Combating Zero Day Attacks
Continued from page: 1
Saturday, October 14, 2006
Prevx1
Prevx1 is anti-malware software that can run alongside your anti-virus,
firewall and other security software. It stops new zero-day malware from
getting into your systems through constant monitoring of system and application
behavior, and it also protects you against all known malware. To protect your
system effectively, it requires constant Internet access.

Sidebar: Microsoft HoneyMonkey
Strider HoneyMonkey is a Microsoft project to detect and analyze websites
hosting malicious code. Its aim is to stop attacks that use web servers to
exploit unpatched browser vulnerabilities and install malware on users' PCs. The
project borrows its idea from the popular honeypots; according to Microsoft, a
HoneyMonkey is a computer or a virtual PC that actively imitates the actions of
a user surfing the web. A series of 'monkey programs', which drive a browser in
a manner similar to that of a human user, run on virtual machines in order to
detect exploit sites. The browsers can be fully or partially updated in order
to look for exploit sites that target specific vulnerabilities. For further
details you can visit the project homepage at
http://research.microsoft.com/honeymonkey

When Prevx1 is run for the first time, it carries out a once-only scan to
identify all executable files on the computer. After these files have been
cataloged, it verifies them against its online community database. After that,
Prevx1 continuously monitors system behavior to detect malware. If it finds
suspicious application behavior, it anonymously reports it back to the Prevx1
community database, which monitors this feed in real time, constantly
assessing and re-assessing an application's behavior. If it finds this behavior
to be malicious, it blocks the application and adds it to the database, thus
protecting you against zero-day attacks.
The Prevx1 community database has records of known good and bad programs.
After it has blocked a known program, it shows a message box from which you can
get online details about the files it blocked. When it blocks a program, it puts
it into the Prevx1 jail. This jail is essentially a repository for the malware
it has detected, divided into various categories.
Prevx1 for business lets you manage and control security issues throughout
the organization using a Web-based security console. This console lets you see
where Prevx1 is installed and the overall status of the nodes on which it is
installed.
It also keeps you informed about any attacks on your PCs. The console
provides configuration options that let you control Prevx1 centrally, and it
lets you do an unattended, silent remote installation of Prevx1 on your
clients. Plus, you can choose whether it runs silently or with minimal
visibility to the user.
Similarly, you can also optimize security policies for particular user and
system functions. By default, it has three modes: ABC, Pro and Expert. In ABC
mode everything is silent for the user, whereas in Pro mode it generates queries
for unknown programs violating certain Prevx1 Protection Settings. In Expert
mode, it generates queries both for good and unknown programs that violate
protection settings and for all unknown programs.
In one of our tests, we took a zero-day worm and put it on an unpatched WinXP
machine. Prevx1 managed to detect intrusion attempts by the zero-day worm when
it was trying to modify the registry. It gave a pop-up alerting us about the
attack and asking whether the application should be allowed to perform its
functions or not. The software was able to detect malicious activity but couldn't
find out whether it was a worm or not. When run in Expert mode, it started
acting like a firewall, asking queries for each program as to whether it
should be allowed to run or not. The application displayed similar messages
even while installing and updating the software.
However, to avoid the pain of allowing every action performed by a legitimate
application, it lets you define security settings for all actions performed by a
particular application. Overall, this software can be handy in protecting your
nodes from a zero-day worm if it manages to sneak in.

Sidebar: Symantec Critical System Protection
"With SCSP policies you can control the behavior of applications running at the
client end and immediately block them if any attack takes place"
Symantec Critical System Protection (SCSP) provides zero-day attack protection
through policy-based behavior control and detection for both servers and
desktops. It continuously monitors and controls application behavior, blocks
port traffic, provides host-based intrusion prevention and detection, and
controls how processes and users access resources. It also provides protection
against buffer overflow attacks. An integrated firewall is present to help you
block inbound and outbound TCP/UDP traffic; you can block traffic per port, per
protocol, per IP address or range, etc. SCSP has three main components: the
SCSP server, client agents, and a management console. SCSP agents have to be
installed on the clients, and you can customize how the agents communicate
with the server. These agents report events to the management console as and
when they happen. The centralized management console enables administrators to
configure, deploy and maintain security policies, manage users and roles, view
alerts, and run reports. Symantec Critical System Protection creates security
policies for every normal program running on the system. It also has a policy
editor through which you can easily make focused policies, and it comes with a
policy library that contains sample prevention and detection policies, with
rules to detect specific actions and take actions accordingly.
To get the best results from this software, you need to get its policies
right. In our tests, when a worm tried to alter MS Word, it successfully
managed to detect and block the worm immediately. It does plenty of reporting
and comes with 75 predefined queries and reports that can provide an overall
summary of the activities. It does real-time alerting too, as it can alert you
through email when an event matches the criteria specified for the alerts. SCSP
is good software and can effectively protect your clients against ZDA.

Sidebar: 3Com's Zero Day Initiative
Zero Day Initiative (ZDI) is a portal by 3Com which pays people who report
vulnerabilities to them, not just in 3Com's own products but in those of others
as well. Here's how it works: when a researcher discovers a vulnerability, he
can log on to the ZDI portal and submit it for valuation by 3Com. At this point
he is given a unique submission ID through which he can track that
vulnerability. After 3Com has verified the vulnerability, it decides whether to
make an offer for it or not. If it makes an offer, the researcher is informed
by e-mail. If the researcher accepts the offer, exclusive rights to the
information are assigned to 3Com and the researcher is paid for it. 3Com then
informs the affected product vendor about the vulnerability and also
distributes protection filters to its customers, thus protecting them even
before the vulnerability is made public. Later on, 3Com shares the
vulnerability details in advance with other members of the security community
before they are disclosed to the public. Once the patch is ready from the
affected vendor, 3Com works in collaboration with it to notify the public of
the vulnerability through a joint advisory that gives full credit to the
original researcher unless the latter wants to remain anonymous. If you want to
participate in the initiative or know about upcoming advisories, log on to
www.zerodayinitiative.com.

While there are various tools available, both commercial as well as free, to
identify and protect your network and hosts against zero-day attacks, they're
not enough. Such tools can only go so far in protecting your network and
systems.
You also need to establish the right set of policies and guidelines on how to
identify zero-day attacks and take the necessary measures to prevent them from
doing any damage until a patch is available for them. As you're fighting
against an unknown enemy in ZDA, the best form of defense you have is to
identify anomalies on your network.
For example, is there a sudden surge in traffic on your network? If so, where
is it coming from? Is it coming from a host that normally doesn't transmit so
much traffic? You need to train your team to keep a watch on such anomalies.
Any packet sniffing tool or your intrusion detection system would be able to
give you this information. Gartner calls this technique Network Behavior
Analysis.
The moment such an anomaly is detected, the first step should be to isolate
the cause. If it's a host that's generating too much traffic, remove it
from the network for further analysis. The idea is that even if a patch or fix
is not available, you should at least be able to prevent the infection from
spreading to other machines on the network.
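The detection step described above, turned into working code as an added example (it is not code from this article or from any product reviewed here): it builds a per-host traffic baseline from past flow summaries and flags hosts whose current volume is far above their own norm, including the edge cases of a host that has never been seen before and a device that normally sends nothing. The flow records, host addresses and thresholds are constructed assumptions for illustration.

```python
"""Per-host traffic baseline and anomaly check.

Added example for the Network Behavior Analysis advice in the article; not code
from the article or from any product reviewed in it. The flow summaries and the
thresholds below are constructed assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (host, interval_label, bytes_sent). A real deployment
# would fill this from NetFlow/sFlow exports or an IDS traffic summary.
HISTORY = [
    ("10.0.0.5", "t1", 2_000_000), ("10.0.0.5", "t2", 2_100_000),
    ("10.0.0.5", "t3", 1_900_000), ("10.0.0.5", "t4", 2_050_000),
    ("10.0.0.20", "t1", 500_000_000), ("10.0.0.20", "t2", 520_000_000),
    ("10.0.0.20", "t3", 480_000_000), ("10.0.0.20", "t4", 510_000_000),
    ("10.0.0.42", "t1", 1_500_000), ("10.0.0.42", "t2", 1_400_000),
    ("10.0.0.42", "t3", 1_600_000), ("10.0.0.42", "t4", 1_500_000),
    ("10.0.0.7", "t1", 0), ("10.0.0.7", "t2", 0),
    ("10.0.0.7", "t3", 0), ("10.0.0.7", "t4", 0),
]

# Constructed current interval: a workstation (10.0.0.5) and a normally silent
# device (10.0.0.7) suddenly transmit heavily, and a host with no history
# (10.0.0.99) appears. The file server (10.0.0.20) is busy but normal.
CURRENT = {
    "10.0.0.5": 180_000_000,
    "10.0.0.20": 520_000_000,
    "10.0.0.42": 1_400_000,
    "10.0.0.7": 30_000_000,
    "10.0.0.99": 50_000_000,
}


def build_baseline(history):
    """Map each host to (mean_bytes, population_stdev) over its past intervals."""
    per_host = defaultdict(list)
    for host, _interval, nbytes in history:
        per_host[host].append(nbytes)
    return {host: (mean(vals), pstdev(vals)) for host, vals in per_host.items()}


def find_anomalies(baseline, current, min_bytes=10_000_000, min_ratio=5.0, min_z=3.0):
    """Return hosts whose current volume is far above their own baseline.

    A host is flagged when it sent at least min_bytes in this interval and
    either has no history at all or exceeds its mean by both the ratio and the
    z-score thresholds. A host with a zero mean or zero deviation is treated as
    infinitely anomalous once it rises above its mean, so a normally silent
    device cannot hide behind a divide-by-zero.
    """
    flagged = []
    for host, sent in current.items():
        if sent < min_bytes:
            continue  # below the absolute floor: not worth an analyst's time
        if host not in baseline:
            flagged.append({"host": host, "bytes": sent, "ratio": None,
                            "reason": "no baseline for this host"})
            continue
        avg, dev = baseline[host]
        ratio = float("inf") if avg == 0 else sent / avg
        if dev:
            z = (sent - avg) / dev
        else:
            z = float("inf") if sent > avg else 0.0
        if ratio >= min_ratio and z >= min_z:
            flagged.append({"host": host, "bytes": sent, "ratio": ratio,
                            "reason": f"{ratio:.1f}x baseline, z={z:.1f}"})
    # Largest deviation first; hosts without any history go last.
    flagged.sort(key=lambda a: (a["ratio"] is None, -(a["ratio"] or 0.0)))
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(HISTORY), CURRENT):
        print(f"{hit['host']}: {hit['bytes']} bytes ({hit['reason']}) "
              "-> isolate from the network for further analysis")
```

The absolute floor (min_bytes) keeps tiny hosts from tripping the ratio test on noise, and requiring both a ratio and a z-score means a host with naturally bursty traffic is not flagged for a modest peak; tune all three values to your own network's history rather than to the constructed figures here.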
Anindya Roy and Swapnil Arora