Gateway scanning is not enough!

2007-10-01

Paul Dickens

Institute of Physics Publishing, UK
Editor: Helen Martin

Abstract

'Why is the number of malicious attachments decreasing - and why shouldn't I be happy about it?' Paul Dickens, Institute of Physics Publishing.


Most users of email will know that the spam problem just keeps on getting bigger, yet the number of computer viruses received as attachments in email is decreasing. What's not so obvious is that the threat of computer viruses is as prolific as ever - it's just not as common to see viruses arriving as email attachments, and for some end-users this promotes a false sense of security.

Within my own corporate environment, we are finding fewer malicious programs being received as attachments than previously, whilst the volume of spam is increasing and new viruses are continuing to test the local desktop protection. So where are the viruses coming from?

During December 2005 we saw vast numbers of malicious attachments in email. In an organization of 400 mailboxes there were 90,000 unwanted malicious attachments per week. I admit that this was an unusually high number, probably caused by a variant of an email worm such as Sober, but in the preceding months 40,000 malicious attachments per week was common. Today, the number of malicious attachments has dwindled to a fifth of what it was then, and the number is still decreasing. So, why is that number decreasing - and why shouldn't I be happy about it?

I know that the anti-virus program used at the mail gateway of my organization is effective, because secondary levels of detection are in place to catch anything it misses (any technology that uses a signature-based strategy demands layered security). The educated assumption, therefore, is that the malware is increasingly hidden from the email scanner through the use of URL links in spam messages. But why is this still a problem if we can catch spam and quarantine it?

I have worked closely with an anti-spam vendor and I know that recipients of email want access to their spam. Providing your users with the ability to search for legitimate email held in spam quarantine is sensible: it reduces the demand on IT support staff, since they do not have to search masses of spam for a lost message (the user can do so themselves), and it builds the users' confidence in the anti-spam solution as they can see that spam is being blocked.

However, providing the user with the ability to search their own quarantine also poses a risk. A user may release a malicious email from their quarantine area, believing it is legitimate. Spoofed email addresses are everyday stuff and ambiguous links within messages present a real threat.

Of course, one way of protecting against malicious downloads would be to filter out and remove all spam found to contain URL links. This sounds reasonable enough, but false positive management would present a burden on IT support staff. We have found that the best answer - for our organization - is to prevent the threat at the door using active Internet behaviour scanning.

Previously we used a subscription service to detect suspicious URLs alone, but this presented windows of vulnerability and wasn't sufficient to block all malicious websites. Rather than allow the unknown content through, we block behaviour which can compromise the desktop before it reaches the end-user. By adopting this policy we are able to supplement signature-based technology and remove the window of vulnerability.

This allows our users to browse relatively freely whilst providing a robust security strategy. Even when some functionality of a site is considered risky and removed, the user is still able to read the text without risky content being downloaded to the desktop, and in that sense it's both less restrictive and safer for the business.

Today's use of the Internet requires the adoption of a security policy to detect incoming behaviour; however, I am also keen to see improvements to anti-virus products for email gateways. Although we can use web security to check content on demand, it would be preferable to segregate the malicious email from the spam quarantine area and prevent it from reaching the user's spam management service. No doubt this is easier said than done - it's difficult to imagine a solution without having to launch the link within the email, identify the threat and remove it - but a solution by Christmas would be nice.
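One way to approach the segregation described above is to triage quarantined messages on the way in: anything carrying the "ambiguous links" the article warns about (visible link text pointing at a different host than the real destination, or a link straight to an executable) is held in an admin-only quarantine rather than the user-searchable one. The following is an added illustration, not the author's or any vendor's code; the message, hostnames and file-extension list are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a fake delivery notice whose visible link text
# (parcel.example) does not match the real destination (dl.example.net).
SAMPLE = b"""From: "Parcel Service" <notify@parcel.example>
To: user@iop.example
Subject: Your parcel is waiting
Content-Type: text/html; charset=us-ascii

<p>Track your parcel:
<a href="http://dl.example.net/track.exe">http://parcel.example/track</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Assumed list of extensions that should never be fetched from a spam link.
DIRECT_EXEC = (".exe", ".scr", ".pif", ".com")

def host(url):
    return (urlparse(url).hostname or "").lower()

def link_findings(html):
    """Return (reason, href) pairs for every anchor that looks deceptive."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        # Visible text is itself a URL but names a different host than href.
        if (href.lower().startswith("http") and text.lower().startswith("http")
                and host(href) != host(text)):
            findings.append(("link-text-mismatch", href))
        if urlparse(href).path.lower().endswith(DIRECT_EXEC):
            findings.append(("executable-download", href))
    return findings

def triage(raw):
    """Return ('user', findings) if the message may sit in the self-service
    quarantine, or ('admin', findings) if it must be kept away from users."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_findings(body.get_content()))
    return ("admin" if findings else "user", findings)

if __name__ == "__main__":
    print(triage(SAMPLE))  # ('admin', [('link-text-mismatch', ...), ('executable-download', ...)])
```

Messages routed to the admin queue still need a human release path, so the false-positive burden the article mentions does not disappear; it is merely kept off the users' self-service quarantine.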
