Friday, 10 September 2010
The number and diversity of viruses, worms and other nasty threats to information security is growing quickly. What - if anything - can be done to stop it, asks Alice Kok.
The fight between malware – short for malicious software – and the technology designed to stop it is like the evolutionary struggle between man and parasite. As man’s defences against infection get stronger, the parasite finds ever more ingenious ways around them.
Like evolution, the spread of malware owes a great deal to chance. Last year, half of the hundred most common malware samples were downloaded unwittingly by casual web surfers who fell for one of the tricks attackers use to get their code onto a machine. In January 2008, the ‘Secret Crush’ Facebook application duped users into thinking a friend had romantic intentions; once clicked, it led them to a site that pushed spyware.
Infections continue in spite of an army of tools and awareness programmes meant to keep people away from malicious web sites. Part of the reason is that the bad sites are not always obviously bad: in the first quarter of 2008, half of the sites found serving malware were legitimate web sites that attackers had compromised without their owners’ knowledge.
Peter Firstbrook, Research Director at Gartner, says that anti-virus techniques are being overwhelmed by the volume and diversity of new malware. In 2007, for the first time, the number of new malware programs released exceeded the number of legitimate software packages. “In the future, it may be easier to track the universe of known good software than to identify all the bad stuff,” says Firstbrook.
Finding malware is tricky; even IT giants make mistakes. In January this year, Google briefly flagged every one of its search results as harmful after a human error in an update to its list of bad sites: an entry consisting of a lone ‘/’ matched every URL. It wasn’t a disaster, but it showed that even the leading technology players struggle to tell friend from foe.
Malware is, in essence, any program code that is unwanted or hostile. It is written by attackers who want to intrude on privacy, steal information or simply vandalise computers.
Not only is there a lot of it, there are many different kinds. In 2007 alone, as much malware was produced as in the previous 20 years combined. In 2008, anti-virus firm Sophos found one newly infected web page every four and a half seconds, three times the rate of 2007.
Just as malware has become more numerous and diverse, so the digital environment has offered it more room to grow. The ‘threat environment’ is expected to keep evolving rapidly as attackers specialise and adaptable malware toolkits proliferate. Yet most organisations still rely on the same defensive technology invented ten years ago, notes Gartner’s Firstbrook. “Organisations must change their defensive strategies or accept increased business risk and potentially costly disruptions.”
Goh Chee Hoh, Managing Director for Asia South and Hong Kong at internet security firm Trend Micro, says that as more sophisticated malware appears on the radar, companies should look to stop it as early as possible. “The smarter solutions block threats before they even reach the individual or organisation’s network,” says Goh.
Worryingly, even the companies with the best technology to block it admit that no single solution can stop every kind of malware; the parasite is out-adapting the host. Lam Chee Keong, Regional Enterprise Solutions Manager at Juniper Networks, admits that there are simply too many types of viruses, worms and other invaders to build a completely effective defence.
Some of the most effective tools, URL filtering for instance, work like an infantry front line, stopping some but not all of the onrushing cavalry. “This solution alone cannot protect your computer against all malicious web sites. But having it in place will filter out a good percentage of all bad content.”
The weakness of URL filtering is latency. A malicious site has to be discovered, classified and pushed out to the distributed databases before the filter can block it, and in the meantime new malware, or a freshly compromised legitimate site, may have crept under the radar. That is why more lines of defence are needed.
The rest of the defensive work falls to components that can communicate with each other, like the meerkat that warns the burrow of an approaching cobra. If URL filtering fails, another unit is ‘told’ that something is wrong.
Juniper’s malware package is called Adaptive Threat Management Solutions. It comprises several products that work in combination. With the firewall as the first line of defence, the Intrusion Detection and Prevention (IDP) component ‘understands’ the nuances of normal protocol usage. Before a web site’s HTML content reaches the user, the HTTP exchange and the page itself are run through IDP, which checks whether the traffic looks like that of an ordinary site or whether it contains protocol anomalies and signatures unique to malware.
The language of malware is code. If a web site is tainted, its HTML contains patterns that ordinary pages do not. “If IDP comes across any of these codes in a web site, it will block access,” says Lam.
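The two layers Lam describes, a URL filter in front and content inspection behind it, can be sketched as a single policy function. The Python below is an added example written for this article; it is not Juniper’s code and does not reflect how the IDP product is built. The blocklist, the two regular-expression ‘signatures’ (a zero-sized or hidden iframe, and a script that unpacks itself through eval(unescape())), the declared-versus-actual content-type check and the sample pages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed blocklist snapshot. A real URL filter pulls this from a vendor feed,
# and anything compromised since the last update is missing from it: the latency gap.
URL_BLOCKLIST = {"malware.example", "crush-app.example"}

# Constructed content signatures standing in for an IDP rule set.
CONTENT_SIGNATURES = {
    # iframe sized to zero or hidden by style, the classic drive-by injection
    "hidden-iframe": re.compile(
        r'<iframe[^>]*(?:\b(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none)', re.I),
    # script that unpacks itself at run time instead of shipping readable code
    "obfuscated-script": re.compile(
        r'(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.I),
}


@dataclass
class Verdict:
    allowed: bool
    stage: str                  # which layer made the decision
    reasons: list = field(default_factory=list)


def url_filter(url: str) -> bool:
    """First layer: is the host, or any parent domain of it, on the blocklist?"""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return any(".".join(labels[i:]) in URL_BLOCKLIST for i in range(len(labels)))


def inspect_response(headers: dict, body: str) -> list:
    """Second layer: a protocol sanity check plus content signatures."""
    hits = []
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    # a Windows executable (starts with 'MZ') served under an HTML content type
    if declared == "text/html" and body.lstrip().startswith("MZ"):
        hits.append("executable-served-as-html")
    for name, pattern in CONTENT_SIGNATURES.items():
        if pattern.search(body):
            hits.append(name)
    return hits


def fetch_policy(url: str, headers: dict, body: str) -> Verdict:
    """Run the layers in order; the second only sees what the first let through."""
    if url_filter(url):
        return Verdict(False, "url-filter", ["host on blocklist"])
    hits = inspect_response(headers, body)
    if hits:
        return Verdict(False, "content-inspection", hits)
    return Verdict(True, "none")


HTML = {"content-type": "text/html; charset=utf-8"}

# Constructed sample responses (url, headers, body).
SAMPLES = {
    "listed-site": ("http://www.malware.example/index.html", HTML,
                    "<html><body>Free screensavers</body></html>"),
    # a legitimate site compromised after the blocklist snapshot was taken
    "compromised-news-site": ("http://news.example/story/42", HTML,
                    '<html><body><h1>Daily news</h1><p>Markets rose.</p>'
                    '<iframe src="http://x.example/in.php" width="0" height="0"></iframe>'
                    '</body></html>'),
    "packed-script": ("http://blog.example/post", HTML,
                    '<html><script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script></html>'),
    "exe-as-html": ("http://files.example/update", HTML, "MZ\x90\x00\x03PE"),
    "clean-page": ("http://news.example/story/43", HTML,
                   "<html><body><h1>Daily news</h1><p>Nothing to see.</p></body></html>"),
}


def run_samples() -> dict:
    return {name: fetch_policy(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} allowed={verdict.allowed!s:5} stage={verdict.stage:18} {verdict.reasons}")
```

The compromised news site is the latency case: it is not on the blocklist snapshot, so only the content layer catches it. A production engine carries thousands of signatures and decodes the page before matching; two regular expressions are enough to show the hand-off between the layers.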
The threat scan in Symantec’s Endpoint Protection package works along the same lines, scanning protocols for signature codes unique to malware. Endpoint Protection 11 also includes Symantec’s behavioural analysis scan. Since anti-virus technologies cannot capture every malicious signature in cyber space, behavioural analysis software acts like a “virtual sandbox”, explains Don Ng, Enterprise Security Field Director of Symantec, Asia Pacific.
“This is how malware is detected that doesn’t have a signature. Everything that is downloaded is placed in the sandbox for observation. The solution will check its behaviour to see if the content is trying to alter computer codes - to see if it’s behaving badly.”
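The sandbox Ng describes can be reduced to a scoring engine over the actions a sample performs while under observation. The Python below is an added example, not Symantec’s code: the event format, the rules and their weights, the threshold and the sample traces are constructed, and the allowlist of known-good hashes is a stand-in for the ‘known good software’ idea Firstbrook raises above.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One action observed in the sandbox (constructed format, not a vendor's trace)."""
    action: str      # file_write | reg_set | proc_inject | net_connect
    target: str
    detail: str = ""


@dataclass
class Verdict:
    score: int
    hits: list
    malicious: bool
    note: str = ""


SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
AUTORUN_KEY = r"\software\microsoft\windows\currentversion\run"

# Constructed allowlist of vetted software, keyed by SHA-256 of the sample. It is
# consulted before the behavioural rules, because a legitimate installer behaves
# much like a dropper: it writes executables to Program Files and registers autostart.
KNOWN_GOOD = {
    hashlib.sha256(b"EXAMPLE-EDITOR-SETUP-2.1").hexdigest(): "Example Editor 2.1 setup",
}


def rule_hits(ev: Event):
    """Yield (rule, weight) for one event. Rules and weights are illustrative."""
    t = ev.target.lower()
    if ev.action == "file_write":
        if t.startswith(SYSTEM_DIRS):
            yield "write-system-dir", 3
        if t.endswith((".exe", ".dll", ".sys")):
            yield "drop-executable", 2
        if t.endswith(r"\drivers\etc\hosts"):       # redirecting name lookups
            yield "modify-hosts", 4
    elif ev.action == "reg_set" and AUTORUN_KEY in t:
        yield "persistence-autorun", 3
    elif ev.action == "proc_inject":                 # writing code into another process
        yield "code-injection", 5


def analyse(sample: bytes, events: list, threshold: int = 6) -> Verdict:
    """Allowlist check first, then accumulate rule weights over the whole trace."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in KNOWN_GOOD:
        return Verdict(0, [], False, "allowlisted: " + KNOWN_GOOD[digest])
    score, hits = 0, set()
    for ev in events:
        for name, weight in rule_hits(ev):
            score += weight
            hits.add(name)
    return Verdict(score, sorted(hits), score >= threshold)


# Constructed traces. The sample bytes stand in for the downloaded file itself.
EDITOR_SESSION = [
    Event("file_write", r"C:\Users\alice\Documents\report.docx"),
    Event("net_connect", "cdn.example:443"),
    Event("reg_set", r"HKCU\Software\Example\Editor\Recent"),
]
DROPPER = [
    Event("file_write", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
    Event("file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("proc_inject", "explorer.exe", "WriteProcessMemory"),
]
INSTALLER = [
    Event("file_write", r"C:\Program Files\Example Editor\editor.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleEditor"),
]


def run_samples() -> dict:
    return {
        "editor-session": analyse(b"EXAMPLE-EDITOR-2.1", EDITOR_SESSION),
        "dropper": analyse(b"UNKNOWN-DOWNLOAD-1", DROPPER),
        "vetted-installer": analyse(b"EXAMPLE-EDITOR-SETUP-2.1", INSTALLER),
        "unknown-installer": analyse(b"UNKNOWN-DOWNLOAD-2", INSTALLER),
    }


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:18} score={v.score:2} malicious={v.malicious!s:5} {v.hits} {v.note}")
```

The unknown installer trips the same rules as the dropper. That is the trade-off behavioural detection makes, and the reason a vendor’s engine pairs it with reputation data and an allowlist of known-good software; the same kind of mistake, on a far larger scale, is what briefly blocked Google’s search results in January.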
It won’t hurt to take extra precautions to ensure that remote access to the enterprise network is secure and uninfected. Network access for remote workers needs software that can authenticate and check a remote device before it is admitted to the network. The device must meet two criteria: it should be running up-to-date anti-virus software and, more obviously, it should not itself be infected.
Anti-virus software is only the first step against malware, concludes Ng. “The more complicated the internet gets, the more vulnerable to attack it will become. The best way to tackle malware is to take a multi-pronged approach.”