How the ShapeShifter Botwall Uses Morphing Code to Kill DDoS Attacks

Shape Security's Shuman Ghosemajumder takes us underneath the hood of his company's new polymorphic botwall.

Automation is at the heart of every botnet. This holds true from the most elaborate financial scams to DDoS-powered digital protests. To fight it, the team at Shape Security reasoned, they'd need to create a "botwall" that could deflect automated attacks. With its cloud- and hardware-based ShapeShifter, Shape says it's developed the first botwall of its kind, and the way it works is pretty fascinating.

Botnet-based attacks take on various manifestations, the most well-known being the distributed denial of service (DDoS) attack. Made famous by Anonymous and LulzSec, the DDoS attack harnesses thousands of computers together to overwhelm websites. Botnets can also be used to distribute malware like the Zeus Trojan, which is used to steal banking information and install CryptoLocker ransomware on an infected computer, or ZeroAccess (aka max++ and Sirefef), which has been used to mine bitcoins and pull off click fraud.

Building a wall to block automated malware distributed across a network is easier said than done, as modern viruses can mutate to avoid detection. Such malware, whether it's polymorphic or metamorphic, is tough to fight, but Shape Security decided to capitalize on that in developing a defense strategy. According to Shape Security VP of strategy Shuman Ghosemajumder, ShapeShifter's polymorphic code is vital to disrupting malware's automated ability to locate exploits.

Without botnets probing for security flaws, hackers have to rely on more manual methods, if they can pull it off at all, Shuman explained. In our chat, Shuman also talked about breaking malware's economic model, where one hacker can cheaply take on big organizations, and how ShapeShifter's team conceived of the novel "botwall" approach in the first place.

MOTHERBOARD: How did ShapeShifter come into being?

Shuman: The core inventor of the technology is Justin Call, our chief technology officer. Our lead investor Ted Schlein—from Kleiner Perkins Caufield Byers—had noticed, as had co-founders Sumit Agarwal and Derek Smith, that there was some level of automation involved in just about every major sophisticated attack they would see. Criminal organizations are looking for professionalism and efficiency just as legitimate organizations are; and automation is one of the primary tools that they use to achieve it in their various schemes and attacks.

What Ted had been talking about for some time was the need for a "botwall"—something that would be able to deflect automated attacks. Right now, whenever you've got something accessing your website that's automated and of unknown intent, by default it's allowed because that is just the way the web works. The web was designed to be able to facilitate machine-to-machine communication. The way that we mitigate automated accesses which are malicious is by trying to detect their intent, which is really difficult to do. It's difficult to read people's minds when they're accessing your website. If you could block everything that was automated, then that itself would deal with entire classes of attacks because regular people accessing your website are by definition not automated.

Unfortunately, there was no clear way to actually do this. So, Justin was the one that came up with the concept of how you could deal with automation as a class. That is where the idea for real-time polymorphism came from.

Can you describe polymorphism?

Polymorphism had been used for some time by malware to evade detection by anti-virus software. When you think about it, malware was basically using polymorphism as an anti-automation solution, because virus scanning is automated. Anti-virus creators would create different rules to detect malware. They would have signatures and heuristics, and because of the wide variety of malware that's out there, it's not really feasible to detect malware on your computer using a manual approach. It has to be automated. But, as soon as it's automated, then malicious hackers can start to deal with that using polymorphism. So, they change the code every single time they install a piece of malware on a new machine. Suddenly anti-virus has a really difficult or even impossible time being able to detect that infection.

So, we're turning that around and saying, "This has been such an effective tool as wielded by malware creators against anti-virus, so why don't we use it against the malware?" If you change the basic assumptions that are involved with your web application and make it polymorphic, then all of a sudden it becomes really difficult to create a script that applies to malware, botnet, and other types of automated attacks.
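To make the idea of "making the web application polymorphic" concrete, here is an added example that is not Shape Security's code and not part of the original interview. It models one way real-time polymorphism can work: every time a login form is served, its field names are replaced with fresh random ones, and the server keeps a one-time mapping back to the canonical names. A browser that reads the page it was actually served still works; a script with the original field names baked in, or one replaying names captured from an earlier page load, no longer matches anything. The form template, the `f_` prefix, the `_n` nonce field, and the regex-based rewriting are all assumptions made for the demonstration.

```python
import re
import secrets

# Constructed sample: the canonical login form as the application authored it.
LOGIN_FORM = (
    '<form action="/login" method="post">'
    '<input name="username" type="text">'
    '<input name="password" type="password">'
    '<input name="csrf" type="hidden" value="tok123">'
    '</form>'
)

NAME_ATTR = re.compile(r'name="([A-Za-z0-9_]+)"')
INPUT_TAG = re.compile(r'<input ([^>]*)>')
ATTR = re.compile(r'(\w+)="([^"]*)"')


class PolymorphicFormServer:
    """Toy model of real-time polymorphism (assumed design, not Shape's):
    each served copy of the form gets fresh random field names, and the
    server keeps a one-time mapping back to the canonical names, keyed by
    a per-response nonce carried in a hidden field."""

    def __init__(self):
        self._mappings = {}  # nonce -> {served_name: canonical_name}

    def serve(self, template=LOGIN_FORM):
        nonce = secrets.token_hex(8)
        mapping = {}

        def rename(match):
            served = "f_" + secrets.token_hex(6)
            mapping[served] = match.group(1)
            return f'name="{served}"'

        html = NAME_ATTR.sub(rename, template)
        html = html.replace(
            "</form>", f'<input name="_n" type="hidden" value="{nonce}"></form>')
        self._mappings[nonce] = mapping
        return html

    def accept(self, submission):
        """Translate a submission back to canonical names. Returns None when
        the nonce is unknown or already used, or when any field name does
        not belong to that served copy (a script working from stale names)."""
        mapping = self._mappings.pop(submission.get("_n"), None)  # one-time use
        if mapping is None:
            return None
        canonical = {}
        for served, value in submission.items():
            if served == "_n":
                continue
            if served not in mapping:
                return None
            canonical[mapping[served]] = value
        return canonical


def browser_submit(html, typed):
    """What a legitimate browser does: read the *served* form, keep hidden
    values as-is, and fill visible inputs by type from what the user typed."""
    submission = {}
    for tag in INPUT_TAG.findall(html):
        attrs = dict(ATTR.findall(tag))
        if attrs.get("type") == "hidden":
            submission[attrs["name"]] = attrs.get("value", "")
        else:
            submission[attrs["name"]] = typed[attrs["type"]]
    return submission


def run_scenarios():
    server = PolymorphicFormServer()
    typed = {"text": "alice", "password": "correct horse"}

    # 1. Legitimate browser: reads the served form and submits its current names.
    page = server.serve()
    accepted = server.accept(browser_submit(page, typed))

    # 2. Script with the canonical names baked in: the "assumptions about how
    #    a website works" that existing malware is written against.
    hardcoded = server.accept(
        {"username": "alice", "password": "x", "csrf": "tok123"})

    # 3. Script that captured field names from one page load and replays them
    #    against a later load: the names rotated, so nothing matches.
    first_page = server.serve()
    captured = browser_submit(first_page, typed)          # names from load #1
    second_page = server.serve()
    nonce_tag = INPUT_TAG.findall(second_page)[-1]        # the _n field of load #2
    captured["_n"] = dict(ATTR.findall(nonce_tag))["value"]
    replayed = server.accept(captured)

    return {"browser": accepted, "hardcoded": hardcoded, "replayed": replayed}


if __name__ == "__main__":
    print(run_scenarios())
```

The mapping is consumed on first use, so even a correct submission cannot be replayed; in a real deployment the same rotation would cover script names, URLs and other page structure, not just form fields, and the mapping store would need an expiry so abandoned page loads do not accumulate.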

Now, what's the advantage of using the ShapeShifter hardware that runs polymorphic software?

All of the technology is really software. The first version we made was a cloud-based prototype. The reason that we've been testing and have now launched a physical appliance is simply because the high end of the marketplace—financial services, healthcare, and major e-commerce players—still have physical data centers and they want to be able to plug something into it, which is the easiest method of deployment. But, we're still supporting the cloud model, and we'll have a virtual installation.

When I originally read about ShapeShifter, I noticed almost immediately that it could be deployed against DDoS attacks. That, of course, got me thinking about Anonymous. However, they don't seem to be the primary opponent that the botwall might encounter, no? 

I think it depends on the industry. As a technology, we are not aimed at one specific type of attack. Folks like Anonymous use automated means to be able to execute DDoS attacks. The way that they typically do it is by getting around even state-of-the-art DDoS defenses, which is done with an application DDoS attack. It actually reaches through the existing DDoS defenses and presses off the origin servers that can't be copied into the content delivery network (CDN).

The traditional DDoS attack just overwhelms the server with traffic. What defenders realized they could do is effectively increase the amount of traffic that their web server could absorb, like making copies of the content on that server onto thousands of different machines that would be distributed around the world. This was an approach that was originally designed to be able to make accessing of a website faster. So, if you copy the content of your web server to an intermediate server that is closer to the user accessing your website, then it's going to be a faster experience for them. The additional benefit of this is if somebody creates a DDoS attack against your website, suddenly you have maybe 1,000 or 10,000 times the capacity you had before to be able to absorb the traffic created by it.

Now, the problem is that there are certain types of content that you can't easily copy to a thousand different web servers around the world. There are things, like your databases, that have to be kept up to date in real-time in one central location. So, what attackers have realized is that rather than trying to just overwhelm a web server with dumb traffic, that they should instead try to create a more sophisticated attack that looks at dynamic parts of the application and then sends those requests, which are a much more efficient way of bringing a web server to its knees.

If you were to just request the front page of a web site a million times, then that's something a CDN could absorb. On the other hand, if the attacker were able to type in a value into a company's store locator, which actually has to communicate with their database, then it might only take a thousand requests instead of a million to bring down the server.
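The store-locator point above is why request counting alone is a weak signal for application-layer DDoS: a thousand cacheable front-page hits cost the origin nothing, while a thousand uncacheable database-backed requests can exhaust it. The following added example (not from the interview or from Shape Security) shows cost-weighted detection over a few constructed access-log lines: each endpoint is charged an assumed "origin work" cost, CDN-absorbed paths cost zero, and clients are flagged on summed origin cost rather than on request count. The log format, the endpoint cost table and the budget are assumptions for the demonstration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed per-request cost in arbitrary "origin work" units. Cacheable pages
# are served from the CDN edge and cost the origin nothing; dynamic endpoints
# that must query the central database cost much more.
ENDPOINT_COST = {
    "/": 0,                  # static front page, fully cacheable
    "/static/logo.png": 0,
    "/store-locator": 50,    # database query on every request, not cacheable
    "/search": 20,
}
DEFAULT_COST = 5             # unknown path: assume a cheap dynamic page

# Constructed sample log, one request per line: "client_ip method target status".
SAMPLE_LOG = """\
203.0.113.10 GET / 200
203.0.113.10 GET /static/logo.png 200
203.0.113.10 GET /store-locator?q=94107 200
198.51.100.7 GET / 200
198.51.100.7 GET / 200
198.51.100.7 GET / 200
198.51.100.7 GET / 200
198.51.100.7 GET / 200
192.0.2.44 GET /store-locator?q=00001 200
192.0.2.44 GET /store-locator?q=00002 200
192.0.2.44 GET /store-locator?q=00003 200
192.0.2.44 GET /store-locator?q=00004 200
192.0.2.44 GET /store-locator?q=00005 200
"""


def parse_line(line):
    """Split one constructed log line into (client_ip, path without query)."""
    client_ip, _method, target, _status = line.split()
    return client_ip, urlsplit(target).path


def endpoint_cost(path):
    return ENDPOINT_COST.get(path, DEFAULT_COST)


def origin_cost_by_client(log_text):
    """Aggregate request count and summed origin cost per client IP."""
    totals = defaultdict(lambda: {"requests": 0, "origin_cost": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, path = parse_line(line)
        totals[client_ip]["requests"] += 1
        totals[client_ip]["origin_cost"] += endpoint_cost(path)
    return dict(totals)


def flag_clients(log_text, budget=100):
    """Clients whose summed origin cost in the window exceeds the budget.
    Note that 198.51.100.7 sends as many requests as 192.0.2.44 but is
    never flagged: its traffic never reaches the origin."""
    return sorted(ip for ip, t in origin_cost_by_client(log_text).items()
                  if t["origin_cost"] > budget)


if __name__ == "__main__":
    for ip, t in origin_cost_by_client(SAMPLE_LOG).items():
        print(ip, t)
    print("over budget:", flag_clients(SAMPLE_LOG))
```

In practice the cost table would come from measured backend latency or database time per route rather than hand-assigned constants, and the window would be a sliding one so that a slow, steady trickle of expensive requests is caught as well as a burst.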

Is the major task now staying one step ahead of hackers? I'd imagine they'll set their sights on either being the one to prove they'd hacked ShapeShifter, or silently circumvent it for financial gain.

Hopefully several steps ahead. We've been working on this for more than two years, and we've tried to anticipate all of the different things that hackers could do in response. Of course, until there is wide adoption, you don't really know what attackers of the entire marketplace are going to do. But, we have a pretty sophisticated team that's dealt with online attacks for some time.

I previously led Google's ad click fraud protection team. Ad click fraud was the primary automated attack that Google would experience. And then Michael Coates led security at Mozilla.

If you're trying to anticipate attacks, did Shape Security simulate large scale DDoS or botnet attacks?

We actually have a relationship with a company that does that for us. I think that being able to create simulated attacks can be helpful in testing, especially experimental techniques. But, what turned out to be even more helpful was seeing whether or not ShapeShifter is effective when you throw actual malware toolkits against it.

How is that done?

There are a couple of different ways that we do that. One of the ways we did it was by getting a copy of the most expensive version of the Zeus framework that is out there. Another way we did it was by testing with one of the major banks that had collected a zoo of malware over their many years of operation. They threw that zoo at our ShapeShifter, and it was able to deflect 100 percent of the attacks.

You might think that this is an astounding claim, but it actually makes sense when you think about it because all of that malware is written on a certain set of assumptions about how a website works; and when you change those assumptions, the malware can't react to that. It needs to be rewritten.

The question then becomes how quickly does the malware get rewritten, and how difficult is it to rewrite? And this is where a change in what has traditionally constituted criminal activity comes into play. In the past, you might have seen more individuals who are interested in the challenge of trying to reverse engineer a new security technology. Now what we're seeing with criminal organizations is if they see even a bit of a barrier associated with attacking a company, they simply focus their resources on all of the other places they can still modify. This is because they are professional organizations.

In the Online Trust Alliance's 2013 report, the authors wrote that most companies don't even have the bare minimum of security practices in place. Do you think that will change in 2014?

I think you raise a really good point. We've certainly seen the banks and anybody who has a valuable set of data or applications that they want to protect take security very seriously. They have large, sophisticated security teams. We wanted to start at the high end of the market simply because we wanted to be able to demonstrate to the rest of the market that we can deal with the most sophisticated attacks out there.

But the rest of the market does think of security in a different way. In many cases, I think many small businesses do consider it an afterthought, and they're probably not going to invest proactively into it, unless they've had some kind of bad security-related experience. For that portion of the market, I think that the key value proposition we offer isn't necessarily that we will be able to protect you against these extremely sophisticated attacks, but that we'll be able to offer you state-of-the-art security that is easy to install.

A lot of other security technologies produce additional intelligence to be able to help sophisticated security teams. Then they dedicate a few people on their team to be able to deal with the reports coming from that technology, then the team acts on them. But that's not actually how our technology works. By simply deflecting all automated activity and attacks, you get immediate value out of deploying a ShapeShifter, which is value that even a smaller company can get.

One of the things that you guys have been talking about is that by deflecting automated attacks, ShapeShifter will force hackers to do a lot of the "dirty work" themselves.

That's one of the key points about breaking the economics of those attacks. If you can execute something very efficiently using millions of machines, then you can create an attack that is a lot more profitable than one where you have to have a human being involved in every step. In fact, there are certain types of attacks that aren't even possible using manual methods. Another thing that a lot of folks don't realize about manual attacks is that they also use automated tools to be able to identify targets of opportunity. If you break those automated tools, then even manual attacks become exponentially more difficult.

Right, then an exponential amount of time would have to be spent finding targets, not to mention the time that needs to be spent exploiting a vulnerability.

Exactly. It's easier to do something else. [laughs] There are lots of different scams that people have been running for many years, but if you make it much harder and more expensive to execute those scams using technology, then you can provide some very practical defense for websites that they just don't have right now.