Antisploit: antivirus industry in the fight against exploits (essay)
The exploitation of vulnerabilities in software on the side of the end user has become one of the main trends on the black market. Forecasts of analytical companies demonstrate a steady growth in cybercriminals' revenues from the services of providing means of compromise and, as a result, growth in related areas of criminal activity: loading virus code, stealing sensitive information, renting bot networks, and so on.
BCG-matrix of the cybercrime market
Exploit is a tool for organizing the initial stage of the malware life cycle. The result of the use of vulnerabilities in software can be not only the stable development of a botnet, but also an incident that will later receive wide publicity in the media.
The reasons for the threat are in the abundance of errors in the code of software products. Imperfection or complete non-observance of the requirements of safe programming, banal human inattention in this process provide all the necessary conditions for initializing the life cycle of malicious software that uses the exploit as its delivery to the recipient and further distribution. That is why it is necessary to combat the threat with complex security measures at the level of special software solutions offered by vendors of the antivirus industry. Consider the technologies to combat exploits on the side of end users, provided by the leading representatives of the Russian anti-virus market (according to an analysis of the anti-virus protection market in Russia 2010-2012).
')
While Microsoft is seeking universal ways to combat exploits at the operating system level ( ASLR and DEP technologies have not been sufficiently sophisticated in combating new exploitation tools), by announcing fees to developers, Kaspersky Lab goes in this direction in its own ways, one of the first to announce the technology of “automated protection against exploits”, which, based on the specialized tests of independent analysts of the MRG Effitas laboratory, demonstrates impressive results.
The results of testing technology "Automatic Exploit Prevention"
It is difficult to call this testing completely “independent” because it was initiated by Kaspersky Lab, which means that “innovation”, for obvious temporary reasons, had no analogues at the time of the tests.
The testing methodology was to use the Metasploit framework and the set of exploits it provides based on vulnerabilities for which there was no patch from the official vendor at that time (the so-called “zero-day vulnerability”). A system was considered to be protected if the initialization of its payload was blocked during the launch of the exploit.
The technology “ Automatic protection against exploits ” (the second name - AEP ) is based on the behavioral analysis of already known instances of this type of malware, as well as data on the current state of applications that are in the “risk” zone and are receiving great attention from intruders. AEP also enhances the built-in address space randomization (ASLR) tools of the Windows operating system. Combined with traditional protection methods, such as signature analysis, content filtering and cloud services, in real-world conditions this technology has even greater potential to repel attacks based on exploitation of vulnerabilities in third-party software.
The second in terms of market share in Russia, the representative of the antivirus industry does not make direct statements about the fight against exploits, but distributes this highly specialized function according to the technologies of ESET Live Grid, ESET ThreatSense and ESET ThreatSense.Net. The first is a distributed analytical center that collects data on the operating parameters of the target information system and the suspicious processes taking place in it, and builds a risk assessment of each running application based on the reputation system.
The technology “ThreatSense” is an advanced heuristic technology that directly combats the initialization of the payload during the exploitation of a vulnerability. Using the results of heuristic methods in conjunction with the results of emulation (technology, also known as sandbox) and signature-based methods for detecting malicious code, antivirus software decides whether there are any infection attempts. The effectiveness of ThreatSense and advanced heuristics is demonstrated by the scramble reports provided by the independent IT security institute AV-TEST: in the “Protection” section (this section of the report determines the software’s ability to protect the workstation from the initial phase of the malware’s life cycle ) The antivirus has successfully identified 90% of the exploit instances using the “Zero-day vulnerability”. Noteworthy is the fact that the anti-virus solution of Kaspersky Lab, which was certified by AV-TEST during the same time interval (September-October 2012), successfully determined 98% of the instances of the same set of exploits.
Symantec is a pioneer in the use of cloud infrastructure to protect against virus threats. The so-called “SONAR protection” (Symantec Online Network for Advanced Response) is designed to prevent the consequences of exploiting 0day vulnerabilities by using behavioral analysis of targeted applications and a rating system for assessing the level of danger. One of the key factors in the implementation of this technology is an indicator of the level of community trust (Norton Community Watch). The results of the statistical data obtained from the single user knowledge base of Norton Community Watch significantly influence the decision of the anti-virus application about the belonging of a file to the malicious environment.
The “AV-TEST” certification report on the latest version of Symantec Norton Internet Security 2013 demonstrates the effectiveness of SONAR version 4.0 protection in 96% of attacks aimed at exploiting zero-day vulnerabilities, vectors of which were web applications containing malicious code and e-mail. The data contained in the “Protection” section of this report also allows us to conclude about the speed of updating information on new samples of malicious code in the cloud-based knowledge base: none of the products competing in the Russian segment showed 100% protection against known instances of malware 2-3 months. Remarkable is the fact that the SONAR cloud infrastructure was in second place in terms of productivity in the fight against exploits, which was organized by MRG Effitas, and showed the second result in testing after the AEP technology from Kaspersky Lab.
Less than 13% of the anti-virus protection market in Russia is shared by such vendors as Doctor Web, Trend Micro, McAfee and other players. There have not been any direct statements or announcements of anti-exploit technologies from the above companies in the last year in the media, however, the product Panda Cloud Antivirus, whose sales in the Russian segment do not even fall within the margin of error, since version 2.1 has counter mechanisms in place with this type of threat.
The cloud knowledge base, where each user can contribute, resembles the above-described Symantec SONAR infrastructure. The Panda Security technology based on a distributed environment currently, according to data from AV-TEST reports, demonstrates its ability to detect 0day exploits on average only in 80-85% of attacks, depending on the version of its product. Perhaps these numbers are associated with a small but steadily growing base of user sensors that the technology relies on.
The developers of the antivirus industry are especially acutely aware of the sophistication of modern attacks and are forced to provide their products with comprehensive protection tools, literally turning the outdated term “antivirus” into a “client-side information security software package”.
The development of so-called “targeted persistent threats” ( Advanced Persistent Threat , APT) now also affects end-users. And, as practice shows, the implementation of any even currently unknown technology of infection of the target information system begins with the exploitation of zero-day vulnerabilities. It is at this stage that the developers of LC offer to cut the head of the "snakes", known as APT. This idea is supported by other major players in this market, gradually introducing "anti-exploit" in their products. However, if you look at this problem from a different angle, from the point of view of the attacking side, then a number of problems lagging behind with the “panacea for exploits” become noticeable.
First, who said that anti-virus software does not contain 0day vulnerabilities? The human factor, cunningly distributing errors in the program code, takes place in the process of developing any serious product, and therefore the threats described in this material are applicable to the antivirus itself. In addition, history knows such examples of compromising the user system through errors in the means of ensuring its protection.
Secondly, the idea of crowdsourcing (solution of a complex task by an unlimited number of people) in the antivirus industry leads to the problems of related technologies: transferring data to the “cloud” from each client, reputational rating system, and so on. For example, the tendency to trust data about suspicious files that users send (and in some products and independently evaluate) users can go sideways for developers: an attacker who has numerous botnets in his resources and who knows the anti-virus data exchange protocol with the cloud can information noise in the reputation of a file. The consequences of such actions are obvious.
The built-in tools of the user operating systems of the Windows family for combating the exploitation of zero-day vulnerabilities do not cope with current versions of malicious code being written by skilled attackers. The DEP protection techniques (data execution prevention) and ASLR (address space randomization technology) are successfully used in new types of exploits, and it becomes obvious that this threat needs to be addressed with anti-virus protection tools. However, the fact that vulnerabilities are found in the means providing protection against them also leads to the following conclusion that protection against exploits is, above all, a continuous process.
The task of ensuring the information security of the user from the exploitation of vulnerabilities in his information environment is solved only with the help of an integrated approach. The antivirus industry solves this problem by monitoring using multiple sensors and thereby blocking the initialization of payload penetration vectors in the target system, and the use of cloud infrastructure helps protection developers stay “in trend” with application vulnerabilities as well as representatives of the cybercrime market.
www.anti-malware.ru/russian_antivirus_market_2010_2012 - Antivirus Protection Market Analysis in Russia 2010-2012
www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf - Cisco 2011 Annual Security Report
www.mrg-effitas.com/wp-content/uploads/2012/06/MRG-Effitas-Exploit-Prevention-Test1.pdf - Comparative Assessment of Kaspersky Internet Security 2013 (MRG Effitas)
www.kaspersky.ru/downloads/pdf/technology_auto_protection_from_exploit.pdf - “Automatic protection against exploits”
www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=123613 - AV-TEST Product Review and Certification Report (Kaspersky Internet Security)
www.esetnod32.ru/company/why/technology - ESET Technologies
blog.eset.com/2012/12/13/advanced-heuristics - Advanced Heuristics (ESET)
www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=123651 - AV-TEST Product Review and Certification Report (Eset Smart Security)
www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=v26386563_N360_N360OEM_6_ru_ru&product=home&pvid=f-home&version=1&lg=en&ct=us - SONAR protection (Symantec Nonononononononononononacton==&&&==&&==== – SONAR protection (Symantec Nononononacton=onme.version=home=ver2
community.norton.com/t5/Norton-Protection-Blog/What-s-New-in-Norton-Internet-Security-2012/ba-p/433160 - Norton Protection Blog
www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=123662 - AV-TEST Product Review and Certification Report (Symantec Norton Internet Security)
www.viruslab.ru/products/detail.881.html - Panda Security cloud technology
www.av-test.org/en/tests/home-user/producer/panda - AV-TEST Product Review and Certification Reports (Panda Cloud Antivirus Free)
This material reflects only the point of view of the author and is not related to the opinion and position of his current employer.
BCG-matrix of the cybercrime market
Exploit is a tool for organizing the initial stage of the malware life cycle. The result of the use of vulnerabilities in software can be not only the stable development of a botnet, but also an incident that will later receive wide publicity in the media.
The reasons for the threat are in the abundance of errors in the code of software products. Imperfection or complete non-observance of the requirements of safe programming, banal human inattention in this process provide all the necessary conditions for initializing the life cycle of malicious software that uses the exploit as its delivery to the recipient and further distribution. That is why it is necessary to combat the threat with complex security measures at the level of special software solutions offered by vendors of the antivirus industry. Consider the technologies to combat exploits on the side of end users, provided by the leading representatives of the Russian anti-virus market (according to an analysis of the anti-virus protection market in Russia 2010-2012).
')
Kaspersky Internet Security
While Microsoft is seeking universal ways to combat exploits at the operating system level ( ASLR and DEP technologies have not been sufficiently sophisticated in combating new exploitation tools), by announcing fees to developers, Kaspersky Lab goes in this direction in its own ways, one of the first to announce the technology of “automated protection against exploits”, which, based on the specialized tests of independent analysts of the MRG Effitas laboratory, demonstrates impressive results.
The results of testing technology "Automatic Exploit Prevention"
It is difficult to call this testing completely “independent” because it was initiated by Kaspersky Lab, which means that “innovation”, for obvious temporary reasons, had no analogues at the time of the tests.
The testing methodology was to use the Metasploit framework and the set of exploits it provides based on vulnerabilities for which there was no patch from the official vendor at that time (the so-called “zero-day vulnerability”). A system was considered to be protected if the initialization of its payload was blocked during the launch of the exploit.
The technology “ Automatic protection against exploits ” (the second name - AEP ) is based on the behavioral analysis of already known instances of this type of malware, as well as data on the current state of applications that are in the “risk” zone and are receiving great attention from intruders. AEP also enhances the built-in address space randomization (ASLR) tools of the Windows operating system. Combined with traditional protection methods, such as signature analysis, content filtering and cloud services, in real-world conditions this technology has even greater potential to repel attacks based on exploitation of vulnerabilities in third-party software.
ESET Smart Security
The second in terms of market share in Russia, the representative of the antivirus industry does not make direct statements about the fight against exploits, but distributes this highly specialized function according to the technologies of ESET Live Grid, ESET ThreatSense and ESET ThreatSense.Net. The first is a distributed analytical center that collects data on the operating parameters of the target information system and the suspicious processes taking place in it, and builds a risk assessment of each running application based on the reputation system.
The technology “ThreatSense” is an advanced heuristic technology that directly combats the initialization of the payload during the exploitation of a vulnerability. Using the results of heuristic methods in conjunction with the results of emulation (technology, also known as sandbox) and signature-based methods for detecting malicious code, antivirus software decides whether there are any infection attempts. The effectiveness of ThreatSense and advanced heuristics is demonstrated by the scramble reports provided by the independent IT security institute AV-TEST: in the “Protection” section (this section of the report determines the software’s ability to protect the workstation from the initial phase of the malware’s life cycle ) The antivirus has successfully identified 90% of the exploit instances using the “Zero-day vulnerability”. Noteworthy is the fact that the anti-virus solution of Kaspersky Lab, which was certified by AV-TEST during the same time interval (September-October 2012), successfully determined 98% of the instances of the same set of exploits.
Norton internet security
Symantec is a pioneer in the use of cloud infrastructure to protect against virus threats. The so-called “SONAR protection” (Symantec Online Network for Advanced Response) is designed to prevent the consequences of exploiting 0day vulnerabilities by using behavioral analysis of targeted applications and a rating system for assessing the level of danger. One of the key factors in the implementation of this technology is an indicator of the level of community trust (Norton Community Watch). The results of the statistical data obtained from the single user knowledge base of Norton Community Watch significantly influence the decision of the anti-virus application about the belonging of a file to the malicious environment.
The “AV-TEST” certification report on the latest version of Symantec Norton Internet Security 2013 demonstrates the effectiveness of SONAR version 4.0 protection in 96% of attacks aimed at exploiting zero-day vulnerabilities, vectors of which were web applications containing malicious code and e-mail. The data contained in the “Protection” section of this report also allows us to conclude about the speed of updating information on new samples of malicious code in the cloud-based knowledge base: none of the products competing in the Russian segment showed 100% protection against known instances of malware 2-3 months. Remarkable is the fact that the SONAR cloud infrastructure was in second place in terms of productivity in the fight against exploits, which was organized by MRG Effitas, and showed the second result in testing after the AEP technology from Kaspersky Lab.
Other industry representatives
Less than 13% of the anti-virus protection market in Russia is shared by such vendors as Doctor Web, Trend Micro, McAfee and other players. There have not been any direct statements or announcements of anti-exploit technologies from the above companies in the last year in the media, however, the product Panda Cloud Antivirus, whose sales in the Russian segment do not even fall within the margin of error, since version 2.1 has counter mechanisms in place with this type of threat.
The cloud knowledge base, where each user can contribute, resembles the above-described Symantec SONAR infrastructure. The Panda Security technology based on a distributed environment currently, according to data from AV-TEST reports, demonstrates its ability to detect 0day exploits on average only in 80-85% of attacks, depending on the version of its product. Perhaps these numbers are associated with a small but steadily growing base of user sensors that the technology relies on.
Two sides of the same coin
The developers of the antivirus industry are especially acutely aware of the sophistication of modern attacks and are forced to provide their products with comprehensive protection tools, literally turning the outdated term “antivirus” into a “client-side information security software package”.
The development of so-called “targeted persistent threats” ( Advanced Persistent Threat , APT) now also affects end-users. And, as practice shows, the implementation of any even currently unknown technology of infection of the target information system begins with the exploitation of zero-day vulnerabilities. It is at this stage that the developers of LC offer to cut the head of the "snakes", known as APT. This idea is supported by other major players in this market, gradually introducing "anti-exploit" in their products. However, if you look at this problem from a different angle, from the point of view of the attacking side, then a number of problems lagging behind with the “panacea for exploits” become noticeable.
First, who said that anti-virus software does not contain 0day vulnerabilities? The human factor, cunningly distributing errors in the program code, takes place in the process of developing any serious product, and therefore the threats described in this material are applicable to the antivirus itself. In addition, history knows such examples of compromising the user system through errors in the means of ensuring its protection.
Secondly, the idea of crowdsourcing (solution of a complex task by an unlimited number of people) in the antivirus industry leads to the problems of related technologies: transferring data to the “cloud” from each client, reputational rating system, and so on. For example, the tendency to trust data about suspicious files that users send (and in some products and independently evaluate) users can go sideways for developers: an attacker who has numerous botnets in his resources and who knows the anti-virus data exchange protocol with the cloud can information noise in the reputation of a file. The consequences of such actions are obvious.
Summary
The built-in tools of the user operating systems of the Windows family for combating the exploitation of zero-day vulnerabilities do not cope with current versions of malicious code being written by skilled attackers. The DEP protection techniques (data execution prevention) and ASLR (address space randomization technology) are successfully used in new types of exploits, and it becomes obvious that this threat needs to be addressed with anti-virus protection tools. However, the fact that vulnerabilities are found in the means providing protection against them also leads to the following conclusion that protection against exploits is, above all, a continuous process.
The task of ensuring the information security of the user from the exploitation of vulnerabilities in his information environment is solved only with the help of an integrated approach. The antivirus industry solves this problem by monitoring using multiple sensors and thereby blocking the initialization of payload penetration vectors in the target system, and the use of cloud infrastructure helps protection developers stay “in trend” with application vulnerabilities as well as representatives of the cybercrime market.
List of used sources
www.anti-malware.ru/russian_antivirus_market_2010_2012 - Antivirus Protection Market Analysis in Russia 2010-2012
www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf - Cisco 2011 Annual Security Report
www.mrg-effitas.com/wp-content/uploads/2012/06/MRG-Effitas-Exploit-Prevention-Test1.pdf - Comparative Assessment of Kaspersky Internet Security 2013 (MRG Effitas)
www.kaspersky.ru/downloads/pdf/technology_auto_protection_from_exploit.pdf - “Automatic protection against exploits”
www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=123613 - AV-TEST Product Review and Certification Report (Kaspersky Internet Security)
www.esetnod32.ru/company/why/technology - ESET Technologies
blog.eset.com/2012/12/13/advanced-heuristics - Advanced Heuristics (ESET)
www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=123651 - AV-TEST Product Review and Certification Report (Eset Smart Security)
www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=v26386563_N360_N360OEM_6_ru_ru&product=home&pvid=f-home&version=1&lg=en&ct=us - SONAR protection (Symantec Nonononononononononononacton==&&&==&&==== – SONAR protection (Symantec Nononononacton=onme.version=home=ver2
community.norton.com/t5/Norton-Protection-Blog/What-s-New-in-Norton-Internet-Security-2012/ba-p/433160 - Norton Protection Blog
www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=123662 - AV-TEST Product Review and Certification Report (Symantec Norton Internet Security)
www.viruslab.ru/products/detail.881.html - Panda Security cloud technology
www.av-test.org/en/tests/home-user/producer/panda - AV-TEST Product Review and Certification Reports (Panda Cloud Antivirus Free)
This material reflects only the point of view of the author and is not related to the opinion and position of his current employer.
Source: https://habr.com/ru/post/167779/
All Articles