Layering is Key to Countering Zero-Hour Attacks

Post-virus attack cleanup costs $200 per system. Taking a layered approach to protection can help keep your PCs safe.

Viruses are an age-old computing problem, yet defending against them grows increasingly difficult. High-speed broadband and wireless connections let viruses spread rapidly, and the increased mobility of users—roughly half of all PCs sold today are laptops—imperils rapid and thorough distribution of emergency antivirus signatures.

Virus writers are also improving their code, making viruses trickier and taking advantage of new ways to spread them. Overall, “the threat of such infections is far greater than it was 18 months ago,” notes a recent report from Ferris Research. “Organizations must therefore consider how best to protect themselves.”

One incentive for better virus defenses is the cost of clean-up—about $200 per infected system, notes Ferris, which “includes the cost of technical support and wasted user time.” What that doesn’t include, however, are “things like delayed sales responses, reduced customer support, and loss of customer [or] prospect goodwill—costs that are hard to qualify but very tangible nonetheless.”

Tackling the Zero-Hour Virus Threat

Antivirus software alone won’t stop the virus problem, since it can’t handle so-called “zero-hour” virus attacks—the time between when a new virus appears in the wild and antivirus software vendors update their signature files to block it.

That inevitable time lag between virus discovery and updating signatures on all employee PCs leaves most organizations at risk for infection. According to Ferris Research, “this risk is especially high today, since modern, explosively propagating viruses can copy themselves millions of times before a corresponding antivirus signature becomes available. Unfortunately, the process of developing, releasing, and deploying an antivirus signature often takes several hours or longer.”

Consider research conducted by the University of Magdeburg and AV-Test GmbH, both based in Germany. Researchers analyzed how 28 antivirus vendors responded to Sober.C. The virus was first detected on December 20, 2003; it then took 10 hours for the first antivirus signature to appear, and “almost four days for all the other antivirus vendors to update their signatures,” Ferris notes.

Judging Zero-Hour Protection

What’s the best way to defend against zero-hour attacks? Network-access controls can block a computer with out-of-date antivirus signatures from connecting to the corporate network. For dealing with the viruses themselves, however, Ferris Research notes companies can also use heuristic virus detection, spam control, “rigorous patching,” e-mail-attachment blocking, multiple antivirus scanning engines, or virtual machines.

While some approaches are more effective than others, spam-blocking software can be especially useful. “Because e-mail messages are frequently used to distribute viruses, anti-spam systems are an important form of protection against zero-hour viruses,” Ferris says. “By having an effective anti-spam system in place, organizations can minimize spam, viruses, and spyware.”

Spam-blocking systems can also watch for an inordinate amount of traffic coming from one range of IP addresses, then block e-mails accordingly. Blocking spam likewise blocks the majority of malware, since it primarily propagates in spam attachments.

While rigorous patch management also helps defend against zero-hour attacks, that alone won’t control the threat. “Maintaining well-patched systems can prevent certain types of viruses designed to exploit vulnerabilities,” notes Ferris, “but patches cannot protect against the execution of other malicious files.”

Another option is heuristic detection, which watches desktops for signs of malicious code or activity. “Some vendors claim that heuristic detection can be 80 percent to 100 percent accurate” when detecting and blocking unknown viruses, says Ferris. Unfortunately, “real-world experience shows that actual detection capabilities are lower.” For example, according to Sober.P research conducted by AV-Test, “just six of the 28 vendors in the test caught the virus through heuristic means before a corresponding signature update was delivered.”

Thus while “heuristic detection is a useful technique for zero-hour control,” says the research firm, “it doesn’t provide reliable detection, and its effectiveness varies greatly among vendors.” Furthermore, false positives may lead users to ignore heuristic warnings.

One emerging zero-day defense is the use of virtual machines to open any incoming e-mail attachments and then automatically assess whether they’re dangerous. One drawback to this approach, however, is that some viruses require user interaction before they attack.

Using multiple antivirus scanners is another defense, and it “does reduce the size of the post-zero-hour window, and helps decrease the number of viruses that get through,” notes Ferris. Even so, it is not an effective zero-hour defense on its own, since it cannot block a new virus until a signature update is available.

Many organizations also block e-mail attachments—all of them or a subset of often-dangerous types such as executables and ZIP files. According to Ferris, “blocking e-mail attachments makes sense for potentially dangerous file types.” Yet it also introduces inconveniences. For example, when users need to transfer a large number of files, they often put them all into a single, compressed archive, such as a ZIP file. Therefore, if businesses block such files, users have to resort to workarounds, some of which might introduce new security problems. For example, swapping files using removable memory—which circumvents network-based virus-scanning controls—can allow malware to travel across the enterprise. Using Web-based e-mail accounts to swap files introduces similar risks.

Create Layered Zero-Hour Defenses

Despite the availability of numerous zero-hour defenses, Ferris says organizations should still rely on antivirus software as their primary defense, noting that “signature-based detection offers the greatest reliability with the fewest false positives.”

Ferris also recommends using at least some of the previously noted defenses, in a layered fashion, to help. “For example, those not using a hosted e-mail security service may want to implement overlapping antivirus vendors and e-mail attachment blocking.”

Finally, don’t forget about “computational efficiency” when designing a layered approach, so defenses don’t introduce latency. “For example, spam suppression and then conventional signature-based antivirus filtering should be applied prior to virtual machine testing,” notes Ferris.
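As an added illustration of the ordering Ferris recommends (this is example code, not from the article or from Ferris Research), the following Python models a mail pipeline that runs the cheap layers first: suppression of bursts from one source range, attachment-type blocking, signature matching, and only then the virtual machine step, so the expensive layer only sees what the cheap ones let through. The blocked extensions, burst limit, hash database, sandbox stand-in and sample messages are all constructed assumptions for this example.

```python
from collections import Counter
from hashlib import sha256
from ipaddress import ip_network

# Assumed policy values, constructed for this example (not Ferris figures).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".zip")
RANGE_BURST_LIMIT = 3  # messages per /24 per batch before the range is suppressed
# Stand-in signature database: the hash of a constructed, harmless byte string.
KNOWN_BAD_HASHES = {sha256(b"constructed malicious sample").hexdigest()}

def sender_range(ip):
    """Collapse a sender IP to its /24 so a burst from one range stands out."""
    return str(ip_network(f"{ip}/24", strict=False))

def layered_verdict(msg, range_counts, sandbox):
    """Name the layer that decided one message, or 'deliver' if every layer passed it."""
    rng = sender_range(msg["sender_ip"])
    range_counts[rng] += 1
    if range_counts[rng] > RANGE_BURST_LIMIT:   # 1. spam suppression by source range
        return "spam:range-burst"
    for name, _ in msg["attachments"]:           # 2. attachment-type blocking
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            return "blocked:attachment-type"
    for _, data in msg["attachments"]:           # 3. conventional signature scan
        if sha256(data).hexdigest() in KNOWN_BAD_HASHES:
            return "blocked:signature"
    for _, data in msg["attachments"]:           # 4. VM detonation, the slow layer
        if sandbox(data):
            return "blocked:sandbox"
    return "deliver"

class CountingSandbox:
    """Stand-in for VM detonation: applies a verdict rule and counts how often it ran."""
    def __init__(self, verdict_rule):
        self.calls, self._rule = 0, verdict_rule
    def __call__(self, data):
        self.calls += 1
        return self._rule(data)

def run_pipeline(messages, sandbox):
    counts = Counter()  # per-range message volume shared across this batch
    return [layered_verdict(m, counts, sandbox) for m in messages]

# Constructed sample batch: a burst from one /24, then three ordinary senders.
SAMPLE_MESSAGES = [{"sender_ip": f"198.51.100.{i}", "attachments": []} for i in range(1, 6)] + [
    {"sender_ip": "203.0.113.7", "attachments": [("invoice.zip", b"PK\x03\x04")]},
    {"sender_ip": "203.0.113.8", "attachments": [("report.doc", b"constructed malicious sample")]},
    {"sender_ip": "203.0.113.9", "attachments": [("notes.txt", b"hello")]},
]
```

Running `run_pipeline(SAMPLE_MESSAGES, CountingSandbox(lambda d: b"evil" in d))` shows the fourth and fifth burst messages suppressed, the ZIP and the signature hit blocked, and the sandbox invoked exactly once, for the one attachment that cleared every cheaper layer.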


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
