August 10, 2007
Vol. 29, Issue 32, page 26 in print issue
Keep On Top Of New Threats
How To Stare Down Polymorphic Attacks
Life in a data center is not like the old-time cowboy movies, where the guys in the white hats always won. In the modern version, the black hats keep coming up with new ways to rustle bandwidth. One of the latest weapons used against networks is the polymorphic attack.

"Polymorphic attacks use advanced techniques for obfuscating the malicious code that is executed when a system is compromised via any vulnerability," explains Rohit Dhamankar, senior manager of security research for TippingPoint (www.tippingpoint.com). The word itself means having many shapes or many forms, and that is just how polymorphics seek to trick systems. "The attackers make such an attempt in order to bypass any intrusion detection or prevention system that relies on simple string-matching on the shell code," Dhamankar says.
A Real Danger

Michelle McLean, director of marketing at ConSentry (www.consentry.com), says the question of whether these attacks are a real concern or just an annoyance lies in the nature of the attack more than in whether it employs polymorphic behavior. She notes that attacks such as the one against the government of Estonia and the so-called Italian Job in June do serious damage, in the one case compromising the functioning of the government and in the other compromising people's personal data. Other times, however, these attacks are just annoyances, "spreading silly executables or the link," she notes. "However, given the clean-up work involved and the increasingly damaging behavior of these attacks, they're certainly migrating more toward real concerns than annoyances."

FireEye's (www.fireeye.com) Philip Lin, director of product marketing and technology evangelist, notes that malware is growing at an alarming rate, crossing corporate boundaries and spreading undetected infections behind corporate firewalls, so much so that the FBI ranks it among its top priorities along with espionage and terrorism. "Polymorphic attacks are able to sneak by signature-based security devices like intrusion prevention systems," Lin says. "We have found that polymorphic attacks continuously change (or mutate) nonessential elements of their code while leaving their core attack algorithm intact. One of our security team members put it this way: Polymorphism is just new functionality making attacks more advanced and much more likely to bypass signature-based technology like antivirus or intrusion prevention (on the desktop or in the network)." Another difference, he says, is that the quality of the attack code is much improved, as college graduates, often in the Far East, look for an outlet for their talent or try to make a name or a few dollars for themselves. "Without a doubt, these attacks are real concerns for our customers and security research team."

"We have found that polymorphic network attacks are able to defeat virus protection software and network behavior anomaly detection systems, especially when combined with other stealthing techniques," Lin says. "Our customers see network attacks as real concerns to network stability, as well as data security."
Ways To Corral Polymorphics

In a typical attack, Dhamankar says, the attacker first triggers a vulnerable condition in some software, an application, or hardware and then leverages the vulnerability to execute code of his choice. TippingPoint tries to detect and block the flow and the packets that trigger the vulnerability. In this case, the detection is not based on the malicious code the attacker is trying to execute. As a result, it is immune to polymorphic mutations of an attack targeting a specific vulnerability.

The most obvious difference between polymorphics and regular attacks, McLean says, is that these attacks mutate, so the typical first-line defense, signatures, is weak at protecting against them. A signature will catch only an exact match, not a mutation, so security software must evolve along with the attacks to keep pace, she explains. Today, most vendors do more than include signatures in their products. They build in the ability to recognize and block mutations, an augmentation of signature-based protection. Some build in behavior-based detection and blocking, check the Windows Registry and other system resources for modifications, and then alert the user. "Those are the real capabilities needed to detect and contain polymorphic attacks," McLean adds.

ConSentry takes the approach of developing behavior-based algorithms to detect attacks. This way, whether they're polymorphic or not, it identifies malware by its behavior: setting up too many connection attempts and failing at most of them, or setting up connections at too fast a rate for that application type. "Behavior-based protection provides a much broader set of defenses," McLean says.

The NSS Group validated TippingPoint's approach, too, during its test of the TippingPoint appliance. The NSS test applied polymorphic mutations to attacks using the ADMutate tool, and the appliance proved effective against them. FireEye, by contrast, puts virtual victim machines at the core of its product.
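The three detection strategies described above (an exact-match signature, TippingPoint's vulnerability-trigger check, and ConSentry's connection-behavior check) can be seen side by side in a small script. This is an added example written for this page; it is not TippingPoint, ConSentry, FireEye, or NSS Group code. Everything in it is constructed for illustration: a made-up line protocol "LOGIN <name>" whose server copies <name> into a 64-byte buffer (the vulnerable condition), a placeholder byte string standing in for shellcode, XOR-encoded with a different key per variant behind a fake decoder stub (the polymorphism), a hand-built connection log with made-up hosts, and the behavioral thresholds.

```python
"""Added example: three detection strategies from the article, run against a
toy polymorphic exploit. Not TippingPoint, ConSentry, FireEye or NSS code.

Constructed assumptions: a made-up line protocol "LOGIN <name>\n" whose server
copies <name> into a 64-byte buffer (the vulnerable condition); a placeholder
"shellcode" XOR-encoded with a per-variant key behind a fake decoder stub (the
polymorphism); and a hand-built connection log with made-up hosts."""
import re
from collections import defaultdict

BUFFER_SIZE = 64                                      # assumed server buffer size
CORE_SHELLCODE = b"\x90\x90CORE-PAYLOAD-EXEC-SHELL"   # placeholder, not real code
DECODER_STUB = b"\xeb\x0d"                            # placeholder decoder marker


def mutate(core: bytes, key: int) -> bytes:
    """Polymorphic variant: same core algorithm, different bytes on the wire."""
    return DECODER_STUB + bytes([key]) + bytes(b ^ key for b in core)


def build_exploit(key: int) -> bytes:
    """Overflow the 64-byte name buffer, then place the (mutated) payload."""
    return b"LOGIN " + b"A" * (BUFFER_SIZE + 16) + mutate(CORE_SHELLCODE, key) + b"\n"


# 1. Exact-string signature, written from the first sample ever captured (key 0).
SIGNATURE = mutate(CORE_SHELLCODE, 0x00)


def signature_detect(packet: bytes) -> bool:
    return SIGNATURE in packet


# 2. Vulnerability-trigger check: parse the protocol and test the condition that
#    crashes the server, ignoring whatever code follows the overflow.
LOGIN_RE = re.compile(rb"^LOGIN (.*)\n$", re.S)


def trigger_detect(packet: bytes) -> bool:
    m = LOGIN_RE.match(packet)
    return bool(m) and len(m.group(1)) > BUFFER_SIZE


def compare_detectors():
    """Count hits for each detector over four mutations and one benign login."""
    variants = [build_exploit(k) for k in (0x00, 0x41, 0x7F, 0xC3)]
    benign = b"LOGIN alice\n"
    return {
        "signature": sum(signature_detect(p) for p in variants),
        "trigger": sum(trigger_detect(p) for p in variants),
        "benign_false_positives": int(signature_detect(benign) or trigger_detect(benign)),
    }


# 3. Behaviour: flag a host that fails most of its connections or opens them far
#    faster than the application type would. Thresholds are illustrative.
def make_log():
    """Constructed log entries: (time_s, src, dst, port, outcome)."""
    log = [(i * 10.0, "10.0.0.7", "10.0.1.1", 443, "ok") for i in range(8)]
    log += [(i * 0.01, "10.0.0.5", f"10.0.2.{i + 1}", 445,
             "ok" if i % 25 == 0 else "fail") for i in range(50)]
    return log


def behaviour_detect(log, window=1.0, max_per_window=20,
                     max_fail_ratio=0.8, min_attempts=10):
    by_src = defaultdict(list)
    for ts, src, _dst, _port, outcome in log:
        by_src[src].append((ts, outcome))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        fails = sum(1 for _, o in events if o == "fail")
        peak, j = 0, 0                      # busiest sliding window of `window` s
        for i, (ts, _) in enumerate(events):
            while ts - events[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        reasons = []
        if len(events) >= min_attempts and fails / len(events) >= max_fail_ratio:
            reasons.append("fail_ratio")
        if peak > max_per_window:
            reasons.append("rate")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    print(compare_detectors())        # signature 1 of 4, trigger 4 of 4
    print(behaviour_detect(make_log()))
```

The signature written for the first captured sample matches only that sample; re-keying the payload defeats it every time. The trigger check never looks at the payload at all, so it also catches an overflow that carries no shellcode (a crash-only packet), which is what makes it indifferent to mutation. The behavior check, run on the constructed log, flags the host that sweeps fifty addresses in half a second with nearly every connection refused, and leaves the workstation that opens a handful of successful HTTPS sessions alone; in practice the thresholds have to be tuned per application type, as McLean notes.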
"This is a real-time analysis engine using virtualized Windows environments to see how network traffic affects the virtual PC. If the virtual PC (the virtual victim) becomes infected, we know we have an attack in the network, regardless of polymorphism," Lin explains. "Without signatures or relying just on heuristics, FireEye is able to protect against zero-day, polymorphic attacks. Keep in mind that polymorphism is just one way used to cloak an attack to bypass legacy scan-and-block technologies. One of our customers, a midsized business, said traditional approaches block yesterday's attacks. They needed something for today's stealthy, polymorphic attacks," Lin concludes.

by Curt Harler
Where To Put Protection

One of the main things IT should think about is where to deploy protection, says Michelle McLean of ConSentry (www.consentry.com). Traditionally, virus protection has lived at the LAN/WAN boundary and on endpoints. "As behavior-based techniques surpass signatures for this kind of protection, locating that technology at aggregation points but still close to the user is essential for recognizing the attack and containing it before it can spread throughout the enterprise," she states.

"Keep in mind that preventing polymorphic attacks is more than layering traditional security technologies in the network and on the desktop. Most companies have plenty of security layers but haven't realized that the attackers' technology has advanced to the point that key security layers have been rendered obsolete. Preventing polymorphic attacks requires an accurate, predictive method of detection above and beyond signatures or heuristics," Phillip Lin of FireEye (www.fireeye.com) says.