Bob Violino
Contributing writer

This means war

Mar 22, 2004 (9 min read)
Hacking, Intrusion Detection Software, IT Leadership

The IT security community arms for battle with sophisticated new strategies and technologies for eradicating worms.

Assaults such as the recent Bagle and MyDoom worms prove once again that “malware” attacks – viruses and worms – are not only growing more prolific but also more sophisticated. And this is only the beginning, the IT security community fears.

As their companies become more interconnected via new data center technologies, network security officers and their security vendors worry about the next generation of such attacks, called “superworms.” This malware would feature the most potent elements of existing worms and be aimed at specific targets.

“In the past, viruses never spread far because people had to execute them and we could develop virus signatures to counteract them,” says Steven Hofmeyr, chief scientist at Sana Security, an intrusion-prevention software vendor. “Worms spread very rapidly because there’s no human intervention. We need different mechanisms for dealing with them.”

It’s war, and network managers and security vendors have only just begun fighting back. They’re exploring new technologies and launching creative efforts to counter attacks that cost billions of dollars in fixes and lost productivity.

Mixing old tactics with new

To protect their companies against today’s fast-moving malware, network executives are combining aggressive policies with new and existing technologies. For instance, The Weather Channel in Atlanta uses MailMarshal from NetIQ. The product blocks e-mail messages with suspected viruses as if they were spam. When SoBig.F hit in June 2003, The Weather Channel immediately grabbed the details about the content of SoBig.F messages and loaded that data into MailMarshal to filter inbound mail, says Christina Neustadt, director of customer service at The Weather Channel. Consequently, it quickly stopped infected attachments without disrupting legitimate e-mail.

Neustadt says the company, which filters out as spam about half of the 100,000 or so e-mails received per day, is aware that some zero-day viruses could slip through. Zero-day viruses are new attacks that appear before anti-virus companies have had a chance to release fixes. To deal with those attacks, The Weather Channel uses Network Associates’ McAfee anti-virus software, which scans all desktop machines daily. The company is exploring intrusion-prevention technology, subscribes to CERT advisories and analyzes anti-virus sites. “We do a lot of upfront due diligence, constantly trolling for what may be out there,” Neustadt says.

Texas Tech University in Lubbock was plagued with viruses – 75 to 100 computers per month were being infected – until the university standardized on the McAfee anti-virus suite, replacing an unregulated assortment of anti-virus software, says Joe Green, assistant vice president of technology services for the university. Texas Tech then implemented intrusion-detection software and launched an incident-response program. The program has proved to be a particularly effective defensive weapon because it handles the major, but often overlooked, role of establishing and enforcing security policies.

Through the incident-response program, Texas Tech quickly notifies key departmental managers when malware attacks become known, and isolates segments of its network as necessary to stop the spread of viruses or worms. Employees must follow a formal incident-response procedure, which includes notifying help desk personnel when they discover a virus or problems on their computers that might indicate the presence of a virus. Employees are trained on how to detect viruses, what to do and what not to do – such as not forwarding suspect e-mails.

Other companies are seeking new technologies to help bolster their defenses. Praxair, a gas products manufacturer in Danbury, Conn., is evaluating a product from WholeSecurity that monitors the behavior of desktop machines and their users’ activity. If something unusual happens that doesn’t jibe with set parameters in the software, the product blocks network access for that machine and alerts a central console, says John Hill, CIO at Praxair.

While similar to intrusion-detection products, the vendor calls this method “on-demand security.” The product, Confidence Online, is downloaded and installed from a browser without requiring the user to reconfigure a device, the vendor says. Once downloaded to individual PCs, the software automatically detects activities such as electronic eavesdropping, Trojan horses or other hacker activities. It looks for signs of unauthorized remote access, blocking access to the network from the device if it determines an intrusion has occurred.

“Clever worm writers can change the digital signature of a worm very quickly,” Hill says. “This [technology] doesn’t depend on signature analysis but on the behavior of the machine itself.”

Praxair uses other tools such as patch management and also has formed a global incident-response team. Members of the team perform continuous monitoring of the corporate networks in various Praxair locations and immediately shut down specific router ports if a malware attack is identified.

In the R&D labs

Vendors, too, are at battle stations – in their research-and-development labs. They have developed many promising young technologies that will be appearing in future products in yet-to-be determined time frames. For example, Symantec is evaluating how to apply its anti-spam heuristics technology to worm defense, the company says. Heuristics sends e-mail through a series of tests to distinguish spam from legitimate messages. Symantec is exploring how heuristics can analyze e-mail for characteristics that indicate it includes a fast-spreading worm, how the worm is spreading and, ultimately, how to keep infected machines from affecting others.
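The two mail-filtering approaches the article describes sit side by side in the following added example: the exact-match rule The Weather Channel loaded into its filter after grabbing the details of an outbreak, and the kind of multi-test heuristic scoring Symantec says it is adapting from anti-spam work. This is illustrative code written for this page, not NetIQ's MailMarshal or Symantec's product; the three sample messages, the signature set, the individual tests and their weights are all constructed assumptions. The point it shows is the zero-day gap: a variant with a new subject and attachment name passes the signature rule but still accumulates enough weak indicators to be held.

```python
import re
from email.message import EmailMessage

# Extensions that commonly carry executable content in mail-borne worms.
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".bat", ".com", ".vbs")


def build_message(subject, sender, body, attachment_name=None):
    """Construct a sample message in memory (constructed test data, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg


def attachment_names(msg):
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def signature_match(msg, signatures):
    """Exact-match filter: the operator loads the subjects and attachment names
    seen in a known worm's messages, as described for SoBig.F."""
    if str(msg["Subject"]) in signatures["subjects"]:
        return True
    return any(name in signatures["attachments"] for name in attachment_names(msg))


def heuristic_score(msg):
    """Run the message through a series of weak tests and add up the points.
    The tests and weights are illustrative assumptions, not a vendor's rules."""
    score = 0
    # Executable attachment: the strongest single indicator.
    if any(name.lower().endswith(EXECUTABLE_EXTENSIONS) for name in attachment_names(msg)):
        score += 2
    # A "reply" to a conversation the recipient never started.
    subject = str(msg["Subject"] or "").strip()
    if re.match(r"^(re|fwd?):", subject, re.IGNORECASE):
        score += 1
    # A terse body whose only purpose is to get the attachment opened.
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    if len(text.strip()) < 80 and "attach" in text.lower():
        score += 1
    return score


def classify(msg, signatures, threshold=3):
    if signature_match(msg, signatures):
        return "blocked-signature"
    if heuristic_score(msg) >= threshold:
        return "blocked-heuristic"
    return "deliver"


# Constructed signature set, standing in for what an operator loads after an outbreak.
SIGNATURES = {"subjects": {"Re: Details"}, "attachments": {"your_document.pif"}}

KNOWN_WORM = build_message("Re: Details", "alice@example.org",
                           "See the attached file for details.", "your_document.pif")
ZERO_DAY_VARIANT = build_message("Re: Approved", "bob@example.org",
                                 "Please see the attached file for details.", "report_2004.scr")
LEGITIMATE = build_message("Q1 budget figures", "carol@example.com",
                           "Hi, attached are the Q1 budget numbers we discussed in yesterday's "
                           "meeting. Let me know if anything looks off before I send them to "
                           "finance on Friday.", "budget_q1.xls")

if __name__ == "__main__":
    for label, msg in [("known worm", KNOWN_WORM), ("zero-day variant", ZERO_DAY_VARIANT),
                       ("legitimate", LEGITIMATE)]:
        print(f"{label:17} score={heuristic_score(msg)} -> {classify(msg, SIGNATURES)}")
```

Signature rules are cheap and never false-positive on legitimate mail, which is why they are loaded first; the heuristic layer trades some precision for coverage of variants the signature author has not seen yet, and its threshold is the knob an operator tunes against the false-positive rate on real traffic.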

Symantec also is studying a concept it calls threat tracers, which would let administrators identify which machines generate threats through open file sharing. Administrators would be able to trace an attack back to a machine on the network and determine how an infection occurred, while also identifying weak points in the network that need to be bolstered.

Intrusion-detection vendors, too, are busy creating technologies to thwart zero-day malware. Sana last year launched intrusion-prevention software called Primary Response, which uses principles of the human immune system to secure server applications and data. (The product analyzes application code and builds profiles of normal behavior, and continuously monitors applications to find abnormal behavior.) Sana is working on technology that would let Primary Response sense which servers are most vulnerable to attacks at particular times and then automatically institute higher levels of security. A server determined to be vulnerable would be monitored closely, while servers determined to be a lower risk would not receive intense scrutiny.
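As an added illustration of the "profile normal behavior, then flag deviations" idea, the following code builds a profile from short system-call traces of a healthy application and scores later traces by how many call sequences were never seen in training. This is a generic example written for this page, not Sana's Primary Response; the fixed-length sequence window, the constructed traces and the alert threshold are assumptions.

```python
WINDOW = 3  # length of each system-call sequence in the profile (assumed value)


def build_profile(normal_traces, window=WINDOW):
    """Learn the set of short call sequences a healthy application produces."""
    profile = set()
    for trace in normal_traces:
        for i in range(len(trace) - window + 1):
            profile.add(tuple(trace[i:i + window]))
    return profile


def anomaly_score(trace, profile, window=WINDOW):
    """Fraction of sequences in `trace` never seen during training (0.0 = fully normal)."""
    windows = [tuple(trace[i:i + window]) for i in range(len(trace) - window + 1)]
    if not windows:
        return 0.0
    unseen = sum(1 for w in windows if w not in profile)
    return unseen / len(windows)


def monitor(trace, profile, threshold=0.2, window=WINDOW):
    """Continuous check: a lower threshold means closer scrutiny of a higher-risk server."""
    score = anomaly_score(trace, profile, window)
    return {"score": score, "abnormal": score > threshold}


# Constructed traces of a small network service handling requests normally.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "write", "close"],
    ["accept", "read", "open", "read", "read", "write", "close"],
    ["accept", "read", "write", "close"],
]

# Constructed trace in which the same service suddenly launches a program and
# opens its own outbound connection: behaviour the profile has never contained.
WORM_LIKE_TRACE = ["accept", "read", "open", "read", "write",
                   "execve", "socket", "connect", "sendto", "close"]

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    print("normal  :", monitor(NORMAL_TRACES[0], profile))
    print("abnormal:", monitor(WORM_LIKE_TRACE, profile))
```

The model needs no signature of the worm; it flags the trace because the sequence `write, execve, socket` and everything after it was never part of the application's learned repertoire. The cost is training coverage: a legitimate code path that was never exercised during profiling scores as anomalous too, so profiles are built over a representative period before enforcement.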

HP researchers are in the early stages of developing a technique, called virus throttling, that slows the spread of viruses from an infected machine by restricting the number of connections it tries to make with other machines. The technique was tested against MS-SQL Slammer in the lab and within two-tenths of a second nearly stopped the spread of the worm, HP says.
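The following added simulation shows the throttling mechanism in miniature and why it distinguishes a scanning worm from a user's desktop without looking at any signature, which is also the point Hill makes about behavior-based detection earlier in the article. It is example code written for this page, not HP's implementation; the working-set size, the release rate of one new destination per tick, the queue limit and the two traffic patterns are constructed assumptions.

```python
from collections import OrderedDict, deque


class ConnectionThrottle:
    """Rate-limits the number of *new* destinations a host may contact.

    Connections to recently used destinations (the working set) pass at once;
    a connection to a new destination waits in a queue that is drained at
    `rate_per_tick` destinations per tick.  Queue overflow is the detection
    signal: a normal host never fills it, a scanning worm fills it at once.
    """

    def __init__(self, working_set_size=5, rate_per_tick=1, max_queue=10):
        self.working_set_size = working_set_size
        self.rate_per_tick = rate_per_tick
        self.max_queue = max_queue
        self.working_set = OrderedDict()   # destination -> tick last used (LRU order)
        self.queue = deque()               # destinations waiting for a release slot
        self.tick = 0
        self.sent = []                     # (tick, destination) actually allowed out
        self.dropped = 0
        self.alerted = False

    def request(self, destination):
        """Return 'sent', 'queued' or 'dropped' for one connection attempt."""
        if destination in self.working_set:
            self.working_set.move_to_end(destination)
            self.sent.append((self.tick, destination))
            return "sent"
        if destination in self.queue:          # already waiting; do not queue twice
            return "queued"
        if len(self.queue) >= self.max_queue:  # overflow: throttled and flagged
            self.alerted = True
            self.dropped += 1
            return "dropped"
        self.queue.append(destination)
        return "queued"

    def advance_tick(self):
        """One clock tick: release up to rate_per_tick queued destinations."""
        self.tick += 1
        for _ in range(self.rate_per_tick):
            if not self.queue:
                break
            destination = self.queue.popleft()
            self.working_set[destination] = self.tick
            if len(self.working_set) > self.working_set_size:
                self.working_set.popitem(last=False)   # evict least recently used
            self.sent.append((self.tick, destination))


def simulate(traffic, **throttle_args):
    """traffic: list of ticks, each a list of destinations the host tries to reach."""
    throttle = ConnectionThrottle(**throttle_args)
    outcomes = []
    for destinations in traffic:
        outcomes.extend(throttle.request(d) for d in destinations)
        throttle.advance_tick()
    return throttle, outcomes


def summarize(traffic, **throttle_args):
    throttle, _ = simulate(traffic, **throttle_args)
    return {"sent": len(throttle.sent), "dropped": throttle.dropped,
            "alerted": throttle.alerted,
            "new_destinations_admitted": len({d for _, d in throttle.sent})}


# Constructed traffic. A user's desktop talks to a handful of servers again and again.
NORMAL_TRAFFIC = [["mail", "web1"], ["mail", "web1", "web2"], ["mail", "web2"],
                  ["mail", "web1", "web3"], ["mail"]]
# A scanning worm tries fifty different addresses every tick.
WORM_TRAFFIC = [[f"10.0.{tick}.{n}" for n in range(50)] for tick in range(5)]

if __name__ == "__main__":
    print("desktop:", summarize(NORMAL_TRAFFIC))
    print("worm   :", summarize(WORM_TRAFFIC))
```

The desktop's four servers all get through with at most a one-tick delay on first contact and the queue never overflows; the infected host is held to one new destination per tick and trips the alert during its first tick, which is the "within two-tenths of a second" effect the article reports for the lab test. The price is the small delay normal hosts see on first contact with a new server, so the working-set size and release rate are tuned against measured user traffic.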

Vendors such as F-Secure, Network Associates and Trend Micro are gearing their R&D toward multiple-defense systems that combine security methods. F-Secure last fall introduced a combined anti-virus/firewall/intrusion-prevention box. Future developments for it will include sandboxing technologies, says Mikko Hyppönen, director of anti-virus research at F-Secure. Sandboxing involves creating a virtual, protected PC within a PC – and then executing a suspicious acting program there, Hyppönen says. “If it tries to do ‘nasty’ things, it can’t, as it can’t access things outside the sandbox. And this will alert the monitoring program about the nasty nature of the program under question. In practice, this is done by emulating Windows within Windows,” he says.

Vendors unite against the bad guys

Joint vendor development efforts hold promise for faster-responding security products.

United we stand. That could be the motto of security vendors as they band together to try to protect companies from viruses and other malicious code.

For example, in one initiative, security vendors have teamed to develop the Application Vulnerability Description Language (AVDL), a security interoperability standard overseen by Organization for the Advancement of Structured Information Standards (OASIS). AVDL will create a uniform way to describe security vulnerabilities using XML, so security products from multiple vendors can effectively communicate with each other about specific vulnerabilities. Proponents say this will let organizations more easily coordinate multi-layer security strategies.

“The group submitted the final AVDL specification to the OASIS standards body for approval in February,” says Wes Wasson, chief strategy officer at NetContinuum, one of the group’s member companies.

— Bob Violino

Network Associates’ R&D efforts focus on merging the behavioral-analysis technology of intrusion prevention with the signature-based scanning of traditional anti-virus products. The work targets two points: the network perimeter (the Internet gateway) and the host (the desktop or server). Gateway scanning can effectively stop high-speed, memory-resident worms such as Slammer, the company says, while host-based scanning would work best for malware that arrives in encrypted traffic, such as Secure Sockets Layer, or on physical media.

Meanwhile, Trend Micro is developing products for working with network devices such as routers and hubs. These products would monitor traffic for sudden changes in activity and cut off an offending system, says Bob Hansmann, senior product marketing manager for enterprise products at Trend Micro.

Creative strategies

Beyond building new technologies, security vendors also are engaging creative strategies in the battle against malware. Symantec has launched worldwide education and awareness initiatives to provide corporations with materials to educate their workers. And it has conducted extensive research on the motivations of virus writers. Symantec found that writers of self-replicating code such as viruses are motivated by the perceived challenge, peer recognition and curiosity. The company’s research also determined that the hacker and virus communities are not converging: each tends to have its own skill sets, methods of communication, distribution and interaction, and motivations.

Vendors also are getting better at developing early warning systems to deal with fast-moving worms, says Wes Wasson, chief strategy officer at NetContinuum, a security appliance vendor. For example, vendors are examining Internet traffic patterns that might indicate a virus writer is preparing to attack a known or unknown vulnerability, then sharing this information with other vendors and the media.

After Slammer hit last spring, technicians reviewed scan patterns of network ports that SQL uses. They noticed that in the six to eight weeks before the attack those ports saw a substantial spike in scanning activity. They could apply the same detective work to other known vulnerabilities to see if scans had increased.
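The retrospective analysis described here, looking back over weekly scan counts against a port and asking when the activity rose well above its earlier level, is straightforward to automate. The added example below does that over constructed firewall log lines: it aggregates daily scan totals per destination port into ISO weeks and flags any week whose count is at least three times the median of the weeks before it. This is illustrative code written for this page, not any vendor's early-warning system; the log format, the port 1434/udp and 80/tcp series, the start date and the three-times-median rule are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed log format: one line per firewall, port and day with that day's scan total.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) firewall=\S+ dport=(?P<port>\d+/\w+) scans=(?P<scans>\d+)$")


def constructed_daily_log(first_monday, port, weekly_totals):
    """Spread constructed weekly totals over the days of each week (sample data only)."""
    lines = []
    for week, total in enumerate(weekly_totals):
        base, extra = divmod(total, 7)
        for dow in range(7):
            day = first_monday + timedelta(weeks=week, days=dow)
            scans = base + (1 if dow < extra else 0)
            lines.append(f"{day.isoformat()} firewall=fw-edge dport={port} scans={scans}")
    return lines


def weekly_counts(lines):
    """Return port -> {(iso_year, iso_week): scans}, skipping lines that do not parse."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        year, week, _ = date.fromisoformat(m["day"]).isocalendar()
        counts[m["port"]][(year, week)] += int(m["scans"])
    return counts


def find_spikes(series, min_history=4, factor=3.0):
    """Flag weeks whose count is at least `factor` times the median of all earlier weeks.

    The median keeps one or two already-elevated weeks from dragging the
    baseline up too quickly; with a long run of spikes it still rises, so
    the ratio column is the thing to read, not just the flag.
    """
    weeks = sorted(series)
    spikes = []
    for i in range(min_history, len(weeks)):
        baseline = median([series[w] for w in weeks[:i]])
        count = series[weeks[i]]
        if baseline > 0 and count >= factor * baseline:
            spikes.append((weeks[i], count, round(count / baseline, 1)))
    return spikes


def scan_spike_report(lines, **spike_args):
    return {port: find_spikes(series, **spike_args)
            for port, series in weekly_counts(lines).items()}


# Constructed eight-week series starting Monday 2002-11-18: probes of the SQL
# resolution port climb steeply while web-port probes stay flat.
SAMPLE_LOG = (
    constructed_daily_log(date(2002, 11, 18), "1434/udp", [110, 95, 130, 105, 420, 510, 880, 1250])
    + constructed_daily_log(date(2002, 11, 18), "80/tcp", [300, 310, 290, 305, 315, 295, 300, 310])
)

if __name__ == "__main__":
    for port, spikes in scan_spike_report(SAMPLE_LOG).items():
        print(port, "no spike" if not spikes else "")
        for (year, week), count, ratio in spikes:
            print(f"  {year}-W{week:02d}: {count} scans, {ratio}x earlier median")
```

Run forward rather than in hindsight, the same routine over the ports of other known vulnerabilities is the early-warning check the paragraph suggests; the minimum-history and factor parameters set how many quiet weeks are needed before a rise counts as a signal.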

Many anti-virus experts occasionally infiltrate virus chat rooms and underground discussion groups, Hyppönen says, posing as virus writers to learn about new attacks planned or vulnerable targets. “We also rely on key informants to get information like this from the other side,” he says. Whatever it takes to win the war.

Violino is a freelance writer covering business and technology. He can be reached at .