Scott Register
VP, Product Management
Blog

ThreatARMOR provides Zero-Day Malware Immunity (ZDMI)

August 2, 2016 by Scott Register

Malware authors and security researchers live in a constant game of whack-a-mole; hackers develop a new technology for penetrating network defenses, stealing data, or obscuring their activities, and researchers scramble to bring new products and features to market to counter the new threat. While researchers develop the new defensive technologies, attackers have basically free reign until an offsetting security solution is widely available, at which time they roll out the next iteration of attack and the cycle begins again.

An early example of this cycle was the modest router security feature of allowing “established” connections only, which relied on stateless tracking of TCP flags and could be spoofed fairly easily for some attacks.  A more recent one is Zero Day Mutation, in which malware changes itself to escape detection by signature-based antivirus and IPS systems. Since signature-based systems can only block malware samples they’ve seen before, malware that can mutate itself can evade detection for a long enough period of time to damage servers, steal information, or hold an entire IT infrastructure for ransom.

As part of our ongoing security research, Ixia’s Application and Threat Intelligence (ATI) Research Center captures and analyzes thousands of new malware samples daily. We pay particular attention to their networking activity – what domains they search for, what sites they connect to for downloading new instructions or executables, where they send exfiltrated data.  We cross-reference all of those, and plug them into our big data analytics engine.

One of the things we note in our analysis is that the domain names used by malware cycle very quickly (for example, using Domain Generation Algorithms) because domain names are virtually free and can be generated programmatically and quickly. IP addresses used on the server side of those connections, however, tend to be reused much more often and will often be used by multiple bad actors for different campaigns. Especially with the currently prevalent IPv4 addresses, the addresses themselves are scarce and difficult to procure. Essentially, a hacker who doesn’t want to conceal his identity and motives and pay for an IP range must find and compromise an individual server, one that may be concurrently in use in another malware campaign, or he must hijack a range of IP addresses from their rightful owner via Internet routing manipulation. Neither of these is trivial, which means that malicious IP addresses are relatively scarce – totaling in the tens of millions out of 4.3 billion IPv4 addresses – and Ixia’s ATI Research Center has an extensive capability dedicated to tracking these IP addresses that are used in malware campaigns.

Until recently, Ixia made its Threat Intelligence research available primarily to customers of its security test products such as (BreakingPoint) with up-to-date malware and evasion techniques.  But now, this valuable threat database is available to customers in ThreatARMOR, Ixia’s Threat Intelligence Gateway. ThreatARMOR auto-updates every 5 minutes from the ATI Research Center’s Rap Sheet cloud database so it always has current information about the proliferation of malicious IPs currently in use. Only sites with 100% proof of malicious activity are blocked, clear on-screen proof is shown for any blocked packets, and all blocked sites are re-analyzed daily to see if they’ve been cleaned up. But because of the frequency of IP re-use, with many more live malware variants in the wild than there are distinct IP hosts for them to talk to, the majority of sites that even new malware variants must communicate with to function are already in the Rap Sheet database. This means that ThreatARMOR customers are automatically protected – even though a sophisticated zero-day malware evolution may be completely invisible to every antivirus, sandboxing, or malware detection tool.

In the case of the recent Locky ransomware variant discovered and dissected by the ATI Research Center’s Chuck McAuley, the malware used very advanced obfuscation and evasion techniques to avoid discovery by any AV or IPS tool.  It could sail through any of them completely unimpeded.  However, the malware needed to communicate out to an external server (79.170.44.88) to download the new instructions and code it needed to become effective. Fortunately, this IP address had already been in the Rap Sheet database for months, so all ThreatARMOR customers had complete immunity to the infection. The Rap Sheet for the site (shown below) details specific pieces of malware currently available at that site and also any internal IP addresses that have tried connecting to it – internal systems that should be cleaned up quickly. 

ThreatARMOR ZDMI

ThreatARMOR Rap Sheet for Locky variant controller site.

This is just one example, but it is typical of how ThreatARMOR delivers Zero Day Malware Immunity. ThreatARMOR is not signature-based, blocks only based on IP, and runs at line rate with invariant latency regardless of the size of the Rap Sheet database. It can block any number of IP addresses with no memory or performance impact. Backed by an accurate and expansive Rap Sheet database of IPs used for malicious purposes, ThreatARMOR can protect networks from Zero Day Mutations and other novel attacks that bypass signature-based only systems and wreak havoc on enterprise networks.

If you’d like to see for yourself how ThreatARMOR makes networks safer and improves the efficiency of your security operations, please contact us for a demo.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.