Friday, October 12, 2007

5 steps for E-mail Security Assurance. Step 2: STOPPING VIRUS

It may not be common knowledge, but spam and viruses originate from the same people. 90 percent of the viruses in the past year have been designed to leave behind a small SMTP engine that is used to hijack an unsuspecting consumer PC and send out spam. So it’s ironic that the biggest sources of spam on the Internet might be the PC your mom or dad has connected to a cable modem, spewing out spam unbeknownst to them.

These “zombie” PCs have proven to be very effective tools for helping spammers fool less sophisticated spam filters. So in order to keep their army of zombie PCs alive and growing, spammers need to create new viruses to infect unsuspecting PCs.

The traditional defense against viruses relies on a “signature”, a series of bits that identifies malicious attachments. While signatures remain a critical component of any virus defense system, they have an inherent weakness. No matter how good the anti-virus signature vendor, it takes a finite amount of time—usually about 13 hours—to detect, isolate, characterize, and create a signature for a new virus outbreak. So the bad guys simply design new virus variants every few weeks and get them to spread rapidly in the window while signatures are being developed. This is why, despite the widespread use of signatures, email-borne viruses continue to be a major problem for IT teams.

To contain the rise in rapid outbreaks, a two-layer filtering system is needed, similar in nature to the two-layer spam filtering systems found in leading-edge solutions. The inner layer is a signature-based anti-virus filter. The outer layer is a preventive anti-virus solution. With IronPort’s solution, the outer layer of virus defense is known as IronPort Virus Outbreak Filters™. The concept is to identify a new outbreak based on a traffic anomaly and then quarantine or “pause” suspicious mail until the traditional anti-virus signatures have been developed.

IronPort has a unique asset that is used to battle these outbreaks—the SenderBase Network. Because SenderBase measures such a large population of email—more than 25% of the world’s email traffic—IronPort can detect the propagation of a new virus the instant it begins. These rapid outbreaks are designed to spread around the world in a matter of hours, in an attempt to beat the signatures. There is no form of human communication that mirrors this type of massive propagation.

IronPort has created a Threat Operations Center (TOC) to monitor SenderBase and look for anomalies in global email traffic that indicate a new outbreak.

For example, a good outbreak indicator might be a sudden increase in password-protected zip files, coinciding with an increase in mail coming from IP addresses that have never sent mail before, because these are really infected PCs spreading the virus. The TOC is staffed with technicians and statisticians who create algorithms to automatically detect these anomalies, and who also provide manual oversight of the automated system to ensure it isn’t being manipulated by the engineers who created and propagated the virus.
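The indicator described above, as an added Python example that is not IronPort's or SenderBase's code: over constructed mail-log records, it counts per hour the messages carrying a password-protected zip from a sender IP never seen before, and flags an hour whose count jumps well above the baseline of earlier hours. The thresholds (`min_baseline`, `k`) and the log fields are assumptions.

```python
"""Toy outbreak indicator over constructed mail-log records.

Flags an hourly window when password-protected .zip attachments arriving
from sender IPs never seen before jump well above the baseline of earlier
windows. Constructed data; not IronPort's SenderBase/TOC code."""
from statistics import mean, pstdev

# Constructed records: (hour, sender_ip, attachment_name, password_protected_zip)
LOG = [
    (0, "198.51.100.1", "report.pdf", False),
    (0, "198.51.100.2", "notes.txt", False),
    (1, "198.51.100.1", "invoice.zip", False),
    (1, "198.51.100.3", "photo.jpg", False),
    (2, "198.51.100.2", "q2.zip", True),      # known sender: not counted
    (2, "198.51.100.4", "memo.doc", False),
    (3, "203.0.113.10", "price.zip", True),   # burst from never-seen IPs
    (3, "203.0.113.11", "price.zip", True),
    (3, "203.0.113.12", "price.zip", True),
    (3, "203.0.113.13", "price.zip", True),
    (3, "198.51.100.1", "status.txt", False),
]

def suspicious_per_hour(records):
    """Count, per hour, messages carrying a password-protected zip from a
    sender IP that had not sent mail in any earlier record."""
    seen, counts = set(), {}
    for hour, ip, _name, pw_zip in sorted(records, key=lambda r: r[0]):
        counts.setdefault(hour, 0)
        if pw_zip and ip not in seen:
            counts[hour] += 1
        seen.add(ip)
    return counts

def flag_outbreak_hours(counts, min_baseline=2, k=3.0):
    """Flag an hour whose count exceeds mean + k*stdev (stdev floored at 1)
    of all earlier hours. Thresholds are illustrative assumptions."""
    hours = sorted(counts)
    flagged = []
    for i, h in enumerate(hours):
        baseline = [counts[x] for x in hours[:i]]
        if len(baseline) < min_baseline:
            continue  # not enough history to judge against
        threshold = mean(baseline) + k * max(pstdev(baseline), 1.0)
        if counts[h] > threshold:
            flagged.append(h)
    return flagged
```

Hour 2's password-protected zip comes from a sender already seen, so it does not count; hour 3's burst from four never-seen IPs does.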

Having IronPort’s highly trained analysts in the loop means that the IT team at every corporation doesn’t need to be reviewing and reacting to every new outbreak—IronPort takes care of that effort.

When the TOC team issues a new outbreak alert, it automatically pushes a rule out to the IronPort appliances. The appliances have a unique dynamic quarantine that scans and re-scans mail as more fine-grained information becomes available. For example, the moment an outbreak occurs, the TOC may issue a very coarse rule such as “quarantine all .zip files”. This rule is automatically sent to the IronPort appliances in the field and, at any time of the day or night, initial virus defenses are activated—.zip files are put in a special quarantine on the appliance. Within five minutes the TOC technicians may determine that the outbreak is associated with .zip files that are sized between 50 and 55 KB. A new rule is created and pushed out to the appliances. The dynamic quarantine then re-scans all quarantined messages, releasing anything that isn’t a .zip between 50 and 55 KB. As the outbreak rages around the world, the TOC team may create another (more fine-grained) rule—the outbreak is a .zip between 50 and 55 KB that contains the word “price” in the file name. This rule is pushed out and the dynamic quarantine re-scans, narrowing in on the outbreak. The concept is illustrated in Figure 1.

Figure 1: Dynamic Quarantine in Action

The TOC team also coordinates with IronPort’s anti-virus signature partner, Sophos. Both teams share information on the outbreak and coordinate the release of the updated signature. When the signature is known to have been updated on the remote IronPort appliance, the TOC will issue a rule that says “scan quarantine with Sophos” and the Sophos engine will scrub all messages in the quarantine, deleting or stripping all messages that match the signatures.
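The rule sequence described above (all .zip, then 50–55 KB, then “price” in the name) followed by the final “scan quarantine with signatures” step, as an added Python example that is not IronPort's code: each pushed rule re-scans the held messages and releases whatever the finer rule no longer matches. Message fields, sizes and the `is_infected` predicate standing in for the signature engine are constructed assumptions.

```python
"""Toy dynamic quarantine (constructed example, not IronPort code): each
pushed rule is finer than the last; every push re-scans held mail and
releases what the new rule no longer matches."""
from collections import namedtuple

Message = namedtuple("Message", "msg_id attachment size_kb")  # size in KB

def rule_any_zip(m):
    return m.attachment.lower().endswith(".zip")
def rule_zip_50_55kb(m):
    return rule_any_zip(m) and 50 <= m.size_kb <= 55
def rule_zip_50_55kb_price(m):
    return rule_zip_50_55kb(m) and "price" in m.attachment.lower()

class DynamicQuarantine:
    def __init__(self):
        self.held = {}  # msg_id -> Message currently quarantined

    def push_rule(self, rule, inbound=()):
        """Quarantine matching inbound mail, then re-scan held mail and
        release anything the (finer) rule no longer matches."""
        for m in inbound:
            if rule(m):
                self.held[m.msg_id] = m
        released = sorted(i for i, m in self.held.items() if not rule(m))
        for i in released:
            del self.held[i]
        return released

    def scan_with_signatures(self, is_infected):
        """Final 'scan quarantine with signatures' rule: drop infected
        messages, release the rest, and empty the quarantine."""
        dropped = sorted(i for i, m in self.held.items() if is_infected(m))
        released = sorted(i for i in self.held if i not in dropped)
        self.held.clear()
        return dropped, released

# Constructed inbound sample; sizes are attachment sizes in KB.
INBOUND = [Message("m1", "report.pdf", 120), Message("m2", "holiday.zip", 900),
           Message("m3", "price.zip", 52), Message("m4", "archive.zip", 53),
           Message("m5", "Price_list.ZIP", 51)]

def run_outbreak(inbound, is_infected):
    q = DynamicQuarantine()
    r1 = q.push_rule(rule_any_zip, inbound)    # first alert: all .zip held
    r2 = q.push_rule(rule_zip_50_55kb)         # minutes later: 50-55 KB only
    r3 = q.push_rule(rule_zip_50_55kb_price)   # later: name contains "price"
    dropped, released = q.scan_with_signatures(is_infected)
    return r1, r2, r3, dropped, released
```

The stand-in signature predicate (here: the 52 KB sample) decides what finally gets deleted; the real engine would match on the released signature instead.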

Table A: IronPort’s Virus Outbreak Filters Lead the Industry (column: IronPort Virus Outbreak Filter)

*June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

This two-layer filtering system, with a preventive outer layer and a content-based reactive inner layer, represents comprehensive virus protection. IronPort Virus Outbreak Filters have been in production for more than a year and have stopped over 150 outbreaks an average of 13 hours ahead of signature availability, providing state-of-the-art protection for corporate networks and admin-free defense for the IT team. An outline of IronPort’s response to recent outbreaks is provided in Table A.

No system can provide perfect security against spam or viruses (although some vendors make claims and guarantees to this effect). IronPort Virus Outbreak Filter technology, combined with Sophos anti-virus signatures, yields the most effective virus defense system on the market—in production at more than 20 percent of the world’s largest enterprises. The same engine that protects companies like Cisco, Juniper, Network Appliance, Dell and Intel powers the IronPort C10 email security appliance designed for small and medium-sized businesses. Plug it in, and spam and viruses just go away.
