Zombies in Your Office

Wayne Rash

You know they're in there. Maybe you can see your traffic levels change, perhaps you're having a sudden increase in browser crashes. On the other hand, maybe you're secure in your belief that your firewall and your security software have you protected against a malware invasion on at least some of your computers in the enterprise.

But the fact is, in many large enterprises at least some machines are infected by malware and as a result are hosting botnets, keystroke loggers, password stealers, or data harvesters. For most companies, the presence of this malware is revealed only after it has been running for a while, perhaps days or weeks after it took up residence. Meanwhile, your enterprise has been open before them, letting the malware controllers grab whatever they wanted as they had their way with your network.

Most of the time these malware attacks are what security professionals call 'zero-day exploits.' These attacks are intended to break into computers for which there is no protection. Sometimes the lack of protection is due to a failure to update your operating system, sometimes it's because you didn't update your security software, but it's also frequently due to the fact that the creators of the malware are taking advantage of an exploit before anyone knows about it. That's why it's called 'zero-day' -- the exploit is launched immediately after a vulnerability has been discovered.

The problem with malware today is that many of the traditional defenses such as firewalls and anti-virus software are ineffective. The code is downloaded from Web sites, and the information is transmitted back through a port such as 443 that you have to keep open to use SSL. Because most AV software depends on the signature of the malware, it only works once the company that makes the AV product discovers the malware and updates its database to include it, and then gives it to you.

Intrusion detection products are supposed to catch things like this, but intrusion detection has a checkered history. Finding a way to sort through the false positives on many IDS products is harder and more expensive than fixing the damage the malware does. To make matters worse, there are many vectors for malware, so just because you've managed to close off one pathway, there are still a hundred others. So if it's not the Web, then you'll have malware from someone's iPod, or their USB memory stick or a laptop that they've taken home.

One company that has an interesting approach to solving the malware problem is FireEye, which makes a security appliance that monitors traffic as it passes from your firewall to your network. The appliance looks for potential malware traffic on any open port, and it analyzes what it's doing by using what the company calls its 'virtual victim' in which it examines any suspect network activity to see what it's actually trying to do. Meanwhile, FireEye is also listening for the command-and-control traffic that's used to tell the malware what to do. If it finds out that it is indeed malware, then it issues an alert, and tells the network security staff what to look for, and where to find it.

Zero-day exploits have gotten a lot of attention lately because it was just such an attack, apparently by the Chinese government, that hit Google a few days ago. This attack depended on an unpatched vulnerability in Microsoft Internet Explorer 6 and an apparently new algorithm for building a Trojan Horse. It didn't work with later versions of IE. According to FireEye's Chief Security Architect, Marc Maiffret, the attack used a global Aurora botnet to attack Google in an effort to pry out source code, user names of Chinese dissidents, and other sensitive information. Maiffret said his company first discovered the infection on customer machines.

In the case of Aurora, FireEye discovered that an attack was going on because its security appliance was stopping it. But initially no one knew exactly what was going on. It was only later that the exact nature of the attack was discovered, and FireEye's appliance was already stopping it by then.

Of course much of the problem could have been avoid had enterprise managers been diligent about making sure their systems were up to date, that their security software was updated, and that their users were trained to avoid downloading anything that they didn't already know was safe.

The problem is, even if you do everything right, you can't always avoid malware. When it appears, it's nice to have a way to find it and eradicate it before the AV and OS vendors deliver a patch. In this case, it looks like FireEye has found a solution that will help some enterprises.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.