Tuesday, April 24, 2007

Storm Worm vs. IDS

News from last week was the "Storm Worm": a hacker launched malware through a massive spam campaign. This meant that thousands of users were likely infected before the anti-virus companies had a chance to respond and release signatures to their customers.

SANS has an interesting post about how this shows that traditional anti-virus can't keep up with the problem. The post describes a one-line Linux shell command that detects whether a ZIP file likely contains a virus: 'zipinfo' lists the entries without extracting them, and the uppercase 'B' in its listing marks an encrypted entry, so an encrypted entry whose name ends in .exe is treated as suspect:

if zipinfo patch-58214.zip | grep -q 'BX.*\.exe' ; then echo 'encrypted executable'; fi

This is almost identical to a signature I wrote for the Proventia IPS. Proventia is based on protocol-analysis technology: it decodes the SMTP dialogue and the e-mail format, BASE64-decodes the MIME attachments, and then parses the ZIP file much as 'zipinfo' does. It never decompresses or decrypts the contents of the ZIP file, but it can still read the entry filenames, so my signature tests whether a filename ends in something executable, such as .exe, .scr, .pif, etc. Because it uses protocol analysis, Proventia blocks the e-mail by returning a "5xx" error code in the SMTP dialogue (a permanent rejection the sending server understands) instead of killing the TCP session. Because it uses protocol analysis, it reports to the operator the filename, the subject line of the e-mail, and the from/to addresses in the SMTP session. Because it is NOT a store-and-forward proxy, it can run at multiple gigabits per second. This and a few similar signatures in Proventia will stop most 0day e-mail viruses at gigabit speeds. It's fabulously useful, but of course, few people use it.
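The check described above can be sketched end to end. What follows is an added example written for this page; it is not Proventia code and not the SANS script. It decodes a constructed SMTP message's base64 MIME attachment, walks the ZIP local file headers without inflating or decrypting anything (bit 0 of the general-purpose flags word marks an encrypted entry), flags entries whose names end in an executable suffix, and returns the SMTP-level context an operator would want logged together with the reply a filter would send. The sample message, the ZIP built from junk payloads, the `EXEC_SUFFIXES` list and the `550 5.7.1` reply text are all assumptions for illustration.

```python
"""Added example: a stand-alone sketch of the "executable inside a ZIP
attachment" check.  Not Proventia code and not the SANS one-liner."""
import struct
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed list of "executable" suffixes; a real signature would be longer.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# ZIP local file header: sig, version, flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50


def zip_entries(blob):
    """Yield (filename, encrypted) for each local header, never inflating
    or decrypting.  Bit 0 of the flags word marks an encrypted entry."""
    off = 0
    while off + LOCAL_HDR.size <= len(blob):
        f = LOCAL_HDR.unpack_from(blob, off)
        if f[0] != LOCAL_SIG:        # reached the central directory (or junk)
            break
        flags, csize, nlen, xlen = f[2], f[7], f[9], f[10]
        start = off + LOCAL_HDR.size
        name = blob[start:start + nlen].decode("cp437", "replace")
        yield name, bool(flags & 0x1)
        if flags & 0x8:              # sizes live in a trailing data descriptor;
            break                    # a streaming parser cannot skip ahead blindly
        off = start + nlen + xlen + csize


def inspect_message(raw):
    """Decide whether an SMTP DATA payload should be rejected.  Returns the
    verdict plus the context an operator wants logged."""
    msg = message_from_bytes(raw, policy=default)
    ctx = {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"]}
    for part in msg.iter_attachments():
        attach = part.get_filename() or ""
        if not attach.lower().endswith(".zip"):
            continue
        blob = part.get_payload(decode=True)   # undoes the base64 MIME encoding
        for name, encrypted in zip_entries(blob):
            if name.lower().endswith(EXEC_SUFFIXES):
                return {**ctx, "verdict": "reject", "attachment": attach,
                        "filename": name, "encrypted": encrypted,
                        "smtp_reply": "550 5.7.1 Executable inside ZIP attachment rejected"}
    return {**ctx, "verdict": "accept", "smtp_reply": "250 OK"}


# --- constructed sample input (not captured from any real spam run) ---------

def build_zip(entries):
    """Build a ZIP from (name, encrypted) pairs with junk payloads; only the
    local headers matter because the check never looks at the data."""
    out = b""
    for name, encrypted in entries:
        payload, nb = b"\x00" * 16, name.encode("cp437")
        out += LOCAL_HDR.pack(LOCAL_SIG, 20, 0x1 if encrypted else 0, 0, 0, 0,
                              0, len(payload), len(payload), len(nb), 0)
        out += nb + payload
    return out


def build_message(zip_blob, attach_name="patch-58214.zip"):
    """Constructed e-mail resembling the spam run: a ZIP as a base64 attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "updates@example.net", "victim@example.org"
    m["Subject"] = "Worm Alert!"
    m.set_content("Please install the attached patch.")
    m.add_attachment(zip_blob, maintype="application", subtype="zip",
                     filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    for sample in ([("patch.exe", True)], [("readme.txt", True)]):
        print(inspect_message(build_message(build_zip(sample))))
```

The parser stops at an entry that uses a data descriptor (flag bit 3), because a streaming inspector cannot know the compressed size until after the data; a production engine would buffer or fall back to the central directory at that point. Nothing here needs the ZIP password, which is exactly why an encrypted attachment offers the malware no protection against this kind of check.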

The technology is ready for 0day viruses; the problem is that the market still isn't. The technology I describe above doesn't fit within any easy market category: it's neither precisely what people understand as "intrusion-prevention" nor "anti-virus". It's like a thousand other bits of technology that languish in our industry because there is no neat category for them. I created the first IPS (BlackICE Guard, aka Proventia), but it was just an IDS feature until Intruvert showered money on Gartner to create a new category for it.

EDIT: btw, for people interested in the history of IPS, the following is a post I made in 2001 to the Security Focus IDS mailing list. This was before Gartner created the market segment. You can tell my frustration trying to differentiate IPS from firewalls and pure IDS.

http://archives.neohapsis.com/archives/sf/ids/2001-q1/0168.html

1 comment:

mokum von Amsterdam said...

It is both sad and funny to read your post and look at the orgs I get hired by: 9 out of 10 have ALL the tools to make their world a better place, but 9 out of those 10 still lack management backing to implement anything that *might* stop|block|prevent this one thingy the high management want to receive. This will not change anytime soon, unless someone is made personally & financially accountable for things gone wrong.
But hey, see it as job security :P