Special Report: Walk on the wild side

Hunting for the little beasts that infect modern computer networks is trickier and more complex than ever, Fleur Doidge finds

Marwell Zoological Park near Winchester has been working to prevent an infestation of bugs, but not the kind you might expect.

Among the Przewalski’s horses, the Pink-toed tarantulas, the Fulvous whistling ducks and the Siamang gibbons, the human staff feared that the zoo’s current anti-virus software was not fully protecting against the proliferating strains of resistant and intelligent computer bugs.

So the conservation charity turned to internet security software specialist ESET recently for a much-needed upgrade.

Viral variations

David Whitehead, IT manager of the 100-acre park, says variants of computer viruses have started mutating quicker than a chameleon changes its colours.

“We were already very aware of the significant amount of memory some anti-virus products hog and a low footprint on system resources was top of our list of criteria, alongside high detection levels and low false positives,” he says. “We chose ESET NOD32 because it met these requirements effortlessly and the company was also prepared to recognise our charity status and provide us with a discount.”

As a charity, Marwell tries hard to make the most of its resources. When one staff member is assigned a new computer, the old one is passed on to another employee.

It is common for some zoo staff to be using computers that are six or seven years old. That policy does not always sit well with desktop security products, which are typically developed in line with advances in memory and processing power – meaning additional functionality is often simply bolted on as the system develops.

ESET’s NOD32 anti-virus has a small footprint compared to those of some competitors, so had instant appeal for a customer not wishing to compromise legacy hardware and systems.

“Being such a small program, NOD32 was easy to deploy and we have not suffered a single infection since we started using it,” says Whitehead. “The best thing about ESET is that it does exactly what it should do, unobtrusively and without any perceivable impact on the machines on which it runs. One might describe it as a roaring success.”

Heuristic help

NOD32 compares internet traffic against known virus signatures and uses heuristic scanning techniques to detect malware via ESET’s ThreatSense engine. Heuristics refers to the use of a set of rules or guidelines. In anti-malware products, heuristics-based scanning means a set of rules is used to assess the likelihood that online traffic is malware.

According to ESET, the advantage of the heuristics-based model is that it can detect variants of existing malicious programs and previously unknown malicious programs.

Heuristics has become a popular complement to traditional virus signature-based techniques because, in part, it can enhance an application’s ability to detect zero-day attacks.

Marwell also has users that access the network remotely via VPN. The new software includes Remote Administrator, a central management console from which administrators can respond to threats, update signature databases, run reports, and install and manage applications. When users log on to the VPN, NOD32 automatically updates its protection.

“You always lose a degree of control when users are based outside the network, but we’re determined not to be made a monkey of by getting hit by a virus,” says Whitehead.

This year, Marwell plans to upgrade its servers, renewing its NOD32 licence and this time including licences for the new email and NAS servers, which can also be managed via Remote Administrator.

Alan Thake, vice president of sales at ESET, says the Slovakia-based security vendor is targeting increased market share throughout 2009 and beyond. “There are still the big names out there – Symantec, McAfee, Sophos and the rest – but we are moving further into the market and competing head on with companies such as Kaspersky,” he says.

ESET signed UK distribution in 2002. However, while most people have heard of its long-standing NOD32 product, it is only recently that the firm has moved to promote the ESET brand specifically.

“There is fairly consistent growth in the security market and in real terms we have pretty much been doubling our revenue year on year,” says Thake. “We have had 55 per cent direct sales versus 45 per cent channel, but we are looking to increase channel sales and consistently recruit new resellers.”

Intelligent sell

Opportunity exists for all sizes and stripes of reseller, but particularly for those targeting large accounts that are prepared to really sell to a solution’s strengths rather than simply present several options and tell customers to pick one, according to Thake.

ESET offers NOD32 and its integrated internet security package, Smart Security, in versions for the small office or home with one to four machines, SMEs with five to 1,000 computers and the 1,000 PC-plus enterprise.

There is also a mobile anti-virus offering, aimed at the burgeoning opportunities to provide a line of defence for Windows-based smartphones, which increasingly are used to do business via the internet and are therefore becoming more vulnerable to bug infestation.

Market development funding, as part of a new channel programme, is on the drawing board and slated for likely rollout in the second quarter, says Thake.

Ian Kilpatrick, chairman of security distributor Wick Hill, says this year a comprehensive approach to internet security is definitely more important, with heuristics-based techniques a key component.

Wick Hill does not currently carry ESET product. However, Kilpatrick agrees that a small footprint and low drain on system resources are critical for customers.

“From my perspective, ESET is a reliable product with a small footprint, although we chose Kaspersky because we believe it has number-one status,” he says.

“Heuristics-based technologies have been around for years and have got much better. They are definitely part of the solution.”

Users still need education, combined with incident response to new threats, and a unified threat management approach is likely to prove popular with customers in 2009.

“We see people becoming heavily creative in an attempt to break through, using blended threats,” Kilpatrick says. “Blended threats can be incredibly difficult to find.”

Trojans and social engineering are proliferating in the wild as cyber-criminals sharpen their focus on specific targets. This might be less about targeting a vulnerable individual within a company than about focusing on specific types of company or groups of individuals.

“And you need fast updates,” adds Kilpatrick.

Detect and protect

Romanian security vendor BitDefender found that 80 per cent of malware attacks in 2008 were Trojan based. Last year saw some 2,000 new and mutated viruses discovered daily, as well as some 50,000 phishing attacks per month and one million zombies spreading various malware species.

The level of web-based e-threats leapt 460 per cent and JavaScript exploitation via SQL injection tripled in volume. Spam emails carrying malware jumped 400 per cent.

Seventy-five per cent of Trojans found had complex updating mechanisms and stealth data download and upload features, as well as rootkit or spyware features.

In 2009, stealth and automation-related attacks are expected to evolve. More application vulnerabilities will be exploited in ways similar to the password-stealing Trojan.PWS.ChromeInject.A. Web 2.0 attacks will rise too.

Vlad Valceanu, head of anti-spam research at BitDefender, says many infectious bugs are now automatically updated.

“This has implications for heuristics, because malware has become less static and more dynamic. So, as time passes, heuristics techniques become more important,” he says.

Heuristics is a critical complement to traditional signature comparison, especially as some malware now recompiles its code every hour. Each time a virus connects to a site and downloads an update, it mutates, so it is less likely to be recognised by comparison with known signatures.
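The contrast drawn above, between hash signatures that a single rebuild defeats and rule-based heuristics that survive it, is shown here as an added toy example; it is not ESET’s ThreatSense or any vendor’s engine. The samples are constructed byte strings standing in for binaries, and the rule weights and threshold are illustrative assumptions.

```python
import hashlib
import re

# Constructed stand-ins for binaries (plain byte strings, not real files).
KNOWN_SAMPLE = (
    b"MZ\x90\x00PEtool v1 "
    b"URLDownloadToFileA WriteProcessMemory "
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    b"http://update.example.invalid/v1"
)
# The same sample after a simulated hourly rebuild: only the version tag changes.
MUTATED_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")
BENIGN_SAMPLE = b"MZ\x90\x00PE notepad-like editor: OpenFile SaveFile"

# Signature database: exact hashes of samples already analysed in the lab.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Classic signature check: whole-file hash lookup (brittle to any change)."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


# Heuristic rules: each (pattern, weight) captures a behaviour hint that is
# independent of the exact bytes of any one build. Weights are assumed values.
HEURISTIC_RULES = [
    (rb"URLDownloadToFile", 3),    # fetches content from the network
    (rb"WriteProcessMemory", 3),   # tampers with another process
    (rb"CurrentVersion\\Run", 2),  # registers itself to start at logon
    (rb"https?://[\w.\-]+/", 1),   # embedded update/command URL
]
THRESHOLD = 5  # assumed cut-off between "clean" and "suspicious"


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every rule whose pattern appears in the sample."""
    return sum(w for pat, w in HEURISTIC_RULES if re.search(pat, data))


def classify(data: bytes) -> str:
    """Signature first (cheap, exact), then heuristics for what it misses."""
    if signature_match(data):
        return "known-malware (signature)"
    if heuristic_score(data) >= THRESHOLD:
        return "suspicious (heuristic)"
    return "clean"


if __name__ == "__main__":
    for name, s in [("known", KNOWN_SAMPLE), ("mutated", MUTATED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{name:8s} sig={signature_match(s)} score={heuristic_score(s)} -> {classify(s)}")
```

The mutated build misses the hash lookup but still scores the same as the original, which is the point the vendors make about signature-only products; in practice the rule set, not the hash list, is what needs tuning against false positives.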

“That is why behavioural approaches are best for such threats,” says Valceanu. “We are also seeing Trojans and other malware developing interesting techniques to target voice over IP.”

The trend for virtualisation is also encouraging a heuristics-based approach, because malware writers are intensifying their focus on examining whether a potential target is in a virtual, emulated environment or a real environment, and modifying their attacks accordingly.

“Heuristics-based detection will play a greater and greater role,” adds Valceanu.

Suite of solutions

Nick Billington, UK country manager at BitDefender, confirms that a channel that differentiates between security vendors is at an advantage. Security applications are not all the same – it is horses for courses, although there might be some casualties this year.

“Resellers should be providing a suite of products and adding value to the customer,” says Billington. “That is how resellers are going to get through.”

David Emm, senior technology consultant at Kaspersky Lab, says heuristics is one of a number of valuable techniques to protect against bug infestations.

“Over the past couple of years, it has become more important to be proactive. We have two elements in our heuristics armoury: static analysis, where we are looking for known behaviour; and dynamic heuristics or emulation,” says Emm.

“And on top of that, we use real-time behavioural analysis, where you look at how a particular program behaves.”

Emm says malware breeds and mutates so fast nowadays that behavioural approaches simply cannot be ignored. Any security product that relies on signatures alone will be ineffective.

“We are finding about 5,000 new signatures daily. Eighteen months ago, that number would have been only about 400 to 500,” he says. “A few years ago, vendors all offered a bit of heuristics, then more and now you get integration with the firewall and anti-spam.”

Dedicated defence

Education is key, with resellers needing to understand all the different species of defence and how they all team up as well as how the threats are evolving. These issues are moving targets and cannot be ignored.

“We just launched a partner programme, and training is a massive part of that,” says Emm.

ESET’s global threat report for 2008 collects statistics from 10 million systems. It found that the most prolific threat last year was online gaming password stealers – which accounted for 10.8 per cent of all detected attacks. In second place, with 8.3 per cent, was INF/Autorun, which uses Windows Autorun as a vector.

The vendor also predicts more fake anti-malware products appearing online to extort money from internet users, according to the firm’s director of malware intelligence, David Harley.

“Some major anti-virus companies have seen their web sites spoofed,” he says. “In addition, confidential information such as credit card details may be used subsequently in many different ways.”

ESET’s Thake says its product strengths include defence against known and unknown rootkits using its anti-stealth technology incorporating customisable command options. NOD32 is also compatible with Vista. Adware and spyware protection has been overhauled to provide more granular threat assessments.

“And we have never missed an in-the-wild virus in Virus Bulletin testing,” says Thake.

This CRN Special Report was sponsored by ESET.