Prevention is better than cure

Eric Doyle

Black hat programmers are adapting biological and social engineering techniques to produce ever more virulent worms and viruses, reports Eric Doyle.

Infosecurity Today, March/April 2004, feature, pages 42-44

Programmers who develop malicious code or malware are using techniques drawn from biology and social engineering to trick users into unleashing worms and viruses.

The recent wave of MyDoom attacks used these techniques to spread rapidly, and left antivirus developers floundering in its wake. Reactions to MyDoom were swift, but not fast enough to choke off the worm’s spread. This is because current antivirus techniques are reactive. They depend on recognising specific malware before responding. This means new strains have a small window of opportunity before people develop an antidote, download and apply it — and that is enough to cause widespread misery.

The main challenge is to find the unique signature of each malware attack. Earlier, this was simpler because strains used identical chunks of code. But current polymorphic strains tend to disguise themselves using encryption. Superficially, identical viruses look different; any unique signature may be only the few bytes of code that decrypt the virus. The antivirus team has to find these common factors, and this sometimes means getting hold of two examples of the virus to compare code.

The situation is made worse because copycat malware bases itself on existing successful but recognised strains. Changing the signature allows malicious coders to re-release a known virus that can attack supposedly immunised systems.

The antivirus vendors’ response has been to develop methods, such as heuristics, to find and eliminate unknown viruses before they strike. Heuristics is a “successive best guess” problem-solving technique. At successive stages of a program, it chooses the most appropriate solution of several found by alternative methods, which it then uses in the next step of the program.

But this has drawbacks. Heuristic analysis carries a high processing overhead. And it often misidentifies harmless code — false positive identification.

Heuristic tactics vary. Some products scan the suspect file byte by byte looking for signature code. Others use sandboxes, a protected emulation environment, to allow suspect code to reveal itself.

All this makes it too obtrusive for most customers. So many vendors have relaxed the rigour of their analysis. Consequently, heuristic analyses are often not very good at catching new malware, otherwise MyDoom and SoBig would not have flourished.

A new way

Perhaps the time has come for a new way of looking at infections. One is to use techniques borrowed from immunology. Graham Cluley, senior technology consultant for antivirus specialist Sophos, explains, “The idea of comparing computer virology with biological virology has been around for seven years or so. I think IBM was one of the first companies to suggest it would build some sort of computer immune system. It never released a product, and sold the technology to Symantec, which seems to have hidden it under a bushel.”

Cluley is sceptical about current immunology-based approaches. “Look at what happens when you get the flu. Your immune system can fight it successfully but your entire body suffers. You’re in bed for a few days, you can’t work, you can’t function normally. I suspect that some of the digital approaches that mimic biology may have a similar effect on computer systems. Maybe the cure is worse than the condition.”

If an infectious disease is rampant in the real world, people take precautions against infection. For example, virtually everyone in south-east Asia wore air-filtering face masks during the SARS epidemic. The cyberspace equivalent would be to filter everything that enters the IT system. This would use firewalls and specialist appliances that connect the system to the Internet and/or external network.

One such example is CipherTrust’s IronMail. This is an email server appliance that uses traditional virus detection but also looks for anomalies. IronMail checks constantly for unusual behaviour, such as mass mail-outs, and stops them before there is any external damage.

Colin Gray, CipherTrust’s VP and marketing director for Europe, the Middle East and Africa, says, “Email is probably the most open application there is. Port 25 on the firewall, where SMTP and email traffic comes through, is open by definition. Last year all the major threats were email-borne viruses or Trojans. Blaster and SoBig infections spread by sending millions of the same email message very quickly. They took about five hours to spread worldwide, but IronMail recognised this as anomalous behaviour in less than two hours. If our customers had set their thresholds properly, IronMail was quarantining attachments and dropping connections before any signature identification was available from the major antivirus firms.”
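To make the gateway-side check concrete, here is an added example (my own illustration, not CipherTrust code and not IronMail's actual logic) of the threshold idea Gray describes: the gateway fingerprints every attachment and quarantines it once the same attachment has gone to more distinct recipients than a threshold allows within a sliding window, dropping further copies. The message format, the window, the threshold and the traffic stream are all constructed for the demonstration.

```python
"""Gateway detection of mass mail-outs by threshold (added example).

A simplified model of the anomaly check the article attributes to
IronMail: instead of matching a signature, the gateway fingerprints each
attachment and counts how many distinct recipients have received the same
attachment within a sliding window.  Past a threshold the attachment is
quarantined and further copies are dropped.  The message format, the
thresholds and the traffic below are constructed for illustration and are
not CipherTrust's format or defaults.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class OutboundMessage:
    ts: float          # seconds on a constructed clock
    sender: str
    recipient: str
    attachment: bytes  # raw attachment bytes, b"" when there is none


class MassMailDetector:
    def __init__(self, window_seconds=600, max_copies=20):
        self.window = window_seconds
        self.max_copies = max_copies          # distinct recipients tolerated per window
        self._seen = defaultdict(deque)       # fingerprint -> deque of (ts, recipient)
        self.quarantined = set()              # fingerprints judged anomalous

    @staticmethod
    def fingerprint(attachment):
        return hashlib.sha256(attachment).hexdigest()

    def observe(self, msg):
        """Return 'deliver', 'quarantine' (the copy that tripped the threshold) or 'drop'."""
        if not msg.attachment:
            return "deliver"                  # plain mail is outside this check
        fp = self.fingerprint(msg.attachment)
        if fp in self.quarantined:
            return "drop"                     # every later copy is refused
        history = self._seen[fp]
        history.append((msg.ts, msg.recipient))
        while history and msg.ts - history[0][0] > self.window:
            history.popleft()                 # forget copies older than the window
        distinct = len({rcpt for _, rcpt in history})
        if distinct > self.max_copies:
            self.quarantined.add(fp)
            return "quarantine"
        return "deliver"


def constructed_traffic():
    """Three ordinary messages, then one attachment sent to 30 recipients in 60 s."""
    msgs = []
    for i, rcpt in enumerate(["ann@example.org", "bob@example.org", "cy@example.org"]):
        msgs.append(OutboundMessage(100.0 + 30 * i, "alice@corp.example", rcpt,
                                    f"report-{i}.pdf contents".encode()))
    worm_payload = b"constructed worm attachment bytes"
    for i in range(30):
        msgs.append(OutboundMessage(500.0 + 2 * i, "alice@corp.example",
                                    f"victim{i}@example.net", worm_payload))
    return msgs


def run_demo(max_copies=20):
    """Run the detector over the constructed stream; return verdict counts and
    the time at which the attachment was quarantined (None if it never was)."""
    det = MassMailDetector(window_seconds=600, max_copies=max_copies)
    counts = Counter()
    quarantined_at = None
    for msg in constructed_traffic():
        verdict = det.observe(msg)
        counts[verdict] += 1
        if verdict == "quarantine" and quarantined_at is None:
            quarantined_at = msg.ts
    return dict(counts), quarantined_at


if __name__ == "__main__":
    print("threshold 20:", run_demo(20))   # trips 40 s into the burst
    print("threshold 50:", run_demo(50))   # never trips: everything delivered
```

The second run shows Gray's caveat about thresholds: set the limit above the size of the burst and the check never fires, while a limit set too low flags a legitimate newsletter or HR announcement, which is the same false-positive problem the article attributes to heuristics. In practice the threshold is tuned per organisation and known bulk senders get an allow-list or a higher per-sender limit.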

The weakness of a pure appliance approach is that it protects only the periphery of the company network. Mobile devices bypass these barriers. Worse, they behave like Typhoid Mary, carrying infections that do not harm them into systems to which they connect.

Finjan Software produces a range of software that protects various points of the infrastructure. These include the email and Web gateways, the server, the desktop and the laptop. Nick Sears, Finjan’s European vice president for sales, says, “There’s an imbalance between the assurance that antivirus provides and the risk that’s out there. To do that we need something that’s proactive. In other words, something that will stop a virus the first time it invades.”

Finjan’s technology is called Behaviour Analysis. Sears says it tracks any downloaded application or applet. “Anything coming into the gateway by Web or email is scanned for its behaviour,” he explains. “We can detect if, for example, a Java script from an email or a Web page will try to delete files or change settings in the registry. From pre-determined policy it recognises this as unacceptable behaviour and stops it before it ever gets to the user. At the desktop, any executable code that comes in from the Web or email is monitored in real time every time it runs — just in case it is a time bomb that triggers only under certain conditions.”

Sidebar: Grasping for the Holy Grail

Digital immunology promises to prevent many of the malicious code attacks suffered today and to do it proactively. What more tempting target for hackers could there be?

Experience has shown that, rather than be deterred, hackers and malware writers are inspired by these “foolproof” systems. For the dubious honour of cracking the uncrackable, they will find any weaknesses in the logic or the code. These will then be patched, and no doubt other weak spots found.

Until we can create a true cordon sanitaire around our information systems, a belt and braces approach seems to be best. This means that the reactive strategy will have a place in our security plans for some time yet.

The simplest, most effective way of detecting and removing malware is by using conventional signatures and heuristics, blocking by exclusion and enforcing good practice. Current intelligent systems may stop the virus from spreading but they act as traps and somehow the malicious code has to be excised. Isolating the virus is just the first step.

Before the malware game is no longer worth the candle for hackers, we will see attacks that mimic normal activity to fool the detection systems. This more subtle approach to malware is just around the corner, and it will be even more difficult to detect and eliminate than the present shape-shifting viruses. Just as the biological immune system has to adapt its defences to fight new viruses, and can fail, so the digital world may have to accept that there’s no such thing as 100% protection.

Choking the virus

Hewlett-Packard is researching yet other ways to police the network and its hardware. One is called Virus Throttling. This does not seek to kill the virus but to contain it before it does any damage.

Matthew Williamson, a research scientist at HP Labs, says, “You’re not trying to stop it categorically in the way that a signature does. A virus like Nimda may try to contact up to 400 different machines a second, depending on the spec of the infected machine. Let’s say normal behaviour is about one connection a second. Virus throttling uses this information to limit the number of machines that can be contacted in a second. If something tries to exceed the limit it is choked back and stopped, containing the virus to that machine. The machine is still infected, that’s very hard to avoid, but it is not spreading the virus and clogging up the network.”
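The mechanism Williamson describes above can be shown in a few lines. The following is an added example and not HP's code: it follows the structure of HP Labs' published throttle (a small working set of recently contacted hosts that connect freely, a delay queue for new hosts released at one per second, and a queue-length limit beyond which the machine is cut off), but the rate, set size, queue limit, host addresses and simulated traffic are constructed values chosen for the illustration.

```python
"""Virus throttling, simplified (added example; not HP's implementation)."""
from collections import deque


class VirusThrottle:
    """Limit the rate at which one machine can reach *new* hosts.

    - Hosts contacted recently sit in a small working set and connect freely.
    - A connection to any other host is 'new'.  New hosts wait in a delay
      queue and are released at `rate` per second (one per second here,
      Williamson's figure for normal behaviour).
    - If the queue grows past `queue_limit`, the machine is behaving like a
      worm (400 hosts a second fills the queue in a fraction of a second)
      and all further new connections are refused: the 'choked back and
      stopped' state in the text.
    """

    def __init__(self, rate=1, working_set_size=5, queue_limit=100):
        self.rate = rate
        self.working_set = deque(maxlen=working_set_size)  # oldest evicted first
        self.delay_queue = deque()
        self.queue_limit = queue_limit
        self.blocked = False
        self.delayed = 0   # connections held back for up to one second
        self.dropped = 0   # connections refused after the block trips

    def connect(self, host):
        """Verdict for one attempted outbound connection: allow, delay or block."""
        if self.blocked:
            self.dropped += 1
            return "block"
        if host in self.working_set:
            return "allow"
        if host not in self.delay_queue:
            self.delay_queue.append(host)
            if len(self.delay_queue) > self.queue_limit:
                self.blocked = True
                self.dropped += 1
                return "block"
        self.delayed += 1
        return "delay"

    def tick(self):
        """Once per second: let `rate` queued hosts through into the working set."""
        released = []
        for _ in range(self.rate):
            if not self.delay_queue:
                break
            host = self.delay_queue.popleft()
            self.working_set.append(host)
            released.append(host)
        return released


def simulate(new_hosts_per_second, seconds, queue_limit=100):
    """Drive a throttle with a constructed stream of fresh destinations."""
    throttle = VirusThrottle(rate=1, working_set_size=5, queue_limit=queue_limit)
    blocked_at = None
    host_id = 0
    for second in range(seconds):
        for _ in range(new_hosts_per_second):
            host = f"10.0.{host_id // 256}.{host_id % 256}"   # constructed address
            host_id += 1
            if throttle.connect(host) == "block" and blocked_at is None:
                blocked_at = second
        throttle.tick()
    return {"blocked_at": blocked_at, "delayed": throttle.delayed,
            "dropped": throttle.dropped}


if __name__ == "__main__":
    print("normal user, 1 new host/s:", simulate(1, 60))
    print("Nimda-like, 400 new hosts/s:", simulate(400, 5))
```

A user who opens one new connection a second is only ever delayed, never blocked, and repeat connections to the few hosts in the working set pass untouched; a Nimda-like spreader trips the queue limit within its first second and is cut off from the rest of the network while the machine itself stays usable. Williamson's answer to Cluley later in the article, shutting off a single port such as 80 by policy, would sit on top of this as a per-port rule rather than a change to the throttle itself.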

Cluley argues that this is not enough. His position is that the virus has still taken the machine out of service, thus damaging the company. It is equivalent to a worker’s absence that increases the load on the remaining staff or results in work left undone. Williamson counters this, saying that the throttling policy covers this base by shutting off, say, port 80, the Internet traffic port. This prevents Web browsing but allows other work to continue.

Malware coders can trump this strategy by giving their viruses disk-wiping payloads. Policy could cover this but gradually more and more of the machine will be closed down and work itself will be throttled — but at least the virus will not escape the machine.

The disruption of normality

Another leader in the immunology field is Steven Hofmeyr, founder and chief scientist of Sana Security. He is highly critical of traditional antivirus developers. “AV vendors could find an answer that would make the email problem go away, but they’re locked into a business model that depends strongly on having a subscription and update process,” he says.

Sana Security’s Primary Response system uses intelligent analysis of the machine it runs on to spot when normal behaviour is disrupted, indicating a problem. This makes it better suited to servers because they run fewer applications whereas desktop computers typically launch many different applications in unpredictable combinations.

However, Hofmeyr sees possible extensions to desktop applications. He explains, “A typical email attachment doesn’t open every address in your address book. If you understand the normal behaviour of an email client, you’ll know in a heartbeat when something unusual is happening and stop it. This means you can detect things that you’ve never seen before.”

Primary Response hooks into the operating system at a low level to record and monitor the normal pattern of system calls. This intimacy allows it to detect anomalies at an early stage and stop them before they do damage, Hofmeyr says. Because human error and bias are greater problems in security issues, replacing human judgement with intelligent monitoring based on a knowledgebase is a move in the right direction, he claims.
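The system-call profiling just described can be demonstrated with a small profile-based monitor. This is an added example in the spirit of the published system-call sequence work Hofmeyr co-authored before founding Sana Security, not Sana's code: short sequences (n-grams) of calls are recorded during a normal-behaviour period, and a later run is scored by the fraction of its sequences that were never seen. The traces, the n-gram length and the decision threshold are constructed for the illustration; Primary Response's hooks, data format and thresholds are not given on this page and are not reproduced.

```python
"""Anomaly detection over system-call sequences (added example).

A simplified, profile-based monitor: record the short sequences (n-grams)
of system calls a program makes during normal operation, then flag a run
in which many of the sequences were never seen.  The traces below are
constructed for illustration and do not come from any real product.
"""


class SyscallProfile:
    """Set of n-grams observed during a training (normal-behaviour) period."""

    def __init__(self, n=3):
        self.n = n
        self.normal = set()

    def _grams(self, trace):
        # sliding window of n consecutive call names
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def train(self, traces):
        for trace in traces:
            self.normal.update(self._grams(trace))

    def score(self, trace):
        """Fraction of n-grams in `trace` that never appeared in training (0.0 to 1.0)."""
        grams = self._grams(trace)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.normal)
        return unseen / len(grams)

    def is_anomalous(self, trace, threshold=0.2):
        return self.score(trace) > threshold


# Constructed traces for a simple request-serving loop: the server accepts a
# connection, reads the request, opens and reads a file, writes the reply.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "write", "close"] * 3,
    ["accept", "read", "stat", "open", "read", "write", "close"] * 2,
]
# The same loop mixing both variants: nothing the profile has not seen.
BENIGN_TRACE = ["accept", "read", "open", "read", "write", "close",
                "accept", "read", "stat", "open", "read", "write", "close"]
# After the write the process forks, executes a program and opens an outbound
# connection: a departure from the learned pattern that the profile catches
# without holding any signature for the code that caused it.
SUSPECT_TRACE = ["accept", "read", "open", "read", "write",
                 "fork", "execve", "dup2", "connect", "close"]


def build_profile():
    """Train a 3-gram profile on the constructed normal traces."""
    profile = SyscallProfile(n=3)
    profile.train(NORMAL_TRACES)
    return profile


if __name__ == "__main__":
    p = build_profile()
    for name, trace in [("benign", BENIGN_TRACE), ("suspect", SUSPECT_TRACE)]:
        print(f"{name}: score={p.score(trace):.3f} anomalous={p.is_anomalous(trace)}")
```

The benign run scores 0 because every 3-gram in it was seen in training, while the suspect run scores 0.625 (five of its eight sequences are new). The quality of the profile depends entirely on the training period covering the program's real range of behaviour, which is why the article notes the approach suits servers, with their small and stable set of applications, better than desktops: a profile trained on too little activity flags ordinary work, the same false-positive cost the article attributes to heuristics.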

There are trade-offs in systems like Sana’s, but Hofmeyr is unconcerned by this. “There’s obviously some overhead in the extra processing time and the disk space it requires, but it is negligible. The true overhead is in human resources,” he says. “How much does it cost to have people interact with the systems? Do you really need human operators to do all the clean ups, download patches, install virus signature updates and all the rest of it?

“The basis of current practice is the assumption that people know and understand what is going on in the system. This may have worked once when we had very simple systems but our systems have grown so complex and become so interconnected that no-one really knows what’s going on — which is why you need the things we are doing or that Matt is looking at in HP Labs.”

Curiously, Primary Response is not sold as a malware detection system but as an intrusion detection application to keep hackers out. This positioning underlines the convergence of intrusion detection, antivirus and even systems failure detection.

A system that automates the analysis, diagnosis and correction process is the Holy Grail. We are not there yet; in fact the complete solution may still elude us years hence. But as we learn more about the people who write malware and the processes they invent, so the industry will build a more secure future.

Eric Doyle is an IT journalist who writes for titles that include Computer Weekly and the Guardian.
