When Signature-less Security Requires Signatures

In many ways much of corporate security is a bit like dealing with those pesky odd-jobs around home. There’s always something that needs fixing, painting or screwing back in. All too often we find that many of the smaller jobs get pushed back and postponed for some reason or another despite ourselves. There’s a litany of things that should be done – like installing a doorstop behind the bathroom door to prevent the kids from slamming open the door and the handle inadvertently punching a hole through the drywall.

You know how it goes – despite the best of intentions, things get put off and then Wham! Instead of the original $5 and 15-minute effort guestimate, you now have to deal with something considerably bigger and more expensive; and there goes the entire weekend.

For the last few weeks many corporate security teams and CISO’s have been facing the same frustrated, self-induced, Homer Simpson “doh!” experience in face of the Apple Mac Flashback malware outbreaks.

They’d heard the rumblings about malware for Mac’s for years, they’ve received the glossy literature from antivirus and IPS vendors at the last few RSA conferences, and it was on their list for doing something about… soon. Next thing, they turn around and there’s ten times as many corporate Mac’s and BYOD notebooks as they thought there were, and half of them are already leaching out important files and stuff.

But why didn’t their newest anti-malware protection platforms work? Why didn’t the new tools that were meant to fill in the holes of the holes in the devices that were meant to fill in the holes of the desktop antivirus products work? Simply put, because nobody has been that interested in protecting against non-Windows 32bit malware, and the money hasn’t been there for the vendors to offer up solutions in the realm.

Take for example the latest and greatest gap-filler antivirus technology – appliance-based virtual machine malware dynamic analysis systems. It’s a mouthful, but some simply call it next generation antivirus (NGAV) or next generation IPS (NGIPS). What they’re supposed to do is automatically intercept copies of Windows 32bit executable files that are being downloaded from the Web or shuttled over email, throw them in to automated virtual machines so that the binary file is made to run, flag files that look to be malicious and, in a lot of cases, create a signature that can be deployed within the IPS component of the NGIPS solution.

So here’s the shocker, the Flashback malware infecting Apple Mac’s isn’t a Windows 32bit executable! So all those lovely shiny NGAV/Sandboxing and NGIPS appliances being deployed out there are blissfully incapable of observing the threat (lest we forget also missing Windows 64bit malware, Android malware, iOS malware, Blackberry malware, Linux malware, etc.).

It’s not the vendor’s fault. Their products are working exactly as marketed and probably performed perfectly in the proof-of-concept and evaluation deployments as the corporate security teams chucked sample after sample of 32bit Windows malware at it. These signature-less malware detection systems just aren’t designed or built to handle the other operating system threats.

Automated dynamic analysis of malware is hard. The vast corpus of knowledge in that area is almost exclusively tied to the types of malware that affect Windows XP and Windows 2000. Handling suspicious binaries and malware that affect other operating systems and environments is more difficult, and is not quite at a level that it can be tin-wrapped and sold as an array of appliances.

The stopgap for those corporations seeking to mitigate this one specific threat (i.e. the Mac Flashback malware) who have purchased and deployed signature-less NGIPS technology is to deploy a vendor-supplied signature.

Is it just me, or is it kind of messed up that the new-fangled signature-less protection systems (which are essentially gap-fillers for signature-based network inspection engines, which are in turn gap-fillers for host-based antivirus software) require their own batch of vendor-supplied signatures to work? It’s not supposed to work this way. This is kind of like throwing a cushion behind the door after the kids have already knocked that hole in the drywall so they don’t make the hole any bigger. It neither fixes the more serious problem (i.e. the hole in the wall) nor prevents it from happening elsewhere (e.g. the other doors around the house that you haven’t extended your budding DIY home maintenance skills to).

If you were looking to deploy dynamic defense architectures and signature-less detection systems, I’d strongly advise you to examine the full spectrum of threats you’re going to face today (and next week) and choose wisely. If your organization has a mix of operating systems, devices or BYOD strategies (and don’t they all nowadays), make sure that your evaluation and testing strategy extends to these newer threats if you want to avoid another “doh!” moment and mad scrabbling for post-breach fixes.


– Gunter Ollmann, VP Research

Tags: , , , ,