In-Depth

Under-the-Radar Danger

How do you stop stealth endpoint malware not even your antivirus vendor knows about?

• By Rich Weiss
• 10/04/2005

Earlier this year, an article in the endpoint security space argued that information security professionals should continue strengthening their endpoint defenses even though a highly publicized attack hadn’t occurred in months. The Zotob worm recently reminded us that the age of the headline-grabbing exploit isn’t over. It reportedly took down the networks of well-known TV and print media companies, a large heavy equipment manufacturer, and a prominent Federal government agency.

Most organizations did a good job of minimizing damage from Zotob. In many cases, they had implemented controls that automatically prevented PCs from connecting to their networks until the PCs’ antivirus software was updated and/or required Windows patches were installed. In other cases, their security staffs worked hard to install updates and patches on all local and remote endpoints in the days before the worm struck.

It’s malware that doesn’t make the headlines (or may be unknown to Microsoft or antivirus vendors) that’s starting to pose a greater danger. Security researchers increasingly note that programs developed for criminal purposes are being targeted at limited geographical regions or specific organizations. These stealth exploits aren’t widely experienced, so antivirus or IDS updates are slow in coming, if they come at all. The advantage to the exploit author of staying under the radar of the antivirus vendors is obvious.

Targeted attacks on enterprises have been going on since computers with valuable or sensitive information were first connected to public networks. Kevin Mitnick’s hacking spree in the mid-1990’s is one of the highest profile examples. Mitnick used both social engineering and malware to break into 35 prominent companies’ systems and steal or tamper with information, causing an estimated $300 million in financial damage.

Another highly publicized incident occurred in October 2000, when Microsoft discovered that a hacker had penetrated its corporate network and viewed or altered the source code for Windows and Office applications. The attacker reportedly used the QAZ Trojan horse to compromise a remote employee’s PC and then used the employee’s VPN connection to gain unauthorized access. More recently, evidence of corporate espionage enabled by PC malware has appeared in several news reports.

The vast majority of directed attacks never become public, however. People with ties to the black hat community will tell you that corporate databases are routinely stolen and sold. You won’t read about these incidents in the newspaper, however. Victims don’t want to suffer the embarrassment and damage to their reputation that can occur when customers or shareholders find out that a firm didn’t protect its data properly.

How do you combat malware attacks that your antivirus or IDS don’t recognize? At a minimum, closely monitor network endpoints for inbound or outbound communication attempts by unrecognized or unapproved applications. In addition, consider adopting a solution that provides real-time guidance on whether to block or allow each communication attempt. One such service is based on log data provided by millions of personal firewall users worldwide. Security researchers use this data to detect any malicious network application with a very limited distribution soon after it’s released. Their service then pushes a rule to an endpoint security agent that immediately blocks or terminates the malware.

Take steps today to prevent stealthy endpoint attacks from flying under your security radar.