1. The case for proactive behavioral analysis

2. Multi-layered protection

3. More about DeepGuard

4. How DeepGuard works

5. Exploit interception

6. False positives prevention

7. Conclusion



1. The case for proactive behavioral analysis

One of the most demanding challenges security programs have had to address in the last few years has been the increasing diversification of attack vectors through which malware can arrive onto a host machine, especially as more applications, networks and services become hosted on or accessible over the Internet. This has been of particular concern with the growing popularity of online-based attacks that exploit vulnerabilities in applications installed on a machine in order to run malicious code.

Some of the difficulties involved in dealing with modern attacks stem from major changes in the threat landscape that have taken place in the last ten years or so, including:

Exponential growth in malware

Since the mid-2000s, when malware creation kits that automated the process of producing malicious programs first became widely available, the numbers of malware samples seen by antivirus labs have grown exponentially, with hundreds of thousands of new or variant strains being created and propagated every month. In addition to the overwhelming numbers, many of these variants are designed to live only for a short time, sometimes only days or hours, in a deliberate attempt to overwhelm antivirus programs by sheer volume.

Attacks move online

The days when malware was most commonly distributed via e-mail attachments are long gone. Today, the most common attack vector is through a silent drive-by download during a visit to a compromised legitimate site or a malicious website that hijacks traffic from search engines or compromised sites. By moving distribution from direct delivery to the target machines to the nebulous online world, malware distributors and attackers not only increase their target audience but also make it much harder to prevent infections. Without a mechanism to identify the attack site and prevent users from visiting it, the user’s machine can be successfully exploited without any overt sign that an attack has occurred.

Malware becomes a cybercrime tool

The consequences of an infection have also changed as organized criminals increasingly engage in cybercrime. Data and identity theft and monetary fraud are all criminal activities that have in recent years been facilitated by malware, in some cases in staggering amounts. For example, the United States Federal Bureau of Investigation (FBI) reported in a 2012 Senate hearing [1] that $14 million in “illegal fees” were generated in the 2011 Ghost Click click-bot operation. With most real-world authorities lacking the resources or political will to prosecute cybercrimes, there is strong monetary incentive for cybercriminals to continue and improve their online activities.

Popular software is heavily targeted

Although almost any software can contain vulnerabilities, of particular interest to cybercriminals and other attackers are vulnerabilities in popular applications, such as Java Runtime Environment (JRE), Adobe Reader, Microsoft Office and web browsers. These programs typically have millions of users, making them prime targets for attack.
Many of these applications have multiple known vulnerabilities, and though most are fixed by security patches released from the vendors, the time needed to develop and deploy these fixes to all affected machines still leaves an interval in which the users are vulnerable. Additionally, new or zero-day vulnerabilities are periodically found for which no patches are yet available, leaving the users wide open for exploitation.

Exploit kits make attacking easier

The advent of commercial-grade exploit kits such as BlackHole, Cool Exploit or Sweet Orange, which automate the process of scanning and exploiting a user’s machine within seconds of a visit to an attack website, has significantly lowered the level of technical expertise cybercriminals need to successfully infect new victims with malware.

Exploit kits have transformed vulnerability exploitation from a niche activity into a common attack vector. The growing amount of malware distributed using exploit-based methods has in turn led to a need for on-host security solutions that are able to identify and block attempts to exploit vulnerabilities in installed programs, before malware can be successfully dropped onto the machine.

Targeted attacks make detection harder

More focused targeted attacks can involve more obscure exploits and delivery mechanisms. These attacks typically use document or executable files carefully crafted to fit the profile of the intended victim, taking into account their topics of interest, preferred operating system and any security programs they may be using. The highly specific nature of these attacks makes them particularly difficult to detect using traditional signature-based detections.

Identifying clean programs becomes more critical

The number of clean or non-malicious applications globally available today runs into the millions, far more than the normal user is likely to be familiar with at any one time. The abundance of programs, their easy accessibility over the Internet and the need to stay abreast of constant program updates all make it cumbersome for security solutions to depend solely on local, user-driven white- and black-listing to provide adequate protection.
The majority of programs seen on a typical machine are clean, so correctly identifying non-malicious software is a significant step towards pinpointing truly harmful programs for further attention. Eliminating false positives on clean files is also critical in optimizing a security program’s performance and of course, minimizing interference with the user’s experience.

Given the various challenges presented by today’s more complex computing realities and more fluid threat landscape, traditional signature-based scanning is now just one layer of a multi-tiered approach to endpoint security. Cloud-based file and web reputation checking, HIPS (Host-based Intrusion Prevention System) and behavior analysis have all become integral components of the modern proactive protection system.

2. Multi-layered protection

F-Secure’s multi-layered approach to security comprises the following modules, each designed to address a particular aspect of the threat landscape and to work together to provide a complete solution:

As mentioned before, most attacks and malware downloads today take place online. Ideally, protection should begin even before the machine environment is reached, by preventing exposure to possible infection points - and so, enter Browsing Protection.
To prevent users from inadvertently visiting compromised legitimate or outrightly malicious sites, Browsing Protection provides critical assessment of a website’s security. If the site is known to be malicious, or contains features that render it suspect, the user is cautioned against entering it. To deal efficiently with the millions of sites available on the Internet and their constantly fluctuating changes in security, Browsing Protection’s functionality is based on lookup queries to F-Secure’s Security Cloud (see page 4), which includes a database of known safe and malicious files and websites. The entries are updated automatically in real-time based on rules maintained by response analysts.

Though Browsing Protection is able to prevent most visits to known malicious sites, it’s always possible to stumble onto an unrated or newly compromised or malicious site, or for malware to be introduced onto the host machine some other way, perhaps on removable media. If a suspect file does successfully arrive on the machine, it is then subjected to multiple layers of security checks.
Whenever a file arrives on a machine, is installed or modified, it is first scanned using a traditional signature detection engine to determine if it is a known threat. The scanning engine uses custom, family, generic and heuristic detections, which respectively identify specific malware, families of malware with similar features, and broad ranges of malicious physical features and behavior patterns. If the file’s characteristics match those of previously seen malware, it is blocked.
Though often overlooked in favor of more sophisticated technology, signature-based scanning is still an effective method of identifying and blocking the vast majority of malware seen to date, protecting users against lingering threats such as Downadup or Melissa, which debuted and peaked years ago but are still present in the wild, where they continue to infect new victims. The effectiveness of this check depends on keeping the signature database updated with the latest detections.  

If the file isn’t identified as a known threat, a query is sent to F-Secure’s cloud infrastructure to gather the latest metadata available for the file. Analysis is subsequently handled by DeepGuard, which collectively handles all the behavioral analysis, process monitoring and exploit interception of suspect files, both at the point of application launch and during execution.  


3. More about DeepGuard

Put simply, DeepGuard observes an application’s behavior and prevents any potentially harmful action from successfully completing. The apparently simple nature of this task belies its importance, however, as this proactive, on-the-fly monitoring and interception serves as the final and most critical line of defense against new threats, even those targeting previously unknown vulnerabilities.

Behavior-based analysis addresses the Achilles’ heel of signature-based scanning: the need for analysts to have an actual sample of the malware in order to create the signature to identify it. Given the huge numbers of malware constantly being created and distributed, new threats will often be able to successfully infect at least one victim in the wild before most antivirus labs are able to acquire a sample, analyze it and issue a detection.

Behavior-based detection covers that crucial gap between the first appearance of new malware and the first signature detection being issued for the threat. By moving the focus from unique physical characteristics to patterns of malicious behavior, DeepGuard can identify and block programs performing harmful actions, even before an actual sample has been acquired and examined.

For example, out of all Zeus crimeware infection attempts reported in April 2013, 80% involved previously unseen variants. In those cases, DeepGuard successfully prevented infection by recognizing the file’s malicious behavior and blocking the attack. Subsequently, signature databases were updated to identify these samples, but for users facing new threats, DeepGuard’s proactive analysis provides immediate protection against infection.

In 2011, an entirely rewritten DeepGuard engine was introduced that included (among numerous other improvements) a switch from using hard-coded scanning logic to an updateable detections database. Response Labs analysts constantly monitor the threat landscape and analyze the latest threats in order to determine the best way to identify malicious behavior. Being able to update the scanning engine with the results of this research keeps DeepGuard consistently effective against the latest threats.

Given the short-lived nature of most malware variants, signature detections tend to have narrow windows of effectiveness before the malware they detect ‘expires’. In contrast, DeepGuard detections can effectively identify malware over a much longer period, as malware behavior is much less mutable. For example, on 12 July 2012, DeepGuard was updated with one new detection, while the signature database received 600 new additions. Nine months on, in March 2013, tests run using the same database set against a random collection of more recent malicious samples showed the DeepGuard detection blocking 12 times more infections of the newer malware than the ‘aged’ set of signature detections.

The proactiveness and longevity of DeepGuard detections is illustrated in Chart 2 (above), which is based on detection statistics from F-Secure’s internal systems for Urausy ransomware variants. The DeepGuard detection was able to identify variants (and therefore block attempted infections) earlier and continued to do so for longer, while the equivalent signature detection peaked and then declined rapidly as newer Urausy variants appeared. (The signature detection’s higher peak is because it sits in a defense layer ahead of DeepGuard and so sees the samples first; had those signature detections missed, DeepGuard would have shown the high peak instead.)

DeepGuard’s updateable detection logic is especially useful in countering attacks that exploit vulnerabilities in installed programs in order to run malware on a machine. In such cases, the dropped malware itself can be spotted and blocked by signature or behavior-based scanning. To halt the attack at an even earlier stage however - that is, at the point of exploitation - Response Labs analysts examine the exploit mechanism for tell-tale actions or behavior patterns, and then incorporate the research results into DeepGuard’s scanning engine. It is then able to pinpoint and block suspicious actions that bear the hallmarks of a vulnerability exploit attempt, preventing malware from being dropped on the machine at all.

By taking into account characteristic exploitation mechanisms as well as the features and behavior of malware being dropped on the system, DeepGuard can effectively identify and block threats on the fly, even when faced with totally new malware targeting zero-day vulnerabilities.

4. How DeepGuard works

DeepGuard’s behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running.

4.1 Pre-launch analysis
When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:

File reputation check
If an Internet connection is available, DeepGuard sends a query to the Security Cloud (see page 4) to check for the latest information on the program’s reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by Response Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.

For the user, the clean file cloud lookup functionality offers a number of advantages. Being able to use the security verdict for a known file from the clean file database not only removes the burden of identifying unknown or unfamiliar programs as legitimate or malicious from the user, it also means unnecessary security checks on clean files can be avoided. At the same time, by reducing to a manageable level the volume of software that needs to be individually evaluated, the ability to still white- or black-list selected programs becomes more meaningful. And finally, even when the product’s signature databases are outdated or rarely updated, DeepGuard can still use the most up-to-date file reputation information to fine-tune its analysis.

Behavioral analysis
If the program is flagged as suspicious during the file reputation check, or if Internet access is unavailable, DeepGuard executes it in a virtual environment and observes its behavior for malicious actions, such as attempting to self-replicate, edit or delete critical system files, and so on.  
Response Labs analysts continually research and update DeepGuard’s scanning logic with detections for the most effective behavior patterns needed to spot malware. These detections may identify specific malware families (which typically share similar features or behavior) or they may more generally identify suspect actions, such as attempting to hide from process enumeration programs, which are indicative of malicious intent. The analyst’s ability to tweak DeepGuard’s engine in this manner permits an element of human discretion and flexibility, to provide a more fine-grained and ultimately more accurate analysis.

Prevalence rate check
DeepGuard includes a module that focuses on a file’s prevalence rate. Clean files typically have thousands or millions of users, making them highly prevalent. In contrast, malware samples are comparatively rare. According to statistics generated from F-Secure’s internal systems monitoring known threats, in a random sample of malicious programs found in the first four months of 2013, 99.7% of the threats were rarely seen in our user base. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage.

Judgement on execution
Based on the file’s reputation and behavior during emulation, DeepGuard makes one of four possible judgements:

a) The file is malicious and blocked
b) The user is given the option to allow or deny the launch
c) The file is clean and allowed to execute
d) The file’s status as clean or malicious is still unknown

If the file is blocked from launching, a notification message is displayed (see Image 1, previous page) providing additional details and an option to whitelist the program, if so desired.

If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.
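The pre-launch flow described above (file reputation check, behavioral analysis in a virtual environment, prevalence check and the four judgements), as an added Python illustration; this is not F-Secure’s code. The cloud database entries, the family and generic behavior patterns, the prevalence cut-off and the rule that generic detections on an otherwise unknown file hand the choice to the user are assumptions.

```python
"""Pre-launch decision flow modelled on section 4.1: reputation check, behavioral
analysis in a virtual environment, prevalence check, then one of the four
judgements. Added illustration; the database entries, detection patterns and
cut-offs below are constructed assumptions."""
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    BLOCK = "a) malicious, blocked"
    PROMPT = "b) user chooses allow or deny"
    ALLOW = "c) clean, allowed to execute"
    UNKNOWN = "d) unknown, allowed but monitored"


# Constructed stand-in for the Security Cloud clean-file database:
# file hash -> (reputation, prevalence in the user base).
CLOUD_DB = {
    "hash-of-editor": ("clean", 2_500_000),
    "hash-of-known-bot": ("malicious", 12),
    "hash-of-odd-tool": ("suspicious", 3),
    "hash-of-new-util": ("unknown", 40_000),
}
RARE_PREVALENCE = 100  # assumed: fewer users than this counts as rare

# Constructed stand-ins for the updateable detection database.
FAMILY_DETECTIONS = {   # behaviour combinations shared by a malware family
    "ransom-like": {"enumerate_documents", "overwrite_files", "delete_backups"},
}
GENERIC_DETECTIONS = {  # single actions indicative of malicious intent
    "hide_from_process_list", "self_replicate", "edit_system_files",
}


def cloud_lookup(file_hash: str, online: bool) -> Optional[Tuple[str, int]]:
    """File reputation check; None when no Internet connection is available."""
    if not online:
        return None
    return CLOUD_DB.get(file_hash, ("unknown", 0))


def behavioral_analysis(observed: set) -> Tuple[Optional[str], set]:
    """Match behaviour recorded by the virtual environment against detections;
    `observed` stands in for what the emulator saw."""
    family = next((n for n, p in FAMILY_DETECTIONS.items() if p <= observed), None)
    return family, observed & GENERIC_DETECTIONS


def pre_launch(file_hash: str, online: bool, observed: set) -> Tuple[Verdict, list]:
    """Decide whether a program may launch; returns the verdict and its reasons."""
    reasons = []
    rep = cloud_lookup(file_hash, online)
    if rep is None:
        reputation, prevalence = "unknown", 0  # offline: no reputation data
        reasons.append("cloud unreachable")
    else:
        reputation, prevalence = rep
        reasons.append(f"reputation={reputation} prevalence={prevalence}")
    # Known-clean files skip the remaining checks; known-bad ones are blocked.
    if reputation == "clean":
        return Verdict.ALLOW, reasons
    if reputation == "malicious":
        return Verdict.BLOCK, reasons
    # Suspicious, unknown or offline: run it in the virtual environment.
    family, generic = behavioral_analysis(observed)
    if family:
        reasons.append(f"family detection: {family}")
        return Verdict.BLOCK, reasons
    if generic:  # assumed policy: generic hits alone hand the choice to the user
        reasons.append(f"generic detections: {sorted(generic)}")
        return Verdict.PROMPT, reasons
    # Prevalence check: rare or suspicious files stay under closer scrutiny.
    if prevalence < RARE_PREVALENCE or reputation == "suspicious":
        reasons.append("rare or suspicious file: closer process monitoring")
        return Verdict.UNKNOWN, reasons
    reasons.append("no suspect behaviour, prevalent file")
    return Verdict.ALLOW, reasons
```

Note that a known-clean file is allowed even if the emulator would have flagged it, which is exactly the bypass the text describes; offline, an unknown file has no prevalence data and therefore lands in the monitored ‘unknown’ state.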

4.2 During application execution 程序运行中

Even after a program has successfully passed pre-launch analysis and is executed, DeepGuard continues to monitor its behavior as a precaution against delayed malicious routines, a common tactic used by malware to circumvent runtime checks. This form of quiet vigilance also allows DeepGuard to provide constant protection for the user without visibly intruding on their experience by displaying excessive prompts.

Process monitoring
Applications are monitored for a number of suspicious actions, including (but not limited to):
• Modifying the Windows registry
• Editing files in certain critical system directories
• Injecting code in another process’s space
• Attempting to hide processes or replicate themselves

As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.

If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low-prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked.


5. Exploit interception

Starting in 2013, DeepGuard also employs two exploit interception methods that extend the dynamic protection of on-host behavioral analysis by focusing specifically on monitoring the processes of programs that are commonly targeted for exploitation and on document file types commonly used to deliver exploits.   

5.1 Monitoring exploit-prone programs

The first method focuses on frequently exploited programs such as Java Runtime Environment (JRE), Adobe Reader, Microsoft Office and so on. These programs are kept under especially close watch and are blocked more aggressively if malicious behavior is detected.
Of course, which programs become favored targets is unlikely to stay fixed. For example, it was only in the last two years that JRE superseded Adobe Reader as the most exploited software; in the future, another program may assume that unenviable distinction. The specific programs chosen by DeepGuard for closer attention can be updated by Response Labs analysts when necessary, a responsive approach that allows DeepGuard to adapt to changes in the threat landscape.  

5.2 Monitoring for document exploits

Some document types, such as Microsoft Word or Adobe PDF, are commonly used to deliver exploits. Thus, any software used to open these types of documents is also subject to greater attention by the second exploit interception method, which scrutinizes these programs closely for suspicious behavior caused by malicious document files.
This form of exploit interception addresses the most common form of targeted attacks, which involve sending carefully crafted, exploit-loaded documents to the intended victim or organization, such as occurred during the 2011 RSA breach and the early 2013 attacks reported as ‘Red October’ [4]. In these cases, booby-trapped Excel and Word files were used to exploit well-known vulnerabilities in these programs.
By focusing on detecting malicious actions originating from document files, this single method in DeepGuard is able to provide significant breadth of coverage against document-based exploits, regardless of the file’s physical features or the specific vulnerability being targeted.

6. False positives prevention

A separate beta detections module that was added to DeepGuard in 2011 facilitated an understated but important improvement to the accuracy of the scanning engine’s performance.
Beta detections contain the full detection logic needed to identify and block exploit attempts, but are instead configured by response analysts to simply notify the Security Cloud each time the detection would have been triggered by a file being analyzed.
This beta-testing process provides response analysts with crucial information on the effectiveness of these detections, allowing them to fine-tune the logic to prevent potential false positives before actually releasing them for real-world use.
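The runtime process monitoring of section 4.2, with the lowered thresholds for rare files and exploit-prone programs from sections 4.2 and 5 and the beta detections of section 6, as one added Python illustration (not F-Secure’s code). The event format, action names, threshold values, exploit-prone image list and detection patterns are constructed assumptions; only the mechanism follows the text.

```python
"""Runtime monitoring modelled on sections 4.2, 5 and 6: count suspect actions
per process, lower the critical threshold for rare files and exploit-prone
programs, and let beta detections notify instead of block. Added illustration;
every identifier and value below is a constructed assumption."""
from collections import defaultdict
from dataclasses import dataclass, field

# Suspicious actions from section 4.2 (identifiers assumed).
SUSPICIOUS_ACTIONS = {"registry_write", "system_dir_write", "code_injection",
                      "process_hide", "self_replicate"}
# Sections 5.1/5.2: exploit-prone programs and document readers watched more
# closely (assumed image names; the text says analysts update this list).
EXPLOIT_PRONE = {"java.exe", "acrord32.exe", "winword.exe", "excel.exe"}
BASE_THRESHOLD = 4           # assumed: suspect actions tolerated for a common file
RARE_THRESHOLD = 2           # assumed: lowered threshold for low-prevalence files
EXPLOIT_PRONE_THRESHOLD = 1  # assumed: exploit-prone programs block on first hit
RARE_PREVALENCE = 100        # assumed: fewer users than this counts as rare
# Updateable detections as (name, action pattern, beta). A beta detection
# (section 6) only notifies the Security Cloud instead of blocking.
DETECTIONS = [
    ("drop-and-inject", frozenset({"system_dir_write", "code_injection"}), False),
    ("registry-then-hide", frozenset({"registry_write", "process_hide"}), True),
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value ...' event line."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["prevalence"] = int(ev.get("prevalence", "0"))
    return ev


def threshold_for(image: str, prevalence: int) -> int:
    """Critical threshold for a process: the lowest applicable limit wins."""
    limit = BASE_THRESHOLD
    if prevalence < RARE_PREVALENCE:
        limit = min(limit, RARE_THRESHOLD)
    if image.lower() in EXPLOIT_PRONE:
        limit = min(limit, EXPLOIT_PRONE_THRESHOLD)
    return limit


@dataclass
class Monitor:
    seen: dict = field(default_factory=lambda: defaultdict(set))  # pid -> actions
    blocked: set = field(default_factory=set)
    beta_reports: list = field(default_factory=list)              # would-have-blocked

    def feed(self, line: str) -> str:
        """Process one event; returns 'allow', 'block' or 'beta-report'."""
        ev = parse_event(line)
        pid = ev["pid"]
        if pid in self.blocked:
            return "block"
        if ev["action"] not in SUSPICIOUS_ACTIONS:
            return "allow"
        actions = self.seen[pid]
        actions.add(ev["action"])
        hits = [(name, beta) for name, pattern, beta in DETECTIONS
                if pattern <= actions]
        # A released detection blocks outright; so does reaching the threshold.
        if (any(not beta for _, beta in hits)
                or len(actions) >= threshold_for(ev["image"], ev["prevalence"])):
            self.blocked.add(pid)
            return "block"
        # Only beta detections matched: record what would have fired.
        self.beta_reports.extend((name, pid, ev["image"]) for name, _ in hits)
        return "beta-report" if hits else "allow"

EVENTS = [  # constructed event stream
    "pid=100 image=setup.exe prevalence=500000 action=system_dir_write",
    "pid=200 image=WinWord.exe prevalence=900000 action=code_injection",
    "pid=300 image=dropper.exe prevalence=5 action=registry_write",
    "pid=300 image=dropper.exe prevalence=5 action=self_replicate",
    "pid=400 image=updater.exe prevalence=300000 action=registry_write",
    "pid=400 image=updater.exe prevalence=300000 action=process_hide",
    "pid=100 image=setup.exe prevalence=500000 action=code_injection",
    "pid=300 image=dropper.exe prevalence=5 action=file_read",
]

def run(events=EVENTS):
    """Feed a stream to a fresh monitor; returns (decisions, monitor)."""
    mon = Monitor()
    return [mon.feed(e) for e in events], mon
```

In the constructed stream the common installer survives two suspect actions until a released detection matches, the document reader is blocked on its first, the rare dropper on its second, and the beta detection on the updater is only reported.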

7. Conclusion

F-Secure’s security products use a multi-tiered approach comprising multiple components that address challenges presented by threats seen in the real world. The behavioral analysis and process monitoring functions performed by DeepGuard are critical in identifying and blocking the most sophisticated malware prevalent today.
DeepGuard provides immediate, proactive on-host protection against new and emerging threats by focusing on malicious application behavior, rather than through static identification of specific known threats. This shift in focus allows DeepGuard to identify and block even previously unseen malware based on their behavior alone, neatly providing protection until security researchers are able to analyze and issue a detection for that specific threat.
Through cloud lookups to F-Secure’s Security Cloud, DeepGuard is also able to use the latest file reputation information available for any previously encountered object to fine-tune its security evaluations, reducing the risk of false positives or redundant analyses that can interfere with the user’s experience.
DeepGuard’s on-host behavioral analysis also extends to intercepting attacks attempting to exploit vulnerabilities in popular programs in order to install malware onto the machine. DeepGuard is able to identify and block routines characteristic of an exploit attempt, preventing exploitation and in turn, infection. Exploit interception safeguards users from harm even when vulnerable programs are present on their machine.
DeepGuard combines sophisticated scanning engine technology with the technical expertise of F-Secure Response Labs analysts to perform accurate, fine-grained on-host behavior- and reputation-based analysis that ultimately significantly improves the user’s security.


Heuristic analysis technology introduced
DeepGuard 1.0 introduces behavioral analysis to complement existing signature-based detection technology. When a program is launched, DeepGuard performs two tests - a static check for features commonly found in malware and emulation of the program in a virtual sandbox to evaluate its behavior. Programs that show no features or behavior matching known malware are allowed to execute as normal; those with tell-tale characteristics or malicious routines are blocked from execution.

First AV product to incorporate cloud lookups
In addition to signature scanning and emulation, DeepGuard 2.0 queries the Security Cloud for an almost instantaneous check of a suspect file’s reputation. Response Labs analysts constantly monitor and update file reputation information, providing crucial human intelligence to the automated process.

File metadata used in DeepGuard detection logic
In addition to the signature detection and behavioral analysis layers, DeepGuard 3.0 includes a component that uses a file’s metadata - e.g., the file’s rarity, when it was first seen, related objects, and more - to gauge its threat potential. This feature allows malware to be identified using reputation-based factors such as whether the file was downloaded from a known malicious site, without needing further examination of its features or behavior.

2011 Prevalence logic increases effectiveness against rare files
DeepGuard 4.0 revises the scanning engine to use updateable detections and beta detections for false alarm reduction. It also improves the prevalence logic used to identify files that are both rare and malicious, a feature that proves decisive in winning both AV-Comparatives’ 2011 Product of the Year award and AV-Test’s 2012 Best Protection Award [3].

2013 Enhanced protection against exploit-based attacks
Malware infections facilitated by exploits targeting vulnerabilities in common applications have become a favored attack vector. DeepGuard 5.0 introduces enhanced behavior-based detection logic, including a module that monitors the runtime behavior of commonly targeted programs and potential attack files. This broad behavioral analysis approach allows DeepGuard to identify and intercept exploit-based attacks, regardless of the specific vulnerability targeted.

