"The online business magazine at the heart of international business management news..."

Defending Networks Against Rapidly Evolving Threats

By Mark Harris, Global Director of SophosLabs™, Sophos

Sophos Anti-Virus | www.sophos.com


The challenge for organizations today is to stay ahead of the increasingly interconnected threat from rapidly spreading and evolving viruses and spam campaigns, phishing scams, spyware, and other threats.

Malicious threats such as viruses and spam campaigns evolve rapidly, often using a combination of methods to spread. Typically, when a new malware threat or spam campaign appears, security vendors react by quickly creating specific virus detection identities and new anti-spam updates that detect and counter it. In response, virus writers release new viruses, often distributing multiple strains of the same threat in a short time in order to increase the chances that at least one of their creations survives. Similarly, spammers use a variety of tricks to circumvent specific anti-spam technologies and rapidly adapt their campaigns to beat the filters.

In this continuously evolving threat environment, financial motivation has driven virus writers and spammers to join forces to produce campaigns that coordinate virus, spam, phishing, and spyware attacks. The random vandalism of earlier generations has been replaced by more purposeful criminal activity, with a shift in emphasis away from “traditional” viruses towards threats designed to steal money, information, or both. Trojans and other spyware, e.g. keyloggers, now form the majority of new threats analyzed by SophosLabs, a global network of threat analysis centers.

As a response to these threats, a number of standalone “day zero” solutions have emerged. Effective protection, however, requires both the rapid creation of new virus and spam identities and preemptive generic detection. An integrated approach is also important: using different vendors to protect different parts of a network introduces gaps in coverage, since the distinction between different types of threat is not always clear. Bofra, for example, not only exploited an internet browser vulnerability in order to spread, but also shared characteristics with spam and viruses, attacking through both the gateway and the endpoint. The interconnected technology and pooled expertise in SophosLabs enable experts to respond rapidly and effectively to emerging threats, whatever combination of techniques they use to spread.

SophosLabs analyzes tens of thousands of files a month for viruses and millions of emails daily to determine whether they are spam. Sophos uses automated systems that replicate and analyze viruses to accelerate the production of new anti-virus updates. A database holding threat information from Sophos’s 20 years’ experience in combating threats makes a wealth of data available to the Labs’ analysts worldwide. New anti-spam updates are created and deployed several times an hour. This response to new spam attacks is complemented by the fastest response times of the major security vendors to new virus outbreaks.

Through its combination of cross-threat expertise and powerful integrated technologies, SophosLabs is uniquely positioned to provide consolidated protection to combat the increasing sophistication of the new breed of cyber-criminals. The global visibility that SophosLabs has of emerging threats also enables Sophos to provide additional alert services. Sophos ZombieAlert™ Service provides organizations with immediate warning if spammers have hijacked any of their computers to send spam or launch denial of service attacks. Sophos PhishAlert™ Service provides alerts of phishing campaigns, so that targeted organizations can take steps to shut down bogus websites set up in order to steal from their customers.

SophosLabs is able to provide rapid protection through the experience and intelligence of its experts and through its range of highly refined technologies and detection methods. These factors combine to protect businesses against existing and emerging threats, no matter how complex the method of spreading. Viruses, spyware, Trojans, and worms are detected using a combination of techniques that include:

  • Dynamic Code Analysis™, a range of techniques used by the Sophos virus detection engine, in particular for detecting more complex encrypted malware
  • algorithmic pattern-matching
  • emulation, a technique for detecting polymorphic viruses, i.e. viruses that hide by encrypting themselves differently each time they spread
  • threat reduction technology

Spam is blocked using methods that include:

  • content scanning
  • obfuscation detection, e.g. spotting digits substituted for letters, as in “V1agra”
  • sender reputation filtering
  • call to action/URI analysis, for example checking whether the links point to known spammers
  • spam identities
  • heuristics
  • automated tuning, which adjusts the weighting of tests to catch campaigns designed to bypass a single, popular filtering technique
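To make the obfuscation detection and weighted scoring listed above concrete, here is an added Python example. It is not Sophos code and does not reproduce the Sophos engine; the substitution table, spam terms, sender block list, rule weights, threshold and sample messages are all constructed for illustration. It normalizes disguised terms (digit-for-letter substitutions, punctuation or spaces inserted between letters), records when a term was only visible after de-obfuscation, and then combines several tests with weights against a threshold so that no single test decides on its own.

```python
"""Weighted anti-spam scoring with de-obfuscation of disguised terms.

Added example, not Sophos code. Substitution table, term list, block list,
weights, threshold and sample messages are constructed for illustration.
"""
import re

# Characters spammers substitute for letters (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"})
SPAM_TERMS = {"viagra", "cialis", "pharmacy", "refinance"}      # constructed
BAD_SENDER_DOMAINS = {"bulk-mailer.example", "pillz.example"}   # constructed block list
RULE_WEIGHTS = {"spam_term": 3, "obfuscated_term": 2, "bad_sender": 4, "ip_url": 3}
SPAM_THRESHOLD = 5   # a score at or above this is classified as spam

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
IP_HOST_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


def normalize(text: str) -> str:
    """Undo common obfuscation so 'V1.a.g.r.a' and 'v i a g r a' both read 'viagra'."""
    t = text.lower().translate(LEET)
    t = re.sub(r"[.\-_*'`]", "", t)                     # v.i.a-g*r_a -> viagra
    t = re.sub(r"\b(?:\w\s){2,}\w\b",                   # v i a g r a -> viagra
               lambda m: re.sub(r"\s", "", m.group(0)), t)
    return t


def score_message(sender: str, body: str) -> tuple:
    """Return (score, list of triggered rules) for one message."""
    hits = []
    raw_words = set(re.findall(r"[a-z]+", body.lower()))
    norm_words = set(re.findall(r"[a-z]+", normalize(body)))
    terms = SPAM_TERMS & norm_words
    if terms:
        hits.append("spam_term")
        if terms - raw_words:            # term only visible after de-obfuscation
            hits.append("obfuscated_term")
    if sender.rsplit("@", 1)[-1].lower() in BAD_SENDER_DOMAINS:
        hits.append("bad_sender")
    if any(IP_HOST_RE.fullmatch(host) for host in URL_RE.findall(body)):
        hits.append("ip_url")            # link to a bare IP rather than a domain name
    return sum(RULE_WEIGHTS[h] for h in hits), hits


def is_spam(sender: str, body: str) -> bool:
    return score_message(sender, body)[0] >= SPAM_THRESHOLD


if __name__ == "__main__":
    # Constructed sample messages: obfuscated spam, a legitimate mention, plain ham.
    samples = [
        ("deals@bulk-mailer.example", "Cheap V1.a.g.r.a! Order at http://203.0.113.9/buy"),
        ("doctor@clinic.example", "Your Viagra prescription is ready: https://clinic.example/portal"),
        ("alice@corp.example", "Meeting moved to 3pm, see the agenda"),
    ]
    for sender, body in samples:
        print(is_spam(sender, body), score_message(sender, body))
```

The legitimate clinic message triggers only the content rule (score 3) and stays below the threshold; the obfuscated message trips four rules. This is the point of weighting: a spammer who defeats one test (say, by avoiding a bare-IP link) still has to defeat the others.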

All these methods put Sophos protection at the top of the league in terms of speed and reliability. In addition, Sophos Genotype technology™, which is used in Sophos’s endpoint and gateway solutions to deliver protection at the desktop, laptop, server and gateway, allows us to protect businesses at an even earlier stage by delivering preemptive generic protection against threats before they emerge. Genotype technology is incorporated into Sophos’s virus detection engine and anti-spam engine. It focuses on detecting new variants of existing families of spam campaigns and viruses. It has its analogy in the world of living organisms. In biology, the genotype is the genetic make-up of an individual organism. It is composed of genes, i.e. segments of a DNA molecule, which are units of information inherited from parent organisms. This technology looks at the “hereditary information” in new viruses or spam messages and detects when the threat is a close relative of one that is already known.

Virus writers regularly reuse most of the original virus’s code; for example, there are thousands of variants of the Rbot virus. Even if new malicious functionality has been added, the new virus remains similar to the original threat and is part of the same family. It is this similarity that Genotype technology exploits, by extracting the complete genotype of a program. Genotype technology avoids the false positive problem common in conventional heuristic detection by targeting specific virus and spam families rather than malicious-looking behaviour in general.

Every program has its own genotype. However, the genotype of a malicious program, such as a virus, differs significantly from the genotype of a non-malicious program. Additionally, the genotypes of one virus family differ from the genotypes of another. Examples of genes that may be found in a malicious program are the ability to copy itself to the system folder, to spread using vulnerabilities in the operating system, or to change registry keys so that it starts automatically. Extracted genes are matched against the genotypes of all known threat families using a finely tuned scoring system. When the genotype of the examined file matches the genotype of a known family of viruses, Sophos Anti-Virus reports the virus as a genotype (e.g. W32/Rbot-Gen).
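As an added illustration of gene extraction and per-family scoring (example code, not Sophos’s engine): here genes are inferred from the printable strings of a sample, each known family is a weighted set of genes, and a sample is reported under a family’s generic name only when enough of that family’s weight is present. The indicator patterns, weights, threshold, sample string dumps and the second family name are constructed; W32/Rbot-Gen is the detection name cited above. A real engine derives genes from code analysis and emulation rather than from strings alone.

```python
"""Toy genotype-style family matching.

Added example, not Sophos's engine. Genes are inferred from strings in a sample
(a simplification); patterns, weights, threshold, samples and the second family
name are constructed. W32/Rbot-Gen is the detection name the text cites.
"""
import re

# Gene -> regexes over a sample's printable strings that suggest that behaviour.
GENE_INDICATORS = {
    "copies_to_system_dir": [r"%SystemRoot%\\system32\\", r"\bCopyFileA?\b"],
    "run_key_persistence":  [r"Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
    "irc_command_channel":  [r"\bPRIVMSG\b", r"\bJOIN #", r"\bNICK\b"],
    "network_share_spread": [r"\\\\[^\\\s]+\\(?:ADMIN|C|IPC)\$"],
    "disables_security":    [r"\bnet stop\b", r"\btaskkill\b"],
    "smtp_engine":          [r"\bMAIL FROM:", r"\bRCPT TO:"],
}

# Family genotypes: weight of each gene within the family. Scoring is per family,
# which is what keeps false positives lower than generic "looks malicious" heuristics.
FAMILIES = {
    "W32/Rbot-Gen": {"copies_to_system_dir": 2, "run_key_persistence": 2,
                     "irc_command_channel": 4, "network_share_spread": 3},
    "W32/ExampleMailer-Gen": {"smtp_engine": 4, "disables_security": 3},  # hypothetical
}
MATCH_THRESHOLD = 0.6   # fraction of a family's total weight that must be present


def extract_genes(strings_blob: str) -> set:
    """Genes whose indicator patterns appear in the sample's strings."""
    return {gene for gene, patterns in GENE_INDICATORS.items()
            if any(re.search(p, strings_blob, re.IGNORECASE) for p in patterns)}


def score_family(genes, genotype) -> float:
    """Share of the family's weight that the sample's genes account for."""
    return sum(w for g, w in genotype.items() if g in genes) / sum(genotype.values())


def classify(strings_blob: str):
    """Best-matching family name, or None if no family reaches the threshold."""
    genes = extract_genes(strings_blob)
    best = max(FAMILIES, key=lambda name: score_family(genes, FAMILIES[name]))
    return best if score_family(genes, FAMILIES[best]) >= MATCH_THRESHOLD else None


# Constructed string dumps standing in for `strings` output of three samples.
RBOT_ORIGINAL = "\n".join([
    "%SystemRoot%\\system32\\svc_update.exe",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "NICK %s", "JOIN #botnet", "PRIVMSG %s :scan started",
    "\\\\%s\\ADMIN$", "\\\\%s\\C$",
])
RBOT_VARIANT = "\n".join([          # dropped share spreading, added AV killing
    "%SystemRoot%\\system32\\msupd.exe",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "PRIVMSG %s :ready", 'net stop "Security Center"',
])
BENIGN_INSTALLER = "\n".join([      # copies to system32 and adds a Run key, like many installers
    "Setup Wizard", "CopyFileA", "%SystemRoot%\\system32\\vendor.dll",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Uninstall",
])

if __name__ == "__main__":
    for name, blob in [("original", RBOT_ORIGINAL), ("variant", RBOT_VARIANT),
                       ("installer", BENIGN_INSTALLER)]:
        print(name, sorted(extract_genes(blob)), classify(blob))
```

The variant keeps 8 of the family’s 11 weight units and is still reported as W32/Rbot-Gen despite the new behaviour, while the installer shares two genes with the family but scores only 4/11 and is not flagged.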

Spammers constantly introduce new techniques. By sending spam through “fresh” open proxies, they try to prevent their messages being blocked by IP-based block lists. To bypass reputation filtering, spammers register hundreds of new domains for each spam campaign, making them harder for security vendors to react to. By randomizing obfuscation patterns, rotating phrases, and adding random unrelated words and phrases, spammers can ensure that every recipient gets a message that looks different from the others in the same campaign. These techniques reduce the effectiveness of spam detection signatures and basic content analysis. Spammers also randomize images so that they are not identical to others in the same campaign. This can be done by changing just a few pixels, so that the image still appears the same to recipients. Some spam emails, e.g. stock market scams, contain no call to action in the message at all, which makes call to action and URI analysis less effective.

Nevertheless, spam can still be detected and blocked. All messages within a given spam campaign have a number of common attributes that remain the same, for example the message size range or certain email headers. For each campaign, the labs create a unique genetic spam campaign template that can be applied against incoming message traffic. A template check might ask, for example: does the URL found in this message end with a .aspx string followed by a question mark and 5 to 7 digits?

Messages that match the template are identified as a known spam campaign and will be blocked automatically as spam. Some genotype definitions are short-lived and are created to address a specific spam outbreak, while others that address long-running spam campaigns might stay active for a long time. With other anti-spam techniques by themselves blocking up to 95% of all spam traffic, Genotype technology is used only where conventional anti-spam techniques are less efficient or do not work. However, its value in protecting networks is significant.
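An added example of a campaign template applied to incoming mail, using the URL rule quoted above together with a size range and two header checks (example code, not Sophos’s; the template attributes, header values and sample messages are constructed). A message from the same campaign with a different sender, domain, digits and padding words still matches, while a message whose link has only four digits, a legitimate order confirmation, and an oversized message do not.

```python
"""Campaign-template matching for a spam outbreak.

Added example, not Sophos code. Template attributes (size range, header checks,
URL shape) and the sample messages are constructed; the URL rule is the one the
text describes: a link ending in .aspx? followed by 5 to 7 digits.
"""
import email
import re
from dataclasses import dataclass
from email.message import Message

URL_RE = re.compile(r'https?://[^\s<>"]+')


@dataclass
class CampaignTemplate:
    name: str
    size_range: tuple          # (min, max) raw message size in bytes
    header_checks: dict        # header name -> regex its value must match
    url_pattern: re.Pattern    # fullmatch against each URL found in the body


TEMPLATES = [
    CampaignTemplate(
        name="aspx-digits-campaign",
        size_range=(120, 800),
        header_checks={"Subject": r"^Re: ", "X-Mailer": r"^BulkSend \d"},  # constructed
        url_pattern=re.compile(r"https?://[^\s?]+\.aspx\?\d{5,7}"),
    ),
]


def body_text(msg: Message) -> str:
    """Concatenated text/plain parts, decoded with each part's charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def matches(template: CampaignTemplate, raw: bytes) -> bool:
    lo, hi = template.size_range
    if not lo <= len(raw) <= hi:                      # attribute 1: size range
        return False
    msg = email.message_from_bytes(raw)
    for header, pattern in template.header_checks.items():   # attribute 2: headers
        if not re.search(pattern, msg.get(header, "")):
            return False
    urls = URL_RE.findall(body_text(msg))             # attribute 3: link shape
    return any(template.url_pattern.fullmatch(u) for u in urls)


def classify(raw: bytes):
    """Name of the first matching campaign template, or None."""
    return next((t.name for t in TEMPLATES if matches(t, raw)), None)


def _message(sender, subject, body, mailer="BulkSend 2.1") -> bytes:
    """Build a constructed raw message for the examples below."""
    headers = [f"From: {sender}", "To: user@example.com", f"Subject: {subject}"]
    if mailer:
        headers.append(f"X-Mailer: {mailer}")
    headers.append("Content-Type: text/plain; charset=utf-8")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


CAMPAIGN_MSG = _message("promo@example.net", "Re: your order",
    "Great prices this week only!\r\nhttp://deals.example.org/offer.aspx?481732\r\n")
MUTATED_MSG = _message("news@other-domain.example", "Re: hello again",
    "lorem ipsum savings sky blue\r\nhttp://cheap-stuff.example/land.aspx?1093847\r\n")
SHORT_ID_MSG = _message("promo@example.net", "Re: your order",
    "http://deals.example.org/offer.aspx?1234\r\n")              # only 4 digits
LEGIT_MSG = _message("shop@example.com", "Re: your order",
    "Your cart: http://shop.example.com/cart.aspx?id=12345\r\n", mailer=None)
OVERSIZED_MSG = _message("promo@example.net", "Re: your order",
    "x" * 2000 + "\r\nhttp://deals.example.org/offer.aspx?481732\r\n")

if __name__ == "__main__":
    for label, raw in [("campaign", CAMPAIGN_MSG), ("mutated", MUTATED_MSG),
                       ("short id", SHORT_ID_MSG), ("legit", LEGIT_MSG),
                       ("oversized", OVERSIZED_MSG)]:
        print(label, len(raw), classify(raw))
```

Because the template keys on attributes the spammer cannot cheaply randomize per recipient (the mailer fingerprint, the landing-page URL shape, the message size band), rotating sender domains and padding words does not help the campaign slip past it.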

Sophos analysis shows that, even though genotypes block only about 5% of all spam, they provide 100% protection against the spam campaigns that are harder to detect with solutions using just reputation filtering and anti-spam heuristic rules. Genotype technology provides unique proactive detection against the latest mutations of a campaign.

Through expertise, technology, and global visibility of emerging threats, SophosLabs provides the 24/7 research and rapid global response businesses need to protect them from increasingly complex threats. “Day zero” protection through Genotype technology integrates with a range of other highly tuned techniques and technologies to provide Sophos users with the highest level of protection.

