December 5, 2007
By Larry Seltzer
Look back at the security news three or four years ago and you'll see a "worm of the week" phenomenon in action. Malware was spread, and botnets created, through e-mail messages. These e-mail messages had attachments and social engineering that attempted to trick the user into running the attachment.
This approach is now comparatively rare, I think mostly because it's no longer all that effective. This is partly because users are more conditioned not to click on attachments, and partly because security software got better at blocking them. Even e-mail programs are smart enough, by default, to block executable attachments most of the time. You still see malicious attachments—the Storm worm used them a lot—but they aren't the main form of attack.
For a couple of years now, the threats that infect PCs are not directly mail-borne, but indirectly so. You probably get a lot of spam that includes a Web link and some text attempting to get you to click on it. With many of these, click on the link and the site will attempt to infect you through a variety of vulnerabilities in the browser, Windows, Java, whatever they can do. Finally, if no back door attack is available, they may just try to get you to run an executable.
The other common way malware writers get you to run their programs is to poison search engine results with links to infection pages, often hosted on compromised legitimate Web sites.
With many of the browser vulnerability attacks, conventional PC security software is of no help. At the very least, your system will be compromised until it reboots. Many attacks conducted in this way will be seen by the PC security software when their files hit the file system, but you can't assume that it will, especially since signature-based defense fails fairly often from new variants of the attacks.
The answer is for security software to take another approach, protecting the browser. Many programs began to do this years ago, incorporating what is generally known as HIPS (Host Intrusion Protection Software).
HIPS is designed to work once a program has already slipped through the outer layers of system security and executed. It monitors the execution of the system for suspicious behaviors. Usually they look for any buffer overflow, as these are always wrong and often a sign of an attempt to compromise the system. Windows HIPS systems often look specifically at the browser, and Internet Explorer in particular, because that's where the attacks are.
Symantec's Browser Defender technology in the 2008 editions of their Norton Antivirus and Norton Internet Security products are examples of browser HIPS. They look specifically at calls from IE code into ActiveX controls, a common method of attack, as many of these controls have vulnerabilities. Symantec actually wrote a new definition system for these attacks.
A better way to protect the browser is the method used by Exploit Prevention Labs, just acquired by AVG Software. Their LinkScanner products monitor network traffic looking for malicious behavior before it executes. The nature of the beast dictates that this is generally HTTP traffic.
Where it's best to do so, LinkScanner can block connections at the IP or domain name level, which makes it useful against fast flux networks. But mostly it uses signatures and heuristics to look for the behavior before it gets into the system.
The fact that it operates outside the execution environment makes it complementary to HIPS, not necessarily competitive with it. Layering has always been a good approach to security, because no approach is perfect.
Grisoft is mostly famous for its very popular free antivirus, but they are a big company in any event, with 60 million active users. Now they have a great tool that can qualitatively improve the security of the Internet experience for their users. The bar has been raised.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
資料來源 http://www.eweek.com/print_article2/0,1217,a=220982,00.asp
By Larry Seltzer
Look back at the security news three or four years ago and you'll see a "worm of the week" phenomenon in action. Malware was spread, and botnets created, through e-mail messages. These e-mail messages had attachments and social engineering that attempted to trick the user into running the attachment.
This approach is now comparatively rare, I think mostly because it's no longer all that effective. This is partly because users are more conditioned not to click on attachments, and partly because security software got better at blocking them. Even e-mail programs are smart enough, by default, to block executable attachments most of the time. You still see malicious attachments—the Storm worm used them a lot—but they aren't the main form of attack.
For a couple of years now, the threats that infect PCs are not directly mail-borne, but indirectly so. You probably get a lot of spam that includes a Web link and some text attempting to get you to click on it. With many of these, click on the link and the site will attempt to infect you through a variety of vulnerabilities in the browser, Windows, Java, whatever they can do. Finally, if no back door attack is available, they may just try to get you to run an executable.
The other common way malware writers get you to run their programs is to poison search engine results with links to infection pages, often hosted on compromised legitimate Web sites.
With many of the browser vulnerability attacks, conventional PC security software is of no help. At the very least, your system will be compromised until it reboots. Many attacks conducted in this way will be seen by the PC security software when their files hit the file system, but you can't assume that it will, especially since signature-based defense fails fairly often from new variants of the attacks.
The answer is for security software to take another approach, protecting the browser. Many programs began to do this years ago, incorporating what is generally known as HIPS (Host Intrusion Protection Software).
HIPS is designed to work once a program has already slipped through the outer layers of system security and executed. It monitors the execution of the system for suspicious behaviors. Usually they look for any buffer overflow, as these are always wrong and often a sign of an attempt to compromise the system. Windows HIPS systems often look specifically at the browser, and Internet Explorer in particular, because that's where the attacks are.
Symantec's Browser Defender technology in the 2008 editions of their Norton Antivirus and Norton Internet Security products are examples of browser HIPS. They look specifically at calls from IE code into ActiveX controls, a common method of attack, as many of these controls have vulnerabilities. Symantec actually wrote a new definition system for these attacks.
A better way to protect the browser is the method used by Exploit Prevention Labs, just acquired by AVG Software. Their LinkScanner products monitor network traffic looking for malicious behavior before it executes. The nature of the beast dictates that this is generally HTTP traffic.
Where it's best to do so, LinkScanner can block connections at the IP or domain name level, which makes it useful against fast flux networks. But mostly it uses signatures and heuristics to look for the behavior before it gets into the system.
The fact that it operates outside the execution environment makes it complementary to HIPS, not necessarily competitive with it. Layering has always been a good approach to security, because no approach is perfect.
Grisoft is mostly famous for its very popular free antivirus, but they are a big company in any event, with 60 million active users. Now they have a great tool that can qualitatively improve the security of the Internet experience for their users. The bar has been raised.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer
Copyright (c) 2007Ziff Davis Enterprise Inc. All Rights Reserved.
資料來源 http://www.eweek.com/print_article2/0,1217,a=220982,00.asp
全站熱搜
留言列表
