Gunter Ollmann
Gunter Ollmann

In many ways, much of corporate security is a bit like dealing with those pesky odd jobs around the house.

There's always something that needs fixing, painting or screwing back in. All too often we find that many of the smaller jobs get pushed back and postponed for some reason or another. There's a litany of things that should be done -- like installing a doorstop behind the bathroom door to prevent the kids from slamming open it open and the handle inadvertently punching a hole through the drywall.

You know how it goes -- despite the best of intentions, things get put off and then, wham! Instead of the original $5 price tag and 15-minute effort, you now have to deal with something considerably bigger and more expensive -- and there goes the entire weekend.

For the last few weeks many corporate security teams and CISOs have been facing the same frustrated, self-induced, Homer Simpson “Doh!” experience in face of the Apple Flashback malware outbreak.

They'd heard the rumblings about malware for the Mac OS X for years, they've received the glossy literature from anti-virus and IPS vendors at the last few RSA conferences, and it was on their list for doing something about… soon. Next thing, they turn around and there are 10 times as many corporate Macs and BYOD notebooks as they thought there were, and half of them are already leaching out important files and stuff.

But why didn't their newest anti-malware protection platforms work? Why didn't the new tools that were meant to  fill in the holes of the traditional desktop anti-virus products work? Simply put, because nobody has been that interested in protecting against non-Windows 32-bit malware, and the money hasn't been there for the vendors to offer up solutions in the realm.

Take for example the latest and greatest gap-filler anti-virus technology -- appliance-based virtual machine malware dynamic analysis systems. It's a mouthful, but some simply call it next-generation anti-virus (NGAV) or next-generation IPS (NGIPS).

What they're supposed to do is automatically intercept copies of Windows 32-bit executable files that are being downloaded from the web or shuttled over email, throw them into automated virtual machines so that the binary file is made to run, flag files that look to be malicious and, in a lot of cases, create a signature that can be deployed within the IPS component of the NGIPS solution.

So here's the shocker: the Flashback malware infecting Macs isn't a Windows 32-bit executable! So all those lovely shiny NGAV and NGIPS appliances being deployed out there are blissfully incapable of observing the threat -- lest we forget also missing Windows 64-bit malware, Android malware, iOS malware, Blackberry malware, Linux malware, etc).

It's not the vendor's fault. Their products are working exactly as marketed and probably performed perfectly in the proof-of-concept and evaluation deployments, as the corporate security teams chucked sample after sample of 32-bit Windows malware at it. These signature-less malware detection systems just aren't designed or built to handle the other operating system threats.

Automated dynamic analysis of malware is hard. The vast corpus of knowledge in that area is almost exclusively tied to the types of malware that affect Windows XP and Windows 2000. Handling suspicious binaries and malware that affect other operating systems and environments is more difficult, and is not quite at a level that it can be tin-wrapped and sold as an array of appliances.

The stop-gap for those corporations seeking to mitigate Flashback who have purchased and deployed signature-less NGIPS technology, is to deploy a vendor-supplied signature.

Is it just me, or is it kind of messed up that the new-fangled signature-less protection systems -- which are essentially gap fillers for signature-based network inspection engines, which are in turn gap-fillers for host-based anti-virus software -- require their own batch of vendor-supplied signatures to work?

It's not supposed to work this way. This is kind of like throwing a cushion behind the door after the kids have already knocked that hole in the drywall so they don't make the hole any bigger. It neither fixes the more serious problem -- e.g. the hole in the wall -- nor does it prevent it from happening elsewhere -- e.g. the other doors around the house to which you haven't extended your budding, do-it-yourself home maintenance skills.

If you were looking to deploy dynamic defense architectures and signature-less detection systems, I'd strongly advise you to examine the full spectrum of threats you're going to face today -- and next week -- and choose wisely. If your organization has a mix of operating systems, devices or BYOD strategies -- and don't they all nowadays -- make sure that your evaluation and testing strategy extends to these newer threats if you want to avoid another “Doh!” moment and mad scrabbling for post-breach fixes.