplines that comes into play. Most of all, whenever possible, there are multiple, verifiable, meaningful data points to help back up your assertions. Let me give you an example.

I used to work with a guy we’ll call “Luke.” Luke was a firm believer in the value of a given type of data. He thought it was infallible. So strong were Luke’s convictions about the findings he produced using only this particular type of data that he would draw conclusions about the world that flew in the face of what the rest of us like to call “reality.” If Luke’s assertions were true, WW III would have been triggered, but as many, many other sources of data were able to point out, Luke was wrong.

There was a reason why Luke was the oldest junior analyst in the whole department.

Luke, like a lot of people, fall victim to a number of problems, fallacies and mental traps when they attempt to draw conclusions from data. This is not an exhaustive list, but illustrative of what I mean.

Focus Isn’t All That. There is a misconception that narrow and intense focus leads to better conclusions. The opposite tends to be true: the more you focus on a specific problem, the less likely you are to think clearly and objectively. Because you just “know” certain things are true, you feel comfortable taking shortcuts to reach your conclusion, which in turn simply drives you further away from the truth.

I’ve Seen This Before. We give too much credence to patterns. When you see the same or very similar events taking place or tactics used your natural reaction is to assume that what is happening now is what happened in the past. You discount other options because its “history repeating itself.”

The Shoehorn Effect. We don’t like questions that don’t have answers. Everything has to have an explanation, regardless of whether or not the explanation is actually true. When you cannot come up with an explanation that makes sense to you, you will fit the answer to match the question.

Predisposition. We allow our biases to drive us to seek out data that supports our conclusions and discount data that refutes it.

Emption. You cannot discount the emotional element involved in drawing conclusions, especially if your reputation is riding on the result. Emotions about a given decision can run so high that it overcomes your ability to think clearly. Rationalism goes out the window when your gut (or your greed) over-rides your brain.

How can we overcome the aforementioned flaws? There are a range of methodologies analysts use to improve objectivity and criticality. These are by no means exhaustive, but they give you an idea of the kind of effort that goes into serious analytic efforts.

Weighted Ranking. It may not seem obvious to you, but when presented with two or more choices, you choose X over Y based on the merits of X, Y (and/or Z). Ranking is instinctual and therefore often unconscious. The problem with most informal efforts at ranking is that its one-dimensional.

“Why do you like the TV show Homicide and not Dragnet?”

“Well, I like cop shows but I don’t like black-and-white shows.”

“OK, you realize those are two different things you’re comparing?”

A proper ranking means you’re comparing one thing against another using the same criteria. Using our example you could compare TV shows based on genre, sub-genre, country of origin, actors, etc., rank them according to preference in each category, and then tally the results. Do this with TV shows – or any problem – and you’ll see that your initial, instinctive results will be quite different than those of your weighted rankings.

Hypothesis Testing. You assert the truth of your hypothesis through supporting evidence, but you are always working with incomplete or questionable data, so you can never prove a hypothesis true; we accept it to be true until evidence surfaces that suggest it to be false (see bias note above). Information becomes evidence when it is linked to a hypothesis, and evidence is valid once we’ve subjected it to questioning: where did the information come from? How plausible is it? How reliable is it?

Devil’s Advocacy. Taking a contrary or opposing position from what is the accepted answer helps overcome biases and one-dimensional thinking. Devil’s advocacy seeks out new evidence to refute “what everybody knows,” including evidence that was disregarded by those who take the prevailing point of view.

This leads me to another point I alluded to earlier and that isn’t addressed in media coverage of malware analysis: what qualifications does your average reverse engineer have when it comes to drawing conclusions about geo-political-security issues? You don’t call a plumber to fix your fuse box. You don’t ask a diplomat about the latest developments in no-till farming. Why in the world would you take at face value what a reverse engineer says about anything except very specific, technical findings? I’m not saying people are not entitled to their opinions, but credibility counts if those opinions are going to have value.

So where are we?

  • There are no set or even widely accepted definitions related to malware  (e.g. what is “sophisticated” or “advanced”).
  • There is no widely understood or accepted baseline of what sort of technical, intellectual or actual-capital required to build malware.
  • Data you get out of code, through reverse engineering or from source, is not guaranteed to be accurate when it comes to issues of authorship or origin.
  • Malware analysts do not apply any analytic methodology in an attempt to confirm or refute their single-source findings.
  • Efforts to link data found in code to larger issues of geo-political importance are at best superficial.

Why is all of this important? Computer security issues are becoming an increasingly important factor in our lives. Not that everyone appreciates it, but look at where we have been and where we are headed. Just under 20 years ago few people in the US, much less the world, world were online; now more people in the world get online via their phones than do on a traditional computer. Cars use computers to drive themselves, and biological implants are controlled via Bluetooth. Neither of these new developments has meaningful security features built into them, but no one would ever be interested in hacking insulin pumps or pacemakers, right?

Taking computer security threats seriously starts by putting serious thought and effort behind our research and conclusions. The government does not provide information like this to the public, so we rely on vendors and security companies (whose primary interest is profit) to do it for us. When that “analysis,” which is far from rigorous is delivered to decision-makers who are used to dealing with conclusions that have been developed through a much more robust methodology, their decisions can have far reaching negative consequences.

Sometimes a quick-and-dirty analysis is right, and as long as you’re OK with the fact that that is all that most malware analysis is, OK. But you’re planning on making serious decisions about the threat you face from cyberspace, you should really take the time and effort to ensure that your analysis has looked beyond what IDA shows and considered more diverse and far-reaching factors.

Stop Pretending You Care (about the NSA)

You’ve read the stories, heard the interviews, and downloaded the docs and you’re shocked, SHOCKED to find that one of the world’s most powerful intelligence agencies has migrated from collecting digital tons of data from radio waves and telephone cables to the Internet. You’re OUTRAGED at the supposed violation of your privacy by these un-elected bureaucrats who get their jollies listening to your sweet nothings.

Except you’re not.

Not really.

Are you really concerned about your privacy? Let’s find out:

  1. Do you only ever pay for things with cash (and you don’t have a credit or debit card)?
  2. Do you have no fixed address?
  3. Do you get around town or strange places with a map and compass?
  4. Do you only make phone calls using burner phones (trashed after one use) or public phones (never the same one twice)?
  5. Do you always go outside wearing a hoodie (up) and either Groucho Marx glasses or a Guy Fawkes mask?
  6. Do you wrap all online communications in encryption, pass them through TOR, use an alias and only type with latex gloves on stranger’s computers when they leave the coffee table to use the bathroom?
  7. Do you have any kind of social media presence?
  8. Are you reading this over the shoulder of someone else?

The answer key, if you’re serious about not having “big brother” of any sort up in your biznaz is: Y, Y, Y, Y, Y, Y, N, Y. Obviously not a comprehensive list of things you should do to stay off anyone’s radar, but anything less and all your efforts are for naught.

People complain about their movements being tracked and their behaviors being examined; but then they post selfies to 1,000 “friends” and “check in” at bars and activate all sorts of GPS-enabled features while they shop using their store club card so they can save $.25 on albacore tuna. The NSA doesn’t care about your daily routine: the grocery store, electronics store, and companies that make consumer products all care very, very much. Remember this story? Of course you don’t because that’s just marketing, the NSA is “spying” on you.

Did you sign up for the “do not call” list? Did you breathe a sigh of relief and, as a reward to yourself, order a pizza? Guess what? You just put yourself back on data brokers and marketing companies “please call me” list. What? You didn’t read the fine print of the law (or the fine print on any of the EULAs of the services or software you use)? You thought you had an expectation of privacy?! Doom on you.

Let’s be honest about what the vast majority of people mean when they say they care about their privacy:

I don’t want people looking at me while I’m in the process of carrying out a bodily function, carnal antics, or enjoying a guilty pleasure.

Back in the day, privacy was easy: you shut the door and drew the blinds.

But today, even though you might shut the door, your phone can transmit sounds, the camera in your laptop can transmit pictures, your set-top-box is telling someone what you’re watching (and depending on what the content is can infer what you’re doing while you are watching). You think you’re being careful, if not downright discrete, but you’re not. Even trained professionals screw up and it only takes one mistake for everything you thought you kept under wraps to blow up.

If you really want privacy in the world we live in today you need to accept a great deal of inconvenience. If you’re not down with that, or simply can’t do it for whatever reason, then you need to accept that almost nothing in your life is a secret unless it’s done alone in your basement, with the lights off and all your electronics locked in a Faraday cage upstairs.

Don’t trust the googles or any US-based ISP for your email and data anymore? Planning to relocate your digital life overseas? Hey, you know where the NSA doesn’t need a warrant to do its business and they can assume you’re not a citizen? Overseas.

People are now talking about “re-engineering the Internet” to make it NSA-proof…sure, good luck getting everyone who would need to chop on that to give you a thumbs up. Oh, also, everyone who makes stuff that connects to the Internet. Oh, also, everyone who uses the Internet who now has to buy new stuff because their old stuff won’t work with the New Improved Internet(tm). Employ encryption and air-gap multiple systems? Great advice for hard-core nerds and the paranoid, but not so much for 99.99999% of the rest of the users of the ‘Net.

/* Note to crypto-nerds: We get it; you’re good at math. But if you really cared about security you’d make en/de-cryption as push-button simple to install and use as anything in an App store, otherwise you’re just ensuring the average person runs around online naked. */

Now, what you SHOULD be doing instead of railing against over-reaches (real or imagined…because the total number of commentators on the “NSA scandal” who actually know what they’re talking about can be counted on one hand with digits left over) is what every citizen has a right to do, but rarely does: vote.

The greatest power in this country is not financial, it’s political. Intelligence reforms only came about in the 70s because of the sunshine reflecting off of abuses/overreaches could not be ignored by those who are charged with overseeing intelligence activities. So if you assume the worst of what has been reported about the NSA in the press (again, no one leaking this material, and almost no one reporting of commenting on it actually did SIGINT for a living…credibility is important here) then why have you not called your Congressman or Senator? If you’re from CA, WV, OR, MD, CO, VA, NM, ME, GA, NC, ID, IN, FL, MI, TX, NY, NJ, MN, NV, KS, IL, RI, AZ, CT, AL or OK you’ve got a direct line to those who are supposed to ride herd on the abusers.

Planning on voting next year? Planning on voting for an incumbent? Then you’re not really doing the minimum you can to bring about change. No one cares about your sign-waving or online protest. Remember those Occupy people? Remember all the reforms to the financial system they brought about?

Yeah….

No one will listen to you? Do what Google, Facebook, AT&T, Verizon and everyone else you’re angry at does: form a lobby, raise money, and button hole those who can actually make something happen. You need to play the game to win.

I’m not defending bad behavior. I used to live and breath Ft. Meade, but I’ve come dangerously close to being “lost” thanks to the ham-handedness of how they’ve handled things. But let’s not pretend that we – all of us – are lifting a finger to do anything meaningful about it. You’re walking around your house naked with the drapes open and are surprised when people gather on the sidewalk – including the police who show up to see why a crowd is forming – to take in the view. Yes, that’s how you roll in your castle, but don’t pretend you care about keeping it personal.

Explaining Computer Security Through the Lens of Boston

Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are on-going as this is being drafted. Details may change, but the conclusions should not.

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily – to help make sense of computer security – a complicated and multi-faceted problem few understand well.

  1. You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (only happens once a year). Your business on-line however, is an opportunity that presents itself 24/7. You can no more protect your enterprise against attack than the marathon could have been run inside of a giant blast-proof Habitrail. Anyone who tells you different is asking you to buy the digital equivalent of a Habitrail.
  2. It doesn’t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but most of the techniques that cause problems online are not advanced. Why would you expose your best weapons when simple ones will do? In the physical world there is a complicating factor of the difficulty of getting engineered weapons to places that are not war zones, but like the improved explosives used in Boston, digital weapons are easy to obtain or, if you’re clever enough, build yourself.
  3. Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional – even international – law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks might leave evidence behind, but you can’t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn’t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, shooting cops and throwing explosives from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.

The response to the bombings in Boston reflect an exposure – directly or indirectly – to 10+ years of war. If this had happened in 2001 there probably would have been more fatalities. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.

Business Does Not Care About Your Chinese Cyber Problem

If you have spent more than ten minutes tracking cyber security issues in this country you know that if there is a Snidely Whiplash in this business it’s the Chinese. If it’s not the government its “patriotic hackers,” or some variation on those themes. The argument over “APT” rages on (is it a ‘who?’ Is it a ‘what?’) and while not clearly labeled “Chinese” we now have “adversaries” to worry about.

Setting aside issues related to the veracity of such claims, let me just state unequivocally: No one cares.

If you are a regular reader you know me and my background (if you don’t here is a snapshot), so you know that I know the scope and scale of the problem and that I’m not talking about this issue in a state-on-state context. My problem is that too many people are trying to extend that context into areas it is ill-suited. In doing so they are not actually improving security. They may in fact be perpetuating the problem.

Rarely do you talk to someone at the C-level – someone who has profits and Wall Street and the Board on his mind – who gives a shit about who his adversary is or what their motivations are. The occasional former military officer-turned-executive will have a flash of patriotic fervor, but then the General Counsel steps up and the flag would be furled. In the end the course of action they all approve is designed to make the pain go away: get the evil out of the network, get the hosts back online, and get everyone back to work. I haven’t talked to every executive about this issue, so your mileage may vary, but one only need read up on the hack-and-decline of Nortel understand what the most common reaction to “someone is intentionally focused on stealing our ideas,” is in the C-suites of American corporations.

This is not a new problem. You have never, ironically, heard of d’Entrecolles. American industrial might wasn’t a home-grown effort: we did the same thing to our cousins across the pond. Nortel is only a recent example of a worst-case industrial espionage scenario playing out. Ever heard of  Ellery Systems? Of course you haven’t.

IP theft is not a trivial issue, but any number of things can happen to a given piece of IP once it is stolen. The new owners may not be able to make full or even nominally effective use of the information; the purpose or product they apply the IP to has little or nothing to do with what the IP’s creators are using it for; the market the new owner is targeting isn’t open to or pursued by the US; or in the normal course of events, what made the IP valuable at the point of compromise might change making it useless or undesirable by the time its new owners bring it to market.

Companies that suffer the fate of Ellery and Nortel are notable because they are rare. Despite the fact that billions in IP is being siphoned off through the ‘Net, there is not a corresponding number of bankruptcies. That’s not a defense; merely a fat, juicy data point supporting the argument that if the fate of the company is not in imminent danger, no one is going to care that maybe, some day, when certain conditions are met, last week’s intrusion was the first domino to fall.

If you are honestly interested in abating the flow of IP out of this country, your most effective course of action should be to argue in a context that business will not only understand but be willing to execute.  Arguing Us vs. Them to people who are not in the actual warfighting business is a losing proposition. The days of industry re-orienting and throwing their weight behind a “war” effort are gone (unless you are selling to PMCs). “More security” generally comes at the expense of productivity, and that is a non-starter. Security done in a fashion that adds value – or at the very least does not serious impede the ability to make money – has the potential to be a winner.

I say ‘has the potential’ because to be honest you can’t count on business decision-makers caring about security no matter how compelling your argument. Top marks if remember the security company @Stake. Bonus points if you remember that they used to put out a magazine called Secure Business Quarterly that tried to argue the whole security-enabling-business thing. Did you notice I said “remember” and “used to?”

We have to resign ourselves to the very real possibility that there will never be an event so massive, so revealing, that security will be a peer to other factors in a business decision. While that’s great for job security, it also says a lot about what society values in the information age.

Dust off Khrushchev while we’re at it

Kissinger’s call for detente would make a lot more sense if the analog to “cyber” was the cold war, MAD, etc.

It is not.

I have a lot of respect for the former SECSTATE, but to be mildly uncharitable, he doesn’t really have a lot to add to this discussion. None of his cold war ilk do. “Cyber” is pretty much the closest thing to a perfect weapon anyone has seen in history (you can claim “it wasn’t me!” and no one can prove definitively otherwise in a meaningful time frame). Proposed solutions that ignore or give short shrift to this basic fact are a colossal waste of time, which is all cold war retreads have at this point. No one who can use “cyber” as a meaningful weapon for intelligence or combative activities is going to surrender one byte of capability. No security regime that has been proposed stands up to a modicum of scrutiny once the most basic, practical issues are raised. We need to hear proposals that have at least one foot rooted in reality because the threat is here and now; ideas whose success depends on a world that doesn’t currently exist and is unlikely to (did I mention no one in their right might would give up capability? I did, good) are consuming cycles we could be using to come up with something practical.

The Importance of Being There

There is nothing new or special about the “cyber” aspect to the Arab Spring. The use of the Internet and tools that ride on and through it by pro- and anti-regime elements in China, Serbia, Mexico . . . we’ve been seeing this for at least 15 years and every time it surfaces it’s the same breathless coverage about how new, and game changing it all is.

I guess I have different definitions for those words.

“Cyber” might make it easier to organize or communicate if you’re the rebel force, but it’s not going to overthrow the government: that takes people putting themselves in physical danger. To steal a phrase I learned in the Army: If you’re not there, you don’t own it. The difference between “cyber” and pamphleteering? The medium. That’s it.

In the future, it would be great if we focused on what really mattered during events like this: the meat-space strategies and tactics and heroics that actually lead to change, not the fact that the rebels are using the online tool-of-the-month. Actually, it would be better if someone wrote an article about how such tactics alone rarely lead to real-world success, but something tells me that won’t sell a lot of newspapers.

Mission First, People Always

Not going to repeat the now well-worn story of Walter Reed-related issues, merely wanted to take a minute to point out a trend and offer up a lesson.

There was a time when, while serving on active duty, the Army just decided to stop paying me. Never did figure out what happened, the checks just stopped coming. I worked through the chain. I trusted it. I accepted the fact that things move slowly in the Army. I waited. I followed up. I waited some more. I exhausted every internal option available to me as I watched my savings dwindle (the chow hall was great, but I still had other bills to pay).  When loan defaults loomed I wrote my Senator who at the time was Army veteran Daniel Inouye.

Roughly 72 hours later I had a check for all my back pay and a line outside my barracks room door of members of my chain of command from battalion-level on down asking if everything was OK, and would I please work through the chain of command to resolve future problems ’cause we really get the heebie jeebies when Senator’s offices call.

The pay problems of one buck sergeant don’t compare to the woes of outpatients at Walter Reed, but this story – and many others any GI will be happy to relate to you – are indicative of the general mindset of those at the top. Nothing is their problem (“If you sloppy GI’s wouldn’t keep food in your rooms there wouldn’t be a rat problem”)  until someone makes it their problem, and that “someone” is never going to be someone they outrank. The operative phrase is “mission first, people always” until people do what people do and then it becomes “people whenever.”

Under different circumstances I’m sure everyone highest levels of Army medicine and the Department of the Army are great folks, but that they responded in typical Army fashion to this situation is beyond shameful. I hope this serves as a lesson for a wider variety of defense and national security leadership: fat lot of good your big initiatives are going to be if you are undone by the little things.