Prevention is better than cure
Black hat programmers are adapting biological and social engineering techniques to produce ever more virulent worms and viruses, reports Eric Doyle.
Programmers who develop malicious code or malware are using techniques drawn from biology and social engineering to trick users into unleashing worms and viruses.
The recent wave of MyDoom attacks used these techniques to spread rapidly, and left antivirus developers floundering in its wake. Reactions to MyDoom were swift, but not fast enough to choke off the worm’s spread. This is because current antivirus techniques are reactive. They depend on recognising specific malware before responding. This means new strains have a small window of opportunity before people develop an antidote, download and apply it — and that is enough to cause widespread misery.
The main challenge is to find the unique signature of each malware attack. Earlier, this was simpler because strains used identical chunks of code. But current polymorphic strains tend to disguise themselves using encryption. Superficially, identical viruses look different; any unique signature may be only the few bytes of code that decrypt the virus. The antivirus team has to find these common factors, and this sometimes means getting hold of two examples of the virus to compare code.
The situation is made worse because copycat malware bases itself on existing successful but recognised strains. Changing the signature allows malicious coders to re-release a known virus that can attack supposedly immunised systems.
The antivirus vendors’ response has been to develop methods, such as heuristics, to find and eliminate unknown viruses before they strike. Heuristics is a “successive best guess” problem-solving technique. At successive stages of a program, it chooses the most appropriate solution of several found by alternative methods, which it then uses in the next step of the program.
But this has drawbacks. Heuristic analysis carries a high processing overhead. And it often misidentifies harmless code — false positive identification.
Heuristic tactics vary. Some products scan the suspect file byte by byte looking for signature code. Others use sandboxes, a protected emulation environment, to allow suspect code to reveal itself.
All this makes it too obtrusive for most customers. So many vendors have relaxed the rigour of their analysis. Consequently, heuristic analyses are often not very good at catching new malware, otherwise MyDoom and SoBig would not have flourished.
A new way
Cluley: cure is worse than the condition
Perhaps the time has come for a new way of looking at infections. One is to use techniques borrowed from immunology. Graham Cluley, senior technology consultant for antivirus specialist Sophos, explains, “The idea of comparing computer virology with biological virology has been around for seven years or so. I think IBM was one of the first companies to suggest it would build some sort of computer immune system. It never released a product, and sold the technology to Symantec, which seems to have hidden it under a bushel.”
Cluley is sceptical about current immunology-based approaches. “Look at what happens when you get the flu. Your immune system can fight it successfully but your entire body suffers. You’re in bed for a few days, you can’t work, you can’t function normally. I suspect that some of the digital approaches that mimic biology may have a similar effect on computer systems. Maybe the cure is worse than
If an infectious disease is rampant in the real world, people take precautions against infection. For example, virtually everyone in south-east Asia wore air filtering face masks during the SARS epidemic. The cyberspace equivalent would be to filter everything that enters the IT system. This would use firewalls and specialist appliances that connect the system to the Internet and/or external network.
One such example is CipherTrust’s IronMail. This is an email server appliance that uses traditional virus detection but also looks for anomalies. IronMail checks constantly for unusual behaviour, such as mass mail-outs, and stops them before there is any external damage.
Grasping for the Holy Grail
Digital immunology promises to prevent many of the malicious code attacks suffered today and to do it proactively. What more tempting target for hackers could there be?
Experience has shown that, rather than be deterred, hackers and malware writers are inspired by these “foolproof” systems. For the dubious honour of cracking the uncrackable, they will find any weaknesses in the logic or the code. These will then be patched, and no doubt other weak spots
Until we can create a true cordon sanitaire around our information systems, a belt and braces approach seems to be best. This means that the reactive strategy will have a place in our security plans for some time yet.
The simplest, most effective way of detecting and removing malware is by using conventional signatures and heuristics, blocking by exclusion and enforcing good practice. Current intelligent systems may stop the virus from spreading but they act as traps, and somehow the malicious code has to be excised. Isolating the virus is just the first step.
Before the malware game is no longer worth the candle for hackers, we will see attacks that mimic normal activity to fool the detection systems. This more subtle approach to malware is just around the corner, and it will be even more difficult to detect and eliminate than the present shape-shifting viruses. Just as the biological immune system has to adapt its defences to fight new viruses, and can fail, so the digital world may have to accept that there’s no such thing as 100% protection.
Colin Gray, CipherTrust’s VP and marketing director for Europe, the Middle East and Africa, says, “Email is probably the most open application there is. Port 25 on the firewall, where SMTP and email traffic comes through, is open by definition. Last year all the major threats were email-borne viruses or Trojans. Blaster and SoBig infections spread by sending millions of the same email message very quickly. They took about five hours to spread worldwide, but IronMail recognised this as anomalous behaviour in less than two hours. If our customers had set their thresholds properly, IronMail was quarantining attachments and dropping connections before any signature identification was available from the major antivirus firms.”
The weakness of a pure appliance approach is that it protects only the periphery of the company network. Mobile devices bypass these barriers. Worse, they behave like Typhoid Mary, carrying infections that do not harm them into systems to which they connect.
Finjan Software produces a range of software that protects various points of the infrastructure. These include the email and Web gateways, the server, the desktop and the laptop. Nick Sears, Finjan’s European vice president for sales, says, “There’s an imbalance between the assurance that antivirus provides and the risk that’s out there. To do that we need something that’s proactive. In other words, something that will stop a virus the first time it invades.”
Finjan’s technology is called Behaviour Analysis. Sears says it tracks any downloaded application or applet. “Anything coming into the gateway by Web or email is scanned for its behaviour,” he explains. “We can detect if, for example, a Java script from an email or a Web page will try to delete files or change settings in the registry. From pre-determined policy it recognises this as unacceptable behaviour and stops it before it ever gets to the user. At the desktop, any executable code that comes in from the Web or email is monitored in real time every time it runs — just in case it is a time bomb that triggers only under certain conditions.”
Choking the virus
Hewlett-Packard is researching yet other ways to police the network and its hardware. One is called Virus Throttling. This does not seek to kill the virus but to contain it before it does any damage.
Matthew Williamson, a research scientist at HP Labs, says, “You’re not trying to stop it categorically in the way that a signature does. A virus like Nimda may try to contact up to 400 different machines a second, depending on the spec of the infected machine. Let’s say normal behaviour is about one connection a second. Virus throttling uses this information to limit the number of machines that can be contacted in a second. If something tries to exceed the limit it is choked back and stopped, containing the virus to that machine. The machine is still infected, that’s very hard to avoid, but it is not spreading the virus and clogging up
Cluley argues that this is not enough. His position is that the virus has still taken the machine out of service, thus damaging the company. It is equivalent to a worker’s absence that increases the load on the remaining staff or results in work left undone. Williamson counters this, saying that the throttling policy covers this base by shutting off, say, port 80, the Internet traffic port. This prevents Web browsing but allows other work to continue.
Malware coders can trump this strategy by giving their viruses disk-wiping payloads. Policy could cover this, but gradually more and more of the machine will be closed down and work itself will be throttled — but at least the virus will not escape the machine.
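The throttling rule Williamson describes (about one new machine a second is normal, hundreds is a worm, anything over the limit is choked back) is easy to state as code. The block below is an added example, not HP Labs’ implementation: a per-host sliding-window throttle on connections to destinations not contacted before, with excess attempts held in a delay queue and the host declared infected once that queue overflows. The same window-and-threshold counter is what IronMail’s mass mail-out detection, described earlier, amounts to, with message recipients in place of destination hosts. The rate, queue size and sample traffic are constructed assumptions.

```python
from collections import deque

class VirusThrottle:
    """Per-host throttle on outbound connections to *new* destinations.
    Constructed model of the HP Labs idea: attempts above rate_per_sec are
    held in a delay queue; if the queue grows past max_queue the host is
    declared infected and further new connections are dropped."""

    def __init__(self, rate_per_sec=1, max_queue=10, window=1.0):
        self.rate = rate_per_sec
        self.max_queue = max_queue
        self.window = window
        self.recent = deque()   # timestamps of new-destination connections let through
        self.known = set()      # destinations already contacted; never throttled
        self.queue = deque()    # held-back (timestamp, destination) pairs
        self.infected = False

    def request(self, ts, dest):
        """Return 'allow', 'delay' or 'drop' for one connection attempt."""
        if self.infected:
            return "drop"
        if dest in self.known:
            return "allow"
        # forget allowed connections that have fallen out of the sliding window
        while self.recent and ts - self.recent[0] >= self.window:
            self.recent.popleft()
        if len(self.recent) < self.rate:
            self.recent.append(ts)
            self.known.add(dest)
            return "allow"
        self.queue.append((ts, dest))
        if len(self.queue) > self.max_queue:
            self.infected = True      # sustained burst of new hosts: contain this machine
        return "delay"


def simulate(events, **kwargs):
    """Feed a trace of (timestamp, destination) attempts; return verdict counts and state."""
    throttle = VirusThrottle(**kwargs)
    counts = {"allow": 0, "delay": 0, "drop": 0}
    for ts, dest in events:
        counts[throttle.request(ts, dest)] += 1
    return counts, throttle.infected


# Constructed traffic: a user reaching one new site a second, plus a repeat visit.
NORMAL = [(float(i), f"site{i}.example") for i in range(10)] + [(10.5, "site3.example")]
# Constructed worm burst: 400 distinct targets inside one second, the rate quoted for Nimda.
WORM = [(i / 400.0, f"10.0.{i // 256}.{i % 256}") for i in range(400)]
```

Running `simulate(NORMAL)` lets every attempt through, while `simulate(WORM)` allows one connection, delays the next eleven and drops the rest once the host is marked infected; repeat connections to already-known hosts are never throttled, which is what keeps ordinary work going on a contained machine.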
The disruption of normality
Another leader in the immunology field is Steven Hofmeyr, founder and chief scientist of Sana Security. He is highly critical of traditional antivirus developers. “AV vendors could find an answer that would make the email problem go away, but they’re locked into a business model that depends strongly on having a subscription and update process,” he says.
Hofmeyr: AV vendors are locked into a subscription and update process
Sana Security’s Primary Response system uses intelligent analysis of the machine it runs on to spot when normal behaviour is disrupted, indicating a problem. This makes it better suited to servers because they run fewer applications, whereas desktop computers typically launch many different applications in unpredictable combinations.
However, Hofmeyr sees possible extensions to desktop applications. He explains, “A typical email attachment doesn’t open every address in your address book. If you understand the normal behaviour of an email client, you’ll know in a heartbeat when something unusual is happening and stop it. This means you can detect things that you’ve never seen before.”
Primary Response hooks into the operating system at a low level to record and monitor the normal pattern of system calls. This intimacy allows it to detect anomalies at an early stage and stop them before they do damage, Hofmeyr says. Because human error and bias are greater problems in security issues, replacing human judgement with intelligent monitoring based on a knowledgebase is a move in the right direction, he
There are trade-offs in systems like Sana’s, but Hofmeyr is unconcerned by this. “There’s obviously some overhead in the extra processing time and the disk space it requires, but it is negligible. The true overhead is in human resources,” he says. “How much does it cost to have people interact with the systems? Do you really need human operators to do all the clean ups, download patches, install virus signature updates and all the rest of it?
“The basis of current practice is the assumption that people know and understand what is going on in the system. This may have worked once when we had very simple systems, but our systems have grown so complex and become so interconnected that no-one really knows what’s going on — which is why you need the things we are doing or that Matt is looking at in HP Labs.”
Curiously, Primary Response is not sold as a malware detection system but as an intrusion detection application to keep hackers out. This positioning underlines the convergence of intrusion detection, antivirus and even systems failure detection.
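Hofmeyr’s description of recording the normal pattern of system calls and flagging departures from it, and his email-client remark about an attachment that touches every address, can be illustrated with a small anomaly detector. This is an added example, not Sana’s code: it learns every short window of consecutive system calls seen while a program ran cleanly, then scores a new trace by the fraction of windows it has never seen. The window length, the threshold and the traces are constructed assumptions.

```python
class SyscallProfile:
    """Normal-behaviour profile of one program, built from short windows of
    consecutive system calls observed while it ran cleanly.
    Constructed model of the approach the article attributes to Primary
    Response; the fixed-length window and threshold are assumptions."""

    def __init__(self, n=3):
        self.n = n
        self.normal = set()   # every n-call window seen during training

    def windows(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def train(self, traces):
        for trace in traces:
            self.normal.update(self.windows(trace))

    def score(self, trace):
        """Fraction of the trace's windows never seen in training (0.0 = all familiar)."""
        wins = self.windows(trace)
        if not wins:
            return 0.0
        return sum(1 for w in wins if w not in self.normal) / len(wins)

    def is_anomalous(self, trace, threshold=0.2):
        return self.score(trace) > threshold


# Constructed traces of a mail client fetching and sending mail normally.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "socket", "connect", "write", "read", "close"],
    ["open", "read", "mmap", "close", "socket", "connect", "read", "write", "close"],
    ["open", "write", "close", "socket", "connect", "write", "read", "close"],
]
# Constructed clean run not used in training: a new mix of familiar call sequences.
CLEAN_TRACE = ["open", "read", "read", "close", "socket", "connect", "read", "write", "close"]
# Constructed run after a malicious attachment: reads several files, spawns a process,
# then fires off repeated outbound sends, the "every address in the address book" pattern.
WORM_TRACE = ["open", "read", "close", "open", "read", "close", "fork", "execve",
              "socket", "connect", "write", "write", "write", "close",
              "socket", "connect", "write", "write", "write", "close"]


def build_profile():
    """Train a 3-call profile on the constructed normal traces."""
    profile = SyscallProfile(n=3)
    profile.train(NORMAL_TRACES)
    return profile
```

The clean trace scores 0.0 because every one of its windows appears in training, while the worm trace scores 14/18: the file-harvesting, fork/execve and repeated-send windows were never part of the client’s normal pattern, which is the “things you’ve never seen before” Hofmeyr refers to.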
A system that automates the analysis, diagnosis and correction process is the Holy Grail. We are not there yet; in fact the complete solution may still elude us years hence. But as we learn more about the people who write malware and the processes they invent, so the industry will build a more secure
Eric Doyle is an IT journalist who writes for titles that include Computer Weekly and the Guardian.