Can malware be beaten?
As the companies that create anti-malware and antivirus products develop solutions to combat the malware scourge, the internet bandits who create that malware go one better. This one-upmanship is a vicious circle.
Lately the malware creators have had the upper hand over the developers of security protection systems. They no longer only attack the computer and internet world at large, but also specific targets: by simply altering a few strings in their code they create a new variant aimed at a particular group of companies or individuals.
In 2008, Symantec discovered more than 120-million distinct malware variants. In this environment, it is necessary to move beyond traditional security approaches to stay ahead of new malware. The competition between malware creator and malware protector must be broken. Symantec may have come up with the answer in the form of a reputation-based technology which they have called “Quorum”.
Reputation-based technology changes the rules of the malware game, shifting the odds significantly in favour of users by harnessing the wisdom of tens of millions of users. Using this data, Symantec was able to detect threats that are invisible to traditional security products.
Traditional antivirus software relies on virus signatures to blacklist those pieces of malware that should be blocked from a user’s machine. Ten years ago, Symantec published an average of five new virus signatures each day. Today, in spite of the fact that each signature can detect many different malware strains, security vendors regularly publish thousands of signatures or more per day.
“Quorum reputation-based security complements traditional security techniques by using anonymous software usage patterns to classify files as safe or unsafe,” Grant Brown, Symantec’s endpoint security specialist, told EngineerIT in a recent interview. “The Quorum technology was developed at Symantec from the ground up, and provides a fundamentally new layer of protection from today’s latest threats.”
Symantec Research Labs began development of the technology about three years ago, investigating how small amounts of data regarding file usage on a user’s system, collected from a very large distributed community, could be used to predict the likelihood of a given file being malicious or not. After successful prototyping, a full commercial release was developed and recently incorporated in two of the company’s products.
How does it work?
Symantec’s Quorum reputation-based security leverages data from multiple sources, including: anonymous data contributed by tens of millions of Norton Community Watch members (an opt-in feature of all Norton security products), data provided by software publishers and anonymous data contributed by enterprise customers in a data collection programme tailored to large enterprises. The data is continually imported and fed into the reputation engine to produce a security reputation rating for each software file, all without ever having to scan the file itself.
Quorum uses information such as the file’s prevalence, age and other attributes to compute highly accurate reputation scores. These reputation ratings are then made available to all Symantec users through a large cloud-based infrastructure of the company’s servers.
Quorum has been incorporated in Norton Internet Security 2010 and Norton AntiVirus 2010. To see it in action, download a new executable file off the internet. The new Download Insight feature uses Quorum reputation information to help determine each downloaded file’s safety – the user is then informed of the file’s reputation. Bad-reputation files are automatically blocked. In addition, a user can right-click on any executable file and find out where the file came from, how many other Symantec users are using the file, when Symantec first saw the file and what the security reputation is for the file.
Quorum defeats an attacker’s ability to mutate malware to evade traditional signature-based detection. In fact, the more an attacker modifies a threat, the more obvious it becomes that the file is suspicious: each fresh variant is a file that almost nobody has seen before and that has no usage history behind it.
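The mechanism described in the preceding paragraphs (prevalence, age and publisher attributes feeding a per-file reputation rating, a Download Insight style lookup at download time, and why freshly mutated variants stand out) can be illustrated with a small constructed Python toy. This is an added example, not Symantec's Quorum code, weights or data: the scoring formula, thresholds, verdict names, machine identifiers and sample telemetry are all assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed toy: every weight, threshold and sample record below is an
# assumption for illustration, not Symantec's Quorum algorithm or data.


@dataclass
class FileRecord:
    first_seen: date
    machines: set = field(default_factory=set)   # distinct reporting machines
    publisher_signed: bool = False


class ReputationEngine:
    """Builds a per-file reputation from anonymous usage reports.

    Reports carry only a file hash and metadata; the engine never scans
    the file content itself.
    """
    TRUST_THRESHOLD = 0.6   # at or above: trusted
    BLOCK_THRESHOLD = 0.2   # below: untrusted (would be blocked)

    def __init__(self) -> None:
        self.records: dict[str, FileRecord] = {}

    def report(self, sha256: str, machine_id: str, day: date, signed: bool = False) -> None:
        rec = self.records.get(sha256)
        if rec is None:
            rec = FileRecord(first_seen=day, publisher_signed=signed)
            self.records[sha256] = rec
        rec.machines.add(machine_id)
        rec.publisher_signed = rec.publisher_signed or signed

    def score(self, sha256: str, today: date) -> float:
        rec = self.records[sha256]
        prevalence = len(rec.machines)
        age_days = max((today - rec.first_seen).days, 0)
        # Prevalence on a log scale, saturating at about 10,000 machines.
        prev_term = min(math.log10(prevalence + 1) / 4.0, 1.0)
        # Age saturates at 90 days: a file that has circulated for a while
        # is more trustworthy than one that appeared this morning.
        age_term = min(age_days / 90.0, 1.0)
        pub_term = 1.0 if rec.publisher_signed else 0.0
        return 0.5 * prev_term + 0.3 * age_term + 0.2 * pub_term

    def verdict(self, sha256: str, today: date) -> str:
        s = self.score(sha256, today)
        if s >= self.TRUST_THRESHOLD:
            return "trusted"
        if s < self.BLOCK_THRESHOLD:
            return "untrusted"   # a Download Insight style client would block this
        return "unproven"        # warn the user and let them decide


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def download_insight(engine: ReputationEngine, sha256: str, machine_id: str,
                     today: date, signed: bool = False) -> str:
    """Client-side flow: contribute the observation, then ask for the verdict."""
    engine.report(sha256, machine_id, today, signed)
    return engine.verdict(sha256, today)


def mutated_variant_verdicts(engine: ReputationEngine, base: bytes, n: int,
                             today: date) -> list[tuple[str, str]]:
    """Defender's view of mutation: flipping one byte per variant yields n
    distinct hashes, each of which has been seen on a single machine only."""
    results = []
    for i in range(n):
        variant = base[:i] + bytes([base[i] ^ 0xFF]) + base[i + 1:]
        h = sha256_hex(variant)
        results.append((h, download_insight(engine, h, f"victim-{i}", today)))
    return results


def demo() -> dict:
    today = date(2010, 1, 15)
    engine = ReputationEngine()
    # Constructed sample: a widely used, signed installer reported by 5,000 machines 200 days ago.
    popular = sha256_hex(b"popular-installer-v1")
    for m in range(5000):
        engine.report(popular, f"host-{m}", today - timedelta(days=200), signed=True)
    # Constructed sample: a freshly built, unsigned binary downloaded today by one machine.
    fresh_bytes = b"MZ" + bytes(range(256))
    fresh = sha256_hex(fresh_bytes)
    variants = mutated_variant_verdicts(engine, fresh_bytes, 5, today)
    return {
        "popular": engine.verdict(popular, today),
        "popular_score": round(engine.score(popular, today), 3),
        "fresh": download_insight(engine, fresh, "host-new", today),
        "fresh_score": round(engine.score(fresh, today), 3),
        "variants": [v for _, v in variants],
        "distinct_variant_hashes": len({h for h, _ in variants}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The popular installer scores high on all three terms and is trusted; the fresh unsigned binary, seen on one machine with no history, falls below the block threshold; and each mutated variant carries a different hash, so the attacker's effort only produces more never-before-seen single-machine files, which is exactly the signal the reputation engine keys on.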
In addition to providing an additional layer of protection, the software also allows existing Symantec security technologies, including heuristics and behaviour-based detection, to be deployed in a more aggressive mode to increase the overall level of protection provided to users.
It seems as if the malware bandits have met their match for now, but only time will tell what they will come up with next.
EngineerIT