{"id":7397,"date":"2017-04-20T06:00:35","date_gmt":"2017-04-20T14:00:35","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/20\/news-1188\/"},"modified":"2017-04-20T06:00:35","modified_gmt":"2017-04-20T14:00:35","slug":"news-1188","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/04\/20\/news-1188\/","title":{"rendered":"Combating a spate of Java malware with machine learning in real-time"},"content":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Thu, 20 Apr 2017 13:02:00 +0000<\/strong><\/p>\n<p>In recent weeks, we have seen a surge in emails carrying fresh malicious Java (.jar) malware that use new techniques to evade antivirus protection. But with our research team\u2019s automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats.<\/p>\n<p>Attackers are constantly changing their methods and tools. We know from many years of research into malware and cybercriminal operations that cybercriminals have go-to programming languages for their malicious activities, but they switch from time to time to slip past security solutions. For instance, we recently tracked how cybercriminals have <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/03\/15\/ransomware-operators-are-hiding-malware-deeper-in-installer-packages\/\">changed how they use NSIS installers<\/a> in order to evade AV and deliver ransomware.<\/p>\n<p>To help deliver real-time protection, our researchers use the Microsoft intelligent security graph, a robust automated system that monitors threat intelligence from a wide network of sensors. This system includes machine learning models, which drive proactive and predictive protection against fresh threats.<\/p>\n<h2>Tracking malicious email campaigns<\/h2>\n<p>Our sensors first picked up signs of the Java spam campaigns at the start of the year. 
Our automated tools, which can sort and classify massive volumes of malicious emails, showed us actionable intelligence about the surge of Java malware-bearing emails.<\/p>\n<p>These emails use various social engineering techniques to lure recipients to open malicious attachments. Many of the emails are in Portuguese, but we\u2019re also seeing cases in English. They pretend to be notifications for billing, payment, pension, or other financial alerts.<\/p>\n<p>Here are the most popular subject line and attachment file name combinations used in the email campaigns:<\/p>\n<table style=\"border: 2px solid #cccccc;width: 100%;background-color: #fafafa\">\n<tbody>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\"><strong>Subject<\/strong><\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\"><strong>Attachment file name<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">Segue em anexo Oficio Numero: &lt;number&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">Decis\u00e3o-Judicial.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">Servi\u00e7os de Cobran\u00e7as Imperio adverte, Boleto N&lt;number&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">2Via_Boleto_N&lt;number&gt;.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">\u201cCobran\u00e7a Extrajudicial\u201d Imperio Servi\u00e7os de Cobran\u00e7as<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">2Via_Boleto_N&lt;number&gt;.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">Payment Advice<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">Payment Advice.rar<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid 
#cccccc;text-align: center\">Curriculum Vitae &lt;Date&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">Curriculum_&lt;name&gt;&lt;number&gt;.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">FGTS Inativo &#8211; &lt;number&gt; &#8211; Disponivel para saque em &lt;number&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">SALDO_FGTS_MP_&lt;number&gt;.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">FGTS Inativo &#8211; &lt;number&gt; &#8211; Disponivel para saque em &lt;number&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">FGTS_-_MP_&lt;number&gt;.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">Extrato_FGTS_disponivel_em_sua_conta_inativa_de_N&lt;number&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">FGTS_Disponivel_N&lt;number&gt;.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">NEW PURCHASE ORDER (TOP URGENT)<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">BLUERHINETECHNOLOGY_EXPORT_PURCHASE_ORDER.zip<\/td>\n<\/tr>\n<tr>\n<td width=\"408\" style=\"border: 1px solid #cccccc;text-align: center\">NF-e &lt;number&gt;. Emitente &lt;number&gt; &#8211; GLOBECALL DO BRASIL LTDA. &lt;number&gt;<\/td>\n<td width=\"216\" style=\"border: 1px solid #cccccc;text-align: center\">NF-e-&lt;number&gt;.zip<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Figure 1. Most popular subject line and attachment file name combinations in email campaigns<\/em><\/p>\n<p>The attachments are usually .zip or .rar archive files that contain the malicious .jar files. 
The choice of .jar as attachment file type is an attempt by cybercriminals to stay away from the more recognizable malicious file types: MIME, PDF, text, HTML, or document files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1168\" height=\"720\" class=\"alignnone size-full wp-image-12025\" alt=\"java-malware-sample-email\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/java-malware-sample-email.jpg\" \/><\/p>\n<p><em>Figure 2. Sample malicious email carrying Java malware in a .zip file<\/em><\/p>\n<h2>Tracking updates in malicious code<\/h2>\n<p>In addition to information about the email campaigns, our monitoring tools also showed another interesting trend: throughout the run of the campaigns, an average of 900 unique Java malware files were used in these campaigns every day. At one point, there were 1,200 unique malicious Java files in a single day.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"966\" height=\"448\" class=\"alignnone size-full wp-image-12115\" alt=\"daily-volume-of-unique-java-malware\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/daily-volume-of-unique-java-malware1.png\" \/><\/p>\n<p><em>Figure 3. Volume of unique Java malware used in email campaigns<\/em><\/p>\n<p>These Java malware files are variants of old malware with updated code that attempt to evade detection by security products.<\/p>\n<p>The most notable change we saw in these new variants of Java malware is in the way they obfuscate malicious code. For instance, we saw the following obfuscation techniques:<\/p>\n<ol>\n<li>Using a series of append operators and a string decryption function<br \/> <img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"590\" class=\"alignnone size-full wp-image-12075\" alt=\"sample-obfuscated-java-malware-code\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/sample-obfuscated-java-malware-code.png\" \/><br \/> <em>Figure 4. 
Sample obfuscated Java malware code<\/em><\/li>\n<li>Using overly long variable names, making them effectively unreadable<br \/> <img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"528\" class=\"alignnone wp-image-12085\" alt=\"sample-obfuscated-java-malware-code-2\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/sample-obfuscated-java-malware-code-2.png\" \/><br \/> <em>Figure 5. Sample obfuscated Java malware code<\/em><\/li>\n<li>Padding the program with excess code, making code tracing more difficult<br \/> <img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"492\" class=\"alignnone wp-image-12086\" alt=\"sample-obfuscated-java-malware-code-3\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/sample-obfuscated-java-malware-code-3.png\" \/><br \/> <em>Figure 6. Sample obfuscated Java malware code<\/em><\/li>\n<\/ol>\n<p>Obfuscated code can make static analysis tedious. We use automated systems that detonate the attachments, effectively bypassing the obfuscation. When malware is detonated, we see its malicious intent and gain intelligence that we can use to prevent attacks.<\/p>\n<p>Our tools log the malicious behaviors observed during detonation and use these to detect new and unknown attachments. These malicious behaviors include:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"786\" height=\"606\" class=\"alignnone size-full wp-image-12095\" alt=\"java-malware-tracer-logs\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/java-malware-tracer-logs1.png\" \/><\/p>\n<p><em>Figure 7. Sample Java malware trace logs<\/em><\/p>\n<h2>From threat intelligence to real-time protection<\/h2>\n<p>Through automated analysis, machine learning, and predictive modeling, we\u2019re better able to deliver protection against the latest, never-before-seen malware. 
These expert systems give us visibility and context into attacks as they happen, allowing us to deliver real-time protection against the full range of threats.<\/p>\n<p>Context-aware detonation systems analyze millions of potential malware samples and gather huge amounts of threat intelligence. This threat intelligence enriches our cloud protection engine, allowing us to block threats in real-time. In addition to the Java malware, we also detect the payloads, which are usually online banking Trojans like <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Banker\">Banker<\/a> and <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Banload\">Banload<\/a>, or Java remote access Trojans (RATs) like <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Java\/Jrat\">Jrat<\/a> and <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Trojan:Java\/QRat\">Qrat<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"768\" class=\"alignnone size-full wp-image-12135\" alt=\"combating-java-malware-automation-machine-learning\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/combating-java-malware-automation-machine-learning2.png\" \/><\/p>\n<p><em>Figure 8. Automated systems feed threat intelligence to cloud engines and machine learning models, which result in real-time protection against threats<\/em><\/p>\n<p>Threat intelligence from the detonation system constantly enhances our machine learning models. 
New malicious file identifiers from the analysis of the latest threats are added to machine learning classifiers, which power predictive protection.<\/p>\n<p>This is how we use automation, machine learning, and the cloud to deliver protection technologies that are smarter and stronger against new and unknown threats. We automatically protect Windows PCs against more than 97% of Java malware in the wild.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"738\" height=\"419\" class=\"alignnone size-full wp-image-12125\" alt=\"detecting-java-malware\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/04\/detecting-java-malware1.png\" \/><\/p>\n<p><em>Figure 9. Breakdown of Java malware detection methods<\/em><\/p>\n<h2>Conclusion: Real-time protection against relentless threats<\/h2>\n<p>The email campaigns distributing Java malware account for a small portion of cybercriminal operations that deliver new malware and other threats. Cybercriminals are continuously improving their tools and modus operandi to evade system protections.<\/p>\n<p>Our research team is evolving how we combat cybercrime by augmenting human capacity with a combination of sensors, automated processes, machine learning, and cloud protection technologies. Through these, we are better able to monitor and create solutions against these threats.<\/p>\n<p>These protections are available in the security technologies that are built into <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\">Windows 10<\/a>. 
And with the\u00a0 <a target=\"_blank\" href=\"https:\/\/blogs.windows.com\/windowsexperience\/2017\/03\/29\/windows-10-creators-update-coming-april-11-surface-expands-markets\/\">Creators Update<\/a>, <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/help\/updatefaqs.aspx\">up-to-date<\/a> computers get the latest security features and proactive mitigation.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\">Windows Defender Antivirus<\/a> provides real-time protection against threats like Java malware and their payloads by using automation, machine learning, and heuristics.<\/p>\n<p>In enterprise environments, <a target=\"_blank\" href=\"https:\/\/products.office.com\/en-us\/exchange\/online-email-threat-protection\">Office 365 Advanced Threat Protection<\/a> blocks malicious emails from spam campaigns, such as those that distribute Java malware, using machine learning capabilities and threat intelligence from the automated processes discussed in this blog.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/itpro\/windows\/keep-secure\/device-guard-deployment-guide\">Device Guard<\/a> locks down devices and provides kernel-level virtualization-based security, allowing only trusted applications to run.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender Advanced Threat Protection<\/a> alerts security operations teams about suspicious activities on devices in their networks.<\/p>\n<p>It is also important to note that Oracle has been enforcing stronger security checks against legitimate applications using Java. 
For instance, starting with Java 7 Update 51, <a target=\"_blank\" href=\"https:\/\/www.java.com\/en\/download\/help\/java_blocked.xml\">Java does not allow Java applications that are not signed, are self-signed, or are missing permission attributes<\/a>. Oracle will also start <a target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/oracle-to-block-jar-files-signed-with-md5-starting-with-april-2017\/\">blocking .jar files signed with MD5<\/a>, requiring instead signing with SHA1 or stronger.<\/p>\n<p>However, the Java malware discussed in this blog is equivalent to executable files (as opposed to Java applets), so those applet checks do not apply to it. Here are some additional tips to defend against Java malware in enterprise environments:<\/p>\n<ul>\n<li>Remove the JAR file type association in the operating system so that .jar files don\u2019t run when double-clicked; .jar files then have to be run manually from the command line<\/li>\n<li>Restrict Java to <a target=\"_blank\" href=\"http:\/\/stackoverflow.com\/questions\/14304771\/restrict-java-to-only-execute-signed-jars\">execute only signed .jar files<\/a><\/li>\n<li>Manually <a target=\"_blank\" href=\"http:\/\/docs.oracle.com\/javase\/tutorial\/deployment\/jar\/verify.html\">verify signed .jar files<\/a><\/li>\n<li>Apply an email gateway policy to block .jar files as attachments<\/li>\n<\/ul>\n<p><em>Duc Nguyen, Jeong Mun, Alden Pornasdoro<\/em><br \/> <em> Microsoft Malware Protection Center<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/04\/20\/combating-a-wave-of-java-malware-with-machine-learning-in-real-time\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Thu, 20 Apr 2017 13:02:00 +0000<\/strong><\/p>\n<p>In recent weeks, we have seen a surge in emails carrying fresh malicious Java (.jar) malware that use new techniques to evade antivirus protection. 
But with our research team\u2019s automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats. Attackers are constantly changing their methods and tools. We&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,6148,12037,11137,9748,12036,12038,12039,10510,10518,12040,10761,11056,11774],"class_list":["post-7397","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-automation","tag-cloud-protection","tag-creators-update","tag-java","tag-java-malware","tag-machine-learning","tag-obfuscation","tag-social-engineering","tag-spam","tag-threat-intelligence","tag-windows-10","tag-windows-10-creators-update","tag-windows-defender-antivirus"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7397"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7397\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7397"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}