October, 2008 The Death of the Pattern File David Perry | Global Director of Education.
Pioneer Days of the AV industry (1988-1992)
Some programs were one-off
Others never had a separate pattern file
Copyright 2008 - Trend Micro Inc.04/19/23 3Confidential
The First Era: Parasitic Viruses and Boot Sector Infectors
The original signature files of my acquaintance…
Were in hex
Were faxed to the customer
Or, were read to the customer over the phone!
SOON, THE PATTERN FILES WERE AVAILABLE ON DISKETTE
As if that is any help
You could subscribe to pattern files and they would be mailed out to you
Over at McAfee, they had another method of dealing
Pattern files were compiled with a new program each month
The program was distributed through a BBS, and also through a network of associates
All distribution methods had their faults
Distributing through BBS ad hoc networks, for example, created a potential for abuse when the marketing department demanded self-extracting downloads.
And several of those diskettes contained more than just a pattern file…
AOL and CompuServe required additional support for the services themselves
And there were problems with the users
Users believed that buying one copy of the product entitled them to copy and distribute it at will
Users were shocked and appalled to discover that they even needed updates
Users were confused by the idea of a licensing model, and confounded by the idea that the next year’s model might have new functionality not covered by the pattern file
Both BRAIN and MICHELANGELO were boot viruses
A BOOT virus only travelled by attaching itself to the boot sector of a floppy disk
This meant that many people were infected again and again off their own diskettes
Some virus problems were fixable without a pattern
FDISK /MBR (once DOS 3 was released) would issue a new MBR without killing the contents of a hard disk (still does)
This fixed a problem called the MBR virus merry-go-round
And was soon overcome by hackers, with the encrypting boot sector viruses, MONKEY, ONE HALF, and MAGIC
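The reason FDISK /MBR could repair a boot-sector infection without losing the disk's contents is that the master boot record keeps the boot code and the partition table in separate regions of the same 512-byte sector. The following added example (written for this page, not DOS or Trend Micro code) models that repair on a constructed sector held in memory: the code area (bytes 0..445) is replaced, the four partition entries (bytes 446..509) and the 0x55AA signature are preserved. The sample bytes, the placeholder "clean" code and the partition layout are all constructed for illustration.

```python
# Added example (not DOS or Trend Micro code): what FDISK /MBR does to a
# master boot record, modelled on a 512-byte sector held in memory.
# The boot-code area (bytes 0..445) is replaced; the four 16-byte
# partition entries (bytes 446..509) and the 0x55AA signature (510..511)
# are left untouched, which is why the disk's partitions survive.

SECTOR_SIZE = 512
CODE_AREA_LEN = 446          # boot code lives here
PART_TABLE_OFF = 446         # 4 entries x 16 bytes = 64 bytes
SIGNATURE_OFF = 510
SIGNATURE = b"\x55\xaa"


def is_valid_mbr(sector: bytes) -> bool:
    """A sector is treated as an MBR only if it is 512 bytes ending in 55 AA."""
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFF:] == SIGNATURE


def partition_table(sector: bytes) -> bytes:
    """The 64-byte partition table, untouched by the repair."""
    return sector[PART_TABLE_OFF:SIGNATURE_OFF]


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end,
    LBA start and sector count (the LBA fields are little-endian 32-bit)."""
    if len(entry) != 16:
        raise ValueError("partition entry must be 16 bytes")
    return {
        "bootable": entry[0] == 0x80,
        "type": entry[4],
        "lba_start": int.from_bytes(entry[8:12], "little"),
        "sectors": int.from_bytes(entry[12:16], "little"),
    }


def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Replace the boot code, keep partition table and signature (the FDISK /MBR idea)."""
    if not is_valid_mbr(sector):
        raise ValueError("not a valid MBR: missing 55 AA signature")
    if len(clean_code) > CODE_AREA_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    padded = clean_code.ljust(CODE_AREA_LEN, b"\x00")
    return padded + partition_table(sector) + SIGNATURE


def make_partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a 16-byte entry; CHS fields are zeroed for simplicity (constructed)."""
    return (bytes([0x80 if bootable else 0x00]) + b"\x00\x00\x00"
            + bytes([ptype]) + b"\x00\x00\x00"
            + lba_start.to_bytes(4, "little") + sectors.to_bytes(4, "little"))


# Constructed sample: a sector whose code area holds arbitrary bytes
# (standing in for an overwritten boot sector) but whose partition table
# is intact: one bootable FAT16 (type 0x06) partition starting at LBA 63.
INFECTED_CODE = b"\xeb\xfe" + b"\x90" * 444            # placeholder bytes
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20     # placeholder "clean" code
PARTITIONS = make_partition_entry(True, 0x06, 63, 204800) + b"\x00" * 48
INFECTED_SECTOR = INFECTED_CODE + PARTITIONS + SIGNATURE


def repair_sample() -> bytes:
    """Apply the repair to the constructed sector and return the result."""
    return rewrite_boot_code(INFECTED_SECTOR, CLEAN_CODE)


if __name__ == "__main__":
    fixed = repair_sample()
    print("partition table preserved:",
          partition_table(fixed) == partition_table(INFECTED_SECTOR))
    print(parse_partition_entry(partition_table(fixed)[:16]))
```

The function only preserves the partition table as it finds it. That is exactly the limit the slide points to: once boot viruses started encrypting the boot sector, rewriting the code area alone could no longer put the disk back together, and a pattern-independent fix stopped being enough.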
The Second Era: Macro Virus to the Rise of the Internet
1995 – the end and the beginning
With the release of Microsoft Windows 95, no more boot sector viruses could be created.
Thinking that this was the end, many companies prepared to get out of the AV business.
Instead, W95 actually introduced a new and far more prevalent form of computer virus.
the Macro Virus (summer, 1995)
Macro viruses were much easier to write than boot sector and COM infectors, so a new class of virus writers arose, a class known as script kiddies
20,000 viruses in a single weekend
The rise of the script heuristic
(Macro Trap at Trend Micro)
The first email worm (Melissa)
But most of all
There were more and more and more updates all the time
This is when the sample naming problems arose (which involved pattern files)
This is when wild vs zoo became the most important distinction
By the end of the second era
There were a quarter million samples in the world
Pattern files were distributed without even telling the users
And the curve spread upward
In 1999 I was on vacation at Walt Disney World
When the Melissa virus first broke out
We had been telling people for years that there would never be an email borne virus
We were wrong
Melissa
March 26th, 1999--Melissa day
Not a trigger date but an outbreak
David Smith == Vicodin
CIH
Trigger date viruses still existed at this time, with CIH being a good example
CIH was one of the most intentionally destructive viruses ever seen
Some problems required entirely new approaches
No security solution has stopped or contained these network viruses
Most often it has been too late = $2.15B in damages in Year 2003 alone
Source: Trend Micro, Computer Economics
[Diagram: Central Site reached from the Internet through VPN, Firewall, DoS Protection, Intrusion Prevention, Traditional Antivirus, Vulnerability Assessment and Security Mgmt.; network viruses shown: Nimda, Code Red, Slammer, MSBlaster.A, Welchia]
In the 21st century…
Increasing volumes and speed of deployment required ever faster updates
Rather than focus on the virus leading up to its trigger date, the instantaneous outbreak (particularly of buffer overflow based viruses) required other treatments
There were now multiple fronts for malware
My company offered a guaranteed turnaround of pattern files
Enterprise Protection Strategy: Proactive Outbreak Lifecycle Management
[Diagram: outbreak lifecycle phases with relative cost: Attack Prevention ($$), Notification and Assurance ($), Pattern File ($$), Scan and Eliminate ($$), Assess and Cleanup ($$$$), Restore and Post-Mortem ($), Threat Information ($); grouped as Outbreak Prevention, Virus Response, Assessment and Restoration]
Services: Outbreak Prevention Services, Virus Response Services, Damage Cleanup Services
Capabilities shown: Proactive Attack Updates, Outbreak Prevention Policies, Analysis and Reporting, Threat Based Scanning, Virus Response SLA, Agentless Damage Cleanup, Client and Server Cleaning
TREND MICRO CONTROL MANAGER – outbreak lifecycle management, deployment, and reporting
The Third Era: Web Based Threats and Data Stealing Malware
WEB BASED THREATS
[Diagram: web infection chain: Trigger, Downloader, Infection (downloading components), Interaction with server; cost $$$$]
Breaking the infection chain requires a multi-point solution
There had always been alternatives
Inoculation (era 1)
Heuristics (era 1,2,3)
Behavior Blocking
Firewalls
IDS, IPS, HIPS
Reputation services
In the cloud detection
Cat scans
Alternatives have this in common
They are philosophically bound to a single kind of attack
And will become obsolete
This makes clear one shining principle
NO ONE METHOD WILL SOLVE IT ALL
Good things about pattern files
They are cheap
They make positive identification
They can lead to a remediation script and or encyclopedia entry
They are already a developed technology
They employ many people
Bad things about pattern files
They are too big to be sensible
They are too slow for today’s attacks
They tie up too much network time
Everyone hates them, for the wrong reasons
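The two properties just listed, that a pattern makes a positive identification by name but that the file grows with every entry, come straight from what a pattern file is: the hex byte strings of the first era, one per known sample. The following added example (written for this page; not Trend Micro's format, engine or any real pattern file) shows a minimal hex pattern file and the scanner that matches it. The entry format, the `??` wildcard, the pattern names and the three sample files are all constructed for illustration.

```python
# Added example (not Trend Micro's pattern-file format or scanner): a
# minimal hex pattern file and a scanner that makes a "positive
# identification" by name. The file format is an assumption for
# illustration: one entry per line, "<name>;<hex bytes>", where "??"
# matches any single byte and "#" starts a comment.
import re
from dataclasses import dataclass
from typing import List, Optional

HEX_PATTERN = re.compile(r"(?:[0-9a-f]{2}|\?\?)+")


@dataclass
class Pattern:
    name: str
    tokens: List[Optional[int]]   # int = exact byte, None = wildcard


def parse_pattern_file(text: str) -> List[Pattern]:
    """Parse the constructed pattern format; reject malformed lines loudly."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, hexpart = line.partition(";")
        hexpart = hexpart.replace(" ", "").lower()
        if not sep or not name.strip() or not HEX_PATTERN.fullmatch(hexpart):
            raise ValueError(f"pattern file line {lineno}: malformed entry")
        tokens = [None if hexpart[i:i + 2] == "??" else int(hexpart[i:i + 2], 16)
                  for i in range(0, len(hexpart), 2)]
        if all(t is None for t in tokens):
            raise ValueError(f"pattern file line {lineno}: pattern has no fixed bytes")
        patterns.append(Pattern(name.strip(), tokens))
    return patterns


def is_well_formed(text: str) -> bool:
    """True if the pattern file parses; used to reject a bad update before loading it."""
    try:
        parse_pattern_file(text)
        return True
    except ValueError:
        return False


def _matches_at(data: bytes, pos: int, tokens: List[Optional[int]]) -> bool:
    return all(t is None or data[pos + i] == t for i, t in enumerate(tokens))


def scan(data: bytes, patterns: List[Pattern]) -> List[str]:
    """Return the names of all patterns found in data, in pattern-file order."""
    hits = []
    for p in patterns:
        n = len(p.tokens)
        for pos in range(len(data) - n + 1):
            if _matches_at(data, pos, p.tokens):
                hits.append(p.name)
                break
    return hits


# Constructed samples (not real malware): a pattern file plus three "files".
SAMPLE_PATTERN_FILE = """
# name;hex bytes  (?? = any byte)
TEST-A;4d5a 9000 ??00                        # MZ header followed by a specific word
TEST-B;5468 6973 2069 7320 6120 7465 7374    # ASCII "This is a test"
"""

SAMPLE_FILES = {
    "clean.txt": b"hello world, nothing to see here",
    "a.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
    "b.txt": b"Some header\nThis is a test of the scanner\n",
}


def scan_samples() -> dict:
    """Scan every constructed file and map its name to the patterns it matched."""
    patterns = parse_pattern_file(SAMPLE_PATTERN_FILE)
    return {name: scan(data, patterns) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

Every hit is a name that can be looked up, which is the remediation-script and encyclopedia-entry link the slide mentions. The cost side is equally visible: each new sample adds one more entry and one more pass over every scanned file, so the database and the scan time grow with the sample count, which is the problem the later slides on sample volume describe.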
Increase in unique malware samples
Data source: AV-Test.org, January 2008
Malware handling
…with 250,000 unique samples/month?
…with 500,000 unique samples/month?
…with 1,000,000 unique samples/month?
…with 1,000,000 unique samples/day?
Pattern Deployment Challenge
[Diagram: Get Samples, Analyze Samples, Add New Ones to the Pattern DB, Prepare Batch for Customer, Batch Update delivered to the Customer]
TO SUM UP…
We do not protect against a one model world
We should never put blinders on against some ‘impossible’ attack
“In this world, said the Red Queen to Alice, it takes all the running you can do, JUST TO STAY IN THE SAME PLACE”
Traditional and Cloud-based Anti-Malware: Value of Offline vs. Online Protection
[Chart: Protection against Time; the value of offline protection falls over time while the value of online protection rises]
In BOTH Traditional and Cloud-based protection offline scenarios, the value of locally stored signatures (Blacklists) diminishes over time, while the value of cloud based signatures increases.
Traditional vs. Cloud-client Protection
With EITHER approach – we must meet the challenge to provide protection
OfficeScan 8: Traditional Protection Approach
When a workstation is offline (or cannot access an active update server), it cannot download the latest batch of anti-malware signatures from the cloud – and thus is left unprotected.
OfficeScan 10: Cloud-client Protection Approach
Similarly, when a cloud-client based workstation is offline (or cannot access a scan server), it cannot query the latest anti-malware signatures in the cloud – and thus is also left unprotected. To ensure continued effective protection, OfficeScan Cloud-client technology has introduced an Advanced Offline Protection system to ensure continued protection for offline users.
Traditional vs. Cloud-client Protection
With EITHER approach – we must meet the challenge to provide protection
[Diagram: OfficeScan 8 relies on Offline Protection via Pattern Batch Update; OfficeScan 10 combines Advanced Offline Protection with Online Pattern Query]
Cloud-client Protection: Advanced Offline Protection - Details
Policy Management
System protection policies that are engaged when the user is offline. Examples:
• Pass – allows file to run
• Block – blocks file (default)
• Ask – allow the user to control access to the file
• Offline Quarantine – temporarily prevent file access until it can be verified
• Device Access Control – dynamic control of USB, removable drives, etc…
Local Whitelist
Repository of known good files and applications. Examples:
• Digital Signature Validation
• File Signature Validation
Smart Filter
Uses specialized algorithms to maximize protection in offline scenarios
Local Blacklist
Repository of known bad threats.
[Diagram: Advanced Offline Protection alongside Online Pattern Query]
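The slide lists the building blocks of offline protection (policy actions, local whitelist with digital and file signature validation, smart filter, local blacklist) without showing how a decision is assembled from them. The following added example (written for this page; not OfficeScan code and not its documented checking sequence) puts them together into one decision for a file opened while the scan server is unreachable. The check order, the entropy rule standing in for the unspecified "specialized algorithms" of the smart filter, the signer check as a stand-in for digital signature validation, and all sample files, hashes and publisher names are assumptions made here for illustration.

```python
# Added example (not OfficeScan code): an offline file-access decision
# assembled from the Advanced Offline Protection components the slide
# lists: local blacklist, local whitelist (file-hash and signer checks),
# a "smart filter" stand-in and the offline policy actions Pass / Block /
# Ask / Offline Quarantine with Block as the default. Check order, the
# entropy rule and the signer check are assumptions for illustration.
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

PASS, BLOCK, ASK, OFFLINE_QUARANTINE = "Pass", "Block", "Ask", "Offline Quarantine"


@dataclass
class FileEvent:
    name: str
    content: bytes
    signer: Optional[str] = None    # publisher name as verified by the OS (assumed input)
    from_removable: bool = False    # input for device access control


@dataclass
class OfflinePolicy:
    default_action: str = BLOCK                   # slide: Block is the default
    removable_unknown: str = OFFLINE_QUARANTINE   # device access control choice (assumed)
    trusted_signers: Set[str] = field(default_factory=set)
    whitelist_hashes: Set[str] = field(default_factory=set)
    blacklist_hashes: Set[str] = field(default_factory=set)
    entropy_threshold: float = 7.5                # smart-filter stand-in (assumed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8.0, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decide_offline(ev: FileEvent, policy: OfflinePolicy) -> Tuple[str, str]:
    """Return (action, reason) for a file opened while the scan server is unreachable.
    Known bad is checked first so that no whitelist entry can override it."""
    digest = sha256_hex(ev.content)
    if digest in policy.blacklist_hashes:
        return BLOCK, "local blacklist: known bad"
    if digest in policy.whitelist_hashes:
        return PASS, "local whitelist: file signature (hash) match"
    if ev.signer is not None and ev.signer in policy.trusted_signers:
        return PASS, "local whitelist: digital signature from trusted publisher"
    if shannon_entropy(ev.content) >= policy.entropy_threshold:
        return OFFLINE_QUARANTINE, "smart filter: unknown high-entropy file held until verified"
    if ev.from_removable:
        return policy.removable_unknown, "device access control: unknown file from removable media"
    return policy.default_action, "offline default policy"


# Constructed samples (not real files or real hashes).
KNOWN_GOOD = b"rem known-good maintenance script\n"
KNOWN_BAD = b"constructed stand-in for a blacklisted file\n"
UNKNOWN = b"plain unknown bytes " * 4
POLICY = OfflinePolicy(
    trusted_signers={"Example Corp (constructed)"},
    whitelist_hashes={sha256_hex(KNOWN_GOOD)},
    blacklist_hashes={sha256_hex(KNOWN_BAD)},
)
SAMPLES = [
    FileEvent("good.bat", KNOWN_GOOD),
    FileEvent("vendor.exe", UNKNOWN, signer="Example Corp (constructed)"),
    FileEvent("bad.exe", KNOWN_BAD),
    FileEvent("packed.exe", bytes(range(256)) * 4),      # entropy exactly 8.0
    FileEvent("usb_tool.exe", UNKNOWN, from_removable=True),
    FileEvent("local_unknown.exe", UNKNOWN),
]


def decide_samples() -> dict:
    """Map each constructed file name to the action the offline policy takes."""
    return {ev.name: decide_offline(ev, POLICY)[0] for ev in SAMPLES}


if __name__ == "__main__":
    for ev in SAMPLES:
        action, reason = decide_offline(ev, POLICY)
        print(f"{ev.name}: {action} ({reason})")
```

The outcome for the two plain unknown files shows the value of the policy layer: the same unknown bytes are quarantined when they arrive on removable media and blocked by the default when they are local, and switching the default to Ask hands that last decision to the user. The point of the whole sequence is the one the earlier slides make about offline value decaying: every branch after the blacklist exists because, offline, the client cannot ask the cloud.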
Cloud-client Protection: Advanced Offline Protection - Checking Sequence
File Reputation