Weafer said that new threats have emerged in the security landscape over the past 18 months.
“There are two major changes,” said Weafer. “One is the increasing degree of complexity of the threats. The other is the massive volume of new threats coming out. Instead of seeing one virus and its effects, now we’re seeing one to two million new threats a month.”
Weafer said that this is because of server-side polymorphism: viruses that change every time they are downloaded.
“Imagine if you’ve got a piece of malicious code on a server. You can chop and change it every time a new person comes to the website. We’re talking about Trojans more than anything else.”
Instead of blocking one or two new viruses each day, Symantec’s system is adding 10,000 to 20,000 new blocks to its blacklist every day: an ‘exponential growth of problems’ compared with 2-3 years ago.
“The typical scenario for a user getting infected today goes like this. The bad guys have scanned websites and found a vulnerable web server: an ordinary website that contains scripting. It could be a travel site, a downloads site or a small business, for example.
“A malware writer attacks the site with an SQL injection, or exploits other vulnerabilities to get their malware onto the site. When users browse the site, they’re exposed to the exploit. They might download data onto their machines. This creates a pathway to download tonnes of stuff – botnets, keyloggers, software updates – limitless information can now be downloaded onto that machine.”
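The SQL injection Weafer mentions works because the site pastes request data straight into a query, so the request controls the query’s structure. The following is an added illustration, not code from the article or from Symantec: a constructed in-memory SQLite table standing in for an ordinary website’s content store, a lookup written the vulnerable way, and the same lookup written with a bound parameter. The table, the slugs and the sample input are all made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny page table for a hypothetical small site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [
            ("home", "<p>Welcome</p>", 1),
            ("deals", "<p>Travel deals</p>", 1),
            ("draft-admin", "<p>Internal draft</p>", 0),
        ],
    )
    return conn


def lookup_page_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    """The slug from the URL is interpolated into the SQL text.

    A quote character in the input therefore ends the string literal and the
    rest of the input becomes part of the statement itself.
    """
    query = f"SELECT slug FROM pages WHERE slug = '{slug}' AND published = 1"
    return sorted(row[0] for row in conn.execute(query))


def lookup_page_safe(conn: sqlite3.Connection, slug: str) -> list:
    """Parameterised query: the slug is sent as a bound value.

    Whatever characters it contains, it can only ever be compared against the
    slug column; it cannot change the shape of the statement.
    """
    query = "SELECT slug FROM pages WHERE slug = ? AND published = 1"
    return sorted(row[0] for row in conn.execute(query, (slug,)))


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a value that closes the string literal early.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_page_vulnerable(db, crafted))  # every published page
    print("safe:      ", lookup_page_safe(db, crafted))        # no such slug: []
```

The vulnerable version returns every published page for an input that should match nothing, which is the signal a reviewer looks for: the result set depends on the input’s syntax rather than its value. The parameterised version returns an empty list, and the same discipline (bound parameters, never string formatting) applies to inserts and updates, which is where a site gets its content replaced.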
Because these viruses morph every time they’re downloaded, they can be nearly impossible to predict.
“Server-side polymorphism creates literally millions of threats a month. This requires a totally new approach to security,” said Weafer.
Whitelisting, blacklisting and heuristics
The traditional model of internet security involves blacklisting, said Weafer: creating a list of undesirable sites that are automatically blocked at the user’s end.
“The problem with blacklisting is that there are millions and millions of sites,” said Weafer.
“It’s easy to blacklist the top 50 per cent. But once you get to the long end of the tail, there’s little knowledge about these sites and there are millions that you need to try and block.”
Whitelisting – creating a list of trusted sites – is a different approach to the problem.
“Whitelisting is often brought up as the magic pill,” said Weafer. “Whitelisting’s been around for a long time, and it’s only being leveraged by a small number of people – governments and financial services, for example. If you’ve got a controlled environment then you can keep it secure.
“We’re already using whitelisting to augment our behavioural protection. One of our goals is to build the world’s most comprehensive whitelist.”
In between blacklists and whitelists, Symantec hopes to build a system that protects users from unexpected threats.
“To an average user who wants to go to lots of new sites, [blacklists and whitelists] have been restrictive. How do you bring out whitelisting in a way that allows you more flexibility but still provides an excellent security network?”
Weafer says that the solution lies in heuristic models.
“We use blacklisting to prevent malware, whitelisting for the most prevalent software, and heuristics for everything in the middle.”
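The three-layer model Weafer describes, and the reason server-side polymorphism forces it, can be shown with a small triage routine. This is an added example and not Symantec’s code or the STAR system: it keys a blacklist and a whitelist on SHA-256 digests, scores anything unknown with a made-up behaviour weighting, and then feeds it a constructed “polymorphic” variant whose hash differs from the blacklisted sample while its behaviour does not. The byte strings, behaviour names, weights and threshold are all assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Verdict:
    label: str   # "block", "allow" or "suspicious"
    reason: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples standing in for a trusted program and a known dropper.
KNOWN_GOOD = b"MZ...trusted-updater-v1"
KNOWN_BAD = b"MZ...dropper-sample-A"

WHITELIST = {sha256(KNOWN_GOOD)}   # the most prevalent, known-good software
BLACKLIST = {sha256(KNOWN_BAD)}    # known malware

# Hypothetical behaviour weights: things a benign download rarely does.
WEIGHTS = {
    "writes_startup_key": 3,
    "injects_into_browser": 4,
    "contacts_many_ips": 3,
    "disables_av": 5,
    "packed_high_entropy": 2,
}


def heuristic_score(behaviours: set) -> int:
    """Sum the weights of the observed behaviours (unknown names score 0)."""
    return sum(WEIGHTS.get(b, 0) for b in behaviours)


def classify(sample: bytes, behaviours: set, threshold: int = 5) -> Verdict:
    """Blacklist first, whitelist second, heuristics for everything in the middle."""
    digest = sha256(sample)
    if digest in BLACKLIST:
        return Verdict("block", "hash on blacklist")
    if digest in WHITELIST:
        return Verdict("allow", "hash on whitelist")
    score = heuristic_score(behaviours)
    if score >= threshold:
        return Verdict("block", f"heuristic score {score} >= {threshold}")
    if score > 0:
        return Verdict("suspicious", f"heuristic score {score}")
    return Verdict("allow", "no known-bad indicators")


def polymorphic_variant(sample: bytes, serial: int) -> bytes:
    """Constructed stand-in for a per-download mutation: same behaviour, new hash."""
    return sample + serial.to_bytes(2, "big")


if __name__ == "__main__":
    dropper_behaviours = {"writes_startup_key", "injects_into_browser"}
    print(classify(KNOWN_BAD, dropper_behaviours))          # block: blacklist hit
    variant = polymorphic_variant(KNOWN_BAD, 1)
    print(sha256(variant) in BLACKLIST)                      # False: the list misses it
    print(classify(variant, dropper_behaviours))             # block: heuristics catch it
    print(classify(KNOWN_GOOD, set()))                       # allow: whitelist hit
    print(classify(b"new-shareware", {"packed_high_entropy"}))  # suspicious, not blocked
```

The variant defeats the hash blacklist by construction, which is the article’s point about millions of new hashes a month; the behaviour-based layer is what still catches it, at the cost of a middle band of “suspicious” verdicts that a real product has to handle with reputation data, sandboxing or a more comprehensive whitelist.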
The system is known as STAR: the Security Technology and Response organisation, a worldwide team of security engineers, threat analysts and researchers. It is housed in nine locations around the world, reporting on security in 180 countries and more than 35,000 technologies. STAR’s technology is leveraged across all of Symantec’s corporate and consumer security product lines.
STAR’s first release of data and security was in August this year.
Looking forward to 2009
Asked about the future, Weafer said that malware would increasingly move towards local attacks.
“We think the volume of attacks will continue to increase. But specifically we’re going to see more localisation and regionalisation. Attacks will be region specific – like phishing attacks are – based on local events and businesses.
“We’re seeing a decline of the IRC botnet. They’re too inflexible to attackers. Attackers would prefer to go to DNS, which is web-based attacks, which allows them to change their address rapidly and cycle through multiple IP addresses.
“P2P distribution also helps them evade detection.”
Lastly, he said that users can expect attacks from unusual places.
“We’re seeing an increase in attacks originating from devices that now have computer drives. Earlier this year we saw a virus originate from a digital photo frame. People in the factory were copying viruses onto the digital photo frames, and the viruses would spread after they were sold.”
Blacklists, whitelists and heuristics: Symantec describes new threats
By Kathryn Small on Nov 20, 2008 3:21PM