Storm Worm Dancing Past PC Defenses
David Utter, Staff Writer
2007-02-01
Short lifetimes for Storm worm variants, and the sheer number of them, are a large part of why security companies have found the worm so hard to fight.
The Storm worm has been spreading over the Internet for weeks now. Emails hit inboxes with plausible subject lines and innocent-looking attachments. The next thing that happens to an unwary user is a system infection, launched by the file attached to those spam messages.
Security firm CommTouch said in its Malware Trends Outlook Report that four reasons have contributed to the continued spread of Storm:
• High Distribution Intensity: Storm-Worm attacks repeatedly in intense, high-volume waves. This substantial quantity ensures a wide distribution of the malware across the Internet.
• Vast Variant Quantity: Storm distributes a vast number of malware variants, over 7000 distinct variants on several days of the outbreak, and over 40,000 altogether during the report period. Since each variant or group of variants requires a different signature, it is impossible for anti-virus engines to keep up with this rapid-fire pace.
• Brief Variant Lifetime: The fleeting lifetime of each variant is two to three hours on average, and each variant rarely makes a second appearance during the outbreak. Since it takes several hours to develop a new signature or heuristic, and up to several days to distribute to end-users, these short-lived variants are typically out of distribution by the time traditional anti-virus defenses are available.
• Low Variant Volume: Each variant is distributed in relatively small quantities or instances. Since an AV vendor must be aware of a malware sample in order to analyze it in its laboratory, distribution in low numbers often enables the malware to "fly below the radar" of the traditional anti-virus engines.
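The four points above are really one timing argument: a signature can only block the messages a variant sends after the signature has reached end users, and a variant the lab never obtains a sample of gets no signature at all. The following Python model is an added illustration, not code from the article, Commtouch or eEye. The lag figures are taken from the article where it gives them (variant lifetime of two to three hours, "several hours" to build a signature, "up to several days" to distribute it); the list of variants and the sample-count threshold are constructed for the example.

```python
"""Why short-lived malware variants outrun signature-based anti-virus.

Added illustration; the outbreak below is constructed, not real Storm data.
Each variant is active for `lifetime` hours and its messages are spread
evenly over that window, so the share a signature stops is simply the share
of the window that remains once the signature reaches end users.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Variant:
    first_seen: float  # hours after outbreak start when the variant appears
    lifetime: float    # hours the variant stays in active distribution
    copies: int        # messages carrying it, spread evenly over the lifetime

    @property
    def last_seen(self) -> float:
        return self.first_seen + self.lifetime


# Constructed sample outbreak: two ordinary variants and one low-volume one.
SAMPLE_VARIANTS = [
    Variant(first_seen=0.0, lifetime=2.0, copies=100),
    Variant(first_seen=1.0, lifetime=3.0, copies=200),
    Variant(first_seen=5.0, lifetime=2.0, copies=20),  # too few copies for a lab to see
]


def blocked_share(v: Variant, signature_ready_at: float) -> float:
    """Fraction of v's messages sent after the signature reaches end users."""
    if signature_ready_at >= v.last_seen:
        return 0.0  # variant already retired: the signature arrives too late
    if signature_ready_at <= v.first_seen:
        return 1.0  # protection pre-dated the variant (the proactive case)
    return (v.last_seen - signature_ready_at) / v.lifetime


def signature_coverage(variants, lab_lag, dev_lag, dist_lag, sample_threshold):
    """Message-weighted fraction of the outbreak a signature engine stops.

    lab_lag  - hours from first appearance until the vendor's lab has a sample
    dev_lag  - hours to develop and test the signature
    dist_lag - hours until the update is installed on end-user machines
    sample_threshold - below this many copies the variant never reaches the lab
    """
    total = sum(v.copies for v in variants)
    blocked = 0.0
    for v in variants:
        if v.copies < sample_threshold:
            continue  # "flies below the radar": no sample, hence no signature
        ready = v.first_seen + lab_lag + dev_lag + dist_lag
        blocked += v.copies * blocked_share(v, ready)
    return blocked / total


def break_even_lifetime(lab_lag, dev_lag, dist_lag):
    """Variant lifetime at which a signature would stop half of its messages.

    blocked_share == 0.5 when (lifetime - total_lag) / lifetime == 0.5,
    i.e. when lifetime == 2 * total_lag.
    """
    return 2.0 * (lab_lag + dev_lag + dist_lag)


if __name__ == "__main__":
    # Article-like pipeline: sample in 1 h, signature in 4 h, update in 24 h.
    slow = signature_coverage(SAMPLE_VARIANTS, 1.0, 4.0, 24.0, 50)
    # Hypothetical fast pipeline: one hour end to end.
    fast = signature_coverage(SAMPLE_VARIANTS, 0.5, 0.5, 0.0, 50)
    print(f"coverage with 29 h signature lag: {slow:.2f}")
    print(f"coverage with  1 h signature lag: {fast:.2f}")
    print("lifetime a variant would need for 50% coverage at 29 h lag: "
          f"{break_even_lifetime(1.0, 4.0, 24.0):.0f} h")
```

With the article's own lags the coverage is exactly zero, because every variant is out of circulation long before its signature ships; even a one-hour end-to-end pipeline stops only a little over half of the messages, and the low-volume variant is never caught at all. That is the gap a pre-execution behavioural check, which needs no per-variant signature, is meant to close.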
With the RSA Conference coming up, we chatted with Marc Maiffret, CTO and chief hacking officer at eEye, about these topics. Such attacks are a condition of being online that has to be addressed, and he believes the newest edition of his company's Blink product is suited to handle them.
Maiffret noted the combination of applications needed to address malware attacks on vulnerabilities today: anti-virus, anti-spam, malware detection, buffer overflow protection, and patch verification for systems. Blink 3.0 will do this for its users, he said.
The Blink approach features sandbox technology from Norman, whose A/V engine is now part of eEye's Blink package. Using lightweight virtual-machine software, Norman sandboxes executables and evaluates them before they can run and do Bad Things.
That's the proactive approach Maiffret wanted for Blink. He said out of 20-some vendors eEye evaluated for inclusion in Blink, Norman was the one consistently detecting viruses ahead of time.
But the reactive way of taking on viruses, with a signature-based solution, has its place. The addition of signature-based scanning helps stop existing pests. Maiffret said Blink is stopping viruses roughly 3.5 days before signatures arrive as updates for users of rival products from McAfee or Symantec.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.