Malware protection before infection

John Sterlicchi

A US Department of Homeland Security-funded research programme will help deliver Endeavor Security’s new method of targeting botnet and malware attacks before hosts are infected. The service, which runs on an Intel-based appliance running Red Hat’s Fedora operating system, has the capability to detect sophisticated threats.

The malware detection and diagnosis system harnesses the preliminary traces of an attack. By deploying a single device, the company’s Firstlight active malware protection (AMP) allows companies to identify new malware threats as they traverse the wire before an infection occurs. It blocks malware at the gateway and remediates infections by locating infected hosts inside the network.

AMP captures an image of the malware and relays it directly to anti-virus vendors. It also goes after the command and control channel that directs botnet and targeted attacks, stopping it before it gets onto any systems. The service gives administrators a dashboard view of the current state of their network.

Christopher Jordan, Endeavor Security chief executive, told reporters that AMP permits the company to see how the malware code has been modified. “We’ve reverse-engineered the unknown malware we capture, with the objective to remove information on the covert channels. That lets us find infected machines already on the network.”

The service was developed under the Department of Homeland Security’s small business innovation research (SBIR) programme and Endeavor Security is rolling out the technology as a software-as-a-service offering.
Storm botnet peaks on Valentine’s Day

Ian Grant, Computer Weekly
Just over a year since it was first detected, Storm, the blended malware attack, looks like becoming a major vehicle for criminals, say malware researchers. After months of relative dormancy, traffic generated by the Storm botnet ramped up just before Valentine’s Day to peak at between 4% and 5% of internet traffic, said researchers at e-mail hosting service MessageLabs and security supplier Kaspersky Labs.

Phishing messages tried to lure recipients into opening e-mails with subject lines such as Love Rose, Just You, I Love You, Valentine Day and Valentine Dad. The e-mails contained links that apparently went to a Valentine e-card or song that a supposed beloved had chosen. Clicking on the link may well have delivered a card or song, but it also installed malware on the user’s PC to capture keystrokes, load viruses, copy and transmit or delete files, and enrol the PC as part of Storm’s botnet.

Storm uses social engineering techniques - typically temptation and falsely based trust in unsolicited e-mail messages - to lure people to infectious websites. Once a visiting PC is infected, the code hides itself on the user’s PC. Using a variety of methods it then goes on to infect and remember other PCs, thus setting up a peer-to-peer botnet. Researchers have suggested this was the first example of botnets being hired by criminals on a large scale.

Graham Cluley, senior technology consultant at Sophos, an IT security company, said Storm’s owners are now showing less care in coding, despite the huge number of variations they have brought out. “It is almost as if they always have another version in the pipeline. It is now about driving cost down and getting the job done,” he said.

Its pervasiveness, its persistence, its technology and its management make Storm impossible to defeat purely with technology, researchers say. Because Storm depends on people clicking to connect to an insecure website, users will have to stop doing that, and law enforcement and police have to trace and arrest the Storm gang, they say.

This article first appeared on the website of Computer Weekly, www.computerweekly.com © Reed Business Information 2008
INFOSECURITY EUROPE 2008