October, 2008 The Death of the Pattern File David Perry | Global Director of Education.


October, 2008

The Death of the Pattern File

David Perry | Global Director of Education

Pioneer Days of the AV industry (1988-1992)

Some programs were one-off

Others never had a separate pattern file

Copyright 2008 - Trend Micro Inc.04/19/23 3Confidential

The First Era: Parasitic Viruses and Boot Sector Infectors

THE PAKISTANI BRAIN VIRUS

The original signature files of my acquaintance…

Were in hex

Were faxed to the customer

Or, were read to the customer over the phone!
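To make concrete what a first-era pattern file actually was, here is an added example (not code from the presentation or from Trend Micro) of a minimal scanner over hex signatures of that style. The pattern-file syntax, the signature names, the sample bytes and the use of "??" as a single-byte wildcard are all constructed assumptions for this illustration.

```python
# Added example, not from the original presentation: a minimal first-era
# pattern-file scanner. The file format ("name=hex bytes", "??" wildcard),
# the signature names and the sample bytes are constructed for illustration.
import re

# Constructed pattern file; these are not real malware signatures.
PATTERN_FILE = """
; constructed sample pattern file
Sample.Boot.A=EB 3C 90 ?? ?? 53 41 4D 50 4C 45
Sample.Com.B=B8 00 4C CD 21 53 41 4D 50
"""


def parse_pattern_file(text):
    """Parse 'name=hex' lines into a dict of name -> compiled regex over bytes."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        name, _, hexpart = line.partition("=")
        tokens = hexpart.split()
        # Each hex token becomes one literal byte; "??" matches any one byte.
        regex = b"".join(
            b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens
        )
        patterns[name.strip()] = re.compile(regex, re.DOTALL)
    return patterns


def scan(data, patterns):
    """Return a list of (signature name, offset) for every match in data, by offset."""
    hits = []
    for name, rx in patterns.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed "boot sector": filler bytes around the signature bytes, with two
# arbitrary bytes (AB 12) in the wildcard positions.
SAMPLE_BOOT = b"\x00" * 16 + bytes.fromhex("EB3C90AB12") + b"SAMPLE" + b"\x00" * 8
SAMPLE_CLEAN = b"\x00" * 32

if __name__ == "__main__":
    pats = parse_pattern_file(PATTERN_FILE)
    print(scan(SAMPLE_BOOT, pats))   # [('Sample.Boot.A', 16)]
    print(scan(SAMPLE_CLEAN, pats))  # []
```

Every signature is a fixed byte string with at most single-byte wildcards, which is exactly why the later slides' encrypting boot sector viruses and the sheer volume of samples strained the approach: each new variant needs a new line in the file.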

SOON, THE PATTERN FILES WERE AVAILABLE ON DISKETTE

As if that is any help

You could subscribe to pattern files and they would be mailed out to you

Over at McAfee, they had another method of dealing

Pattern files were compiled with a new program each month

The program was distributed through a BBS, and also through a network of associates

Then, there were the DATA NETWORK SERVICES

All distribution methods had their faults

Distributing through BBS ad hoc networks, for example, created a potential for abuse when the marketing department demanded self-extracting downloads.

And several of those diskettes contained more than just a pattern file…

AOL and CompuServe required additional support for the services themselves

And there were problems with the users

Users believed that buying one copy of the product entitled them to copy and distribute it at will

Users were shocked and appalled to discover that they even needed updates

Users were confused by the idea of a licensing model, and confounded by the idea that the next year’s model might have new functionality not covered by the pattern file

1992 - the year of MICHELANGELO!

Both BRAIN and MICHELANGELO were boot viruses

A BOOT virus only travelled by attaching itself to the boot sector of a floppy disk

This meant that many people were infected again and again off their own diskettes

Some virus problems were fixable without a pattern

FDISK /MBR (once DOS 3 was released) would issue a new MBR without killing the contents of a hard disk (still does)

This fixed a problem called the MBR virus merry-go-round

And was soon overcome by hackers, with the encrypting boot sector viruses MONKEY, ONE HALF, and MAGIC

The Second Era: Macro Virus to the Rise of the Internet

1995 – the end and the beginning

With the release of Microsoft Windows 95, no more boot sector viruses could be created.

Thinking that this was the end, many companies prepared to get out of the AV business.

Instead, W95 actually introduced a new and far more prevalent form of computer virus.

the Macro Virus (summer, 1995)

Macro viruses were much easier to write than boot sector and COM infectors, so a new class of virus writers arose, a class known as script kiddies

20,000 viruses in a single weekend

The rise of the script heuristic

(Macro Trap at Trend Micro)

The first email worm (Melissa)

But most of all

There were more and more and more updates all the time

This is when the sample naming problems arose (which involved pattern files)

This is when wild vs zoo became the most important distinction

By the end of the second era

There were a quarter million samples in the world

Pattern files were distributed without even telling the users

And the curve spread upward

In 1999 I was on vacation at Walt Disney World

When the Melissa virus first broke out

We had been telling people for years that there would never be an email borne virus

We were wrong

Melissa

March 26th, 1999--Melissa day

Not a trigger date but an outbreak

David Smith == Vicodin

CIH

Trigger date viruses still existed at this time, with CIH being a good example

CIH was one of the most intentionally destructive viruses ever seen

Some problems required entirely new approaches

No security solution has stopped or contained these network viruses

Most often it has been too late = $2.15B in damages in Year 2003 alone

Source: Trend Micro, Computer Economics

Diagram: a central site protected by VPN, firewall, DoS protection, intrusion prevention, traditional antivirus, vulnerability assessment and security management, with the network worms Nimda, Code Red, Slammer, MSBlaster.A and Welchia arriving from the Internet

In the 21st century…

Increasing volumes and speed of deployment required ever faster updates

Rather than focus on the virus leading up to its trigger date, the instantaneous outbreak (particularly of buffer overflow based viruses) required other treatments

There were now multiple fronts for malware

My company offered a guaranteed turnaround of pattern files

Enterprise Protection Strategy: Proactive Outbreak Lifecycle Management

Diagram: outbreak lifecycle phases with their relative cost. Attack Prevention ($$), Notification and Assurance ($), Pattern File ($$), Scan and Eliminate ($$), Assess and Cleanup ($$$$), Restore and Post-Mortem ($), Threat Information ($)

Outbreak Prevention: Outbreak Prevention Services (Proactive Attack Updates, Outbreak Prevention Policies)

Virus Response: Virus Response Services (Analysis and Reporting, Threat Based Scanning, Virus Response SLA)

Assessment and Restoration: Damage Cleanup Services (Agentless Damage Cleanup, Client and Server Cleaning)

TREND MICRO CONTROL MANAGER – outbreak lifecycle management, deployment, and reporting

The Third Era: Web Based Threats and Data Stealing Malware

WEB BASED THREATS

Diagram of the web-based infection chain: Trigger → Downloader → Infection (downloading components) → Interaction with server, all over the WEB

$$$$ Breaking the infection chain requires a multi-point solution

BOTNETS!

There had always been alternatives

Inoculation (era 1)

Heuristics (era 1,2,3)

Behavior Blocking

Firewalls

IDS, IPS, HIPS

Reputation services

In the cloud detection

Cat scans

Alternatives have this in common

They are philosophically bound to a single kind of attack

And will become obsolete

This makes clear one shining principle

NO ONE METHOD WILL SOLVE IT ALL

Summary: What’s Wrong With Pattern Files?

Good things about pattern files

They are cheap

They make positive identification

They can lead to a remediation script and/or encyclopedia entry

They are already a developed technology

They employ many people

Bad things about pattern files

They are too big to be sensible

They are too slow for today’s attacks

They tie up too much network time

Everyone hates them, for the wrong reasons

Increase in unique malware samples

Data source: AV-Test.org, January 2008

Malware handling

…with 250,000 unique samples/month ?

…with 500,000 unique samples/month ?

…with 1,000,000 unique samples/month?

…with 1,000,000 unique samples/day?

Diagram: Pattern Deployment Challenge. Vendor side: Get Samples → Analyze Samples → Add New Ones to the Pattern DB → Prepare Batch for Customer. Customer side: Batch Update
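The deployment pipeline the slides sketch (get samples, analyze, add new ones, prepare a batch, customer applies the batch) is easy to model, and doing so shows why the sample rate drives the update burden directly: every new sample becomes one more entry the customer must receive. The following is an added example, not the presentation's or Trend Micro's code; the sample bytes are constructed, the "analysis" step is a stand-in for real analyst work, and the sequence-numbered incremental batch format is an assumption.

```python
# Added example, not from the original presentation: a toy model of the
# get samples -> analyze -> add new ones -> prepare batch -> batch update
# pipeline. Samples and signatures are constructed; analyze() is a stand-in.
import hashlib


class PatternDB:
    """Vendor-side pattern database; each added signature gets a sequence number."""

    def __init__(self):
        self.seen = set()      # sha256 of every sample already processed
        self.entries = []      # (seq, sha256, signature) in the order added
        self.seq = 0

    def get_samples(self, samples):
        """Dedupe incoming samples against everything already seen, by hash."""
        fresh = []
        for data in samples:
            h = hashlib.sha256(data).hexdigest()
            if h not in self.seen:
                self.seen.add(h)
                fresh.append((h, data))
        return fresh

    @staticmethod
    def analyze(data):
        """Stand-in for analysis: a signature made from the first 8 bytes."""
        return data[:8].hex()

    def add_new_ones(self, fresh):
        """Append one pattern entry per new sample; return how many were added."""
        for h, data in fresh:
            self.seq += 1
            self.entries.append((self.seq, h, self.analyze(data)))
        return len(fresh)

    def prepare_batch(self, customer_seq):
        """Build the incremental batch a customer at version customer_seq needs."""
        delta = [e for e in self.entries if e[0] > customer_seq]
        return {"from": customer_seq, "to": self.seq, "patterns": delta}


class Customer:
    """Customer-side pattern store that applies incremental batches in order."""

    def __init__(self):
        self.seq = 0
        self.patterns = {}

    def batch_update(self, batch):
        # A batch must chain onto the version the customer already holds.
        if batch["from"] != self.seq:
            raise ValueError("batch does not chain onto current version")
        for _seq, h, sig in batch["patterns"]:
            self.patterns[h] = sig
        self.seq = batch["to"]
        return len(batch["patterns"])


def run_cycle(db, customer, incoming):
    """One deployment cycle; returns (new entries in DB, entries delivered)."""
    added = db.add_new_ones(db.get_samples(incoming))
    delivered = customer.batch_update(db.prepare_batch(customer.seq))
    return added, delivered


if __name__ == "__main__":
    db, cust = PatternDB(), Customer()
    day1 = [b"sample-%03d" % i for i in range(250)]
    # Day 2 resubmits 50 of day 1's samples plus 500 genuinely new ones.
    day2 = day1[:50] + [b"sample-%03d" % i for i in range(250, 750)]
    print(run_cycle(db, cust, day1))  # (250, 250)
    print(run_cycle(db, cust, day2))  # (500, 500)
```

Deduplication keeps resubmitted samples out of the database, but nothing else in the pipeline shrinks the batch: the delivered count equals the count of new samples, which is the scaling problem the slide's questions about 250,000 and 1,000,000 samples are pointing at.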

TO SUM UP…

We do not protect against a one model world

We should never put blinders on against some ‘impossible’ attack

“In this world, said the Red Queen to Alice, it takes all the running you can do, JUST TO STAY IN THE SAME PLACE”

Feet on the Ground

HEAD IN THE CLOUDS

Traditional and Cloud-based Anti-Malware

Value of Offline vs. Online Protection

Chart: PROTECTION (vertical axis) against TIME (horizontal axis), plotting the Value of Offline Protection and the Value of Online Protection

In BOTH Traditional and Cloud-based protection offline scenarios, the value of locally stored signatures (Blacklists) diminishes over time, while the value of cloud based signatures increases.

Traditional vs. Cloud-client Protection

With EITHER approach – we must meet the challenge to provide protection

OfficeScan 8

Traditional Protection Approach

When a workstation is offline (or cannot access an active update server), it cannot download the latest batch of anti-malware signatures from the cloud – and thus is left unprotected.

OfficeScan 10 Cloud-client Protection Approach

Similarly, when a cloud-client based workstation is offline (or cannot access a scan server), it cannot query the latest anti-malware signatures in the cloud – and thus is also left unprotected. To ensure continued effective protection, OfficeScan Cloud-client technology has introduced an Advanced Offline Protection system to ensure continued protection for offline users.

Traditional vs. Cloud-client Protection

With EITHER approach – we must meet the challenge to provide protection

Diagram: Offline Protection. OfficeScan 8: Pattern Batch Update. OfficeScan 10: Advanced Offline Protection and Online Pattern Query

Cloud-client Protection

Advanced Offline Protection - Details

Policy Management

System protection policies that are engaged when the user is offline. Examples:

• Pass – allows file to run
• Block – blocks file (default)
• Ask – allow the user to control access to the file
• Offline Quarantine – temporarily prevent file access until it can be verified
• Device Access Control – dynamic control of USB, removable drives, etc…

Local Whitelist

Repository of known good files and applications. Examples:

• Digital Signature Validation
• File Signature Validation

Smart Filter

Uses specialized algorithms to maximize protection in offline scenarios

Local Blacklist

Repository of known bad threats.

Diagram: Advanced Offline Protection (Policy Management, Local Whitelist, Smart Filter, Local Blacklist) alongside Online Pattern Query

Cloud-client Protection

Advanced Offline Protection - Checking Sequence

Diagram: checking sequence (File Reputation)
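The components listed on the Advanced Offline Protection slides (local whitelist, local blacklist, online file reputation query, smart filter, and the offline policies Pass, Block, Ask and Offline Quarantine) can be put together into one checking sequence. The following is an added example and not OfficeScan's implementation: the order of the checks, the meaning given to each policy, the hash-based repositories, the stand-in cloud reputation table and the "smart filter" heuristic are all assumptions made for this illustration, and every file and hash in it is constructed.

```python
# Added example, not from the original presentation: an assumed checking
# sequence for offline protection. Ordering, policy semantics, the cloud
# reputation stand-in and the smart_filter heuristic are assumptions;
# all file contents are constructed.
import hashlib
from enum import Enum


class Verdict(Enum):
    PASS = "pass"
    BLOCK = "block"
    ASK = "ask"
    OFFLINE_QUARANTINE = "offline_quarantine"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed local repositories keyed by file hash (file signature validation).
LOCAL_WHITELIST = {sha256(b"MZ known-good-installer")}
LOCAL_BLACKLIST = {sha256(b"MZ known-bad-dropper")}
# Constructed stand-in for the cloud file reputation service.
CLOUD_REPUTATION = {sha256(b"MZ recently-seen-bad"): "bad"}
# Hashes held under Offline Quarantine until they can be verified online.
QUARANTINE = []


def smart_filter(data):
    """Assumed heuristic standing in for the slide's 'specialized algorithms':
    treat an unknown, very small PE-looking file as suspicious."""
    return data.startswith(b"MZ") and len(data) < 64


def check_file(data, online, offline_policy=Verdict.BLOCK, signed_by_trusted=False):
    """Return (verdict, reason) by walking the assumed checking sequence."""
    h = sha256(data)
    # 1. Local whitelist: a valid trusted digital signature or a known-good hash.
    if signed_by_trusted or h in LOCAL_WHITELIST:
        return Verdict.PASS, "local whitelist"
    # 2. Local blacklist: known bad, no need to go online.
    if h in LOCAL_BLACKLIST:
        return Verdict.BLOCK, "local blacklist"
    # 3. Online pattern query when the scan server is reachable.
    if online:
        if CLOUD_REPUTATION.get(h) == "bad":
            return Verdict.BLOCK, "cloud reputation"
        return Verdict.PASS, "cloud reputation"
    # 4. Offline and unknown: smart filter decides whether the offline policy applies.
    if smart_filter(data):
        if offline_policy is Verdict.OFFLINE_QUARANTINE:
            QUARANTINE.append(h)
        return offline_policy, "smart filter (offline policy)"
    return Verdict.PASS, "offline, not flagged"


def release_quarantine():
    """Back online: re-verify every held hash against cloud reputation and
    return {hash: final verdict}."""
    resolved = {}
    while QUARANTINE:
        h = QUARANTINE.pop()
        resolved[h] = Verdict.BLOCK if CLOUD_REPUTATION.get(h) == "bad" else Verdict.PASS
    return resolved


if __name__ == "__main__":
    for blob in (b"MZ known-good-installer", b"MZ recently-seen-bad", b"MZ " + b"x" * 100):
        print(check_file(blob, online=False, offline_policy=Verdict.ASK))
```

The Offline Quarantine branch is the interesting failure mode: a file that is unknown while offline is neither trusted nor condemned, so the hash is parked and the decision is deferred to the cloud query once connectivity returns, which is what "temporarily prevent file access until it can be verified" amounts to in code.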

THANK YOU!
