
Hitachi


Our living environment is rapidly becoming networked: smartphones and tablets are spreading, the move toward a smart society is progressing, and home electronics products are increasingly equipped with communication functions. However, such developments also mean that there are numerous intrusion pathways for "malware," or software with malicious intent.

Malware intrudes into devices and systems using every available means to escape monitoring. Hitachi has developed a new analysis system designed to prevent damage caused by malware.

(Publication: October 31, 2014)

Requirements for defense against increasingly sophisticated and cunning malware

Can you first explain what malware is?

Photo: SHIGEMOTO Tomohiro

SHIGEMOTO: "Malware" is short for "malicious software," and represents computer viruses, spyware, etc. Such software or programs had their own categorical names in the past. However, they gradually became diversified and complicated in nature, and their definitions became less distinctive. That is why all software with malicious intent is now referred to as "malware."

Once infected by malware, there may be information leakage, destruction of systems and other damage. So detection and disinfection of malware is very important as a security measure. But recent malware behaves in extremely cunning ways, employing a variety of elaborations to avoid detection.

For example, there is a growing number of malware that persistently conducts "targeted attacks" against specified companies and other selected parties, and this has become a major problem. Such types of malware may operate only in an environment where certain operating systems (OS) or applications are installed, or stay hidden and dormant for some time after successfully invading the targeted organizations. This raises the risk of the targeted parties assuming that "there is no problem as no suspicious activity is observed" and leaving the malware untreated.

There are also cases in which malware is embedded in confidential documents. In such cases, the documents cannot be entrusted to outside security vendors for analysis due to the confidentiality. Thus, many problems have arisen that hinder the detection and disinfection of malware.

Figure 1: Example of cunning malware (document-infecting malware)

Malware is designed to take various measures to escape detection?

Photo: NAKAKOJI Hirofumi

NAKAKOJI: That's right. Compared to the past, malware is now developed for different purposes. Earlier, computer viruses were developed so that the developers could demonstrate how great their own techniques were to the general public, and thus they behaved in a showy manner. Such software programs were created with the intention of infecting as many devices and systems as possible.

In contrast, recent malware has different objectives, including stealing money and attacking antagonistic organizations or nations. The attackers are becoming increasingly professional and criminal. In line with this change, the behavior of malware has also changed so that it slowly intrudes the target bit by bit and acts maliciously without being noticed. This is known as a "low-and-slow" approach.

As this shows, malware is becoming more sophisticated and cunning, and detection of malware is becoming more difficult by the day. I know many people have installed anti-virus software on their PCs, but it is said that the rate at which anti-virus software can detect new malware has become about 50% in recent years.

Isn't 50% rather shocking?

NAKAKOJI: Sure, it has a big impact. It means that about half of new malware programs can no longer be detected by the anti-virus software people currently use. In other words, half of them may have already intruded into companies and households. That is why it is advised that future security against malware should take "countermeasures" based on the assumption that intrusion cannot be avoided.

SHIGEMOTO: The malware analysis system we have studied and developed securely analyzes the behaviors of what is suspected to be malware and provides "analysis results that facilitate countermeasures" so that countermeasures may be taken when malware infection occurs. As analysis is conducted automatically, you don't have to be an analysis expert; you can see the results and take countermeasures accordingly.

* Microsoft Office Word is a product name of Microsoft Corporation of the U.S.
* Windows PowerShell is a registered trademark or trademark of Microsoft Corporation in the U.S. and other countries.
* Microsoft Office and Excel are registered trademarks or trademarks of Microsoft Corporation in the U.S. and other countries.

Operation environment for malware

How is the malware analysis system structured?

SHIGEMOTO: One of the major features of the system is that it has approximately 80 types of environments, called sandboxes, in which malware is allowed to operate. They are designed to analyze malware that operates only under selected environments. The behavior of malware cannot be grasped unless it is operating. That's why we have prepared "environments in which malware can easily operate" by making different combinations of operating systems, installed applications, physical environments and virtual environments. In selecting the combinations for the execution environments, we utilized Hitachi's accumulated know-how on malware analysis and investigated websites publicizing information on vulnerabilities.

The system also employs three types of analysis engines to obtain logs of malware behavior in each sandbox. This is because there is malware that will stop operating if it detects a specific analysis engine.

NAKAKOJI: To date, professional malware analysts have observed the behavior of malware by manually making it operate in each kind of environment. If the malware does not operate in a certain environment, the environment is changed a bit and another attempt is made. If the malware still does not operate, another attempt is made by again changing the environment. The analysts have had to do this repeatedly. However, this is very difficult work. For example, it takes a lot of time simply to install an OS. People practicing such analysis told us about the difficulties they faced in trying to make the malware operate. And we thought, "If that's the case, things should become easier if we prepare as many operating environments as possible and test them simultaneously." This was the starting point of our idea.

You were successful in preparing an environment where malware will operate in a short period of time?

SHIGEMOTO: Exactly. However, as those environments were not sufficient on their own, we also prepared virtual network environments. Some types of malware avoid detection by first checking whether they can communicate with the outside. For example, a certain type of malware accesses an ordinary, non-malicious website in its first communication and, after confirming that communication is in order, starts to behave as malware. In order to get such malware to operate, the virtual network environments respond to the malware in the same way as if it were connected to the network. This makes it possible for the malware to determine that it can communicate with the outside and start operating.

Figure 2: Overview of the malware analysis system

Photo: NAKAKOJI Hirofumi

NAKAKOJI: Let me show you by conducting an actual analysis. The malware is selected and input into the system. Now you can see many small windows on the screen. Each window is a sandbox. Malware behaviors are now being observed simultaneously in each environment, or sandbox. As you can see, the displays in some windows have changed, showing that applications have started. These are the environments in which the malware is operating. Windows that show no change mean that those environments are not a target of the malware. This demonstration may seem to indicate that analysis is fairly simple, but that is because we are showing you the analysis of malware that brings about changes in the windows in a clear manner. Not all types of malware show activity as evidently as in this demonstration.

In this way, we have the malware operate in various environments and obtain behavior observation logs. After observations are completed, the system, which has been infected by the malware, is automatically cleaned up. The system is restored to its original state and accepts the next malware. This is how it works.

Priority of reporting based on "ease of countermeasure"

What does the system do after the malware starts to operate in many sandboxes?

NAKAKOJI: The system automatically analyzes the logs produced by the sandboxes. The volume of the logs is huge, as they describe all behaviors and are produced by every sandbox. Measured by data volume, the logs of active malware performing many actions total approximately 10 gigabytes. For reference, converted to Japanese manuscript paper (400 characters per page), the data would fill about 12.5 million sheets. Naturally, it would take too much time to read and analyze such logs.

SHIGEMOTO: That's why we have constructed a mechanism for the system to extract and analyze, from among the logs, information that would suggest the likelihood of malware, and to display a report. It was already known that there are several patterns in the characteristics of actions that appear to be those of malware. We recognized that there were various patterns and have collected such know-how as explicit knowledge of patterns. We have also incorporated such know-how as "viewpoints of analysis," which we gathered through hearings with experts.

How are the analyzed results indicated?

SHIGEMOTO: We have devised it so that a single screen shows the entire picture of the malware's behaviors. Specifically, each sandbox is shown as a single line, which makes it possible to identify at a glance, on the single screen, which environments the malware actively operated in, along with the characteristics of the operating malware.

NAKAKOJI: When we take security measures, we assume that the intrusion of malware is unavoidable. So we place emphasis on measures to prevent the malware from connecting to malicious websites or to the attackers. That is why we have arranged for the information on what the malware tried to connect to to be shown at the center of the screen.

The next thing that those who prepare countermeasures are concerned about is the environment in which the malware operated, that is, with what OS and what applications installed. This is a concern because they need to caution users who use the same environment. Thus, we have also elaborated on displaying the reports for each environment so that they can be read easily.

Figure 3: Sample screens displaying the analysis results

* Adobe and Adobe Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the U.S. and other countries.
* Microsoft Office is a registered trademark or trademark of Microsoft Corporation in the U.S. and other countries.
* Oracle and Java are registered trademarks of Oracle Corporation and its subsidiaries and affiliates in the U.S. and other countries.
* VMware and VMware vSphere ESXi are registered trademarks or trademarks of VMware, Inc. in the U.S. and other countries.
* Windows is a registered trademark or trademark of Microsoft Corporation in the U.S. and other countries.
* Windows Vista is a registered trademark or trademark of Microsoft Corporation in the U.S. and other countries.
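The reporting step described in this section (one line per sandbox, the destinations the sample tried to contact placed first, and the affected environments called out so that users of the same OS and application set can be warned) can be illustrated with a small log summarizer. The following is an added example, not Hitachi's code and not a description of the actual system: the log line format, the sandbox inventory, the event names, the four "viewpoints" it checks (a process spawned from the document viewer, an outbound connection, a dropped executable, a Run-key persistence entry) and the destination names are all constructed assumptions for illustration.

```python
"""Summarize per-sandbox behaviour logs into a one-line-per-sandbox report.

Added example (not Hitachi's code). Log format, sandbox inventory, event
names, analysis viewpoints and destination names are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sandbox inventory: sandbox id -> (OS, installed applications)
SANDBOXES = {
    "sb01": ("Windows 7", ("Office 2010", "Reader 9")),
    "sb02": ("Windows 7", ("Office 2010", "Reader 11")),
    "sb03": ("Windows 8.1", ("Office 2013", "Java 7")),
    "sb04": ("Windows XP", ("Office 2003", "Reader 9")),
}

# Constructed behaviour log, one event per line: "sandbox|seq|event|detail"
SAMPLE_LOG = r"""
sb01|1|process_start|WINWORD.EXE sample.doc
sb01|2|process_start|powershell.exe -enc <redacted>
sb01|3|net_connect|www.example.com:80
sb01|4|net_connect|c2.invalid:443
sb01|5|file_write|%APPDATA%\svc.exe
sb01|6|registry_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
sb02|1|process_start|WINWORD.EXE sample.doc
sb03|1|process_start|WINWORD.EXE sample.doc
sb04|1|process_start|WINWORD.EXE sample.doc
sb04|2|process_start|cmd.exe /c start a.exe
sb04|3|net_connect|c2.invalid:443
sb04|4|file_write|C:\WINDOWS\Temp\a.exe
""".strip()

PERSISTENCE_KEY = "\\currentversion\\run\\"   # compared case-insensitively
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass
class SandboxResult:
    sandbox: str
    os_name: str
    apps: tuple
    traits: set = field(default_factory=set)      # viewpoints that fired
    destinations: list = field(default_factory=list)  # in order of first contact

    @property
    def active(self):
        # A sandbox counts as "active" when any viewpoint beyond the
        # initial document open fired; otherwise it was not a target.
        return bool(self.traits)


def parse_log(text):
    """Group events by sandbox and order them by sequence number."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sandbox, seq, event, detail = line.split("|", 3)
        events[sandbox].append((int(seq), event, detail))
    for evs in events.values():
        evs.sort()
    return events


def analyze_sandbox(sandbox, events, inventory):
    """Apply the four constructed viewpoints to one sandbox's events."""
    os_name, apps = inventory.get(sandbox, ("unknown", ()))
    result = SandboxResult(sandbox, os_name, apps)
    starts = 0
    for _, event, detail in events:
        if event == "process_start":
            starts += 1
            if starts > 1:  # something beyond the document viewer was launched
                result.traits.add("spawn")
        elif event == "net_connect":
            result.traits.add("connect")
            if detail not in result.destinations:
                result.destinations.append(detail)
        elif event == "file_write" and detail.lower().endswith(EXEC_SUFFIXES):
            result.traits.add("drop")
        elif event == "registry_set" and PERSISTENCE_KEY in detail.lower():
            result.traits.add("persist")
    return result


def build_report(text, inventory=SANDBOXES):
    """Return per-sandbox results plus a count of how many sandboxes hit each destination."""
    events = parse_log(text)
    results = [analyze_sandbox(sb, events[sb], inventory) for sb in sorted(inventory)]
    destinations = Counter(d for r in results for d in r.destinations)
    return results, destinations


def affected_environments(results):
    """Operating systems in which the sample actually ran (for warning users)."""
    return sorted({r.os_name for r in results if r.active})


def format_report(results, destinations):
    lines = []
    for r in results:
        status = "ACTIVE" if r.active else "no activity"
        lines.append(f"{r.sandbox}  {r.os_name} / {', '.join(r.apps)}  {status}  "
                     f"dest: {', '.join(r.destinations) or '-'}  "
                     f"traits: {','.join(sorted(r.traits)) or '-'}")
    lines.append("")
    lines.append("Block first (destination, number of sandboxes that contacted it):")
    for dest, n in destinations.most_common():
        lines.append(f"  {dest}  {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    results, destinations = build_report(SAMPLE_LOG)
    print(format_report(results, destinations))
    print("Affected environments:", ", ".join(affected_environments(results)))
```

The destination counter is what puts the "block this first" information at the top of the report: a destination contacted from several environments is the one that a network-level countermeasure should cover first, and the affected-environment list tells the defender which OS and application combinations need their users warned.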

Creating a system that evolves in anticipation of changes in environments

What are the good points about this system?

Photo: SHIGEMOTO Tomohiro

SHIGEMOTO: We have been verifying this system by analyzing about 400 types of malware to date. In doing so, when I actually see malware programs that operate only in certain environments, I find meaning in this system's concept of analyzing malware in parallel using many sandboxes.

Moreover, the system has automated all operations that had earlier been conducted manually by analysis experts, significantly shortening the time required for analyses. While it took about an hour to manually analyze a single sample, this system can complete the same task in about 15 minutes. So it represents an approximately 75% time reduction.

NAKAKOJI: Another attractive point of the system is that it is physically configured as a single package. You can carry it around, as the entire system is installed in a single rack. For example, it is possible to bring this system into an organization that is not allowed to move the sample out of the company and to conduct analysis onsite. Customers are able to buy the system and conduct analysis by themselves. I think demand for the system will grow in the future, as there is an increasing number of cases in which confidential information is infected by malware.

SHIGEMOTO: On top of that, the system can identify the environments in which the malware can operate. This should also be advantageous even for conventional manual analysis, as it provides a benchmark for how to create the analytical environments.

Are there any issues you are currently working on to improve the system?

SHIGEMOTO: Constructing the analytical environments of the malware analysis system is a never-ending process. We need to keep adjusting the sandboxes, as new OSes and applications will emerge going forward. We will also replace the analysis engines with better ones when necessary.

NAKAKOJI: The same is true for the mechanism of analysis, and improvements are underway even now. If new types of malware appear, the focus of analysis should be changed. Accordingly, we have adopted a system configuration that allows us to add or delete analysis modules easily.

Devotion to creating a secure environment

It seems that there will be no end to the study of network security.

SHIGEMOTO: Indeed, you are right. New types of malware will continue to surface one after another, and we must continue our research against them. However, my stance has remained the same since I joined Hitachi. The final goal of protecting the network is to create a safe and secure network. My ideal is to create a world without any malware or, if such exists, a world that is kept secure through a systematic mechanism to autonomously maintain security, like the functions of human immunity.

I said the same thing when I was interviewed for a different development story, and my thinking remains the same. I devote myself to research and development work every day so that I can get closer to my ideal, one step at a time.

Photo: NAKAKOJI Hirofumi

NAKAKOJI: In my thinking, "security" is an area that is hard to tap even if you are good at mathematics or programming. In a sense, it is a world of cheating each other, if I dare say, where the winners are those who are the most cunning. It's just an aside, but there was a news report saying that microchips to spread malware had been embedded in electric irons that were recently imported from abroad. Once the irons are connected to power outlets, the chips work to find wireless LAN networks in homes or offices and get connected. The malware then conducts malicious acts. Just an electric iron—it's quite amazing, isn't it? But such is the reality of the world of security.

However, if you can forgive me for saying so, I find this interesting as I conduct research. I create countermeasures with the thought of "doing this to outwit what my opponent has done," and then the opponent outwits what I have done. I find this battle of attack and defense to be really thrilling.

Hitachi is engaged in an extremely extensive scope of business fields: not only the information-related business but a variety of businesses, including social infrastructure, that provide a variety of devices and services. This means that there are numerous potential points of malicious attack. While we do not know what may become the victim of the attacks, we must produce ideas regarding security measures, possibly before the attacks are made. I am involved in the research work, pressed by this sense of mission, while enjoying the thrill of the battle.

Notification

  • Publication: October 31, 2014
  • Professional affiliation and official position are at the time of publication.