A Day In The Antivirus World

This article written by Campbell Taylor - 'Global', is a review of the information learnt from a one day visit to McAfee and includes personal observations or further information that he felt were useful to the overall article. He refers to malicious activity as a term to cover the range of activity that includes worms, viruses, backdoors, Trojans, and exploits. Italics indicate a personal observation or comment.

In December 2004 I was invited to a one day workshop at McAfee's offices and AVERT lab at Aylesbury in England . As you are probably aware McAfee is an anti-virus (AV) vendor and AVERT ( Anti-Virus Emergency Response Team) is McAfee's AV research lab.

This visit is the basis for the information in this document and is split into 4 parts:

1) THREAT TRENDS

2) SECURITY TRENDS

3) SOME OF TODAY'S SECURITY RESPONSES

4) AVERT LAB VISIT

Threat Trends

Infection by Browsing

Browsing looks set to become a bigger method of infection by a virus in the near future but there was also concern about the potential for a ‘media independent propagation by a virus', that I found very interesting.

 

Media Independent propagation

By media independent I mean that the virus is not constrained to travelling over any specific media like Ethernet or via other physical infrastructure installations. McAfee's research showed a security risk with wireless network deployment which is discussed in the Security Trends section of this document.

So what happens if a virus or worm were able to infect a desktop via any common method and that desktop was part of a wired and wireless network? Instead of just searching the fixed wire LAN for targets, the virus/worm looks for wireless networks that are of sufficient strength to allow it to jump into that network.

You can draw up any number of implications from this but my personal observation is that this means you have to consider the wireless attack vector as seriously as the fixed wire attack vector. This reinforces the concept that the network perimeter is no longer based on the Internet/Corporate LAN perimeter and instead it now sits wherever interaction between the host machine and foreign material exists. This could be the USB memory key from home, files accessed on a compromised server or the web browser accessing a website.

An interesting observation from the McAfee researcher was that this would mean a virus/worm distribution starting to follow a more biological distribution. In other words you would see concentrations of the virus in metropolitan areas and along key meeting places like cyber cafes or hotspots.

Distributed Denial of Service (DDos)

DDoS attacks are seen as continuing threat because of the involvement of criminals in the malicious hacker/cracker world. Using DDoS for extortion provides criminals with a remote control method of raising capital.

Virus writers are starting to instruct their bot armies to coordinate their time keeping by accessing Internet based time servers. This means that all bots are using a consistent time reference. In turn this makes any DDos that much more effective than relying on independent sources of time reference.

As a personal note, Network administrators and IT security people might consider who needs access to Internet based Time servers. You may think about applying an access control list (ACL) that only permits NTP from one specified server in your network and denying all other NTP traffic. The objective is to reduce the chances of any of your machines being used as part of a bot army for DDos attacks.

Identity Theft

This was highlighted as a significant likely trend in the near future and is part of the increase in Phishing attacks that have been intercepted by MessageLabs.

SOCKS used in sophisticated identify theft

McAfee did not go into a lot of detail about this but they pointed out that SOCKS is being used by malicious hackers to bypass corporate firewalls because SOCKS is a proxy service. I don't know much about SOCKS so this is more of a heads up about technologies being used maliciously in the connected world.

Privacy versus security

One of the speakers raised the challenge of privacy versus security. Here the challenge is promoting the use of encrypted traffic to provide protection for data whilst in transit but then the encrypted traffic is more difficult to scan with AV products. In some UK government networks no encrypted traffic is allowed so that all traffic can be scanned.

In my opinion this is going to become more of an issue as consumers and corporates create a demand for the perceived security of HTTPS, for example.

Flexibility versus security

In the McAfee speaker's words this is about “ease of use versus ease of abuse”. If security makes IT too difficult to use effectively then end users will circumvent security.

Sticky notes with passwords on the monitor anyone?

Security Trends

Wireless Security

Research by McAfee showed that, on average, 60% of all wireless networks were deployed insecurely (many without even the use of WEP keys)

The research was conducted by war driving with a laptop running net stumbler in London and Reading (United Kingdom) and Amsterdam (Netherlands). The research also found that in many locations in major metropolitan areas there was often an overlap of several wireless networks of sufficient strength to attempt a connection.

AV product developments

AV companies are developing and distributing AV products for Personal Digital Assistants (PDAs) and smart phones. For example, F-secure, a Finnish AV firm, is providing AV software for Nokia (which, not surprisingly is based in Finland).

We were told that standard desktop AV products are limited to being reactive in many instances, as they cannot detect a virus until it is written to hard disk. Therefore in a Windows environment - Instant Messaging, Outlook Express and web surfing with Internet Explorer, the user is exposed, as web content is not necessarily written to hard disk.

This is where the concept of desktop firewalls or buffer overflow protection is important. McAfee's newest desktop product, VirusScan 8.0i, offers access protection that is designed to prevent undesired remote connections; it also offers buffer overflow protection. However it is also suggested that a firewall would be useful to stop network worms.

An interesting program that the speaker mentioned (obviously out of earshot of the sales department) was the Proxomitron. The way it was explained to me was that Proxomitron is a local web proxy. It means that web content is written to the hard disk and then the web browser retrieves the web content from the proxy. Because the web content has been written to hard disk your standard desktop AV product can scan for malicious content.

I should clarify at this point that core enterprise/server AV solutions like firewall/web filtering and email AV products are designed to scan in memory as well as the hard disk.

I guess it is to minimise the footprint and performance impact that the desktop AV doesn't scan memory. No doubt marketing is another factor – why kill off your corporate market when it generates substantial income?

AV vendors forming partnerships with Network infrastructure vendors

Daily AV definition file releases

McAfee is moving daily definition releases in an attempt to minimise the window of opportunity for infection.

Malicious activity naming

A consistent naming convention that is vendor independent is run by CVE (Common Vulnerabilities and Exposures). McAfee will be including the CVE reference to malicious activity that is ranked by McAfee as being of medium threat or higher.

Other vendors may use a different approach but I feel the use of a common reference method will help people in the IT industry to correlate information data about malicious activity form different sources rather than the often painful (for me at least) hunting exercise we engage in to get material from different vendors or sources about malicious activity.

AV products moving from reactive detection to proactive blocking of suspect behaviour

New AV products from McAfee (for example VirusScan 8.0i) are including suspect behaviour detection and blocking as well as virus signature detection. This acknowledges that virus detection by a virus signature is a reactive action. So by blocking suspicious behaviour you can prevent potential virus activity before a virus signature has been developed. For example port blocking can be used to stop a mydoom style virus from opening ports for backdoor access.

A personal observation is that Windows XP Service Pack 2 does offer a Firewall but this is a limited firewall as it provides port blocking only for traffic attempting to connect to the host. Therefore it would not stop a network worm searching for vulnerable targets.

Some of Today's Security Responses

Detecting potential malicious activity - Network

Understand your network's traffic patterns and develop a baseline of network traffic. If you see a significant unexpected change in your network traffic you may be seeing the symptoms of malicious activity.

Detecting potential malicious activity - Client workstation

On a Windows workstation if you run “ netstat –a ” from the command line you can see the ports that the workstation has open and to whom it's trying to connect. If you see ports open that are unexpected, especially ones outside of the well known range (1 – 1024) or connections to unexpected IP addresses, then further investigation may be worthwhile.

Tightening Corporate Email security

With the prevalence of mass mailing worms and viruses McAfee offered a couple of no/low cost steps that help to tighten your email security.

1. Prevent all SMTP traffic in/outwards that is not for your SMTP server
2. Prevent MX record look up
3. Create a honeypot email address in your corporate email address book so that any mass mail infections will send an email to this honeypot account and alert you to the infection. It was suggested that the email account be inconspicuous e.g. not containing any admin, net, help, strings in the address. Something like '#_#@your domain' would probably work.

AVERT LAB VISIT

We were taken to the AVERT labs where we were shown the path from the submission of a suspected malicious sample through to the testing of the suspect sample and then to the development of the removal tools and definition files, their testing and deployment.

Samples are collected by submission via email, removable media via mail (e.g. CD or floppy disk) or captured via AVERT's honeypots in the wild.

Once a sample is received a copy is run on a goat rig. A goat rig is a test/sacrificial machine. The phrase “goat rig” comes from the practice in the past of tethering a goat in a clearing to attract animals the hunter wanted to capture. In this case the goat rig was a powerful workstation running several virtual machines courtesy of VMware software that were in a simulated LAN. The simulation went so far as to include a simulated access point to the Internet and Internet based DNS server.

The sample is run on the goat rig for observational tests. Observational tests are the first tests conducted after the sample has been scanned for known malicious signature files. Naturally malicious activity is not often visible to the common end user, so observable activity means executing the sample and looking for files or registry keys created by the sample, new ports opened and unexpected suspicious network traffic from the test machine.

As a demonstration the lab technicians ran a sample of the mydoom virus and the observable behaviour at this point was the opening of port 3127 on the test host, unexpected network traffic from the test host and newly created registry keys. The lab technician pointed out that a firewall on the host, blocking unused ports, would have very easily prevented mydoom from spreading.

Following observational tests the sample will be submitted for reverse engineering if it's considered complex enough or it warrants further investigation.

AVERT engineers that carry out reverse engineering are located throughout the world and I found it interesting that these reverse engineers and Top AV researchers maintain contact with their peers in the other main AV vendors. This collaboration is not maintained by the AV vendors but by the AV engineers so that it is based on a trust relationship. This means that the knowledge about a sample that has been successfully identified and reverse engineered to identify payload, characteristics etc is passed to others in the AV trust group.

From the test lab we went through to the AV definition testing lab. After the detection rules and a new AV definition have been written the definition is submitted to this lab. The lab runs an automated test that applies the updated AV definition on most known Operating System platforms and against a wide reference store of known applications.

The intention is to prevent the updated AV definition from giving false positives on known safe applications.

Imagine the grief if an updated AV definition provided a false positive on Microsoft's Notepad!

One poor soul was in a corner busy surfing the web and downloading all available material to add to their reference store of applications for testing future AV definitions.

After passing the reference store test an email is sent to all subscribers of the McAfee DAT notification service and the updated AV definition is made available on the McAfee website for download.

In summary, the AVERT lab tour was an informative look behind the scenes, without much of a sales pitch, and I found the co-operation amongst AV researchers of different AV companies very interesting.