TruPrevent Technologies: Technical Overview
Sponsored by Panda Software (USA), Inc.
The need for protection technologies against unknown malware:
Current antivirus technologies are extremely effective at detecting and disinfecting known malware (anything found in their signature databases). However, from the moment a new malicious code appears until antivirus solutions are capable of detecting and disinfecting it, the following events must take place:
Result: from the moment new malware appears until users are protected, anything from a few hours to several days may pass, depending on how quickly the antivirus manufacturer reacts to the appearance of the new threat.
During that reaction time, users of the antivirus product have no support from that technology to prevent infection.
The weapons the user has had until now to face this situation were:
Where does TruPrevent Technologies fit in?
TruPrevent Technologies is a set of technologies aimed at enhancing the security of systems against attacks from unknown malware. Its purpose is to protect the user against malware that has just appeared and that traditional security products are incapable of combating because it is unknown to them. TruPrevent Technologies is a combination of technologies of different kinds with a common purpose, protecting workstations and servers against unknown threats, so it is hard to place it within a single category of security solutions.
The technologies that make up TruPrevent Technologies interact with each other so that the degree of protection achieved is greater than that of any one of them alone. They are specifically designed to avoid false positives and to take decisions without any need for end users or administrators to intervene. These two points affect both ease of use and administration and the security of the system:
TruPrevent Technologies complement the rest of the existing security technologies (antivirus, firewall, IDS/IPS, HIPS). They specialize in detecting and avoiding the harmful effects of unknown malware, and as such are the ideal complement for technologies that specialize in the detection and disinfection of known malware.
TruPrevent Technologies are based on a combination of different technologies for detecting unknown malware, among which the following stand out:
The technologies included in TruPrevent Technologies work in a coordinated way to analyze the processes in execution, so that each operation they perform is controlled.
Let's imagine that an application requests a service from the operating system during its execution:
Now consider how each one of these modules functions in detail:
Detecting and blocking attacks and unknown malware using application security policies:
The security policies are security solutions aimed at specific working environments. They are made up of containers of rules, each of which is the solution to a given security problem. The rules in these containers determine whether an action or set of actions may be performed on a given group of system resources by an application or group of applications, in the security environment of a given user profile.
The security policies are made up of a set of rules that control the access of applications to system resources. Secure behaviors are thus established for applications, so that any malware introduced into the system, or an attacker, will find the harmful actions they intend to perform on the system blocked. Specifically, there are different types of rules:
The security policies are modified and updated from Panda (managed security), including solutions for security problems detected in the most common software products. A countermeasure against a vulnerability discovered in a software component can thus be deployed rapidly, before the manufacturer publishes the patch.
These predefined policies updated from Panda are sufficient for the protection to work effectively, providing a high degree of security for the protected systems and making the concept of managed security real: it is Panda that takes charge of defining and updating these security policies on the basis of observed malware behavior, without requiring the intervention of security experts at the client's premises.
These policies have been defined at Panda following an exhaustive study of the actions malware performs to damage systems. They control access to basic system resources such as the registry, COM components, files, the network, user accounts and system services, restricting that access to legitimate applications and so preventing third parties or third-party software from damaging the system.
The policies are established in a modular way for the different environments protected: separate policies exist for Windows workstations and for servers, and within server environments they are further distinguished by the server's function in the corporate network (web servers, database servers, mail servers). The function of each of these elements in the corporate network is very different, and therefore the resource-access needs of the software running on each one are specified per element.
Some examples of these rules are:
These rules are defined bearing in mind the resource-access needs of common software, however specific that software may be, so that they neither limit its operation nor interfere with its functioning: not generating false alarms is the basic premise on which the new TruPrevent Technologies have been designed. Any action that can be deemed dangerous or harmful is blocked, preventing unknown malware or an attacker from damaging the system.
When a process attempts to violate any of the rules, it can be added dynamically to a group of processes to which a more restrictive security policy applies, so that the actions the process subsequently performs in the system are correlated as events.
Security policies for the administrator:
The security policies management module offers the administrator the possibility of adding new security policies of his own design. The administrator has all the tools needed to generate, clearly and simply, the containers and rules of the different types he deems necessary. Specifically, he can define the same types of rules as those produced by Panda.
The administrator can therefore modify the behavior of the policies defined by Panda by adding higher-priority policies of his own.
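The following is an added example written for this overview, not code from Panda or from the TruPrevent product, which shows how a rule-container policy engine of the kind described above can be structured: rules scoped to an application, a resource class and a target prefix, grouped in containers, evaluated in priority order (administrator container first, then a restrictive container applied dynamically to processes that have already violated rules, then the vendor container), with anything no rule mentions allowed so that ordinary software is not disturbed. The rule contents, the escalation threshold and the application names are constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Resource classes the policies control (registry, COM, files, network,
 * user accounts, system services) and the actions performed on them. */
typedef enum { RES_REGISTRY, RES_COM, RES_FILE, RES_NETWORK, RES_ACCOUNTS, RES_SERVICES } resource_t;
typedef enum { ACT_READ, ACT_WRITE, ACT_CONNECT, ACT_EXEC } action_t;
typedef enum { VERDICT_DENY = 0, VERDICT_ALLOW = 1 } verdict_t;

/* One rule: which application (matched by image-name prefix, NULL = any)
 * may perform which action on which resource (matched by target prefix). */
struct rule {
    const char *app_prefix;
    resource_t  resource;
    action_t    action;
    const char *target_prefix;
    verdict_t   verdict;
};

/* A container groups the rules that solve one security problem. */
struct container { const char *name; const struct rule *rules; int count; };

/* Constructed, hypothetical vendor rules for a workstation profile. */
static const char RUN_KEY[] = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
static const struct rule workstation_rules[] = {
    { "msiexec", RES_REGISTRY, ACT_WRITE, RUN_KEY, VERDICT_ALLOW },      /* installers may add autostart entries */
    { NULL,      RES_REGISTRY, ACT_WRITE, RUN_KEY, VERDICT_DENY  },      /* nothing else may */
    { "winword", RES_ACCOUNTS, ACT_WRITE, "",      VERDICT_DENY  },      /* a word processor creates no accounts */
    { "winword", RES_SERVICES, ACT_WRITE, "",      VERDICT_DENY  },      /* and installs no services */
    { "outlook", RES_FILE,     ACT_EXEC,  "C:\\Users\\", VERDICT_DENY }, /* mail client runs nothing from user folders */
};
static const struct container vendor_workstation = { "vendor-workstation", workstation_rules, 5 };

/* Restrictive container applied dynamically once a process has violated rules. */
static const struct rule restrictive_rules[] = {
    { NULL, RES_NETWORK, ACT_CONNECT, "", VERDICT_DENY },
    { NULL, RES_FILE,    ACT_WRITE,   "", VERDICT_DENY },
};
static const struct container restrictive = { "restrictive", restrictive_rules, 2 };

#define MAX_TRACKED 32
#define ESCALATE_AFTER 2   /* violations before escalation (assumed value) */
struct process_state { int pid; int violations; bool restricted; };
static struct process_state tracked[MAX_TRACKED];

void reset_tracking(void) { memset(tracked, 0, sizeof tracked); }

/* Find or create the per-process record (pid 0 marks an empty slot). */
static struct process_state *track(int pid) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked[i].pid == pid) return &tracked[i];
        if (tracked[i].pid == 0) { tracked[i].pid = pid; return &tracked[i]; }
    }
    return &tracked[MAX_TRACKED - 1]; /* table full: share the last slot (toy behaviour) */
}

static bool starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* First matching rule in a container decides; -1 if no rule applies. */
static int eval_container(const struct container *c, const char *app,
                          resource_t r, action_t a, const char *target) {
    for (int i = 0; i < c->count; i++) {
        const struct rule *rl = &c->rules[i];
        if (rl->resource != r || rl->action != a) continue;
        if (rl->app_prefix && !starts_with(app, rl->app_prefix)) continue;
        if (!starts_with(target, rl->target_prefix)) continue;
        return rl->verdict;
    }
    return -1;
}

/* Decide one operation. Priority order: administrator container (may be
 * NULL), then the restrictive container if the process was escalated, then
 * the vendor container. Operations no rule mentions are allowed. */
verdict_t decide(const struct container *admin, int pid, const char *app,
                 resource_t r, action_t a, const char *target) {
    struct process_state *ps = track(pid);
    int v = -1;
    if (admin)                   v = eval_container(admin, app, r, a, target);
    if (v < 0 && ps->restricted) v = eval_container(&restrictive, app, r, a, target);
    if (v < 0)                   v = eval_container(&vendor_workstation, app, r, a, target);
    if (v < 0)                   v = VERDICT_ALLOW;
    if (v == VERDICT_DENY && ++ps->violations >= ESCALATE_AFTER)
        ps->restricted = true;   /* the process history, not one action, drives escalation */
    return (verdict_t)v;
}

bool is_restricted(int pid) { return track(pid)->restricted; }
```

Note that the default verdict is allow: the containers only name the dangerous operations, which is what keeps unusual but legitimate software (installers, management tools) working. The escalation step is where the per-process history starts to matter: a process that has already been blocked twice loses network and file-write access entirely, even for operations the vendor container would otherwise permit.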
Detection of Buffer Overflows:
Buffer overflows are a class of software flaw found in applications that reserve a fixed memory space to store incoming data. Exploits are attacks that take advantage of such vulnerabilities in the software installed on the computer under attack.
Two concepts deserve closer examination.
Vulnerabilities and exploits:
A computer vulnerability is an error in a software component that may represent a threat to the security and integrity of the system. There are different types of vulnerabilities, but buffer overflows are among the most widespread. Vulnerabilities of this kind are discovered in all kinds of software practically every day.
An application is vulnerable to a buffer overflow attack when it reserves a fixed space in memory for storing a data input and does not check the real length of that data before inserting it into the reserved space. Programming errors of this kind arise in all kinds of applications, affecting both workstation and server environments.
When the manufacturer of the vulnerable software solves the problem that causes the security gap, it publishes a patch that must be applied to the vulnerable software. During the time window between the discovery of the vulnerability and the publication of the security patch, the system is vulnerable to attack.
An exploit is an attack on a computer system that takes advantage of a vulnerability that a software component exposes to an intruder. Exploits of buffer overflow vulnerabilities send the target process a specially crafted data string, longer than the memory buffer that process reserved for it.
The problem arises when the process does not check the length of this string and writes its whole contents into memory. The string, being longer than expected, overwrites the original contents of memory beyond the buffer, including the return address. If an attacker designs that string carefully, he can redirect execution to an area in which he has placed executable code, and so achieve the execution of his own code on the attacked system. The attacker can therefore take control of the attacked system.
The easiest type of buffer overflow to exploit (though not the only one) is the stack buffer overflow. The local variables of a function are stored in the area of memory assigned to the stack, together with the return address to which execution will be redirected once the function has ended. In this type of attack, once the amount of data needed to produce the overflow is known, the attacker supplies an input string that is really executable code, sized precisely so that it overwrites the return address and redirects execution of the application towards his own code. The string overwrites the return address previously stored in the stack with the address of the code he wants to execute, as shown in the figures.
When the function that reserved the buffer finishes, its return instruction takes the return address stored in the stack, which has now been replaced by the value supplied by the attacker. Hence the attacker can execute whatever code he wants. Often the code he has managed to insert into the attacked process is small and only manages, for example, to download the code he really wants to execute from a server.
On other occasions, all the code that he wants to execute may be entered this way.
Patches for vulnerabilities and vulnerability window:
The time that elapses between the discovery of a vulnerability and the distribution of a correction in the form of a patch by the application's manufacturer is the vulnerability window. Sometimes software manufacturers correct vulnerabilities before they can be exploited, and in that case a proper update policy for our applications may keep us protected. The problem grows with the size of this vulnerability window, since it gives attackers longer to develop exploits for these vulnerabilities, and installations remain unprotected for longer.
The current trend among malware creators is to develop exploits ever faster after a given vulnerability appears, so that software manufacturers are given no time to publish patches. An added problem is that the ever greater number of vulnerabilities makes it complicated to keep large fleets of computer equipment up to date with patches.
How TruPrevent Technologies acts:
The buffer overflow detection module included in TruPrevent Technologies monitors the execution of the system's processes, watching over the data areas of the running processes and checking at all times that buffer overflows do not occur. Should an overflow occur, TruPrevent Technologies prevents the execution of the malicious code and terminates the affected process, thereby maintaining the integrity of the system. We are therefore protected against these types of attacks even when they are unknown and our software is not properly patched. TruPrevent Technologies protects us even against "zero-day attacks" (attacks that exploit a vulnerability before it is publicly known or patched), since it does not need to know the nature of the attack or the vulnerability it targets in order to generically detect this type of buffer overflow attack.
TruPrevent Technologies is also capable of generating a signature or identifier for an attack that has taken place against a vulnerable software component and passing it to the network virus detection module, so that subsequent attacks of the same kind are repelled at the packet-filtering level of the firewall and never even reach the vulnerable component.
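The following added example, written for this overview and not taken from Panda or the TruPrevent product, models the stack overflow mechanics described in the section on vulnerabilities and exploits above (a fixed buffer followed by the saved return address, overwritten by an over-long input) and the generic response described in the paragraph on how the detection module acts (catch the corrupted frame before the return executes and terminate the process). The frame layout, the addresses and the shadow-copy check are illustrative assumptions; the copy is bounded to the frame object so that the demonstration stays within defined C behaviour, and the check shown is one generic technique, not a description of TruPrevent's internals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the stack frame the text describes: a fixed-size input buffer
 * followed by the saved return address. Real frames also hold saved registers
 * and compiler padding; this layout is illustrative only. */
struct frame {
    char      buf[16];
    uintptr_t saved_return;
};

/* Constructed addresses: where the function should return, and where the
 * attacker has placed code (hypothetical values, not real addresses). */
#define LEGIT_RETURN  ((uintptr_t)0x00401234u)
#define ATTACKER_CODE ((uintptr_t)0x0012ff40u)

/* The programming error from the text: the input length is never compared
 * with the space reserved, so the copy runs past buf into saved_return.
 * Clamped to the frame object so the demonstration stays within defined behaviour. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* The fix: reject input that does not fit in the buffer. */
static bool copy_checked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof f->buf) return false;
    memcpy(f->buf, in, len);
    return true;
}

/* Payload an attacker would send: filler up to the saved-return slot, then
 * the address of the injected code in host byte order, as it sits in memory. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t target) {
    size_t off = offsetof(struct frame, saved_return);
    if (cap < off + sizeof target) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Performs one copy into a fresh frame and reports where execution would go
 * when the function returns: the attacker's address after the unchecked copy
 * of a crafted payload, the legitimate address otherwise. */
uintptr_t return_target_after(bool hardened, const unsigned char *in, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_return = LEGIT_RETURN;
    if (hardened) copy_checked(&f, in, len);
    else          copy_unchecked(&f, in, len);
    return f.saved_return;
}

/* One generic way a runtime monitor can catch the overwrite before it is
 * used: record the return address at function entry and compare at exit.
 * A mismatch means the frame was corrupted; the process must be terminated
 * rather than allowed to return into attacker-controlled memory. */
bool frame_intact(const struct frame *f, uintptr_t shadow_return) {
    return f->saved_return == shadow_return;
}

/* Full scenario: true if the monitor would have stopped the process. */
bool monitor_would_terminate(const unsigned char *in, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_return = LEGIT_RETURN;
    uintptr_t shadow = f.saved_return;   /* recorded at function entry */
    copy_unchecked(&f, in, len);         /* the vulnerable operation */
    return !frame_intact(&f, shadow);    /* checked before the return executes */
}
```

The point the two functions make together is the one the text makes: the checked copy removes the bug, but only in software that has been fixed, while the runtime check works without knowing which application or which input is at fault, which is what lets it cover an unpatched vulnerability.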
Detection of network virus:
Network viruses constitute a type of attack that does not reach the machine in the form of a file like a 'traditional' virus; rather, the attack arrives as packets sent directly to a port on which the attacked process is listening. This requires special treatment for detection, since what has to be located is a set of packets within the IP connection, not a file as in the usual case of a virus or worm that arrives by e-mail or any other mechanism.
Network viruses come from another machine on the network (whether a private network or the Internet itself) and attack the vulnerable machine without any action by the user, which makes them even more dangerous.
Network viruses are attacks aimed at exploiting vulnerabilities in certain services or processes running on the attacked machine. A pure network virus does not write to disk; rather, it injects code into the process it attacks and is thereby able to carry out its malicious activity.
Because they do not write to disk, they cannot be detected by traditional antivirus. However, some combined attacks do write to disk in search of a mechanism to become resident in the machine and run again after a restart, turning the attacked machine into a new source of attacks on other machines. The trace they leave on disk can be detected by traditional antivirus, but disinfecting it does not prevent the machine from being attacked again by code injection into the vulnerable process.
How network virus detection works:
The network virus detector is based on analyzing the contents of the packets that cross the network interface of the protected machine. Using firewall technology, the fields of the IP packets are analyzed in search of signatures of known attacks.
This system works on the basis of two types of signatures:
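An added example, written for this overview and not code from Panda or the TruPrevent product, of the two pieces described above: the overflow detector handing the offending input to the network module as a signature (the paragraph following the description of how TruPrevent Technologies acts), and the network module inspecting raw packets on the interface for that signature (this section). The packet parser handles IPv4/TCP only and ignores checksums; the signature format (destination port plus a byte pattern) and the sample payload bytes are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A learned attack signature: the listening port that was hit and the byte
 * pattern that appeared in the input which caused the overflow. */
struct signature { uint16_t dst_port; unsigned char pattern[32]; size_t len; };

#define MAX_SIGS 8
static struct signature sigs[MAX_SIGS];
static int nsigs;

void reset_signatures(void) { memset(sigs, 0, sizeof sigs); nsigs = 0; }

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Locate the TCP payload inside a raw IPv4 packet. Returns false if the
 * bytes are not a well-formed IPv4/TCP datagram that fits in len. */
static bool tcp_payload(const unsigned char *pkt, size_t len, uint16_t *dport,
                        const unsigned char **payload, size_t *plen) {
    if (len < 20) return false;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || len < ihl) return false;
    if (pkt[9] != 6) return false;              /* protocol field: 6 = TCP */
    size_t total = rd16(pkt + 2);
    if (total < ihl || total > len) return false;
    const unsigned char *tcp = pkt + ihl;
    if (total - ihl < 20) return false;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;   /* TCP data offset */
    if (doff < 20 || total - ihl < doff) return false;
    *dport = rd16(tcp + 2);
    *payload = tcp + doff;
    *plen = total - ihl - doff;
    return true;
}

/* Called by the overflow detector: turn the input that overflowed a buffer
 * in a process listening on dst_port into a signature for the packet filter. */
bool learn_signature(uint16_t dst_port, const unsigned char *data, size_t len) {
    if (nsigs >= MAX_SIGS || len == 0 || len > sizeof sigs[0].pattern) return false;
    sigs[nsigs].dst_port = dst_port;
    memcpy(sigs[nsigs].pattern, data, len);
    sigs[nsigs].len = len;
    nsigs++;
    return true;
}

/* Inspect one packet on the interface. Returns the index of the matching
 * signature, -1 if no signature matches, -2 if the packet is not IPv4/TCP. */
int inspect_packet(const unsigned char *pkt, size_t len) {
    uint16_t dport; const unsigned char *pl; size_t pn;
    if (!tcp_payload(pkt, len, &dport, &pl, &pn)) return -2;
    for (int i = 0; i < nsigs; i++) {
        if (sigs[i].dst_port != dport || pn < sigs[i].len) continue;
        for (size_t off = 0; off + sigs[i].len <= pn; off++)
            if (memcmp(pl + off, sigs[i].pattern, sigs[i].len) == 0) return i;
    }
    return -1;
}

/* Build a constructed IPv4/TCP packet to dst_port carrying payload
 * (minimal headers, checksums left zero). Returns total length or 0. */
size_t build_packet(unsigned char *out, size_t cap, uint16_t dst_port,
                    const unsigned char *payload, size_t plen) {
    size_t total = 20 + 20 + plen;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                                  /* IPv4, IHL 5 */
    out[2] = (unsigned char)(total >> 8); out[3] = (unsigned char)total;
    out[8] = 64; out[9] = 6;                        /* TTL, protocol TCP */
    out[20 + 2] = (unsigned char)(dst_port >> 8); out[20 + 3] = (unsigned char)dst_port;
    out[20 + 12] = 0x50;                            /* data offset 5 words */
    memcpy(out + 40, payload, plen);
    return total;
}
```

Tying the signature to the destination port matters: the same bytes arriving at a port served by a different, non-vulnerable process are not the attack, and matching them anyway would be the kind of false alarm the document says it is designed to avoid.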
Detection of unknown malware using behavior analysis:
This component analyzes the behavior of each and every process executed on the workstations and servers of the network. It is not a simple analysis based on single rules that prohibit or allow certain actions: it is an analysis that takes into account the whole set of actions performed by a process from the moment it first appears in the operating system (correlation of events). The advantage of this method is that the system acts immediately as soon as it has gathered enough evidence that a process is malicious. It is specifically designed to avoid false positives (detection as malware of processes that really are not), and it functions autonomously, without requiring the end user to take decisions, unlike other products from the competition that merely ask the user whether the malicious actions they have halted may or may not be performed.
Products based on applying a set of simple rules (allow/deny) to the actions that processes perform in the system are prone to generating false positives, since they lack enough information about the context of the process in question and its history in the system to take the right decision. Products based on atomic, uncorrelated rules are usually either highly restrictive (they generate many false positives) or, on the contrary, only combat actions that very clearly and unequivocally show malicious activity (they are hardly capable of detecting malware).
The TruPrevent Technologies analysis considers all the information available about the process, and by assessing its actions in the appropriate context decides whether the process is malicious or not. It should be borne in mind that many legitimate applications (installers, specific network management applications, etc.) perform operations that, considered in isolation, might be deemed suspicious, and yet the normal operation of these programs is not affected by TruPrevent Technologies.
TruPrevent Technologies can also act on two levels depending on the seriousness of the evidence gathered about a process:
In either case, and once the administrator's approval has been obtained, the malicious program is sent automatically or manually to PandaLabs, where an identifier for it is developed and the Panda antivirus is updated, so that from then on the process forms part of the list of known viruses and is stopped immediately as soon as it is intercepted by the Panda antivirus.
TruPrevent Technologies has detected, among many others, the following viruses with each of their multiple variants: Mydoom, Bagle, NetSky, Gaobot, Sdbot, Passer, Blaster, Bobax, Bugbear, Dumaru, Klez, Sasser, Sober, Zafi, Nachi and so on, up to over 500 different viruses in just the first few weeks since it appeared.
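The following added example, written for this overview and not code from Panda or the TruPrevent product, shows what "correlation of events" means in practice as opposed to atomic allow/deny rules: each process accumulates a history of abstract actions, the history is scored as a whole, and the score maps to the two response levels the text mentions (block the offending action for a suspicious process, terminate a malicious one). The event vocabulary, the weights, the stage-combination bonuses, the thresholds and the three sample traces are all constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Observed actions, abstracted from the system calls a monitor would hook. */
typedef enum {
    EV_EXEC_FROM_TEMP,        /* process image started from a temp folder */
    EV_COPY_SELF_TO_SYSTEM,   /* wrote a copy of its own image into a system folder */
    EV_WRITE_AUTORUN,         /* added an autostart registry entry */
    EV_CREATE_SERVICE,        /* installed a service */
    EV_STOP_SECURITY_SERVICE, /* stopped an antivirus or firewall service */
    EV_MASS_OUTBOUND,         /* many outbound connections to one port in a short time */
    EV_WRITE_PROGRAM_FILES,   /* wrote into Program Files */
    EV_SHOW_WINDOW            /* interacted with the user through a window */
} event_t;

typedef enum { LEVEL_CLEAN, LEVEL_SUSPICIOUS, LEVEL_MALICIOUS } level_t;

/* Illustrative (assumed) weights, chosen so that no single action reaches a
 * verdict on its own: only the accumulated history of a process does. */
static int event_weight(event_t e) {
    switch (e) {
    case EV_EXEC_FROM_TEMP:        return 10;
    case EV_COPY_SELF_TO_SYSTEM:   return 25;
    case EV_WRITE_AUTORUN:         return 15;
    case EV_CREATE_SERVICE:        return 15;
    case EV_STOP_SECURITY_SERVICE: return 30;
    case EV_MASS_OUTBOUND:         return 30;
    case EV_WRITE_PROGRAM_FILES:   return 0;
    case EV_SHOW_WINDOW:           return -20; /* installers talk to the user; worms do not */
    }
    return 0;
}

/* Correlate the whole history of one process: the sum of weights plus a
 * bonus when actions from different stages of a worm's life cycle occur
 * together (persistence with propagation, or persistence with defence evasion). */
int correlate(const event_t *history, size_t n) {
    int score = 0;
    bool persistence = false, propagation = false, evasion = false;
    for (size_t i = 0; i < n; i++) {
        score += event_weight(history[i]);
        switch (history[i]) {
        case EV_WRITE_AUTORUN: case EV_CREATE_SERVICE:      persistence = true; break;
        case EV_COPY_SELF_TO_SYSTEM: case EV_MASS_OUTBOUND: propagation = true; break;
        case EV_STOP_SECURITY_SERVICE:                      evasion = true;     break;
        default: break;
        }
    }
    if (persistence && propagation) score += 40;
    if (persistence && evasion)     score += 30;
    return score;
}

/* Two response levels (assumed thresholds): a suspicious process has the
 * offending action blocked; a malicious one is terminated. */
level_t classify(int score) {
    if (score >= 80) return LEVEL_MALICIOUS;
    if (score >= 40) return LEVEL_SUSPICIOUS;
    return LEVEL_CLEAN;
}

level_t verdict_for(const event_t *trace, size_t n) { return classify(correlate(trace, n)); }

/* Constructed traces: a legitimate installer, an unknown program that only
 * stopped a security service, and a worm. */
static const event_t installer_trace[] = {
    EV_EXEC_FROM_TEMP, EV_SHOW_WINDOW, EV_WRITE_PROGRAM_FILES, EV_WRITE_AUTORUN, EV_CREATE_SERVICE
};
static const event_t unknown_trace[] = { EV_EXEC_FROM_TEMP, EV_STOP_SECURITY_SERVICE };
static const event_t worm_trace[] = {
    EV_EXEC_FROM_TEMP, EV_COPY_SELF_TO_SYSTEM, EV_WRITE_AUTORUN, EV_MASS_OUTBOUND
};
```

The installer and the worm both add an autostart entry, which is exactly the action an atomic rule would have to either forbid (false positive on every installer) or permit (missing the worm); scored against the rest of each process's history the two come out at opposite ends of the scale.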
Compatibility of an additional layer of protection:
TruPrevent Technologies are compatible with the rest of the solutions and technologies used to protect our network. They also provide an additional layer of protection, adding a combination of technologies that secure the machine with a degree of effectiveness greater than that of any of the solutions available on the market.
Integration of TruPrevent Technologies with the rest of the security technologies in our network:
The information contained in this document represents the current view of Panda Software, S.L. on the issues discussed herein as of the date of publication. This document is for informational purposes only. Panda Software, S.L. makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express written permission of Panda Software , S.L. Panda Software, S.L. may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Panda Software, S.L. the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.