Reputation Technologies to Fight Threats

    Today, almost any reasonably determined school student can launch his “own” Trojan, and for this he needs no programming knowledge, no expertise in finding vulnerabilities, and no ability to carry out mass infections through spam mailings or hacked sites. All of this can be compensated for by a couple of hundred dollars saved from lunch money. An entire underground services market has formed, where you can buy kits (“constructors”) for building phishing sites and Trojans, order the infection of a given number of machines, and sell the results of your own Trojan’s work (logins and passwords, credit card numbers) to the next links in the criminal chain. Our hypothetical school student presses a button in the constructor, and the standard malicious code is modified into a new variant that is not yet known to antivirus engines.
    There is a way out of this race, and it is based on an understanding of the nature of modern threats and on the principle of reputation. During infection by a Trojan or other malware, while maintaining communication with the control center, and when sending off the collected data, the victim machine contacts specific servers controlled by the attacker. It is at exactly this point that the infection can be prevented, or the transfer of the collected data to the drop zone blocked, simply by not allowing the network connection to take place.

    How to determine which server is dangerous?

    This requires a constantly accessible, fault-tolerant database containing information about the addresses of malicious servers: servers hosting phishing websites, Trojan and bot installers, botnet control centers and their drop zones. The security system should intercept every network connection request and check the reputation of the address, that is, find out whether the address of the requested server is on the “black list”, and if so, block communication with that server.

    How is the URL reputation database kept up to date?

    Ideally, such a database should contain information about all URLs and servers, both malicious and “clean”. The following sources can be used to populate the database with the addresses of malicious servers:
    • Spam mailings that lure users to phishing sites and to sites hosting malware downloaders;
    • Automatic analyzers: crawlers scanning the network for known malware;
    • Malware code analysis, which reveals the addresses of control servers, update servers and drop zones;
    • Feedback schemes built into antivirus products, which supply previously unknown links for analysis and categorization;
    • Honeypots: trap networks for collecting fresh, relevant attacks and threats;
    • External feeds from other information security vendors.
    As you can see, updating the URL reputation database requires both automated methods and the manual work of analysts.
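    The lookup described above (intercept the connection, normalize the server name, check it against the black list, record which feed supplied the entry) as an added Python example; this is illustrative code, not Trend Micro’s implementation. All hostnames, addresses and the DNS stand-in are constructed placeholders. It also checks the server IP the name resolves to, since one known-bad server often hosts many fresh domains.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed reputation data: black-listed hostnames and server addresses,
# each tagged with the feed that supplied it. Placeholders, not real indicators.
BAD_HOSTS = {
    "login-update.example.invalid": "spam mailing",
    "cnc.example.invalid": "malware code analysis",
}
BAD_IPS = {
    "203.0.113.45": "honeypot",  # TEST-NET-3 documentation address
}
# Constructed stand-in for DNS resolution so the example runs offline.
RESOLVED = {
    "login-update.example.invalid": "203.0.113.45",
    "shop.example.invalid": "203.0.113.45",  # new domain on a known-bad server
    "www.example.org": "198.51.100.7",
}


def host_from_url(url: str) -> str:
    """Normalize the server name: lowercase, no port, no trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def check_reputation(url: str) -> tuple[bool, str]:
    """Return (blocked, reason). A connection is blocked if the hostname,
    any parent domain of it, or the server address it resolves to is listed."""
    host = host_from_url(url)
    if not host:
        return True, "unparseable URL (fail closed)"
    try:
        ip = str(ipaddress.ip_address(host))  # URL addressed the server by IP
    except ValueError:
        ip = None
    if ip is None:
        # Walk from the full name up to its registrable parent, so that
        # sub.cnc.example.invalid matches an entry for cnc.example.invalid.
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in BAD_HOSTS:
                return True, f"host {candidate} listed via {BAD_HOSTS[candidate]}"
        ip = RESOLVED.get(host)
    if ip in BAD_IPS:
        return True, f"server {ip} listed via {BAD_IPS[ip]}"
    return False, "no reputation entry"
```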

    Implementation

    The approach described above is implemented by Trend Micro: the URL reputation database is part of a set of technologies under the umbrella name Smart Protection Network. In addition to the URL reputation database, Smart Protection Network includes a file reputation database and an email reputation database containing information about known spam senders. This allows data from the three databases to be correlated. For example, when a spam message is analyzed, the sender’s address (which may itself be a botnet member) goes into the email reputation database, the link leading to the Trojan’s downloader goes into the web reputation database, and the downloader executable itself goes into the file reputation database.


    What does this give the ordinary user?

    All Trend Micro products, for home users and corporate clients alike, query the URL reputation database whenever any application on the protected machine, including the browser, contacts the Internet.

    Why is this effective?

    As a rule, the same servers are involved in many criminal projects: one server can host a botnet control center together with dozens of domains used for phishing attacks. Thus, once a server has “lit up”, it will be blocked in all subsequent attacks.

    In the context of a constant increase in the number of malware samples, reactive and proactive protection methods have to be combined; a signature-based approach alone is not enough. Even though antivirus companies now try to release updates every few minutes, in the future it will be practically impossible to keep up with the exponential growth in the number of threats. While the constant work of analyzing code and updating signatures protects against known threats, reputation technologies can prevent infection by new malware by cutting off communication with already-known servers that have a “bad” reputation.

    Denis
    Trend Micro Cowless Technical Consultant
