NETWORK SECURITY

Generic exploit blocking: A defense against malicious possibilities


Carey Nachenberg, Symantec Corp.
09.24.2004

For years, traditional signature-based antivirus and intrusion detection technologies have successfully held many Internet threats at bay. Security experts analyze a threat, such as a virus or worm, to determine its peculiar characteristics and then produce a signature or fingerprint to block that specific threat.

Security solutions such as antivirus software and intrusion detection systems look for the telltale code that identifies the threat as a known problem. This traditional signature model, together with improvements in the time and mechanisms with which signatures are delivered to customers, remains one of the most effective approaches for stopping the spread of specific threats.

At the same time, malicious code is hitting with greater frequency, ferocity, and speed. According to the current Internet Security Threat Report released by Symantec Corp., nearly 5,000 new Windows viruses and worms appeared during the first six months of this year -- that's nearly five times the number in the same period in 2003. And hackers are increasingly using bot networks to enhance the speed and breadth of their attacks. With this attack strategy, hackers secretly install bot (short for robot) programs on a computer that enable a remote, unauthorized user to control that computer. What's more, they're doing this on a wide scale, creating armies of remotely controlled computers they can use to launch attacks and spread malicious code.

This new threat landscape puts the effectiveness of traditional fingerprinting technology at risk. Because traditional signatures are only written after an actual threat has appeared and is circulating throughout the Internet and attacking vulnerable systems, it may be too little too late in some instances.

Consequently, security engineers have developed a new technology designed to stop threats before they emerge. Called generic exploit blocking, this technology aims to protect vulnerable software against future attack.

Lock and key
Just as a padlock has a set of internal pins that limits the shape of key that can open it, software vulnerabilities have certain characteristics that limit the malicious code that could exploit those vulnerabilities. With a padlock, an examination of its pins makes it relatively simple for a locksmith to identify the shape of a key that would open the lock, without ever seeing the actual key.

With generic exploit blocking, security experts examine software vulnerabilities to determine the specific stream of data that must be sent over the network to exploit a vulnerability. They can then produce a signature that detects and blocks any attack that meets the exploit criteria.

For example, in July 2003, a vulnerability in the Microsoft SQL Server database was announced. Exploiting the vulnerability could be accomplished by sending a packet of a certain length (in this case, at least 61 bytes), with a first byte having a specific value (4, in this instance), to a particular network port (1434 in this situation) on an unpatched system.

Using this information, a generic exploit-blocking signature could be created that stopped any packet with the same attributes, written as follows in pseudo-code: IF packet_size > 60 AND packet[0] == 4 AND destination_port == 1434 THEN BLOCK PACKET.

This signature could then be distributed to customers and automatically downloaded onto desktop PCs, servers and firewalls through the software's regular update mechanism. These products would then filter out all incoming and outgoing network packets matching the signature. The result? All potential attacks against that vulnerability would be blocked, whether or not the particular attack had been seen before.
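As an added illustration (not code from the article or from Symantec), the rule above applied to a few constructed UDP datagrams in Python; the Packet class, the constant names and the sample payloads are assumptions made for the example:

```python
# Added example: the article's generic exploit-blocking rule for the SQL Server
# Resolution Service, applied to constructed packets (not Symantec's code).
from dataclasses import dataclass

SQL_RESOLUTION_PORT = 1434   # destination port named in the article
MIN_EXPLOIT_LEN = 61         # "at least 61 bytes", i.e. packet_size > 60
EXPLOIT_FIRST_BYTE = 0x04    # "first byte having a specific value (4)"

@dataclass
class Packet:
    """Minimal model of a UDP datagram: destination port and payload bytes."""
    dst_port: int
    payload: bytes

def matches_exploit_criteria(pkt: Packet) -> bool:
    """The article's pseudo-code:
    IF packet_size > 60 AND packet[0] == 4 AND destination_port == 1434 THEN BLOCK.
    All three conditions must hold; the length check runs before indexing
    the payload, so an empty datagram cannot raise an error."""
    return (pkt.dst_port == SQL_RESOLUTION_PORT
            and len(pkt.payload) >= MIN_EXPLOIT_LEN
            and pkt.payload[0] == EXPLOIT_FIRST_BYTE)

def filter_packets(packets):
    """Split traffic into (passed, blocked) the way a host firewall applying the signature would."""
    passed, blocked = [], []
    for p in packets:
        (blocked if matches_exploit_criteria(p) else passed).append(p)
    return passed, blocked

# Constructed sample traffic (not real captures), loosely modelled on SSRP message types.
SAMPLE = [
    # one-byte broadcast request: wrong first byte and far too short
    Packet(1434, b"\x02"),
    # type-4 request with a short instance name: below the length threshold, allowed
    Packet(1434, b"\x04" + b"MSSQLSERVER"),
    # oversized type-4 request: all three criteria met, blocked
    Packet(1434, b"\x04" + b"A" * 120),
    # same shape sent to another port: the signature does not apply
    Packet(1433, b"\x04" + b"A" * 120),
]

if __name__ == "__main__":
    passed, blocked = filter_packets(SAMPLE)
    print(f"passed={len(passed)} blocked={len(blocked)}")
```

Note that the blocked packet contains no exploit code at all, only filler: the rule matches on the shape of the data, which is the source both of its proactive coverage and of its false-positive risk against unusual but legitimate traffic.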

Although the complexity of some software vulnerabilities might require security experts to spend hours analyzing code, the resulting signature still accelerates the security cycle by providing protection before a specific threat emerges and begins to spread.

New tools of the security trade
Generic exploit blocking is effective for most network-based vulnerabilities and is appropriate in both enterprise and consumer environments. It can also be integrated into any software that protects computers over the network, from desktop antivirus and firewall products to residential gateways and corporate firewalls.

This is good news for end users who face increasingly clever Internet threats. Today's blended threats, for example, use multiple methods and techniques to propagate. Beginning with the Code Red worm of August 2001, which resulted in $1 billion in damages according to some estimates, blended threats have proven to be a very pervasive and recurring problem.

Since the release of Code Red, the online world has struggled to protect against -- and, in too many cases, recover from -- other blended threats, including 2003's Slammer and Blaster. Consequently, today, a growing number of security solutions providers are leveraging generic exploit-blocking technology to protect against such blended threats that put a large user community in jeopardy.

What's more, additional proactive security technologies are being developed to complement both traditional signature-based solutions and generic exploit-blocking technologies. Among them are behavior blockers that monitor the conduct of active applications in real time and block program activity that appears malicious. With this technology, calls to key system APIs are blocked when suspicious activity is noted, which disrupts the lifecycle of malicious code.

Another proactive technology under development is protocol anomaly protection, which intercepts all network communications and ensures that the data passing through the network perimeter conforms to the relevant Internet protocol standards. This catches many worms that intentionally send malformed data in order to exploit a specific vulnerability in a target computer.

Finally, virus throttling is being researched as a way to limit the number of new connections a computer can establish, thereby minimizing the impact of an infected machine. This technology aims to slow the spread of threats such as Code Red and Blaster, which propagated widely by choosing random network addresses and initiating an unusually high number of connections to new computers.
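An added example (not from the article, and not any vendor's implementation) of the throttling idea in Python: outbound connections to recently contacted hosts pass immediately, connections to new hosts are released at a fixed rate, and a large backlog of new-host requests is reported as worm-like. The working-set size, release rate, backlog threshold and both traffic patterns are constructed for the illustration.

```python
# Added example: a connection throttle in the spirit of virus throttling (not Symantec's code).
from collections import deque

class ConnectionThrottle:
    """Per-host throttle: familiar destinations pass at once, new ones are rate-limited."""
    def __init__(self, working_set_size=4, release_per_tick=1, alert_backlog=10):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted hosts
        self.release_per_tick = release_per_tick            # new hosts allowed per time unit
        self.alert_backlog = alert_backlog                  # queue depth that signals a worm
        self.pending = deque()    # new-host connections waiting to be released
        self.released = []        # connections allowed out, in order
        self.alerted = False

    def request(self, dst):
        """Handle one outbound connection attempt to destination dst."""
        if dst in self.working_set:
            self.released.append(dst)          # a host we talk to anyway: no delay
            return
        self.pending.append(dst)               # unfamiliar host: wait for a release slot
        if len(self.pending) > self.alert_backlog:
            self.alerted = True                # normal use rarely queues this many new hosts

    def tick(self):
        """Advance one time unit, releasing a limited number of queued new-host connections."""
        for _ in range(self.release_per_tick):
            if not self.pending:
                break
            dst = self.pending.popleft()
            if dst not in self.working_set:
                self.working_set.append(dst)   # oldest entry drops out when the deque is full
            self.released.append(dst)

def run(traffic, **kwargs):
    """traffic[t] is the list of destinations requested during tick t.
    Returns (connections released, still pending, alert raised)."""
    th = ConnectionThrottle(**kwargs)
    for dests in traffic:
        for d in dests:
            th.request(d)
        th.tick()
    return len(th.released), len(th.pending), th.alerted

# Constructed traffic patterns for the illustration.
NORMAL_USE = [["mail", "web"], ["web", "web"], ["mail", "fileserver"], ["web"]]
WORM_SCAN = [[f"10.0.{i}.{j}" for j in range(20)] for i in range(3)]  # 60 distinct new hosts

if __name__ == "__main__":
    print("normal:", run(NORMAL_USE))   # most connections go out, no alert
    print("worm:  ", run(WORM_SCAN))    # only a few get out, alert raised
```

The scanning pattern gets three connections out in three ticks instead of sixty, while the repetitive normal pattern is only briefly delayed and never trips the alert.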

Security technologies such as generic exploit blocking and emerging innovations offer new solutions to help customers proactively stave off attacks. Together, these tools promise to provide enterprise and consumer computer users an impressive defense against potential perils on the digital path.


Carey Nachenberg is chief architect, Symantec Research Labs, Symantec Corp.
