Stopping targeted attacks, why signatures are not enough anymore

We have seen and targeted attacks on users. As a defender, I have been on the lookout for the next generation of new Anti-virus technologies.
As we can see, the Malware Boom Puts Pressure on AV Labs: The volume of malware attacks has increased 185 percent in recent months, and antivirus research labs are struggling to keep up. We need the next generation which will fight malware without relying on signature updates

Last week, I happened to stumble upon Symantec Endpoint Protection.

  • Proactive Threat Scanning Behavioral-based protection that protects against zero-day threats and threats not seen before.
  • Advanced Rootkit Detection and Removal Provides superior rootkit detection and removal by integrating VxMS (Veritas Mapping Service—a Veritas technology), thereby providing access below the operating system to allow thorough analysis and repair.
  • Application Control Allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed as suspicious or high risk.
  • Device Control Controls which peripherals can be connected to a machine and how the peripherals are used. It locks down an endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices.
Being able to lock down parts of the registry and stop binaries being written to disk for example can already stop a lot of infections. On the SANS website, I also found an interesting whitepaper:

Stopping the Targeted Attack: Why Comprehensive Malware Protection is Superior to Anti-virus Signatures for Protecting Your Organization (Whitepaper)
This paper discusses the evolving nature of malware, and why enterprises continue to be highly vulnerable to targeted malware attacks despite deployment of common security solutions like anti-virus software and traditional firewalls. Accordingly, the paper then describes new solutions designed to be much more proactive and effective in protecting an organization’s inbound and outbound traffic.

From the paper, the changing nature of Malware are:

1. Malware attacks are much more focused and sophisticated: Gone are the old random-style attacks. Today’s malware is focused on specific organizations or users with specific behavior patterns. It largely depends on who the organization is or what the user does, what sites are accessed online, whether material is downloaded from risky sites, and how careful he/she is about downloading files attached to emails, and similar issues. The traditional “one solution fits all” approach to stopping attacks is no longer applicable.
Malware changes its code constantly: The latest viruses are designed to avoid detection by AV engines
by automatically changing or mutating every day and every time they send themselves out. Anti-virus vendors either have to use performance-hungry and error-prone heuristics or must create a new signature for each mutation.
Malware means money: Malware is no longer a teen prank. It is created and distributed by sophisticated individuals and well organized groups. The perpetrators either are or employ talented software engineers who are as good as those employed by anti-malware vendors, and they work hard to stay at least one step ahead of the good guys. More often, malware is actually used for corporate espionage against a specific corporation, as the infiltration of the Israel HOT cable television group network in 2005 showed11.
Some malware removers are actually malware: This ‘greyware’ represents a deceitful trap for users. Some pornography Web sites are rumored to have deals in place with malware authors. E.g. when someone accesses the site they get a fake error message that his/her system is compromised and is urged to click a link and download a “test utility” to scan. This “test utility” is usually a piece of spyware disguised as a seemingly benign system cleaner or something similar.
Standard antivirus programs are often ineffective: The malware designers constantly test their creations against Norton, McAfee, and other popular anti-virus and anti-spyware systems, so they know those programs will not detect their malware during the zero hour when it is first released. By the time the vendors catch up, the damage is done, and the bad guys change their code to make it undetectable again. Sometimes these code changes are even automatic (see #2 above).
Hide and seek: More and more malware actually tries to hide itself by using rootkit mechanisms or completely disabling anti-virus software on the client.

No comments: