

“IT” Infrastructure Protection From Malicious Codes and Malware Protection System using controlled environment

Seema Khanna, National Informatics Centre, New Delhi, India, [email protected]

Harish Chaudhry, Department of Management Studies, Indian Institute of Technology, New Delhi, India, [email protected]

Gundeep Singh Bindra, Department of Computer Science, Columbia University, New York, USA, [email protected]

Abstract—In today’s world the number of malicious codes/programs and other unwanted programs may exceed that of legitimate software applications. This paper aims to help stop unauthorized access by other computer users, as well as the automated spread of malicious scripts and software, by providing information that addresses a gap in the field, since malware issues are common in computer security today. Organizations struggle to understand the malware they encounter, and this work intends to increase awareness and understanding of the various malicious codes that users throughout the world receive via the Internet or e-mail. Effective deployments and various control measures at the user and organizational level are also suggested. This conceptual paper is expected to contribute to future research on similar and related topics as a spin-off from this study.

Keywords—IT; malicious codes; malware; controlled environment; security

I. INTRODUCTION

Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the same time, in common with instant messaging. Today's email systems are based on a store-and-forward model. Email servers accept, forward, deliver and store messages.[1] Email is usually considered to be a one-to-one communication medium, but at the Internet Service Provider (ISP) level, many email flows are mailing-lists (one-to-many) or forwarded traffic (many-to-one). However, the literature contains few, if any, quantitative measures of what is meant by "many".[2]

A. Malware

Malware[3], short for malicious software, is software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software.[4] 'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.[5]

B. Malware Analysis Service

Challenges in defending against inbound threats include destination URL security analysis ("is this link in email to a bad site"), page analysis ("does the page this URL is about to open contain hostile scripts, code, or credential requests"), and attachment file security analysis ("is this linked or attached file dangerous to open").

Legacy approaches to such security analysis systems rely largely on signature-based techniques (comparing the URL IP address or file against a database of "known bad" IPs or files) or by "sandboxing" the attachment file (downloading it and allowing it to execute in an isolated virtual machine).

Unfortunately, IPs may not have a reputation for a period of days to weeks after setup; “known bad” attachment file comparisons are easily defeated by slight changes in file structure; and sandboxing techniques often require isolated, on-premises appliances that notify administrators of an issue only after users have downloaded malicious attachment files, can suffer occasional misses, and do little to protect remote or mobile users outside the corporate firewall.

II. STATISTICS

Fig. 1 shows where most malicious code is being hosted in the world.[6]

Figure 1. World Malware Map - July 2012 [6]

The AV-TEST Institute registers over 55,000 new malicious programs every day. These are examined using the analysis tools Sunshine and VTEST, classified according to their characteristics and saved. Visualization programs then transform the results into diagrams that can be updated and produce current malware statistics.[7]

Advances in Remote Sensing, Finite Differences and Information Security

ISBN: 978-1-61804-127-2 206

Fig. 2 indicates that over the last two years malware attacks have nearly doubled, reaching a peak of 80,000,000 attacks.

Figure 2. Malware Analysis over Last 10 years [6]

The following statistics were compiled in April using data collected from computers running Kaspersky Lab products:[8]

• 280 million malicious programs were detected and neutralized;

• 134 million (48% of all threats) web-borne infections were prevented;

• More than 24 million malicious URLs were detected.

III. PROBLEM STATEMENT

Email and the web have revolutionized business communications. Together they are the most prominent and arguably the most critical business applications in the world. It is imperative, therefore, that they be protected in a comprehensive manner.

Complicating matters is the fact that high penetration and usage rates have made email and web technologies very attractive targets for intrusions of all types. Everything from conventional file-infecting viruses, mass-mailing worms, spam, and denial-of-service attacks to increasingly elaborate and aggressive phishing techniques and blended threats needs to be addressed.

Virus writers are becoming craftier and more numerous every year, resulting in huge losses for organizations around the world. Phishing is up and becoming more automated. Email/directory harvesting attacks are an everyday affair.

A. Are we doing our best to handle this threat?

With the use of e-mail continually increasing, the need for protection has never been more evident. All organizations and individuals with computers or networks connected to the Internet are vulnerable to malicious code and viruses. While many individuals and organizations routinely install anti-virus software and dutifully update it on a regular basis, this protection is often ineffective against the "new breed" of malicious code (viruses, worms, and Trojans) that is released into the "wild" each day.

To defend an organization from modern-day digital disease, one must now employ a proactive, first-strike approach to defense, and organizations the world over must immediately take a more vigilant stance in protecting their computers and networks from digital disaster. Undeniably, the greatest asset and weapon in preventing a virus attack is knowledge. Knowing how viruses and malicious code infiltrate computer systems, how they affect those systems, and how they ultimately spread and cause exponentially more damage is a necessity, not a luxury. In order to engage in combat with technologically savvy virus creators in the new millennium, a new, more comprehensive approach to protection must be adopted.

These new malware-writing techniques further reinforce the fact that the only way to completely protect the computers on a network is through a defense-in-depth methodology. Defense in depth does not rely on just one method, system or application, but builds in multiple layers of protection. The use of anti-virus, anti-spyware or even a single-engine anti-malware solution alone will not be able to completely prevent such outbreaks. In order to launch an effective attack against this invasion, an in-depth knowledge base is a prerequisite. The concepts, and how the threats operate, need to be understood.

B. Are we clear on the damage it can do?

Malicious code is any program that acts in unexpected and potentially damaging ways. Common types of malicious code are viruses, worms, Trojan horses, monitoring programs such as spyware, and cross-site scripts. Malicious code can:

• Replicate itself within a computer and transmit itself between computers.

• Change, delete, or insert data, transmit data outside the institution, and insert backdoors into organization systems.

• Attack organizations at either the server or the client level.

• Attack routers, switches, and other parts of the organizational infrastructure.

Malicious code can also monitor users in many ways, such as logging keystrokes and transmitting screenshots to the attacker.

IV. THE CHANGING NATURE OF MALWARE ATTACKS

Malware attacks are changing from the initial days of viruses being created and let loose on the Internet. The nature of these changes is summarized in five characteristics below.

A. Malware attacks are much more focused and sophisticated

Gone are the old random-style attacks. Today’s malware is focused on specific organizations or users with specific behavior patterns. It largely depends on who the organization is or what the user does, what sites are accessed online, whether material is downloaded from risky sites, how careful he/she is about downloading files attached to emails, and similar issues. The traditional “one solution fits all” approach to stopping attacks is no longer applicable.


B. Malware changes its code constantly

The latest viruses are designed to avoid detection by AV engines by automatically changing or mutating every day and every time they send themselves out. Anti-virus vendors either have to use performance-hungry and error-prone heuristics or must create a new signature for each mutation.

C. Some malware removers are actually malware

This ‘greyware’ represents a deceitful trap for users. Some Web sites are rumored to have deals in place with malware authors. For example, when someone accesses the site they get a fake error message that his/her system is compromised and are urged to click a link and download a “test utility” to scan it. This “test utility” is usually a piece of spyware disguised as a seemingly benign system cleaner or something similar.

D. Standard antivirus programs are often ineffective

Malware designers constantly test their creations against Trend Micro, Norton, McAfee, and other popular anti-virus and anti-spyware systems, so they know those programs will not detect their malware during the zero hour when it is first released. By the time the vendors catch up, the damage is done, and the bad guys change their code to make it undetectable again.

V. EFFECTIVE DEPLOYMENTS TO PREVENT MALICIOUS CODE

Typical preventive measures to protect against malicious code use technology, policies, procedures, and training, all applied in a layered manner from the perimeter inward to hosts, data and servers. The controls are of the preventive and detective/corrective variety. Controls are applied at the host, network, and user levels.

The protection suite can be elaborated under the following heads:

1) Anti-Malware (Anti-Virus and Anti-Spyware also)
2) URL Blocking and Content Scanning
3) Host-Based Intrusion Prevention
4) Patch Management
5) Network Access Control/End-Point-Compliance

It can be explained by the following:

Figure 3. Multi-layered Protection system from Malicious Code

A. Anti-Malware (Includes Anti-Virus and Anti-Spyware)

Anti-Malware can be implemented by ensuring that the four aspects that govern it are addressed. Whether they are part of an integrated solution or stand-alone, they must all be properly implemented to be effective. The four aspects of Anti-Malware are Anti-Virus, Anti-Spyware, Anti-Spam and a HIPS (Host-based Intrusion Prevention System) component that includes a Personal Firewall. The following needs to be done for effective control and administration:

1) Policies:

• Force anti-malware solutions to be resident and active on all computers

• Lock down anti-malware policies so users can’t disable them or stop scans and updates, implying that a user does not have administrator privileges

• Verify that all computers receive all product updates and signatures

• Push signature updates out to all clients and servers daily

• Block all non-essential ports from both incoming and outgoing connections at the clients/server

2) Scans:

• Set up regular, daily and weekly scans for anti-virus and anti-spyware applications

B. URL Blocking and Content Scanning

Previously the two areas of URL blocking and content scanning were managed separately. In recent years they have merged, and as a result most solution providers now do both. Content scanning involves a gateway solution that inspects all incoming attachments and can block malicious or unwanted content based on the type of file, size and kind of attachment, or even by keywords. URL blocking will deny access based either on the contents of the site or on a scan for possibly dangerous conditions unknown to the end user. Many URL blocking systems today can also deny access to websites that are known to infect visitors.
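The following is an added example, not code from the paper, that puts the two attachment-analysis layers described above (the "known bad" hash signature of Section I.B and the content-scanning rules of Section V.B) side by side on a constructed email. All filenames, payloads, hashes and policy values are constructed for the example; it also shows why a hash signature alone is weak, since appending a single byte to the known-bad sample defeats the lookup while the type and magic-byte rules still catch it.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed gateway policy (hypothetical values, not from the paper).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".jar")
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024
SUSPICIOUS_KEYWORDS = (b"powershell -enc", b"cmd.exe /c")
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")   # PE and ELF headers, whatever the file is named

# Constructed "known bad" sample and its SHA-256 signature (not real malware).
KNOWN_BAD_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed sample for the example"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}


def sha256_is_known_bad(data: bytes) -> bool:
    """Signature layer: exact hash lookup. Any byte change to the file defeats it."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def content_scan(filename: str, data: bytes) -> list:
    """Content-scanning layer: rules on file type, size, magic bytes and keywords."""
    findings = []
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        findings.append("blocked-extension")
    if len(data) > MAX_ATTACHMENT_BYTES:
        findings.append("oversize")
    if data.startswith(EXECUTABLE_MAGIC):        # catches renamed executables
        findings.append("executable-magic")
    if any(k in data.lower() for k in SUSPICIOUS_KEYWORDS):
        findings.append("suspicious-keyword")
    return findings


def scan_message(raw: bytes) -> dict:
    """Run both layers over every attachment; return {name: {"verdict", "reasons"}}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        reasons = ["known-bad-hash"] if sha256_is_known_bad(data) else []
        reasons += content_scan(name, data)
        results[name] = {"verdict": "block" if reasons else "allow", "reasons": reasons}
    return results


def build_message(attachments: dict) -> bytes:
    """Construct a sample email carrying the given {filename: bytes} attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample message"
    msg.set_content("See attached.")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Known-bad file, the same file with one byte appended, and a benign note.
    raw = build_message({"invoice.pdf": KNOWN_BAD_PAYLOAD,
                         "invoice2.pdf": KNOWN_BAD_PAYLOAD + b"\x00",
                         "notes.txt": b"quarterly notes"})
    for name, result in scan_message(raw).items():
        print(name, result)
```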

C. Host-Based Intrusion Prevention (HIPS)

HIPS work at the host, or individual computer, level. They look at incoming network traffic as well as local logons to the machine to determine if the connections should be allowed. Because HIPS systems can be implemented locally and managed as groups, they have become a much easier and faster solution to block both known and suspected malicious activity.[9]

D. Patch Management

It is mandatory to keep a corporate computer updated with the latest operating system security updates, application patches and browser patches. It is a difficult proposition for most organizations, considering that most do not have the luxury of a homogeneous IT environment of just one type of computer with just one OS level. Most deal with literally hundreds of combinations of computer hardware, OS, applications and versions, as well as configurations.


E. Network Access Control/End-point Compliance

Network Access Control (NAC), also called Network Admission Control, is a fairly recent development in the protection of IT through the regulation of connections from end-user systems. NAC or end-point compliance is a method of increasing network security for a closed IT environment by requiring authentication, authorization and security compliance before allowing a connection on the corporate network. NAC can also control or restrict what a user can do once they are on the network. The typical NAC scenario is to check the authentication of a user and verify that the system is up-to-date with all operating system, browser and application patches, as well as anti-virus and anti-spyware updates, before allowing a controlled connection on the IT network.

Network access control (NAC)[10] solutions enable organizations to reduce vulnerabilities by defining and managing security policies and deployment of anti-malware solutions, and introducing assessment capabilities and enforcement methods to control access to the network. The best NAC solutions permit regulated access for known and secure/compliant users while also disabling or controlling the use of high-risk applications on those users’ computers. Additionally, leading NAC solutions can be configured to prevent or quarantine access by unauthorized or unknown computers. Although most users do not have malicious intentions, unauthorized computers pose a big security risk to organizations.

It can be configured to ensure access controls for roaming users also and works very effectively for rogue mobile devices including laptops, if connected to an organization’s network.
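As an added illustration of the NAC scenario described in this section (not code from the paper or from any NAC product), the evaluator below takes an endpoint's posture report and returns deny, quarantine or allow together with the reasons, so that unknown or non-compliant machines are held on a remediation network rather than admitted. The thresholds, device inventory and patch identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy thresholds (hypothetical values, not from the paper or any product).
MAX_SIGNATURE_AGE = timedelta(days=1)          # signatures are pushed daily (Section V.A)
REQUIRED_PATCH_LEVEL = {"os": 20120701, "browser": 20120701}   # constructed build ids
KNOWN_DEVICES = {"LAPTOP-0042", "WS-0101"}     # constructed asset inventory


@dataclass
class Endpoint:
    """Posture report a NAC agent would submit before the connection is admitted."""
    device_id: str
    authenticated: bool
    av_resident: bool
    signature_date: date
    patch_level: dict = field(default_factory=dict)


def evaluate(ep: Endpoint, today: date) -> tuple:
    """Return (decision, reasons): deny, quarantine (remediation network) or allow."""
    if not ep.authenticated:
        return "deny", ["not-authenticated"]
    reasons = []
    if ep.device_id not in KNOWN_DEVICES:
        reasons.append("unknown-device")           # unauthorized computer: quarantine
    if not ep.av_resident:
        reasons.append("anti-malware-not-resident")
    if today - ep.signature_date > MAX_SIGNATURE_AGE:
        reasons.append("stale-signatures")
    for component, required in REQUIRED_PATCH_LEVEL.items():
        if ep.patch_level.get(component, 0) < required:
            reasons.append(f"unpatched-{component}")
    return ("quarantine", reasons) if reasons else ("allow", reasons)


def demo(today: date = date(2012, 7, 15)) -> dict:
    """Evaluate four constructed endpoints; returns {device_id: (decision, reasons)}."""
    current = {"os": 20120701, "browser": 20120701}
    endpoints = [
        Endpoint("LAPTOP-0042", True, True, today, current),                 # compliant
        Endpoint("WS-0101", True, True, today - timedelta(days=3), current),  # old signatures
        Endpoint("BYOD-7", True, False, today, {"os": 20120701}),             # unknown device
        Endpoint("WS-0200", False, True, today, current),                    # no credentials
    ]
    return {ep.device_id: evaluate(ep, today) for ep in endpoints}


if __name__ == "__main__":
    for device, (decision, reasons) in demo().items():
        print(f"{device}: {decision} {reasons}")
```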

VI. BEST DEFENSE AGAINST ALL ATTACKS

While technology plays a key role in organizational protection from malware, it needs to be part of a more comprehensive approach that involves user education and policies. Time invested in educating the user pays huge dividends. Updating a system is less time-consuming than updating a human, but the latter is the more promising option. The major vulnerability and hole in the best-laid defense is a weak user base.

An education and training plan for all levels of the organization, including administrators, end-users, and developers, on their role and responsibility for information security within the organization is one of the foremost strategies to prevent malware attacks. Effective response to a policy violation and ensuring policy enforcement is the best business continuity plan for any organization.

VII. ENFORCING A MALWARE ANALYSIS SANDBOX

A Malware Analysis Service should use a combination of IP analysis, page analysis, sandboxing, big data analysis, and URL rewriting, performed entirely in the cloud, to ensure that each time a user clicks a link, the resulting URL payload is inspected, regardless of whether that payload is a web page or attachment file, regardless of user location, and before malware has the opportunity to take effect.

A Malware Analysis Service dramatically increases an organization's ability to defend against targeted attacks and email-borne drive-by downloads. GFI Sandbox [11] enables cyber-security professionals to test files and URLs for potential threats within a controlled environment so they can deploy and implement appropriate defenses when advanced malware and sophisticated cyber-attacks are discovered.

VIII. CONCLUSION

While anti-malware protection is still a major component of an in-depth defense strategy, IT professionals must continue to address malicious code on all fronts. Resilient software, continuous updates, policy enforcement, and especially education are all key to a successful anti-malware strategy. We need to understand that the evolution of malware has created a dynamic and unique security challenge for system and network administrators. In order to ensure healthy information traffic, the administrator needs to display an ability to integrate a heuristic and proactive approach, which results in greater reliability, increased protection and high system availability.

As mentioned, organizations that are firmly committed to security will be resilient to attack, reduce the risk of data compromise, and protect sensitive data and reputation.[12]

ACKNOWLEDGMENT

Recognition is due to many people for their suggestions and encouragement; to attempt to name each would run the very real risk of excluding one or more. A big thank you to all my seniors for their specific advice and counsel. It would not be out of place to thank all the authors and researchers whose work I have consulted.

REFERENCES

[1] Wikipedia, “Email”. http://en.wikipedia.org/wiki/Email

[2] Richard Clayton, “Email Traffic: A Quantitative Snapshot”.

[3] Wikipedia, “Malware”. http://en.wikipedia.org/wiki/Malware

[4] US-CERT Control Systems Security Center, “An Undirected Attack Against Critical Infrastructure - A Case Study for Improving Your Control System Security”, Case Study Series: Vol 1.2. http://www.us-cert.gov/control_systems/pdf/undirected_attack0905.pdf

[5] “Malware: FAQ”. technet.microsoft.com. Retrieved 2009-09-10.

[6] Trustwave, “Malware Statistics: World Malware Map – July 2012”. https://www.trustwave.com/support/labs/malware-statistics.asp

[7] AV-Test – Independent IT-Security Institute, “Total Malware”. http://www.av-test.org/en/statistics/malware/

[8] Securelist, “Monthly Malware Statistics: April 2012”. http://www.securelist.com/en/analysis/204792228/Monthly_Malware_Statistics_April_2012/

[9] Securigy, “HIPS: Host-Based Intrusion Prevention Systems”. http://www.securigy.com/hips.html

[10] Sophos, “Sophos NAC Advanced”. http://www.sophos.com/en-us/products/endpoint/nac-advanced.asp

[11] GFI, “Malware Analysis with GFI Sandbox”. http://www.gfi.com/malware-analysis-tool

[12] Trustwave SpiderLabs, “2011 Global Security Statistics and Trends”. https://buildsecurityin.us-cert.gov/swa/presentations_032011/CharlesHenderson-2011GlobalSecurityStatsAndTrends.pdf