How to prevent the unknown attack – proactive filtering

If you work in corporate IT, keeping on top of security while keeping the business systems running is a hard job.

We are in a new era of computer security, and it's a dangerous one for businesses. There are now estimated to be over 60,000 known viruses, though fortunately, only around 1000 are dangerous and active.

If you are in the defence business, whether it is physical security, computer security or even terrorism, you can set out to defend yourself against the things you know about. The problems come with the things you don't know about.

Today's attackers can launch waves of new network worms from zombie networks (botnets) made up of thousands of remote-controlled computers. An outbreak that spreads before any signature exists for it is what the industry calls a "Day Zero" (zero-day) attack, and with current attack sophistication the time until millions of Internet PCs are infected has dropped from days to as little as 30 minutes. In contrast, analysing a sample and then creating and distributing virus patterns takes several hours, so an antidote can be available only some hours after the first sample has been analysed.

And for the corporate IT department, that antidote still has to find its way into the "bloodstream" i.e. onto corporate servers, into the network. With the proliferation of mobile devices that also need to be protected, it's a process that takes time, leaving companies vulnerable.

What is needed is some method of recognising the danger signs, and taking the appropriate defensive action. You can liken it to preventive medicine. If you eat the right foods, eat a balanced diet, and take the right supplements, you stand a reasonable chance of warding off problems. No guarantees – but you give yourself a good chance by keeping your immune system healthy.

It is the same with computer security; what is needed is some form of preventive approach, and one solution is "proactive filtering".

The idea builds on "sandboxing" technology. Sandboxing is a technique for creating confined execution environments in which untrusted programs can be run. A sandbox limits the level of access its applications have; it is a container. Code in a sandbox runs in emulation and gets no direct access to the host's hard disk or other resources.

Sandboxing was a promising start, but it has largely failed to keep up as the number and complexity of new viruses has grown. Emulation makes systems run slowly, and it produces many false positives. Worse, where a virus contains a time bomb or logic bomb, the trigger condition is rarely met during the short emulated run, so sandboxing rarely catches it: to the sandbox, the code mistakenly looks harmless.

Now, however, proactive filtering offers a three-way approach: it verifies digital signatures and in so doing blocks any untrusted program code; it screens and blocks suspicious code based on its potential behaviour; and finally it filters out code that tries to exploit vulnerabilities on the client.

Combining these three different anticipatory analyses on the gateway, without the need to deploy and maintain software on the client, can be a cost effective solution to today's hard-pressed corporate IT departments. A proactive filter runs on the gateway and inspects any incoming and outgoing code in three steps, depending on the program code language.

Initially, a proactive filtering system examines any ActiveX controls and Java applets for digital signatures. Any that are not digitally signed are blocked; an administrator is likely to want to block them anyway.

Similarly, if they have been signed but the signed data has been altered since the signature was applied, or if they have been signed by an authority the administrator does not trust, they are blocked as well.

In the second step, a heuristic analysis is performed. Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs. As a result, a heuristic engine is able to detect potentially malicious functionality such as the replication mechanism of a virus, the distribution routine of a worm or the payload of a Trojan.

It is akin to fingerprint analysis, backed by a library of known ActiveX controls. Potential function calls are enumerated regardless of the actual program flow, and known functions are classified against a given set of rules. Depending on the program code language, the detected function calls are then related to one another and compared again with a set of context-sensitive rules. Checksums of the controls are compared with the library: you should see only the ones you know, with a high percentage of matches, and anything that does not match what is in your library is a risk and should potentially be blocked. It is important that the library is updated continually with known patterns for ActiveX controls.

In the third and final step, any "remaining suspects", meaning scripts that try to exploit vulnerabilities on the client, are scanned and filtered out. The scripts themselves may not be malicious, but they are potential enablers used to inject or execute further malicious code. Detecting and filtering such scripts at the gateway stops the malicious payload from being distributed to the clients.
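The three gateway steps above (signature check, heuristic call analysis, exploit-script filtering) as one runnable pipeline. This is an added illustration, not Webwasher's or any vendor's code: the `MobileCode` type, the Ed25519 signature (standing in for Authenticode or JAR signing), the trust store, the suspicious-call lists, the download-and-execute context rule and the two exploit patterns are all assumptions chosen to make the flow concrete, and every sample is constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
)

// MobileCode is a constructed stand-in for an ActiveX control, Java applet or
// script arriving at the gateway. Signer and Signature are empty if unsigned.
type MobileCode struct {
	Name      string
	Language  string // "activex", "java" or "script"
	Body      []byte
	Signer    string // identity named in the signature block
	Signature []byte // Ed25519 over Body (assumption; real controls use Authenticode/JAR signing)
}

// Verdict is the gateway's decision; Step is the step that blocked (0 if allowed).
type Verdict struct {
	Allowed bool
	Step    int
	Reason  string
}

// Gateway holds the administrator's trust store and the heuristic rule sets.
type Gateway struct {
	TrustedSigners  map[string]ed25519.PublicKey
	SuspiciousCalls map[string][]string // per language: calls rarely seen in benign code
	Threshold       int                 // block once this many suspicious calls are present
	ExploitPatterns []*regexp.Regexp    // script constructs typical of client exploits
}

// NewGateway builds a gateway with illustrative rules (assumptions, not a vendor rule set).
func NewGateway(trusted map[string]ed25519.PublicKey) *Gateway {
	return &Gateway{
		TrustedSigners: trusted,
		SuspiciousCalls: map[string][]string{
			"activex": {"URLDownloadToFile", "ShellExecute", "WriteProcessMemory", "RegSetValue"},
			"java":    {"Runtime.exec", "System.loadLibrary", "setSecurityManager"},
			"script":  {"ActiveXObject", "WScript.Shell", "Scripting.FileSystemObject"},
		},
		Threshold: 2,
		ExploitPatterns: []*regexp.Regexp{
			regexp.MustCompile(`unescape\("%u[0-9a-fA-F]{4}`), // heap-spray style shellcode string
			regexp.MustCompile(`new ActiveXObject\(`),          // instantiating controls from script
		},
	}
}

// Step 1: unsigned code, an untrusted signer, or content altered after signing is blocked.
func (g *Gateway) checkSignature(c *MobileCode) Verdict {
	if len(c.Signature) == 0 {
		return Verdict{false, 1, "unsigned " + c.Language + " code"}
	}
	pub, ok := g.TrustedSigners[c.Signer]
	if !ok {
		return Verdict{false, 1, "signer not in trust store: " + c.Signer}
	}
	if !ed25519.Verify(pub, c.Body, c.Signature) {
		return Verdict{false, 1, "signature does not match content (altered after signing)"}
	}
	return Verdict{true, 0, ""}
}

// Step 2: enumerate suspicious calls regardless of program flow, then apply a
// context-sensitive rule that relates two calls to each other (download + execute).
func (g *Gateway) heuristic(c *MobileCode) Verdict {
	body := string(c.Body)
	var found []string
	for _, call := range g.SuspiciousCalls[c.Language] {
		if strings.Contains(body, call) {
			found = append(found, call)
		}
	}
	if strings.Contains(body, "URLDownloadToFile") && strings.Contains(body, "ShellExecute") {
		return Verdict{false, 2, "download-and-execute pattern"}
	}
	if len(found) >= g.Threshold {
		return Verdict{false, 2, "suspicious calls: " + strings.Join(found, ", ")}
	}
	return Verdict{true, 0, ""}
}

// Step 3: scripts carrying exploit enablers are filtered even if not malicious by themselves.
func (g *Gateway) exploitFilter(c *MobileCode) Verdict {
	for _, re := range g.ExploitPatterns {
		if re.Match(c.Body) {
			return Verdict{false, 3, "exploit pattern: " + re.String()}
		}
	}
	return Verdict{true, 0, ""}
}

// Inspect runs the steps in order; signatures apply to controls and applets, step 3 to scripts.
func (g *Gateway) Inspect(c *MobileCode) Verdict {
	if c.Language == "activex" || c.Language == "java" {
		if v := g.checkSignature(c); !v.Allowed {
			return v
		}
	}
	if v := g.heuristic(c); !v.Allowed {
		return v
	}
	if c.Language == "script" {
		if v := g.exploitFilter(c); !v.Allowed {
			return v
		}
	}
	return Verdict{true, 0, ""}
}

// Sign attaches an Ed25519 signature (stand-in for the publisher's signing step).
func Sign(c *MobileCode, signer string, priv ed25519.PrivateKey) {
	c.Signer = signer
	c.Signature = ed25519.Sign(priv, c.Body)
}

func main() {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	gw := NewGateway(map[string]ed25519.PublicKey{"Example Publisher": trustedPub})
	chart := &MobileCode{Name: "chart.ocx", Language: "activex", Body: []byte("DrawChart(); SaveSettings();")}
	Sign(chart, "Example Publisher", trustedPriv)
	dropper := &MobileCode{Name: "update.ocx", Language: "activex", Body: []byte("URLDownloadToFile(u, f); ShellExecute(f);")}
	Sign(dropper, "Example Publisher", trustedPriv)
	spray := &MobileCode{Name: "page.js", Language: "script", Body: []byte(`var s = unescape("%u9090%u9090");`)}
	for _, c := range []*MobileCode{chart, dropper, spray} {
		fmt.Printf("%-10s %+v\n", c.Name, gw.Inspect(c))
	}
}
```

Note that the dropper is blocked at step 2 even though its signature is valid and trusted: the steps are cumulative, so a trusted signer buys admission to the behavioural check, not a bypass of it.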

This approach, proactive filtering, can act as a penicillin for corporate IT departments' typical pain points, such as spam and phishing attacks, where users receive email containing a link that takes them to a site impersonating the company's website.

Often, such phishing attacks are aimed at financial services company sites, with a goal of eliciting user passwords to access accounts. Proactive filtering can help neuter such phishing attacks, and also counter spyware, which can secretly gather personal information such as your email address, location and even credit card information, and pass it on to a third party.

The risk of current threats, caused by their complexity allied to the use of largely immature new technologies and communications methods, such as Bluetooth, is an issue that corporate executives must address. Every new technology is a potential carrier of a new virus, and in future, Day Zero attacks could occur two or three times a week, given the increasing sophistication of the attackers.

If that worries you, think about taking your preventive medicine: Proactive Filtering.

Dr. Horst Joepen is president and CEO of Webwasher AG, a CyberGuard company.
