Close the Zero Hour Gap: Protection From Emerging Virus Threats

By: Proofpoint
Published: Mar 14, 2006
Length: 15 pages
Type: White Paper
Overview:

Today’s malware distributors skirt traditional defenses by exploiting the “zero hour gap,” the time it takes to identify the attacking malware and write signatures that can detect and neutralize it. Recent studies have shown that the lag time, or gap, between when a virus is recognized and when a signature is written to combat it can range from several hours to more than one day. To exploit this gap, virus writers have taken to using several new distribution strategies—so-called short-span attacks and serial-variant attacks. Sometimes they use a combination of both techniques.

This whitepaper examines new virus distribution techniques and how Proofpoint Zero-Hour Anti-Virus technology protects enterprises against new viral outbreaks within minutes of their introduction.

Related categories: Anti Virus, Email Security, Intrusion Detection, Network Security Appliance

The Latest Threats Exploit the “Zero-Hour Gap”
Malware distributors skirt traditional defenses by exploiting the “zero-hour gap,” the time it takes to identify the attacking malware and write signatures that can detect and neutralize it. Recent studies have shown that the lag time, or gap, between when a virus is recognized and when a signature is written to combat it can run anywhere from several hours to more than one day. It doesn’t require a vivid imagination to conjure up the havoc a virus can wreak with even a two-hour head start.
To exploit this gap, virus writers have taken to using several new distribution strategies—so-called short-span attacks and serial-variant attacks. Sometimes they use a combination of both techniques.

Short-span Attacks
Often mass-mailed by zombies or bots that can distribute 100-200 million messages—from thousands of compromised machines—in a matter of hours, a short-span attack can infect many millions of users before signature protection is available. Short-span attacks, with their spam-like distribution pattern of rapid buildup, steady distribution and quick drop-off, are often used to distribute Trojan horse viruses in financially motivated attacks.

Serial-variant Attacks
Before launching an attack, the malware/spam distributor prepares a number of variants, like variations on a theme in classical music. These variations force the anti-virus vendor to write a signature to counter each unique variant. Like time-release capsules, as one variant is countered, another is already launched to infect the network. The more variants, the longer the enterprise is open to attack; the shorter the intervals between variants, the stronger the attack.

On the Road to True Zero-Hour Protection
A number of approaches have been tried to augment or supplement signature-based anti-virus solutions to overcome the challenges presented by malware distributors’ latest attack strategies. Falling roughly into two categories, these are behavioral analysis (or “sandbox” techniques) and heuristic analysis.

Behavioral Analysis—the Sandbox Approach
In its simplest terms, the behavioral analysis or sandbox approach sets up a virtual end-user PC (the sandbox) and runs active email attachments on it while monitoring them for suspicious behavior. When an attachment is found to be attempting malicious activity, such as modifying the registry or changing system settings, it is quarantined.
Behavioral analysis has shortcomings. It is not easily scaled and often cannot detect delayed-action viruses such as worms, spyware and adware, which have all been designed not to leave a trail. It is also highly resource intensive because it requires running the attachments of every email coming into the enterprise. These techniques also require the deployment of hardware on which the “virtual environments” are run.

Heuristic Analysis
Heuristics is analogous to the controversial practice of profiling conducted by some law enforcement agencies to control terrorism or illegal drug trafficking. The theory is “if it looks like a duck, walks like a duck and quacks like a duck, it could, indeed, be a duck.”
In heuristic analysis, email messages and attachments are scanned for characteristics that resemble those of known viruses. An attachment name that hides its extension, or code or script inside the attachment that could modify the registry, are red flags that might cause a message to be quarantined.
A “too sensitive” heuristic engine will cause an overabundance of false positives; if it is not sensitive enough, new viruses will get through. Also, malware authors are not above testing their code against heuristic scanners prior to an attack, then rewriting their code to ensure it breaks through the enterprise’s defenses. A recent IDC study noted that most heuristic-based solutions tested had less than 30% effectiveness in accurately detecting malicious code.
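The sensitivity trade-off described above, as an added illustration that is not from the white paper: a toy heuristic scorer over a constructed set of labelled attachments, where the traits are the ones the paper names (a hidden extension, padding before the extension, registry-modifying script) and the weights, thresholds and samples are assumptions. Lowering the quarantine threshold catches every malicious sample but also flags legitimate ones; raising it lets malicious samples through.

```python
import re
from dataclasses import dataclass

# Constructed sample: a file name plus the first bytes of the attachment, labelled malicious or not.
@dataclass
class Attachment:
    filename: str
    content: str

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs", "js"}
REGISTRY_RE = re.compile(r"(?i)\bRegWrite\b|HKEY_(LOCAL_MACHINE|CURRENT_USER)")

def heuristic_score(att: Attachment) -> int:
    """Weighted score of the 'looks like a known virus' traits the paper lists (weights assumed)."""
    score = 0
    parts = att.filename.lower().split(".")
    if parts[-1] in EXECUTABLE_EXTS:
        # An executable hiding behind a second, benign-looking extension (invoice.pdf.exe) weighs more.
        score += 3 if len(parts) >= 3 else 2
    if re.search(r"\s{5,}\.", att.filename):
        score += 2   # padding spaces push the real extension out of a narrow mail-client column
    if REGISTRY_RE.search(att.content):
        score += 2   # embedded script that could modify the registry
    return score

def quarantine(att: Attachment, threshold: int) -> bool:
    return heuristic_score(att) >= threshold

# (attachment, is_malicious) pairs, all constructed for this illustration.
SAMPLES = [
    (Attachment("invoice.pdf.exe", "MZ\x90\x00"), True),
    (Attachment("report.doc                .scr", "MZ\x90\x00"), True),
    (Attachment("update.js", "new ActiveXObject('WScript.Shell').RegWrite('HKEY_LOCAL_MACHINE\\\\x', 1)"), True),
    (Attachment("setup.exe", "MZ\x90\x00"), False),                                             # IT desk installer
    (Attachment("fix_printer.vbs", 'sh.RegWrite "HKEY_CURRENT_USER\\Software\\Acme", 1'), False),  # admin script
    (Attachment("quarterly.xlsx", "PK\x03\x04"), False),
]

def evaluate(threshold: int) -> tuple[int, int]:
    """Return (false positives, false negatives) over SAMPLES at the given quarantine threshold."""
    fp = sum(1 for att, bad in SAMPLES if quarantine(att, threshold) and not bad)
    fn = sum(1 for att, bad in SAMPLES if bad and not quarantine(att, threshold))
    return fp, fn

if __name__ == "__main__":
    for t in (2, 3, 5):
        print(f"threshold {t}: (false positives, false negatives) = {evaluate(t)}")
```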

A New Approach: Network Traffic Analysis and Recurrent Pattern Detection
Tracking a large sample of many millions of email messages worldwide in real time from a variety of locations, network traffic analysis solutions make it possible to detect a virus outbreak’s footprint. An entirely new approach to virus detection and defense, network traffic analysis warns of an emerging attack “in the wild” before the outbreak reaches the enterprise. This enables organizations to filter out and quarantine high-risk messages with minimal impact on legitimate communications.
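An added, simplified illustration of the traffic-analysis idea (not the product's own engine): a detector that watches message metadata from many sources and raises an alert when one attachment pattern recurs from enough distinct hosts inside a short window, which is the footprint of a short-span attack. The coarse pattern key (attachment type, size and subject shape rather than an exact hash), the window length, the threshold and the traffic sample are all assumptions; the coarse key is what lets byte-different serial variants recur as one pattern.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # look-back window per pattern (assumed value)
MIN_DISTINCT_SOURCES = 5    # distinct sending hosts before a pattern is an outbreak footprint (assumed)

def pattern_key(msg: dict) -> tuple:
    """Coarse fingerprint (attachment type, size in KB, subject with digits collapsed) so that
    serial variants that differ byte-for-byte still land on the same key."""
    subject = re.sub(r"\d+", "#", msg["subject"].lower())
    return (msg["attachment"].rsplit(".", 1)[-1].lower(), msg["size"] // 1024, subject)

class OutbreakDetector:
    def __init__(self, window=WINDOW_SECONDS, min_sources=MIN_DISTINCT_SOURCES):
        self.window, self.min_sources = window, min_sources
        self.recent = defaultdict(deque)   # key -> (timestamp, source host) still inside the window
        self.alerted = set()

    def observe(self, msg: dict):
        """Feed one message; return its key the moment the pattern crosses the threshold, else None."""
        key = pattern_key(msg)
        q = self.recent[key]
        q.append((msg["ts"], msg["src"]))
        while msg["ts"] - q[0][0] > self.window:   # forget observations older than the window
            q.popleft()
        if len({src for _, src in q}) >= self.min_sources and key not in self.alerted:
            self.alerted.add(key)
            return key
        return None

def run(stream: list) -> list:   # -> [(timestamp, key)] for every pattern that crossed the threshold
    det, alerts = OutbreakDetector(), []
    for msg in stream:
        key = det.observe(msg)
        if key is not None:
            alerts.append((msg["ts"], key))
    return alerts

def _msg(ts, src, subject, attachment, size):
    return {"ts": ts, "src": src, "subject": subject, "attachment": attachment, "size": size}

# Constructed traffic sample (seconds since start; RFC 5737 documentation addresses as sources):
STREAM = sorted(
    # a newsletter: many copies, but all from the one list server, so a single source
    [_msg(t, "198.51.100.7", "Weekly digest 12", "digest.pdf", 120_000) for t in (0, 5, 10)]
    # similar reports trickling in 20 minutes apart: never five sources inside one window
    + [_msg(1000 + i * 1200, f"203.0.113.{i}", f"Report {i}", "report.doc", 30_000) for i in range(6)]
    # a short-span serial-variant burst: six hosts, six byte-different zips, inside five minutes
    + [_msg(5000 + i * 50, f"192.0.2.{10 + i}", f"Invoice {1000 + 37 * i} attached",
            f"invoice_{1000 + 37 * i}.zip", 40_000 + i * 170) for i in range(6)],
    key=lambda m: m["ts"])
```

Running `run(STREAM)` yields a single alert at t=5200s for the zip pattern, the fifth distinct host of the burst, while the newsletter and the slow trickle never cross the threshold.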