Using Vaccination to Stop Malware in Real-Life Scenarios

May 15, 2017


Erez Breiman

Caught in the middle of a malware outbreak without sufficient preventative mechanisms, how can the organization contain the malicious program, to give itself the opportunity to remediate the underlying issues and restore business operations? Malware vaccination can play a powerful role in stopping the spread of malware to help the enterprise gain control over the incident.

Malware Vaccination: Stopping the Outbreak

The WannaCry outbreak highlights the challenges of defending legacy systems and services that are hard to patch, isolate and otherwise protect without impeding performance, violating vendor contracts or inconveniencing business users. As we already know, WannaCry uses a well-known exploit to access vulnerable machines via the SMB protocol. Optimized for speed of propagation, this worm doesn’t attempt to hide itself or to evade detection mechanisms. After all, systems that are missing patches and that are not isolated behind a firewall that blocks unnecessary ports are also missing baseline antivirus and other endpoint security products. Organizations can contain the spread of malware to such systems by employing malware vaccination to stabilize the situation.

WannaCry Infection Map (credit: @MalwareTechBlog)

Just as vaccines help the human immune system develop immunity by imitating an infection, a computer system can be immunized against malware that checks whether it has already infected the system and, if so, stops. Malware adopts this behaviour so that a second copy doesn’t crash or run into other stability or performance issues that might jeopardize its success. However, employing such inoculative techniques in a manner that scales in the enterprise and doesn’t break production applications is difficult to achieve without an underlying framework designed to control how malware “perceives” its environment.

Generating Infection Markers for Production Environments

Shortly after the initial WannaCry outbreak, the security community created several utilities designed to vaccinate systems against this malware. To understand how they work and what limitations they have, we must first understand a common way in which malware infection markers are implemented.

Malware such as WannaCry, which avoids infecting the same system more than once, often generates its infection marker by creating a specific operating-system object called a mutex.

In a user mode Windows environment, each mutex has a context – either session context (it is only visible to processes in the same session) or global context (it is visible to all processes on that machine). When you log on to your Windows machine, you get your own session (typically session #1). However, WannaCry takes advantage of a vulnerability in one of Windows’ services that resides in session #0. As a result, the malware that resides in session #0 can’t see the infection marker that was created in the user’s session and therefore will not terminate itself.

The majority of WannaCry vaccination tools generate the infection marker mutex in session #1, the context of the system’s interactive user. They might appear to stop this malware in a lab environment, but they will not stop real-life WannaCry attacks: outside the lab, the worm runs in session #0, the session exploited by the campaign, and from there it cannot see a mutex created in session #1. The inoculation therefore looks effective in the lab but does not stop WannaCry in production environments.
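As an added example (not the Vaccinator tool’s code or any script from the original post), the following PowerShell shows the namespace distinction the paragraphs above describe. It creates a placeholder marker mutex in both the session-local (Local\) and the global (Global\) namespace, reports which one can be opened from the current session, and gives a defender a way to check where a vaccination marker actually landed. The marker name is constructed for illustration and is not the worm’s real mutex name.

```powershell
# Added example, not Minerva's Vaccinator code. Demonstrates that a named mutex
# created without the "Global\" prefix lives in the creating session's namespace,
# while a process in session 0 resolves unprefixed names against the global one.
# The marker name is a constructed placeholder, not a real malware mutex name.

$MarkerName = 'EXAMPLE_INFECTION_MARKER'   # placeholder, constructed for this example

function Test-NamedMutex {
    # Returns $true if a mutex with exactly this name can be opened from the caller's context.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false                 # no object of that name in the namespace we can see
    } catch [System.UnauthorizedAccessException] {
        return $true                  # the object exists, but its DACL denies us access
    }
}

function New-MarkerMutex {
    # Creates the marker in the namespace named by its prefix and reports whether it was new.
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, $Name, [ref]$createdNew)
    [pscustomobject]@{ Name = $Name; CreatedNew = $createdNew; Handle = $mutex }
}

# 1. A session-local marker, which is what an unprefixed name becomes when created
#    from an interactive user session (session 1). Most early vaccines did only this.
$localMarker  = New-MarkerMutex -Name "Local\$MarkerName"

# 2. A global marker, the namespace that services running in session 0 resolve
#    unprefixed names against. This is the one a session-0 worm instance would see.
$globalMarker = New-MarkerMutex -Name "Global\$MarkerName"

$session = (Get-Process -Id $PID).SessionId
"Running in session $session"
"Local\$MarkerName  openable from here : $(Test-NamedMutex "Local\$MarkerName")"
"Global\$MarkerName openable from here : $(Test-NamedMutex "Global\$MarkerName")"

# To verify from the service side, run Test-NamedMutex "Global\$MarkerName" under an
# account in session 0 (for example via a scheduled task running as SYSTEM) while
# the user-session script above is still holding its handles.

# Disposing the last handle removes the objects again; a real vaccine keeps them open.
$localMarker.Handle.Dispose()
$globalMarker.Handle.Dispose()
```

The point of the check is that a vaccine which only ever creates the Local\ object leaves the global namespace empty, so a worm instance spawned by an exploited session-0 service finds no marker and proceeds; a marker that must be seen from session 0 has to be created with the Global\ prefix (or from session 0 itself).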

In contrast, the free Vaccinator tool that Minerva released is effective against real-life WannaCry attacks, based on the samples we have seen so far. This is because the utility protects session #0, as long as the user installs the tool according to the instructions in the corresponding readme file. The following is a comparison between our Vaccinator tool and one of the other publicly available tools:


Simulating Infection Markers for the Real World

In addition to making sure the infection markers are seen in the context that actually affects malicious programs, the challenges of malware vaccination for the real world include avoiding cluttering the system with infection markers over time. After all, such artifacts include not only mutex objects, but also file names, registry values, process names etc. The challenges include:

  • Generating infection markers consumes system resources that impact machine performance (creating multiple files, mutexes, etc.) and is a particular burden for older or weaker systems, like some of those affected by WannaCry.
  • Generating infection markers makes it impractical to monitor when an artifact is being accessed in order to detect attacks and perform forensics.
  • Generating infection markers for all sessions on the system can be technologically challenging.
  • Rapidly deploying, removing and monitoring infection markers across the numerous enterprise systems can be impractical.

Minerva’s core competency in causing malware to disarm itself is grounded in the Minerva VR™ platform, which allows us to control how malicious programs perceive their environment on the endpoint. This capability allows us to simulate infection markers rather than actually creating the artifacts.

Our centrally managed approach to vaccination does not have the restrictions listed above:

  • It doesn’t utilize system resources that impact machine performance.
  • It monitors access to all simulated artifacts, reporting to the central console and to the other security solutions in your organization to make them work more effectively.
  • It simulates the malware artifacts regardless of the attack vector or exploit being used to execute it (even for fileless attacks).
  • It’s easy to deploy and manage across large, distributed enterprises, regardless of how old the legacy systems may be.

The Minerva Anti-Evasion Platform allows enterprises to gain control over a malware outbreak in the real world.