Stormy weather for malware defenses

The spread of the Storm Worm has forced anti-virus firms to create better defenses to automatically block such threats, rather than depend on simple heuristics or signatures.

Unlike previous malicious code, such as mass-mailing computer viruses, the Storm Worm is not a program that spreads aggressively on its own. Rather, the Trojan horse awaits orders from a central command post to send out the next round of variants. The control has made the program, if not stealthy, then more difficult to stop. The bursts of new variants make a quick response even more important, and the fact that the variants do not exploit a single vulnerability, but users' trust, make them more difficult to stop.

"Vulnerability-based exploits only require a single, or at most a few, signatures," said Vince Hwang, group product manager for security response at Symantec, the owner of SecurityFocus. "The ones that rely on user interaction are definitely a challenge. It is all social engineering."

Other attacks, known as targeted Trojan horses, exploit a related issue to dodge antivirus defenses. By sending out malicious code to an extremely small number of victims - often fewer than 10 specific individuals - the malicious software attempts to sneak under defenders' radar. Underscoring the less-is-more tactic, programs - such as the Storm Worm and targeted Trojan horses - have not made the monthly top-10 lists of security firms' most pervasive threats. On MessageLabs latest top-10 list, for example, Netsky, MyDoom, and Bagle - viruses that are almost two years old - command six of the 10 slots.

For both variant-heavy threats such as the Storm Worm and sneaky targeted Trojan horses, blocking the threat immediately requires technology that does not need to know about the attack, or its pattern, beforehand. And self-propagation, the hallmark of computer viruses, is no longer an adequate indicator of bad behaviour.

"For over a year now, viruses are not viruses," said CommTouch's Lev. "There are no more epidemics. Instead, they (spammers) use bot nets to send spam and then more malware."

Perhaps the most significant technology under development at various anti-virus firms is typically referred to as behaviour blocking. The technique identifies malicious programs by what actions they take, not by the code that makes them up.

The defense is actually a blast from the past. Anti-virus firms and early developers played with the approach more than a decade ago. Gatekeeper for the Mac, created by Chris Johnson in the early 1990s, detected malicious code by noting suspicious actions. Personal firewalls attempt to block malicious programs from communicating out to the internet.

Several anti-virus firms - including Sophos, F-Secure and Grisoft - are building next-generation behaviour analysis into their products. The modern technique creates a virtual sandbox for any program run on the system and monitors the behavior of the program until a determination can be made of whether the code is malicious or benign.

"If you are seeing something that is obviously poking its head into things that it shouldn't be, then we can shut it down," said Larry Bridwell, vice president of communications for anti-virus firm Grisoft.

Unlike the simple techniques in the past that generally decided whether a program was malicious based on a single action, the latest techniques allow a program to run longer, reducing false alarms.

"What did it take for behavioural analysis to work?" said Bridwell. "Big processors, big memory and big bandwidth. And we didn't have that before."

While viruses make up a smaller portion of threats each year - about 10 per cent of what Grisoft sees are viruses, said Bridwell - don't expect the term "anti-virus" to go away. Grisoft attempted to sell a product as anti-malware and consumers panned it on the name alone.

"To some analysts, some press and every user, it doesn't matter what the program does, it's anti-virus," Bridwell said.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus