/v3-uk/news/1945505/bugwatch-how-stop-bullet
10 Jun 2004, Steven Trilling , V3
Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Steven Trilling, Symantec's director of internet security services, examines why traditional methods alone are no longer effective in stopping viruses and what new technologies are being developed to handle this new breed of threat.
Reactive, signature-based antivirus software needs to be supplemented. This is not to say the technique is no longer useful; indeed, such software remains indispensable. But the fastest worms today can reach what is known as 'total contagion', infecting essentially every vulnerable host, faster than either a human analyst or an automated system can generate and deploy a signature, so the industry has to re-examine its strategy and look at alternative methods.
First, it is important to remember that there are millions of threats flying around the internet at any one time, and to stop these we must deploy technologies right across the network to proactively block them. This will help eliminate the potentially damaging reactive cycle in which most companies find themselves when managing their network security.
Today a number of promising new technologies are being developed to help us manage and protect our corporate infrastructure. Four in particular will help us to do this more proactively: behaviour blocking, protocol anomaly protection, generic exploit blocking and virus throttling. All are designed to help stop the 'bullet' before it hits its target - even before it leaves the gun.
Behaviour blocking is really a last line of defence. It is designed to monitor behaviours of applications in real time and block any activity that appears to be malicious, in the same way a drug might stop a virus in the human body. This technology must determine which behaviour is malicious and which is legitimate, a challenge which often leads to a proliferation of false positives.
Some behaviour-blocking technology, known as worm blocking, is already available today in antivirus packages, and has successfully blocked many email-based worms without needing signatures.
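To make the idea concrete, here is a simplified worm-blocking monitor in Python. It is an added illustration, not code from the column or from Symantec's products, and it watches only two behaviours that mass-mailing worms share: a process handing a copy of its own executable to an outbound mail session, and one process mailing many distinct recipients in a short window. The event format, the hashes and the two thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for the illustration, not any product's settings.
WINDOW_SECONDS = 10.0   # sliding window for the mass-mailing rule
MAX_RECIPIENTS = 5      # distinct recipients a process may mail inside one window


class WormBlocker:
    """Blocks outbound mail on behaviour alone; no worm signature is consulted."""

    def __init__(self, window=WINDOW_SECONDS, max_recipients=MAX_RECIPIENTS):
        self.window = window
        self.max_recipients = max_recipients
        self.image_hash = {}              # pid -> hash of the process's own executable
        self.recent = defaultdict(deque)  # pid -> deque of (time, recipient)

    def on_exec(self, pid, image_hash):
        """A process started; remember what its executable looks like."""
        self.image_hash[pid] = image_hash

    def on_smtp_send(self, t, pid, recipient, attachment_hash):
        """Decide one outbound message. Returns (verdict, reason)."""
        # Rule 1: the attachment is a copy of the sending program itself.
        # Mass-mailers do this; a user attaching a document does not.
        if attachment_hash is not None and attachment_hash == self.image_hash.get(pid):
            return "block", "process mailed a copy of its own executable"

        # Rule 2: too many distinct recipients from one process in a short window.
        q = self.recent[pid]
        q.append((t, recipient))
        while q and t - q[0][0] > self.window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > self.max_recipients:
            return "block", f"{len(distinct)} distinct recipients within {self.window:g}s"
        return "allow", ""


# Constructed sample telemetry (not real captures):
#   ("exec", pid, image_hash)
#   ("smtp", time, pid, recipient, attachment_hash or None)
SAMPLE_EVENTS = [
    ("exec", 401, "h-mailclient"),
    ("exec", 777, "h-worm"),
    ("exec", 888, "h-greetings"),
    ("smtp", 0.0, 401, "alice@example.com", "h-report"),   # user mails a document
    ("smtp", 1.0, 401, "bob@example.com", None),           # plain message
    ("smtp", 2.0, 777, "carol@example.com", "h-worm"),     # worm mails itself
    ("smtp", 2.5, 777, "dave@example.com", "h-worm"),
] + [
    ("smtp", 3.0 + i, 888, f"user{i}@example.com", "h-card")  # one card to six people
    for i in range(6)
]


def evaluate(events, blocker=None):
    """Feed events through the blocker; return a verdict per SMTP event."""
    blocker = blocker or WormBlocker()
    verdicts = []
    for ev in events:
        if ev[0] == "exec":
            blocker.on_exec(ev[1], ev[2])
        else:
            _, t, pid, rcpt, att = ev
            verdict, reason = blocker.on_smtp_send(t, pid, rcpt, att)
            verdicts.append((pid, rcpt, verdict, reason))
    return verdicts


if __name__ == "__main__":
    for pid, rcpt, verdict, reason in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid} -> {rcpt}: {verdict} {reason}")
```

The worm (pid 777) is stopped on its first message without any signature. The greetings-card program (pid 888), a legitimate application sending one file to six friends, is stopped on its sixth recipient: that is the false positive the column warns about, and the only lever is the threshold, which trades missed worms against blocked users.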
Protocol anomaly protection, often implemented as Layer 7 (application-layer) proxying, is designed to act as a 'shield', stopping attacks before they reach a machine and cause damage. The idea is to filter all network communications, at the firewall, on the hosts, or even in the routing and switching infrastructure, and ensure that all data flowing through these devices conforms to the published specification of the protocol it claims to be. Anything that deviates from the specification simply doesn't get through.
With protocol anomaly protection in place, Code Red, Slammer and Blaster could have been stopped: each relied on a request field far longer than the protocol or service it targeted ever expected. The challenges here, though, are to make sure that this type of network filtering is sufficiently fast and cost-effective. In addition, there are thousands of protocols potentially in need of filtering, from email, web and FTP traffic to instant messaging and file exchange protocols, and each needs its own parser, making the task even more daunting.
Generic exploit blocking is another 'shield' method, which aims to protect a newly disclosed vulnerability against every exploit that might be written for it, rather than against one known piece of malicious code. It's like a padlock: each padlock has its own set of internal pins that define the shape of the key that opens it. In the same way, when a new vulnerability is disclosed and analysts characterise its shape, the conditions any attack must satisfy to trigger it, generic exploit blocking uses those characteristics to protect the vulnerability against future attack.
Like everything else, this technique has its problems, not least the fact that most vulnerabilities have complex shapes, making it difficult to produce signatures for them and apply them quickly enough without slowing network traffic.
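The two 'shield' methods above, protocol anomaly protection and generic exploit blocking, can be shown side by side on the one protocol Code Red used. The Python below is an added example, not code from the column or from any Symantec product: a strict HTTP/1.x request-head parser enforces the grammar (a method that is a token, three space-separated fields, a recognised version, no control characters in header lines, a Host header for HTTP/1.1), and a separate rule matches the shape of the vulnerability Code Red exploited, an over-long query string to the .ida/.idq handler, independent of whatever payload follows. The byte limits and the sample requests are constructed assumptions; the .ida request below is not the worm's actual bytes.

```python
import re

# Grammar limits (assumptions for the example, not from the column).
MAX_REQUEST_LINE = 4096
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 2616 token
VERSION = re.compile(rb"^HTTP/1\.[01]$")
TARGET = re.compile(rb"^[\x21-\x7e]+$")                   # visible ASCII only
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")        # any control byte but HTAB

# Shape of the vulnerability exploited by Code Red: an over-long query string
# handed to the .ida/.idq ISAPI handler. The byte limit is an assumption.
IDA_QUERY_LIMIT = 200


def parse_request_head(raw):
    """Parse an HTTP/1.x request head strictly. Raise ValueError on any deviation."""
    if not raw.endswith(b"\r\n\r\n"):
        raise ValueError("head not terminated by CRLF CRLF")
    lines = raw[:-4].split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("request line is not METHOD SP target SP version")
    method, target, version = parts
    if not TOKEN.match(method):
        raise ValueError("method is not a token")
    if not TARGET.match(target):
        raise ValueError("request target contains illegal characters")
    if not VERSION.match(version):
        raise ValueError("unsupported HTTP version")

    headers = {}
    for line in lines[1:]:
        if CONTROL.search(line):
            raise ValueError("control character in header field")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise ValueError("malformed header field")
        headers[name.lower()] = value.strip()
    if version == b"HTTP/1.1" and b"host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return method, target, version, headers


def inspect(raw):
    """Return ('allow', '') or ('block', reason) for one request head."""
    try:
        method, target, version, headers = parse_request_head(raw)
    except ValueError as err:
        return "block", f"protocol anomaly: {err}"          # shield 1: the grammar
    path, _, query = target.partition(b"?")
    if path.lower().endswith((b".ida", b".idq")) and len(query) > IDA_QUERY_LIMIT:
        return "block", "exploit shape: oversized query to .ida/.idq handler"  # shield 2
    return "allow", ""


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":       b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ida_short":    b"GET /default.ida?q=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ida_overflow": b"GET /default.ida?" + b"N" * 224 + b"%u9090 HTTP/1.0\r\n\r\n",
    "no_version":   b"GET /index.html\r\nHost: www.example.com\r\n\r\n",
    "bare_lf":      b"GET / HTTP/1.1\r\nHost: a\r\nX-Y: 1\nEvil: 2\r\n\r\n",
    "no_host":      b"GET / HTTP/1.1\r\n\r\n",
}


def inspect_all(samples=SAMPLES):
    """Verdict per named sample."""
    return {name: inspect(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} {inspect(raw)}")
```

Note the division of labour: the grammar checks know nothing about any vulnerability and reject the malformed requests, while the exploit-shape rule lets an ordinary request to default.ida through and blocks only the over-long one, whatever bytes follow the Ns. The second rule is the generic exploit blocker's 'padlock', and the difficulty the column describes is that most real vulnerabilities do not reduce to a single length comparison.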
Finally, Hewlett-Packard is developing a technique known as virus throttling. The theory behind this is that ultra-fast worms try to reach hundreds of new computers every second, whereas ordinary use contacts new machines far more slowly, so if outbound connections to previously uncontacted computers are limited to roughly one per second the spread of attack is significantly reduced. Nimda established between 300 and 400 new connections per second, and Blaster sent 850 packets per second, so a throttle that holds each machine to about one connection to a new host per second would dramatically slow down, or even stop, the rate of propagation.
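The throttle described above can be simulated in a few dozen lines. The Python below is an added example, not HP's implementation: connections to recently contacted hosts (a small working set) pass at once, connections to new hosts wait in a delay queue released at one per second, and a queue that grows past a threshold raises an alarm. The working-set size, queue threshold and the two traffic patterns (a desktop browsing three sites, and a worm contacting 300 new addresses a second, the Nimda rate quoted in the column) are constructed for the illustration.

```python
from collections import OrderedDict, deque


class VirusThrottle:
    """Outbound connection throttle in the style the column attributes to HP.

    Connections to hosts contacted recently (the working set) pass at once.
    Connections to new hosts wait in a delay queue that is released at a fixed
    rate. A long queue is the tell-tale of a scanning worm and raises an alarm.
    """

    def __init__(self, new_hosts_per_sec=1.0, working_set_size=5, alarm_queue_len=100):
        self.interval = 1.0 / new_hosts_per_sec
        self.working_set_size = working_set_size
        self.alarm_queue_len = alarm_queue_len
        self.working_set = OrderedDict()   # dest -> None, least recently used first
        self.delay_queue = deque()         # (request_time, dest) awaiting release
        self.next_release = 0.0            # earliest time the next new host may go out
        self.forwarded = []                # (time_sent, dest)
        self.alarm_at = None

    def _touch(self, dest):
        self.working_set[dest] = None
        self.working_set.move_to_end(dest)
        while len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)   # evict least recently used

    def _drain(self, now):
        # Release at most one queued new-host connection per interval.
        while self.delay_queue and self.next_release <= now:
            t_req, dest = self.delay_queue.popleft()
            sent_at = max(t_req, self.next_release)
            self.forwarded.append((sent_at, dest))
            self._touch(dest)
            self.next_release = sent_at + self.interval

    def request(self, now, dest):
        """Offer one outbound connection at time `now`; return 'pass' or 'delayed'."""
        self._drain(now)
        if dest in self.working_set:
            self._touch(dest)
            self.forwarded.append((now, dest))
            return "pass"
        if all(d != dest for _, d in self.delay_queue):   # one queue slot per new host
            self.delay_queue.append((now, dest))
        if len(self.delay_queue) > self.alarm_queue_len and self.alarm_at is None:
            self.alarm_at = now
        self._drain(now)
        return "pass" if not self.delay_queue else "delayed"

    def finish(self, now):
        """Flush whatever the rate limit allows up to `now`."""
        self._drain(now)


def run_scenario(requests, end_time):
    """requests: time-ordered (time, dest) pairs. Returns summary statistics."""
    throttle = VirusThrottle()
    delayed = 0
    for t, dest in requests:
        if throttle.request(t, dest) == "delayed":
            delayed += 1
    throttle.finish(end_time)
    return {"offered": len(requests), "forwarded": len(throttle.forwarded),
            "delayed": delayed, "alarm_at": throttle.alarm_at}


# Constructed traffic: a desktop browsing three sites at 20 requests/s for 5 s,
# and a worm opening connections to 300 previously unseen hosts per second.
BENIGN = [(i / 20, ["web", "mail", "cdn"][i % 3]) for i in range(100)]
WORM = [(i / 300, f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}") for i in range(1500)]


if __name__ == "__main__":
    print("benign:", run_scenario(BENIGN, 5.0))
    print("worm:  ", run_scenario(WORM, 5.0))
```

Over five seconds the worm offers 1,500 connections and gets six out, one per second, with the alarm firing within the first half second; the browsing desktop is delayed only on its first contact with each new site and never trips the alarm. The same mechanism is what makes the technique attractive on an infected machine: it cannot tell the worm from the user, yet it reduces the worm to the user's pace.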
While these and other new technologies show promise, the security community still has much research to do. But new proactive techniques are needed today: attacks are getting faster and we need to work faster to stop them.