3 posts from October 2010

About This Blog

The Content Security Research Team's Mission: Deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in our eSafe solutions.



Protecting the perimeter in SMBs

A few weeks ago, a research report was published regarding the response time of AV products. It compared several of the main, well-known products and measured how long each took to release a virus definition update that detects a new threat.

While reading it, I asked myself: will this research interest anyone apart from the AV companies themselves? Does a customer who is about to buy an AV/security product really care about it? And most importantly, what are the parameters that a customer should consider when looking for a new security solution?

When buying a network and local security solution for SMBs, you will probably not be looking to purchase a variety of specialized solutions for each security domain. It is more likely that you will combine several modules and features that together provide the best security solution for your perimeter.

Today, there are various products that combine several modules, with each module developed separately as a standalone component.

4 important things to consider before choosing a security solution for your SMB:

  1. AV Engines - 10 minutes, 5 minutes or maybe 6 minutes? Is it really relevant? No. If the malware was not detected, it is not important whether the detection definitions for it were released 5 or 8 minutes after it was first seen. It only means that the customer was exposed to infection.
    There is no 100% detection. Yet, if the product has more than 1 engine, it improves the odds of detecting new malicious code. Having said that, bear in mind that a product could have 20 engines, but it will cost in performance, so bigger is not necessarily better.

  2. Support – maybe the most important parameter when looking for a new security solution. False positives, false negatives, updates, installations, network architecture and so on. Since these products are installed on networks, which don’t always have a straightforward or typical topology, the quality of support given by the software manufacturer is crucial.

  3. Additional Features – more features and modules that provide more capabilities should also be carefully considered. Some of the content security products have features that help strengthen your security and make up for AV response time, for example:
    1. Application filtering – the ability to block specific applications and protocols. In some cases you have the ability to block specific features/operations of an application rather than the whole application.
    2. DLP – Data Leak Prevention. A very hot trend in the content security field. Helps prevent leakage of important data from our perimeter, whether unintentional or with malicious intent.
    3. URL filtering – the ability to block groups of web sites, based on their content.
    4. Anti-spam – an integrated module that combines real-time reputation with deep content analysis will give you a better solution.
  4. Management and Reporting – in large-scale networks, where several units of the product need to be installed in order to prevent traffic overload, it is important to have a central management platform to configure, maintain and get reports for all the units.

As I mentioned above, there is no AV or content security product that gives you 100% protection. It always reminds me of the “Die Hard” movie, where the criminals were trying to penetrate a vault with 7 locks. In order to do that, they had to break each lock in a different way; this is why it took them so long, and we all know what happened in the end…

The same goes for a security solution. There is no one mega product that will give you 100% protection; you need to put in several locks, different locks (features/modules), in order to make the hacker’s life harder.


100% protection promises by Shimon Gruper, CISSP

Recently I talked to a customer who said that he chose a certain vendor for his email security gateway product because the vendor promised him 100% blocking of all viruses. After looking closer at the SLA (service level agreement) of this vendor, I found out that the promise was to block 100% of “email-based” viruses.

This statement made me realize how good the marketing department of this vendor is and how easy it is to provide empty promises to customers who are not experts in security.

A short history – email-based viruses were prevalent about 10 years ago when the famous LoveBug was spreading all over the world cluttering mail servers and mail boxes.

Fortunately we learned a lot from it. Since then Microsoft has built many security safeguards into Exchange and Outlook (for example, executable attachments cannot be opened by default), and every organization has an email security gateway or a service that cleans viruses before they arrive in your inbox. Even for individual users, email anti-virus is a standard thing. Gmail gives it for free, as do many ISPs and web-mail providers. The anti-spam measures we are using today also very effectively block viruses, since they share the distribution pattern of spam.

Unfortunately hackers and other malicious people learned a lot as well. They understood that creating email viruses is not worthwhile, because the number of computers they would be able to infect would be very small and there is no ROI there. Thus they moved on to a less protected medium, which is the World Wide Web.

Today, the majority of infections happen from the web by unknowingly downloading malicious programs or even by simply visiting malicious websites that will try to exploit security vulnerabilities in your browser, or in one of its plug-ins.

Have you noticed the dramatic increase in the number of patches and updates Adobe is releasing for its PDF reader? The PDF format was one of the main targets of hackers. They were able to find bugs in the way the PDF reader interprets the PDF file format and exploit those bugs to inject malicious code and eventually infect computers.

It is not uncommon to receive an email, sometimes with a nice socially engineered message, that will ask you to click on a link, open your browser and… be infected by an exploit embedded in the visited web page.

In a simplified scenario, you receive an email with a PDF attachment, which can even come from somebody you know. You open the attachment, which contains a small exploit code that in turn downloads the real virus from the web.

Now back to the promise of 100% email-based virus protection – is this PDF an email-based virus? No; technically there is no virus in the PDF, it is just a malformed file which exploits a bug. The real virus is coming from the web, which is obviously not covered by this bogus 100% email-based virus blocking promise.

Again and again, our decisions are affected by nice marketing messages that hide the real issue: having the best email anti-virus in the world will provide you almost no protection. Today it is also necessary to include a Web Security Gateway, which will make sure that those email exploits are not able to download their malicious payload from the web.


About the Author: Shimon Gruper, CISSP
Strategic Consultant - eSafe Content Security
Shimon is a noted worldwide expert in the fields of Anti-Virus, Security, and Anti-Vandal software. As one of the first to discover malicious code contained in Active-X, Java, etc. he is often sought out by professional journals for advice and comments on Internet security issues.
Shimon is responsible for all eSafe development and technologies and is the "creator" of the generic process to trap and nullify malicious code and vandals.


Stuxnet demonstration at Virus Bulletin 2010

Symantec gave a presentation yesterday (30 Sept, 2010) at the VB2010 – Vancouver conference. This time it was not just a presentation of slides describing how the virus works; we actually had a live demonstration.

Symantec did an absolutely great job analyzing the virus. All the information can be found here:
Symantec's Stuxnet analysis paper

Symantec’s team brought a PLC machine, the kind the virus targets, and connected to it a blower with a balloon at the end. The PLC in its clean state was programmed to inflate the balloon for 2 seconds and then stop.

Then the PLC was infected with the PoC of the virus and the blower started to work, and... it went into an endless loop and never stopped; eventually the balloon burst.

The demonstration was photographed by the Sophos team:



Following that, the Symantec team explained that the virus was mostly found in Iran, that it has a flag that "tells" the virus to turn on or off, and that the key name is 05091979, which is 05/09/1979. On this date a Jewish businessman by the name of Habib Elghanian was executed in Iran.

They also said that it was a very meaningful date in Jewish history, and about that I am sorry to say - not really. If you ask Israelis about the Habib Elghanian case, most likely they will not know what you are talking about.

To conclude, nobody really knows exactly what the virus was intended to do, except for the fact that it looks for specific SCADA system configurations and gives the ability to change these configurations.

Was it written by the Israelis? Maybe, maybe not. One thing is certain: this was not written by a script kiddie, it was written by a funded organization and by several engineers.

Oren Medini, at VB2010 – Vancouver.
