Jon's Network

Webwasher Anti-Malware Explained – Jon’s Network Podcast 4

June 5th, 2007 · 2 Comments

How do we protect companies from malware that no one has ever seen before?

In this podcast we touch briefly on the well-known malware problem and how Webwasher tackles it at the gateway with their Anti-Malware Module. Using a combination of signatures, heuristics and behavior analysis (proactive detection in marketing lingo), they can stop more real-world threats than anyone else right now according to AV-Test.org.

You might also be interested in the Webwasher SSL Scanner podcast from last month.

Sign up for a Webwasher Web Demo Here

Participants:

Me (Jon)

Oliver Braekow, Mgr. Product Marketing for Webwasher, Secure Computing. You may remember Oliver from the SSL Scanner Podcast.

Christoph Alme, Principal Engineer and Anti-Malware Team Lead, Secure Computing

Jon: While effective malware prevention includes training users to stop clicking through spam and to stay away from bad web neighborhoods, so to speak, Webwasher provides the technology you need to achieve and maintain a malware-free network in an automated fashion. Let’s agree on definitions first. What do you mean by malware?

Oliver: In general we refer to malware if a file entering your network will result in universally accepted malicious impact on your machines, infrastructure or yourself. This can be a traditional old school virus formatting your hard drive at some point in time or it can be some kind of spyware on your machine sending information out without your explicit consent or even a trojan converting your machine to a member of a botnet, thereby stealing processor power, bandwidth and even potentially implicating legal issues.

Jon: Are all these bots just unwary home users with no firewall or AV software or are they found in businesses too?

Oliver: The rise of botnets is a problem we’ve seen over the last couple of years, and now this seems to become the next big buzzword after spam and spyware. In reality, it’s just the natural evolution of the virus and spyware phenomenon; people are just becoming more creative at making money. While the majority of home users are affected by this, we clearly see botnets spreading inside corporate environments. Traditional stateful inspection firewalls and signature-based anti-virus for mail and web clearly don’t cut it.

Jon: How big is the problem really?

Oliver: We can tackle this question from different angles. Let’s start with an independent test that just got published in PC Magazine. They actually performed a test of 29 known anti-malware/anti-virus scanners and basically squeezed 606,901 malware samples through all these scanners. That’s a lot of samples. All of these malware samples were collected over the last 12 months and all of these samples were actual functional samples that at one time or another circulated on the internet or via e-mail; not proof of concept code or something like that.

I still remember a mere two or three years ago traditional anti-virus vendors boasted how many samples they actually covered with their signature database. This was roughly in the area of 100k to 200k samples, over the whole lifespan of their product up to that time. So now, just last year, we got more than 600k new samples. And as expected some vendors seem to be doing a better job keeping up than others. In summary, on average the products detected 86.95% of the samples. So out of the close to 607k samples, 79,200 samples weren’t detected. That’s scary. Webwasher Anti-Malware covered 99.83%, only letting through roughly 1300, therefore ranking first place. The three vendors sharing close to 90% of the traditional AV market covered between 87.28% and 97.77%, thus letting through between 77,200 and 13,500 samples. The worst commercial product only covered 62.12% and was even outperformed by the free Clam AV.

Translated to ratios: At the gateway, Webwasher Anti-Malware is outperforming the market-leading products by a factor ranging between 10 and 60 in some cases. Of course Webwasher is a gateway-only product, so we can actually apply stricter filtering rules than products that run on the client, because even if we produced a false positive it wouldn’t result in nuking your machine.

Jon: So the big problem, you feel, is incomplete protection against threats by AV companies, and you have therefore made it a goal to protect against as many threats as possible, coming close to 100%. What isn’t “traditional” signature-based AV doing for organizations?

Christoph: Signatures are an important baseline for any AV, and they’re here to stay. They scale very well, allow us to detect a threat exactly, and usually they don’t generate false-positives because they’ve been taken from a caught sample that is known to be malicious.

Exactly this benefit, on the other hand, is its Achilles heel. You have to get hold of at least one such malware sample before you can create a detection signature against it. And analyzing malicious files that are, in most cases, obfuscated and try to protect themselves against being disassembled and debugged, takes time. Choosing the right signature to detect this threat, and hopefully future variants of it, takes time as well. Finally, your signatures go through QA before becoming available to users.

In the meantime, the attackers may long have released yet another variant of their miscreant. Take the so-called Storm Worm Trojan early this year, for example, that was distributed in a serial variant attack, where, at some phases, we saw new variants emerge about every 15 minutes. So the question arises: how to protect users in the meantime, how to protect them right from the start against some new piece of malware? How to tell in advance whether a new file that nobody (except its author) has seen before is probably malicious?

Obviously, we need to make that detection depend less on database updates containing the latest (manual) analysis results, and rather act more automatically. In other words, we must not only look for malicious content that we’ve seen before; instead, we have to make a decision on whether some new content may be malicious – without ever having had a human analyst look at it before.

Jon: Not only are the variants coming out more frequently, but the attacks are becoming more targeted. Everyone is using the term “targeted attack” in their marketing. What does this mean exactly?

Christoph: Usually, attackers rent large botnets that they use to send out mails to an anonymous mass of mail addresses that they have collected or bought. The mails either link to the malware or have it attached.

A “targeted attack”, in contrast, is performed against some individual whom the attacker knows, rather than a large anonymous group. Therefore, he can use very focused social engineering to craft an E-mail that tries to fool the victim into opening the malware. That piece of malware may even be tailor-made for exactly that one attack.

Jon: You mentioned the need to make detection less dependent on humans and more automatic. How is that possible? Can you describe Webwasher’s approach in more detail? Is it different from heuristics?

Christoph: With Webwasher, the administrator can combine, for example, Secure’s own Anti-Malware engine with up to three additional Anti-Virus engines. Just as a second set of eyes sometimes sees more, so do multiple scan engines. To keep the gateway’s latency low, Webwasher’s PreScan™ technology allows us to limit the load against the scan engine to exactly the content, and portions, that need to be scanned.

As the second line of defense, we provide our own behavioral heuristics scanner along with any chosen combination of scan engines. This module tries to determine what behavior a scanned file may perform at runtime, e.g. when it would be executed on a client computer. And the administrator defines whether to allow, to block, or maybe to warn the user upon download of a file comprising certain behaviors, like, for example, a Java applet that might try to modify files on the user’s hard disk, or a script that might try to modify settings of the user’s browser.

Jon: Is this the same as “sandbox” technology, where a virtual run environment is created to actually run the possibly malicious file or program to see how it behaves? Can you describe your proactive security filter in more detail? How do you keep false positives low – a problem with many heuristic scanners?

Christoph: “Sandboxing” works great at the backend, in a lab environment, but it doesn’t scale well on a gateway that several thousand end-users are using to surf the web. Therefore, our behavioral analysis is performed almost completely statically, avoiding time-consuming emulation as much as possible.

This comes at the unavoidable cost of false-positives, just as you said. First of all, a false-positive at the gateway means that a user can’t browse a certain web page or download a certain file, and this can always be whitelisted on demand.

Next, when we detect suspicious content on web pages, for example, we only block the whole page when we are relatively sure it might in fact turn out to be malicious. Otherwise, we rather remove only the offending scripts, or even only parts of them.

Likewise, for executable downloads, depending on behavior categories and probability, the administrator can choose to have us not directly block but rather warn the end-user about his download first, showing the possible behavior categories to him, and then the end-user could choose to proceed with his download. In addition, the administrator can further have us check for digitally signed executables, and skip behavioral analysis for trusted certificates.

Jon: I suppose if the user is warned and he knows the download or the site violates the Internet use policy, he might very well abort, since he knows he is being watched. Can the sensitivity be adjusted by the network administrator?

Oliver: Webwasher comes with default block pages in most languages telling the end user exactly why a page was blocked. These block pages can easily be customized to match the corporate design and they can even be extended to provide more information. The settings for Webwasher after installation have the heuristic proactive security filters enabled at a medium sensitivity level, which should be OK for most security conscious customers. Admins can easily apply a setting such as “Strict” or “Low” without the need to understand the details of this technology. More advanced users can fine-tune the sensitivity of the proactive security filters down to a level where for each type of active code they can exactly specify what level of interaction with the operating system is permissible or not.

Jon: Is Webwasher the only product doing this? What are other companies doing? What are the other different approaches?

Oliver: Looking at marketing collateral, it seems there are around a dozen companies claiming to do this. Looking behind the scenes at what is really done, this number shrinks down to Secure Computing and two others (ed. Aladdin and Finjan). Our Webwasher product was actually one of the very early ones providing this technology with market standards to a broader audience and embedded in a suite of security products that are completely integrated. Besides the actual signature-only approach of traditional AV vendors and our Proactive Security filters, there’s one other approach that might be noteworthy and I’ll shortly cover it.

Instead of stopping the actual piece of malware, you try to stop access to this piece of malware. This is basically like expanding the reach of a traditional URL Filter to cover more protocols and to go on a quest to find the bad stuff out there on the internet before it finds you.

Digging into this, there are again two ways companies do this. One with mostly muscle and one with mostly brain. The one I refer to as mostly muscle means actually running huge server farms and crawling the internet 24×7 looking for malware. So if they find something that looks suspicious on the server they block the server. According to the website of the company making the most noise around this (ed. Websense), they cover the whole internet in about 24 hours – I actually find such a statement hard to believe. Even if it is true – on the switch side it shows that ideally they find a new threat in 24 hours, plus the time they need to analyze, QA, and push out to customers. Most traditional AV vendors have on par or even better reaction times, so this different way of doing it shows no immediate and apparent benefit to me.

We’re covering this approach too, but we’re limiting crawlers to special cases and putting some more brains into it. First of all, we make use of the fact that our proactive security filters block malicious code without needing a signature. So when our product installed at a customer site finds some new malicious piece of code, we get automated feedback with the file itself and where it came from. Obviously this is an optional setting customers need to activate manually, but we see more and more customers using it. Second, we’re using a technology dubbed TrustedSource, effectively doing something similar to what our behavior-based heuristic filters are doing for malware, just on the website and domain level. Rather than looking at the content of a website, we’re looking at the social and network neighborhood of the domain. This allows us to build a reputation score providing a good indication of whether a site is potentially malicious or not. We’re using a similar approach with our messaging security products and see tons of cross pollination. Moreover, it turns out that this approach is becoming the de facto standard for enterprise-grade anti-spam filters and now we’re adapting it to the web.

Jon: Let’s talk more next time about how you have adapted TrustedSource reputation technology to URL filtering. I know there are people interested to see how that works. For readers interested in learning more, you can of course visit securecomputing.com or email Oliver (oliver_braekow@securecomputing.com) or me.

Tags: Malware · Podcast · Security · Web Filtering · Web Proxy · Webwasher

2 responses so far

1. badru // Sep 29, 2008 at 10:38 pm

    I’m interested and I want to try?

2. Dirgantoro Gunawan // Nov 5, 2008 at 9:23 am

    I want to try it! Thanks