The Elusive Enemy

Anti-virus protection advances to trap even the sneakiest of viruses: the server-side polymorphic

ENTERPRISES are under siege, with 84 percent of organizations penetrated by e-mail-borne viruses, according to a 2006 study by Osterman Research. The cost is high, around $500 per infected desktop, according to Proofpoint, a messaging security provider. Most organizations have implemented anti-virus technology, and yet users still get infected.

Many enterprises are left with no choice but to implement sweeping policies to block certain types of file attachments, such as .exe, because the anti-virus solution is unable to recognize and block only the malicious attachments. In effect, the system administrator is forced to serve as a safety net for the anti-virus when it is supposed to be the other way around.

In the past, virus writers and virus distributors were simple “script kiddies” or young computer hackers looking for notoriety. But today there is big money involved. Each infected computer generates significant revenue for the malware underworld, either by providing stolen passwords or personal information to aid in identity theft, or simply by recruiting the computer into a botnet that can be rented out to send spam and further virus outbreaks.


With the earliest forms of viruses, traditional anti-virus technology may have been enough protection. However, the newest strains of viruses are designed to take advantage of the main weakness in anti-virus engines—the time it takes for A/V vendors to develop and distribute new signatures or heuristics for protection.

Polymorphic Viruses
The earliest viruses were most often released in a single variant and in massive amounts. When a new virus would be identified, the alarm bells would ring, and IT managers would instruct users not to open e-mail messages with certain subjects or attachments. This was usually enough to protect users until the signature would come out a few hours or days later.

However, after some experimentation with multiple variants in previous years, at the start of 2007, server-side polymorphic viruses were born. Polymorphic malware is malware that self-mutates upon replication, making it more difficult for anti-virus engines to catch. Server-side polymorphic malware refers to the fact that the multiple variants are developed on the server side before being distributed to targets.

The first such malware was “Happy New Year” in late 2006. Early this year, it was followed closely by “Storm-Worm,” Valentine’s Day greetings and others. Even an old-fashioned virus like Bagle, more than three years old, which started out as a run-of-the-mill, single-variant virus, is now a full-fledged, server-side polymorph, at times averaging more than 600 new variants per day.

Even though anti-virus vendors have improved signature/heuristics delivery time down to several hours in some cases, the newest viruses take advantage of that unprotected window and aim all of their ammunition at it.

These server-side polymorphic viruses use several strategies to bypass traditional anti-virus defenses.

Vast variant quantity. This malware is distributed as a vast number of variants. For example, Commtouch measured and blocked more than 800 distinct Happy New Year variants in a single, five-minute period. Storm-Worm distributed more than 7,000 distinct variants on several days of that outbreak, and more than 40,000 altogether during a 12-day period. Since each variant or group of variants requires a different signature, it is impossible for anti-virus engines to keep up with this rapid-fire pace.

Brief variant lifetime. The fleeting lifetime of each variant is two to three hours on average, and each variant rarely makes a second appearance during the outbreak. Since it takes several hours to develop a new signature or heuristic, and up to several days to distribute to end users, the short-lived variants are typically out of distribution by the time traditional anti-virus defenses are available.

Low variant volume. Each variant is distributed in relatively small quantities or instances. Since an anti-virus vendor must be aware of a malware sample in order to analyze it in its laboratory, distribution in low numbers often enables the malware to fly below the radar of the traditional anti-virus engines.

Social engineering. Multiple subject lines and attachment names are used in order to confuse users—they can no longer be protected simply by avoiding e-mail messages with unknown subjects or attachments. Topical subjects are designed to entice people to open the messages. For example, Storm-Worm subject lines had a true, irresistible tabloid quality.

These latest forms of malware are particularly insidious. The distributed malware is an innocent-looking piece of code that is designed to be easily distributed and to penetrate the target computer. Once it reaches the target computer, it can connect to its "master" and download new code that takes it to the next stage. Now the infected computer can be used as a spam-bot, a keylogger, a URL proxy, or for other malicious activity such as DDoS attacks or new malware distribution. The ability of the same code to serve different criminal activities is called a blended threat.

Virus Protection
So if anti-virus is dead as pundit Robin Bloor has been saying for more than a year, what other methods are out there? Commtouch does not believe anti-virus is dead, simply that the older methods require some newer, supplementary ammunition to maintain effectiveness. Defense-in-depth requires a layered solution with diverse technologies in order to combat threats successfully. Many anti-virus vendors—such as F-Secure, VirusBuster and G-Data—use Zero-Hour™ virus outbreak protection as a complement to signature- and heuristic-based solutions. Similar technology also is offered by some unified threat management solutions. In Commtouch’s case, Zero-Hour protection is based on a global data center analysis of more than a billion e-mail messages per day, looking at recurrent patterns in the data, as well as the distribution patterns. Using unique algorithms, the technology blocks unknown malware within moments of it being distributed on the Internet.

Another important layer is a perimeter-based solution, which determines whether to allow or block e-mail messages based on the sender’s IP address and other information. This type of “reputation service,” often incorporated into edge security products and traffic management products such as Sendmail Flow Control, can eliminate a vast amount of unwanted mail before it ever enters the organization, thus reducing bandwidth and storage requirements in addition to improving organization security.
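The two layers described above, outbreak detection from recurrence and distribution patterns and a sender-IP reputation feed, can be sketched in code. The following is an added example written for this page; it is not Commtouch's Zero-Hour implementation or any vendor's code. It assumes message metadata (arrival minute, sender IP, attachment hash and size, subject) has already been extracted from the mail stream; the field names, thresholds, sample traffic and fake hashes are all constructed for illustration. The point it makes is the one the article makes: a signature engine would need one signature per attachment hash, whereas a detector that looks at the shape of the distribution (many distinct hashes, each short-lived, from many senders, sharing one structural template) flags the whole cluster at once, and the sender IPs it collects can feed the perimeter reputation layer.

```python
# Added example (not Commtouch's code): outbreak detection from distribution patterns.
# Assumptions: message metadata is already extracted from the mail stream; field names,
# thresholds and the sample data below are constructed for illustration only.
import hashlib
import re
from collections import Counter, defaultdict


def subject_template(subject: str) -> str:
    """Normalise a subject so 'Happy New Year 2007!' and 'happy new year 2008' share a template."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def fingerprint(size: int, subject: str) -> tuple:
    """Structural key that survives byte-level mutation: 1 KiB size bucket plus subject template."""
    return (size // 1024, subject_template(subject))


def detect_outbreaks(messages, window_minutes=5, min_variants=20,
                     min_sources=10, max_repeats=3):
    """Flag clusters whose window shows many distinct, rarely repeated hashes from many senders.

    Each message is a dict with keys: minute, src_ip, sha256, size, subject.
    Returns a list of dicts {fingerprint, variants, sources, start_minute}.
    """
    clusters = defaultdict(list)
    for m in messages:
        clusters[fingerprint(m["size"], m["subject"])].append(m)

    flagged = []
    for fp, msgs in clusters.items():
        msgs.sort(key=lambda m: m["minute"])
        for start in msgs:
            lo, hi = start["minute"], start["minute"] + window_minutes
            window = [m for m in msgs if lo <= m["minute"] < hi]
            per_hash = Counter(m["sha256"] for m in window)
            sources = {m["src_ip"] for m in window}
            # A signature engine would need one signature per key in per_hash. Here we react
            # to the distribution instead: many hashes, each seen only a few times, many senders.
            if (len(per_hash) >= min_variants and len(sources) >= min_sources
                    and max(per_hash.values()) <= max_repeats):
                flagged.append({"fingerprint": fp, "variants": len(per_hash),
                                "sources": sorted(sources), "start_minute": lo})
                break  # one verdict per cluster is enough
    return flagged


def source_reputation(outbreaks):
    """Count how many flagged clusters each sender IP took part in (input for a perimeter block list)."""
    score = Counter()
    for o in outbreaks:
        score.update(o["sources"])
    return score


def fake_sha256(label: str) -> str:
    """Constructed stand-in for an attachment hash, derived from a label so the sample is deterministic."""
    return hashlib.sha256(label.encode()).hexdigest()


def sample_messages():
    """Constructed traffic: one legitimate newsletter and one server-side polymorphic outbreak."""
    msgs = []
    # Legitimate: one attachment, identical hash every time, one sender, spread over an hour.
    for i in range(60):
        msgs.append({"minute": i, "src_ip": "198.51.100.7",
                     "sha256": fake_sha256("newsletter.pdf"), "size": 40_000,
                     "subject": "Weekly newsletter 12"})
    # Outbreak: 40 distinct variants, each seen at most twice, from 25 senders, within 5 minutes.
    for v in range(40):
        for _copy in range(2 if v % 2 == 0 else 1):
            msgs.append({"minute": 100 + (v % 5), "src_ip": f"203.0.113.{v % 25 + 1}",
                         "sha256": fake_sha256(f"variant-{v}"), "size": 28_000 + v * 7,
                         "subject": f"Happy New Year {2007 + v % 2}!"})
    return msgs


if __name__ == "__main__":
    found = detect_outbreaks(sample_messages())
    for o in found:
        print(f"outbreak: template={o['fingerprint'][1]!r} variants={o['variants']} "
              f"sources={len(o['sources'])} starting at minute {o['start_minute']}")
    print("senders seen in outbreaks:", source_reputation(found).most_common(3))
```

Run as a script, it reports a single outbreak for the "happy new year #!" template with 40 variants from 25 senders, while the newsletter cluster, whose sixty messages all carry the same hash, stays silent. The thresholds are deliberately coarse; a production system would tune them per cluster size and would add further structural features (attachment type, packer characteristics, URL patterns) beyond the two used here.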


This article originally appeared in the June 2007 issue of Security Products.

About the Author

Amir Lev is the president and CTO of Commtouch Software Ltd.
