Bugwatch: Next-generation 'zero-day' attacks

The cyber-criminal is getting smarter, and so must the methods used to fight back

Nick Ray, chief executive, Prevx, vnunet.com 04 May 2005

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Nick Ray, chief executive at intrusion prevention firm Prevx, stresses the importance of identifying the characteristics of malicious attack behaviour.

The cyber-criminal is getting smarter and more organised, and so have his methods of attack. Two years ago the watchword was viruses, but new and infinitely more advanced attack methods now exist.

Next-generation 'zero-day' attacks, such as worms and Trojans, seem to have the measure of traditional signature-based security technologies, and a determined hacker can bypass even the most stringently configured company firewall to access system files and the registry.

And attackers are now running targeted scams that keep a low enough profile not to raise awareness among antivirus and anti-spyware vendors.

Whatever the reason for a malicious cyber-attack, whether it be financial gain, espionage or just for the sheer hell of it, companies must protect against unwanted incursions into their systems.

It is becoming increasingly important to ensure that these new methods of attack don't penetrate computer systems because the effects can range from the defacement of websites to the fraudulent extortion of large sums of money.

So what can be done to ensure a sufficient level of protection against attack? Clearly, patching is not working because of the speed with which these attacks strike and propagate to other computers.

A PC worm may be similar to a virus, in that it spreads from computer to computer, but where the worm differs is the speed of self-propagation.

Worms use the basic transport mechanisms of any computer or network to spread as quickly as possible, allowing attackers to take control of systems and execute malicious code.

Normally this happens before a patch has had a chance to be created, let alone implemented, meaning that worms can march through the globe's computer systems at an incredible rate. Sasser and Blaster are examples of how devastating they can be.

The traditional signature-based approach still favoured by many companies to detect malicious attacks is based on patches updated at regular intervals. It is inherently reactionary and out-of-date, and does little to stop zero-day attacks.

Until a worm or Trojan is known and a signature created and updated, the antivirus program cannot provide protection against the code as it simply does not recognise it as a threat.

And if a worm executes itself from memory and not from the file system, a lot of antivirus programs are not capable of protecting the system from attack even when the signature is known.

A lot of this type of code also hides in less-accessed system directories which will only be processed by antivirus software during a full scan. This means that, in most cases, antivirus will help clean up the worm only after it infects the machine or network, and probably infects many other systems.

So how do we protect against this new breed of attack that is seemingly marching through unprepared systems? Intrusion detection software doesn't rely on signatures but highlights when malicious code has accessed critical areas such as memory, file system, operating system, registry and applications.

While undoubtedly closer to the mark, it is still a case of closing the gate once the horse has bolted. Surely prevention is better than cure, and this is where Host Intrusion Prevention Software (Hips) enters the fray.

Hips is designed to recognise anomalies in exactly the same way as intrusion detection software. Crucially, however, it does so before these have had a chance to access critical systems.

Sitting just behind the firewall, correctly configured Hips should be able to recognise all the traits of a zero-day attack by understanding the methods used to launch such attacks and blocking them before they can cause damage.

Hips in theory should require no patches, no signature updates and no rules to work because it identifies the characteristics of the attack behaviour and stops the action taking place.

A security guard trained to recognise the faces of wanted criminals is of no use if he fails to spot a masked man breaking in.

Data is now the most important commodity in many companies. This data needs to stay protected from outsiders while being continually available to legitimate users. Malicious attacks seek to undermine both of these objectives using progressively more advanced hacking techniques.

It is up to the corporate world to adapt to these challenges and employ progressive IT security capable of addressing the problems of zero-day attacks.

While intrusion prevention may not be a silver bullet, employed alongside antivirus software it will catch and destroy any attempt to enter systems propagated by these new attacks, acting as the last man standing when signature-based security has failed.

See also: