Malware Protection. Wavecrest’s Web-use management products protect against productivity loss, legal liability, bandwidth abuse, and malware threats. Before discussing how we counter the last issue, i.e., malware threats, let's take a look at some background information on the subject of malware itself.
Defining Malware. Malware is a general term used to refer to a variety of forms of hostile or intrusive software. Generically, it is software used or created by attackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems.
Malware Variations. Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, adware, malicious Browser Helper Objects (BHOs), and other malicious programs. The majority of active malware threats are usually worms or Trojans rather than viruses. Malware can appear in the form of code, scripts, active content, and other software. (Note: For our purposes “malware” also includes Web sites that advocate, encourage, or support hacking.)
Spyware. Another category of malware has emerged, called spyware. These programs are designed to monitor users' Web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses. Instead, they are generally installed by exploiting security holes. They can also be packaged together with user-installed software, such as peer-to-peer applications.
Malware Targets. Malware is sometimes used broadly against government or corporate Web sites to collect (read “steal”) guarded information or to disrupt their operation in general. Left unguarded, networked computers are at considerable risk from these threats.
Malware Uses. Many early infectious programs, including the first Internet Worm, were written as experiments or pranks. Since the rise of widespread broadband Internet access, malicious software has more frequently been designed for profit. Today, malware is used primarily to steal sensitive personal, financial, or business information for the benefit of others.
Malware Methodology. Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie" computers are used to send e-mail spam, host contraband data such as child pornography, or engage in distributed denial-of-service (DDoS) attacks as a form of extortion.
Spreading. The best-known types of malware, viruses and worms, are distinguished by the manner in which they spread rather than by any specific behavior. The term "computer virus" is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. A worm, on the other hand, is a program that actively transmits itself over a network to infect other computers. These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically.
Virus or Worm? Using this distinction, infections transmitted by e-mail or Microsoft Word documents, which rely on the recipient opening a file or e-mail to infect the system, would be classified as viruses rather than worms. Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably.
Exploiting Security Defects. Malware exploits security defects (security bugs or vulnerabilities) in the design of the operating system, in applications such as browsers, or in old versions of browser plug-ins such as Adobe Flash Player, Adobe Acrobat/Reader, or Java. Sometimes even installing new versions of such plug-ins does not automatically uninstall old versions. Security advisories from such companies announce security-related updates. Common vulnerabilities are assigned Common Vulnerabilities and Exposures (CVE) IDs and listed in the U.S. National Vulnerability Database. Secunia PSI is an example of software, free for personal use, that will check a PC for vulnerable out-of-date software and attempt to update it.
Example of Exploitation. Most systems contain bugs or loopholes which may be exploited by malware. A typical example is a buffer-overrun vulnerability, in which an interface designed to store data in a small area of memory allows the caller to supply more data than will fit. The extra data spills past the end of the buffer and overwrites whatever the program keeps in the adjacent memory, including other data and the structures that determine which code executes next. In this manner, malware can force the system to execute malicious code by replacing legitimate code with its own payload of instructions (or data values) copied into live memory outside the buffer area.
Sources of Malware. As you undoubtedly know, most malware originates in, and is spread or promoted from, particular Web sites. Unfortunately, many thousands of such sites exist today, and to make matters worse, that number grows rapidly every day.
CyBlock Protection. So how do Wavecrest products protect customers’ computer networks from malware attacks launched from all these Web sites? Simply put, while monitoring employees’ Web requests, CyBlock identifies those that could result in malware attacks—and then it blocks them. But how does CyBlock identify malware-risk requests in the first place?
Starting Point: The URL List. The process works as follows. At Wavecrest headquarters, specialists maintain and continuously update a huge database of high-traffic Web sites and pages. Called the URL List, its records are sorted into more than 70 categories according to content, e.g., Shopping, News, Sports, and Financial. One of the most important of these categories is Malware. Using sophisticated manual and automated techniques, the specialists update the entire URL List every day, giving particular attention to malware-associated URLs.
The List as Part of the Product. When a prospective customer downloads a product for evaluation, a copy of the URL List is included. (Typically, the prospect or customer then automatically downloads an updated list every day.)
Identifying the Culprits. When the product is in use, it compares the URLs of all visit requests with the categorized URLs in the URL List. When the product finds a match, it “labels” the request with the matched category.
Blocking the Requests. If a category (for example, Malware) has been administratively configured in a blocking policy, the request will be denied, i.e., blocked.
Dealing with SSL-Hidden Malware. Wavecrest recently enhanced CyBlock’s malware identification capability by incorporating a feature called “SSL Inspection.” SSL Inspection enables CyBlock to categorize detailed, encrypted (HTTPS) Web traffic—something that was not possible in the past. This in turn will help our customers better identify and defeat malware threats. Note: Traffic in categories that are not included in blocking policies is promptly forwarded to the Web. Traffic in those categories that are included, e.g., the Malware category, will be blocked.
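The matching, labeling and blocking steps described above, together with the SSL Inspection point, as an added illustration (this is example code, not Wavecrest's, and the URL List entries, category names and the `ssl_inspection` switch are constructed for the example):

```python
from urllib.parse import urlsplit

# Constructed sample URL List (hostname or hostname/path -> category).
# The real list is far larger and is refreshed daily.
URL_LIST = {
    "shop.example": "Shopping",
    "news.example": "News",
    "bad-downloads.example": "Malware",
    "files.example": "File Sharing",
    "files.example/exploit-kit": "Malware",  # hostile path on an otherwise benign host
}

# Categories an administrator has placed in the blocking policy.
BLOCKING_POLICY = {"Malware"}


def categorize(url, ssl_inspection=False):
    """Label a request with the category of the most specific matching entry.

    Path-level entries are tried first, then the full hostname, then each
    parent domain (so www.shop.example matches shop.example). Under HTTPS the
    path is encrypted in transit, so it is consulted only when SSL Inspection
    is enabled; without it only the hostname can be matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or ssl_inspection:
        segments = [s for s in parts.path.split("/") if s]
        for n in range(len(segments), 0, -1):
            key = host + "/" + "/".join(segments[:n])
            if key in URL_LIST:
                return URL_LIST[key]
    labels = host.split(".")
    for i in range(len(labels) - 1):  # stop before the bare top-level domain
        key = ".".join(labels[i:])
        if key in URL_LIST:
            return URL_LIST[key]
    return "Uncategorized"


def process_requests(urls, policy=BLOCKING_POLICY, ssl_inspection=False):
    """Categorize each request, block those in the policy, and log every one."""
    log = []
    for url in urls:
        category = categorize(url, ssl_inspection)
        action = "BLOCK" if category in policy else "ALLOW"
        log.append(f"{action} {category} {url}")
    return log
```

Without inspection the HTTPS request to the hostile path is labeled only by its hostname (File Sharing) and allowed; with inspection the path is visible and the request is blocked as Malware.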
Logging Risky Web Requests. Wavecrest products (Cyfin as well as CyBlock) log all malware as well as other visit requests. This makes the information available for inclusion in appropriate reports to IT and management.