Prevention is better than cure

Eric Doyle

Black hat programmers are adapting biological and social engineering techniques to produce evermore virulent worms and viruses, reports Eric Doyle.

Programmers who develop malicious code or malware are using techniques drawn from biology and social engineering to trick users into unleashing worms and viruses.

The recent wave of MyDoom attacks used these techniques to spread rapidly, and left antivirus developers floundering in its wake. Reactions to MyDoom were swift, but not fast enough to choke off the worm’s spread. This is because current antivirus techniques are reactive. They depend on recognising specific malware before responding. This means new strains have a small window of opportunity before people develop an antidote, download and apply it — and that is enough to cause widespread misery.

The main challenge is to find the unique signature of each malware attack. Earlier, this was simpler because strains used identical chunks of code. But current polymorphic strains tend to disguise themselves using encryption. Superficially, identical viruses look different; any unique signature may be only the few bytes of code that decrypt the virus. The antivirus team has to find these common factors, and this sometimes means getting hold of two examples of the virus to compare code.

The situation is made worse because copycat malware bases itself on existing successful but recognised strains. Changing the signature allows malicious coders to re-release a known virus that can attack supposedly immunised systems.

The antivirus vendors’ response has been to develop methods, such as heuristics, to find and eliminate unknown viruses before they strike. Heuristics is a “successive best guess” problem-solving technique: at each stage, the program picks the most plausible of several candidate solutions arrived at by different methods, and carries that choice into the next stage.

But this has drawbacks. Heuristic analysis carries a high processing overhead. And it often misidentifies harmless code as malicious, the false positive problem.

Heuristic tactics vary. Some products scan the suspect file byte by byte looking for signature code. Others run the suspect code in a sandbox, a protected emulation environment, and let it reveal its behaviour.

Such analysis is too obtrusive for most customers, so many vendors have relaxed its rigour. Consequently, heuristic analyses are often not very good at catching new malware; otherwise MyDoom and SoBig would not have flourished.

A new way

Cluley: cure is worse than the condition

Perhaps the time has come for a new way of looking at infections. One is to use techniques borrowed from immunology. Graham Cluley, senior technology consultant for antivirus specialist Sophos, explains, “The idea of comparing computer virology with biological virology has been around for seven years or so. I think IBM was one of the first companies to suggest it would build some sort of computer immune system. It never released a product, and sold the technology to Symantec, which seems to have hidden it under a bushel.”

Cluley is sceptical about current immunology-based approaches. “Look at what happens when you get the flu. Your immune system can fight it successfully but your entire body suffers. You’re in bed for a few days, you can’t work, you can’t function normally. I suspect that some of the digital approaches that mimic biology may have a similar effect on computer systems. Maybe the cure is worse than the condition.”

If an infectious disease is rampant in the real world, people take precautions against infection. For example, virtually everyone in south-east Asia wore air filtering face masks during the SARS epidemic. The cyberspace equivalent would be to filter everything that enters the IT system. This would use firewalls and specialist appliances that connect the system to the Internet and/or external network.

One such example is CipherTrust’s IronMail. This is an email server appliance that uses traditional virus detection but also looks for anomalies. IronMail checks constantly for unusual behaviour, such as mass mail-outs, and stops them before there is any external damage.

Grasping for the Holy Grail

Digital immunology promises to prevent many of the malicious code attacks suffered today and to do it proactively. What more tempting target for hackers could there be?

Experience has shown that, rather than be deterred, hackers and malware writers are inspired by these “foolproof” systems. For the dubious honour of cracking the uncrackable, they will find any weaknesses in the logic or the code. These will then be patched, and no doubt other weak spots found.

Until we can create a true cordon sanitaire around our information systems, a belt and braces approach seems to be best. This means that the reactive strategy will have a place in our security plans for some time yet.

The simplest, most effective way of detecting and removing malware is by using conventional signatures and heuristics, blocking by exclusion and enforcing good practice. Current intelligent systems may stop the virus from spreading but they act as traps and somehow the malicious code has to be excised. Isolating the virus is just the first step.

Before the malware game ceases to be worth the candle for hackers, we will see attacks that mimic normal activity to fool the detection systems. This more subtle approach to malware is just around the corner, and it will be even more difficult to detect and eliminate than the present shape-shifting viruses. Just as the biological immune system has to adapt its defences to fight new viruses, and can fail, so the digital world may have to accept that there’s no such thing as 100% protection.

Colin Gray, CipherTrust’s VP and marketing director for Europe, the Middle East and Africa, says, “Email is probably the most open application there is. Port 25 on the firewall, where SMTP and email traffic comes through, is open by definition. Last year all the major threats were email-borne viruses or Trojans. Blaster and SoBig infections spread by sending millions of the same email message very quickly. They took about five hours to spread worldwide, but IronMail recognised this as anomalous behaviour in less than two hours. If our customers had set their thresholds properly, IronMail was quarantining attachments and dropping connections before any signature identification was available from the major antivirus firms.”

The weakness of a pure appliance approach is that it protects only the periphery of the company network. Mobile devices bypass these barriers. Worse, they behave like Typhoid Mary, carrying infections that do not harm them into systems to which they connect.

Finjan Software produces a range of software that protects various points of the infrastructure. These include the email and Web gateways, the server, the desktop and the laptop. Nick Sears, Finjan’s European vice president for sales, says, “There’s an imbalance between the assurance that antivirus provides and the risk that’s out there. To do that we need something that’s proactive. In other words, something that will stop a virus the first time it invades.”

Finjan’s technology is called Behaviour Analysis. Sears says it tracks any downloaded application or applet. “Anything coming into the gateway by Web or email is scanned for its behaviour,” he explains. “We can detect if, for example, a JavaScript from an email or a Web page will try to delete files or change settings in the registry. From pre-determined policy it recognises this as unacceptable behaviour and stops it before it ever gets to the user. At the desktop, any executable code that comes in from the Web or email is monitored in real time every time it runs — just in case it is a time bomb that triggers only under certain conditions.”

Choking the virus

Hewlett-Packard is researching yet other ways to police the network and its hardware. One is called Virus Throttling. This does not seek to kill the virus but to contain it before it does any damage.

Matthew Williamson, a research scientist at HP Labs, says, “You’re not trying to stop it categorically in the way that a signature does. A virus like Nimda may try to contact up to 400 different machines a second, depending on the spec of the infected machine. Let’s say normal behaviour is about one connection a second. Virus throttling uses this information to limit the number of machines that can be contacted in a second. If something tries to exceed the limit it is choked back and stopped, containing the virus to that machine. The machine is still infected, that’s very hard to avoid, but it is not spreading the virus and clogging up the network.”
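The containment rule Williamson describes can be replayed against a trace of outbound connection attempts. The following is an added illustration, not HP’s code: hosts contacted recently form a small working set that passes freely, each new host waits in a delay queue released at one per second, and a backlog beyond a threshold triggers containment. The traces, queue size and threshold are constructed assumptions.

```python
from collections import deque

# Constructed traces of outbound connection attempts as (second, destination).
# A user doing ordinary work revisits a handful of familiar hosts at roughly
# one connection a second; a worm fans out to many previously unseen hosts.
NORMAL_TRACE = [(0, "mail"), (1, "intranet"), (2, "mail"), (3, "web1"),
                (4, "mail"), (5, "intranet"), (6, "web2"), (7, "mail"),
                (8, "web1"), (9, "news")]
WORM_TRACE = [(second, f"host{second}-{i}")
              for second, count in enumerate((3, 8, 20)) for i in range(count)]


def run_throttle(attempts, allowed_per_sec=1, working_set_size=4, quarantine_at=10):
    """Replay connection attempts through a throttle in the style Williamson
    describes. Connections to hosts contacted recently (the working set) go
    through at once; each new host waits in a delay queue from which only
    `allowed_per_sec` are released per second. If the queue backs up past
    `quarantine_at`, the host is contained. Parameter values are assumptions.
    Returns the second at which containment kicked in (None if never) and the
    largest backlog seen."""
    if not attempts:
        return {"quarantined_at": None, "max_backlog": 0}
    by_second = {}
    for second, dest in attempts:
        by_second.setdefault(second, []).append(dest)
    working_set = deque(maxlen=working_set_size)  # oldest host drops out first
    delayed = deque()                             # new hosts awaiting a slot
    max_backlog = 0
    for second in range(max(by_second) + 1):
        for dest in by_second.get(second, []):
            # A repeat request for a host already waiting does not grow the queue.
            if dest not in working_set and dest not in delayed:
                delayed.append(dest)
        max_backlog = max(max_backlog, len(delayed))
        if len(delayed) > quarantine_at:
            return {"quarantined_at": second, "max_backlog": max_backlog}
        # End of the second: let the allowed number of new hosts through.
        for _ in range(allowed_per_sec):
            if delayed:
                working_set.append(delayed.popleft())
    return {"quarantined_at": None, "max_backlog": max_backlog}


if __name__ == "__main__":
    print("normal:", run_throttle(NORMAL_TRACE))
    print("worm:  ", run_throttle(WORM_TRACE))
```

The normal trace never builds a backlog larger than one, while the fanning-out trace is contained in its third second even though its first two seconds stay under the threshold.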

Cluley argues that this is not enough. His position is that the virus has still taken the machine out of service, thus damaging the company. It is equivalent to a worker’s absence that increases the load on the remaining staff or results in work left undone. Williamson counters this, saying that the throttling policy covers this base by shutting off, say, port 80, the Web traffic port. This prevents Web browsing but allows other work to continue.

Malware coders can trump this strategy by giving their viruses disk-wiping payloads. Policy could cover this but gradually more and more of the machine will be closed down and work itself will be throttled — but at least the virus will not escape the machine.

The disruption of normality

Another leader in the immunology field is Steven Hofmeyr, founder and chief scientist of Sana Security. He is highly critical of traditional antivirus developers. “AV vendors could find an answer that would make the email problem go away, but they’re locked into a business model that depends strongly on having a subscription and update process,” he says.

Hofmeyr: AV vendors are locked into a subscription and update process

Sana Security’s Primary Response system uses intelligent analysis of the machine it runs on to spot when normal behaviour is disrupted, indicating a problem. This makes it better suited to servers because they run fewer applications whereas desktop computers typically launch many different applications in unpredictable combinations.

However, Hofmeyr sees possible extensions to desktop applications. He explains, “A typical email attachment doesn’t open every address in your address book. If you understand the normal behaviour of an email client, you’ll know in a heartbeat when something unusual is happening and stop it. This means you can detect things that you’ve never seen before.”

Primary Response hooks into the operating system at a low level to record and monitor the normal pattern of system calls. This intimacy allows it to detect anomalies at an early stage and stop them before they do damage, Hofmeyr says. Because human error and bias are the bigger problems in security, replacing human judgement with intelligent monitoring based on a knowledgebase is a step in the right direction, he claims.
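One simple way to turn a recorded pattern of system calls into a detector, as the paragraph describes: build a profile of the short call sequences seen during normal use, then score a new trace by how many of its sequences are unfamiliar. This is an added example, not Sana’s Primary Response; the traces, window length and threshold are constructed assumptions.

```python
# Constructed system-call traces for a mail client. The "normal" traces are
# what the monitor records while the client is used as intended; the
# suspicious trace is an attachment that reads files and spawns a process
# before talking to the network. Names are illustrative, not real logs.
NORMAL_TRACES = [
    ["open", "read", "close", "socket", "connect", "write", "read", "close"],
    ["stat", "open", "read", "close", "socket", "connect", "read", "write", "close"],
]
BENIGN_TRACE = ["stat", "open", "read", "close", "socket", "connect", "write", "read", "close"]
SUSPICIOUS_TRACE = ["open", "read", "close", "fork", "execve", "open", "read",
                    "read", "socket", "connect", "write"]


def windows(trace, k):
    """Every length-k sliding window of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(normal_traces, k=3):
    """The set of short call sequences seen during normal operation."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile


def score_trace(trace, profile, k=3):
    """Fraction of the trace's windows that never occurred in the profile:
    0.0 means every sequence was seen before, 1.0 means none was."""
    seen = windows(trace, k)
    if not seen:
        return 0.0
    return sum(1 for w in seen if w not in profile) / len(seen)


def is_anomalous(trace, profile, k=3, threshold=0.2):
    """Flag a trace when more than `threshold` of its windows are unfamiliar.
    The window length and threshold are assumptions for this example."""
    return score_trace(trace, profile, k) > threshold


PROFILE = build_profile(NORMAL_TRACES)

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        print(name, round(score_trace(trace, PROFILE), 3), is_anomalous(trace, PROFILE))
```

The benign trace reuses only sequences already in the profile, whereas seven of the suspicious trace's nine windows are new, which is what “you’ve never seen before” amounts to in this scheme.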

There are trade-offs in systems like Sana’s, but Hofmeyr is unconcerned by this. “There’s obviously some overhead in the extra processing time and the disk space it requires, but it is negligible. The true overhead is in human resources,” he says. “How much does it cost to have people interact with the systems? Do you really need human operators to do all the clean ups, download patches, install virus signature updates and all the rest of it?

“The basis of current practice is the assumption that people know and understand what is going on in the system. This may have worked once when we had very simple systems but our systems have grown so complex and become so interconnected that no-one really knows what’s going on — which is why you need the things we are doing or that Matt is looking at in HP Labs.”

Curiously, Primary Response is not sold as a malware detection system but as an intrusion detection application to keep hackers out. This positioning underlines the convergence of intrusion detection, antivirus and even systems failure detection.

A system that automates the analysis, diagnosis and correction process is the Holy Grail. We are not there yet; in fact the complete solution may still elude us years hence. But as we learn more about the people who write malware and the processes they invent, so the industry will build a more secure future.

Eric Doyle is an IT journalist who writes for titles that include Computer Weekly and the Guardian.