Best Behavior Against Evolving Threats

by Christopher Bolin

The nature of the virus threat has changed significantly over the last few years. Alongside the "traditional" virus threat, there are now mass-mailers, Internet-aware worms, DDoS (distributed denial-of-service) attacks, backdoor Trojans, zombies, and the blended or hybrid threats that combine multiple attack mechanisms. This evolution of the virus threat has made the task of protecting users and corporate systems more complex, and companies with fewer security resources now require more comprehensive solutions.

More recently, following the CodeRed and Nimda outbreaks in the second half of 2001, this evolution of the threat has led some to question the effectiveness of signature-based anti-virus scanners in stopping the latest Internet threats. This group contends that the signature scanners deployed throughout most corporate environments today have had their day, and that the future of viral protection belongs to "behavioral analysis" or "behavior blocking" technology.

While well-designed behavioral analysis technology may serve as a viable complement to traditional anti-virus technology, it should not be evaluated as a replacement for technology that is still, today, effectively detecting, disinfecting and cleaning thousands of corporate computer networks.

What is "Behavioral Analysis"?
Behavioral analysis or behavior blocking is not a new idea; in fact, some security companies adopted the approach in the early 1990s in response to the sharp rise in the number of viruses, which threatened to overwhelm anti-virus researchers. It works from a set of established rules that define a program as either legitimate or malicious (a virus, worm or Trojan). If the analyzed code breaks one of the rules for legitimate behavior, or fits a pre-defined profile established as "malicious," the code or application is flagged as a threat.

Whereas traditional signature-based anti-virus scanning technology examines applications and code for a particular "signature" of a pre-existing strain that has been discovered by anti-virus researchers, behavioral analysis technology monitors what an application or piece of code does and attempts to restrict its actions. Examples might include applications trying to write to certain parts of the system registry, or writing to pre-defined folders. These and other actions would be blocked, and the user or administrator notified.

This fairly simple process can be further refined. It is possible, for example, to restrict the access of a single application, such as giving Microsoft Internet Explorer read-only access to limited portions of the system registry while giving other applications unrestricted access. Additionally, the actions of a downloaded application can be restricted on the local system, and the application can be run in a protective "sandbox" to limit any damage it can do. The activity performed by the application is checked against a set of rules in this environment, and depending on the policy set, the application's actions might be considered a violation of the policy, in which case they would be blocked.

Don't Abandon That Anti-Virus Just Yet
The behavior blocker's key benefit, its advocates argue, is that it's able to distinguish between the "good" and the "bad" programs without the need for professional virus research to analyze the code. And because there is no need for ongoing analysis of each specific threat, there is also no need to keep updating virus signatures or virus definition files. Users are, in theory, protected against new threats in advance, without the need for traditional anti-virus updates.

There is a problem, however. A virus or worm may simply be a program that replicates. Beyond this, it may do what any other normal program does, and as a result it may be very difficult to determine which rules should be used to define something as "bad" or malicious. What might be deemed malicious coming from a hostile application may be acceptable from a legitimate one. For example, the low-level disk writes carried out by a virus, worm or Trojan to delete data from your hard disk are the same ones used legitimately by the operating system. A behavior blocker set up to protect a file server would not know whether the modification or deletion of a document is being carried out legitimately by a user or is the result of a hostile program on the infected user's machine.
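To make the mechanism and its blind spot concrete, here is an added example (not code from the article or from any vendor) of a minimal rule-based behavior blocker of the kind described above: per-application rules, a "malicious" profile, and a sandbox pass over the actions a program attempts. The application names, registry keys and paths are constructed for illustration.

```python
# Added example, not from the article: a minimal behavior-blocking policy
# engine of the kind the text describes. Application names, paths and
# registry keys are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    app: str      # process that performed the action
    op: str       # "read", "write" or "delete"
    target: str   # registry key or file path

# Rules are checked in order; the first match decides. ("*" = any app)
POLICY = [
    ("iexplore.exe", "read",  r"HKLM\Software\Microsoft\Internet Explorer", "allow"),
    ("iexplore.exe", "write", r"HKLM\Software", "block"),  # IE: registry is read-only
    ("*", "write",  r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "block"),
    ("*", "write",  r"C:\Windows\System32", "block"),
    ("*", "delete", r"\\fileserver\docs", "allow"),        # users may delete documents
]

# A "malicious profile": an app whose blocked actions cover all of these
# targets is flagged as a threat, not merely stopped action by action.
MALICIOUS_PROFILE = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                     r"C:\Windows\System32"}

def evaluate(action: Action) -> str:
    """Return 'allow' or 'block' from the first matching rule (default allow)."""
    for app, op, prefix, verdict in POLICY:
        if app in ("*", action.app) and op == action.op \
                and action.target.lower().startswith(prefix.lower()):
            return verdict
    return "allow"

def run_in_sandbox(actions):
    """Apply the policy to every action an app attempts; return the per-action
    verdicts and whether the blocked actions match the malicious profile."""
    verdicts = [(a, evaluate(a)) for a in actions]
    blocked_prefixes = {p for a, v in verdicts if v == "block"
                        for p in MALICIOUS_PROFILE if a.target.lower().startswith(p.lower())}
    return verdicts, blocked_prefixes == MALICIOUS_PROFILE

if __name__ == "__main__":
    worm = [Action("worm.exe", "write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\w"),
            Action("worm.exe", "write", r"C:\Windows\System32\w.exe"),
            Action("worm.exe", "delete", r"\\fileserver\docs\budget.xls")]
    print(run_in_sandbox(worm))
    # The deletion is allowed: the blocker cannot tell a worm's deletion of a
    # document on the file server from a user's, which is the gap described above.
```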

And that's not all. Behavioral analysis technologies cannot clean infections. Maintaining network uptime is paramount to corporations worldwide, and the ability to prevent and clean up a viral infection is critical to maintaining that uptime and saving money. While behavioral analysis technology is argued to be the future of proactive outbreak protection, it has yet to prove that it can clean up a virus-infected network environment as traditional anti-virus software does.

What would happen if a virus or worm was to get by a behavior blocker? Without anti-virus, a company would have to delete every infected document, throwing away thousands of hours of productivity.

Blended Technology Stops Blended Threats
So what is the future? According to a 2002 Computer Economics study, traditional anti-virus software, deployed throughout an organization today, can save a business up to three dollars for every dollar that business spends on protection. This does not mean that behavioral analysis has no merit; it simply means it should be combined with proven anti-virus technology, serving as a complement to the signature-based scanning methods in place today, as part of an overall security policy.

The major anti-virus vendors today are also fine-tuning "heuristic" analysis to detect new, unknown viruses. Heuristic analysis involves looking through the code within a file to determine whether the actions it takes are typical of a virus. The more virus-like the code is, the more likely the anti-virus scanner is to flag the application. Heuristic technology from Network Associates has been capable of detecting and stopping major virus threats such as Klez, Homepage and AnnaKournikova.

So, businesses thinking about abandoning their anti-virus software to rely solely on behavior blocking tools should think twice about the decision. With roughly 60,000 viruses in existence today, it could be the most costly decision they ever make.

About the Author
Christopher Bolin is senior vice president of product development for McAfee, Inc. Network Associates is among those pioneering this collaboration of technologies, including the use of appropriate behavioral analysis techniques to supplement traditional "find and fix" methods. The company's McAfee Outbreak Manager technology is designed to head off a malicious code threat before it gets a foothold and causes an outbreak. The technology is based on analysis of activity at the Internet gateway or e-mail server, and is integrated into McAfee's e-mail scanning products to look for activities that are typical of a new virus outbreak, including an influx of identical e-mail attachments.
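The "influx of identical e-mail attachments" signal mentioned above can be illustrated with a small gateway-side heuristic. This is an added example, not McAfee's or Network Associates' code; the log format, the attachment digests, the time window and the thresholds are all constructed assumptions.

```python
# Added example (not vendor code): flag an attachment that suddenly arrives
# in many copies from many distinct senders, the mass-mailer outbreak pattern
# the text describes. Log lines and digests below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log: timestamp, sender, recipient, attachment name, digest.
# ATTACH-R is one user mailing a report to three colleagues (legitimate bulk send);
# ATTACH-W is the same executable fanning out from several infected senders.
SAMPLE_LOG = """\
2002-03-01T09:00:05 alice@corp.example dan@corp.example report.doc ATTACH-R
2002-03-01T09:00:06 alice@corp.example erin@corp.example report.doc ATTACH-R
2002-03-01T09:00:07 alice@corp.example finn@corp.example report.doc ATTACH-R
2002-03-01T09:01:10 bob@corp.example alice@corp.example readme.exe ATTACH-W
2002-03-01T09:01:12 bob@corp.example carl@corp.example readme.exe ATTACH-W
2002-03-01T09:03:30 carl@corp.example alice@corp.example readme.exe ATTACH-W
2002-03-01T09:04:01 erin@corp.example bob@corp.example readme.exe ATTACH-W
2002-03-01T09:05:45 finn@corp.example dan@corp.example readme.exe ATTACH-W
2002-03-01T09:07:20 carl@corp.example erin@corp.example readme.exe ATTACH-W
2002-03-01T09:30:00 gail@corp.example dan@corp.example photo.jpg ATTACH-P
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, sender, recipient, name, digest)."""
    events = []
    for line in text.splitlines():
        ts, sender, rcpt, name, digest = line.split()
        events.append((datetime.fromisoformat(ts), sender, rcpt, name, digest))
    return events

def detect_outbreak(events, window=timedelta(minutes=10), min_copies=5, min_senders=3):
    """Alert on any digest seen at least min_copies times from at least
    min_senders distinct senders inside a sliding time window. Requiring
    several senders is what separates a worm fanning out from one user's
    legitimate bulk send of the same file."""
    by_digest = defaultdict(list)
    for ts, sender, _rcpt, name, digest in events:
        by_digest[digest].append((ts, sender, name))
    alerts = {}
    for digest, seen in by_digest.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:   # slide the window forward
                start += 1
            current = seen[start:end + 1]
            senders = {s for _, s, _ in current}
            if len(current) >= min_copies and len(senders) >= min_senders:
                alerts[digest] = {"copies": len(current), "senders": len(senders),
                                  "names": sorted({n for _, _, n in current})}
                break   # alert at the first moment the threshold is crossed
    return alerts
```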

Article © Copyright 2006 McAfee, Inc. Used by permission.