Expert view: beating malware
- 8 December 2008
Mark Jackson, consulting systems engineer, Cisco Systems, argues that it’s time for a new approach.
Virus and worm outbreaks – and malware infections more generally – have long been a headache for IT managers in the NHS.
At best, a worm outbreak can paralyse end systems and clog up network links, resulting in a loss of service to users. At worst, a worm can leave behind other malware, allowing an attacker to steal sensitive data, delete files and generate enough traffic to render the network unstable for many days.
Headlines heralding a worm outbreak have been a rarity in the past few years, at least in comparison to early 2000, which saw a new outbreak hitting the news on almost a daily basis.
However, following this period of calm, a worm outbreak has once again been dominating the headlines because a number of NHS hospitals have been reportedly been affected by an outbreak of Mytob.
Traditional anti-virus: no longer up to the job?
During this intervening period, the industry has witnessed a fundamental shift in the way in which malicious code is both written and distributed. There has also been a change in attacker motivation, moving from notoriety and fame to financial fraud and information theft.
These changes have meant that attacks have become more targeted. Malware is far less noisy than it once was, but it is being produced more quickly when new vulnerabilities are announced.
For example, in 2001 the Nimda worm exploited a vulnerability that Microsoft had announced almost 340 days earlier. In 2004, the Sasser worm exploited a vulnerability announced only 14 days before. In 2005, Zotob was discovered only four days after the vulnerability was announced.
With all of these changes in the threat environment, the anti-virus systems that most NHS trusts rely on are becoming less effective at protecting end systems.
Traditional anti-virus systems focus on what an attack looks like and maintain a list of known attacks called signatures. The list of signatures is regularly updated as the vendor discovers new malware.
This approach worked well in the past, but its weaknesses became clear when major outbreaks such as Blaster and Zotob emerged and effected many trusts across the UK.
Dependence on signature-based systems forces the administrator into a constant update race, one in which it is almost impossible to get ahead of the attackers and therefore one that is always risking the compromise of end systems until patches and updates can be applied.
Time to focus on behaviour
A new endpoint protection paradigm has emerged in response to these weaknesses, moving the protection focus away from what an attack looks like to looking at what it is doing.
So-called behavioural-based systems take advantage of the fact that practically all worms and viruses behave in the same way, irrespective of what they look like. In fact, most attacks against any end system will follow a similar path:
1. Probe – discover a vulnerable target
2. Penetrate – perform an exploit on the target device; for example a buffer overflow
3. Persist – download the malware, execute and modify the system registry
4. Propagate – pick random IP addresses and attempt to discover further vulnerable targets
5. Paralyse – malware is propagated to further vulnerable devices.
In applying this to real malware examples such as the Zotob and CodeRed worms, it is clear that while both worms look very different – and would therefore require two different signatures – they actually follow the same set of behaviours.
Each of the distinct steps can be identified and blocked by a behavioural-based protection system running on the end-point. However, such systems tend to focus on the final three steps, since these are often the most damaging but also – more importantly – because they rarely change.
Getting ahead of the attackers
In other words, a behavioural-based solution can have a policy that looks for and blocks ‘bad’ behaviours, removing the need to constantly modify and update the solution as new attacks are discovered.
This capability represents the significant benefit of a behavioural-based solution over a signature-based solution; day-zero prevention. Day-zero prevention allows the administrator to finally get ahead of the curve, confident in the knowledge that their systems will remain protected as new malware is released.
It also allows the administrator the opportunity to patch systems in more controlled fashion, allowing adequate testing time to ensure application stability and performance is maintained when the patch is applied.
The bottom line is that trusts are still being hit by worms and viruses, and yet all will have anti-virus solutions deployed. Those that believe they are still protected by traditional signature-based anti-virus products will face a rude awakening, as recent cases suggest.
Anti-virus has been failing us for some time and trusts have no option but to reconsider their route to protection in light of this changing threat environment.
Box/highlight text: Mark Jackson is a security consulting systems engineer in the UK Public Sector team at Cisco. He has more than 11 years experience in IT and networking and specialises in information and IT security solutions. He also has more than four years’ experience of working with the NHS. Tel: 020 8824 8535.
Related article
Bart’s takes a week to recover from Mytob virus
E-Health Insider will consider “expert view” articles on topical subjects. Please send proposals to Lyn Whitfield, managing editor, E-Health Insider: lyn@lynwhitfield.co.uk.