Post Mon Feb 25, 2008 10:25 pm

DHS Project Delivers New Malware Capture Method

A project funded by the Department of Homeland Security (DHS) promises to give security researchers a new way to kill botnets and targeted malware attacks before they infect computers.

This week, Endeavor Security plans to launch its Active Malware Protection (AMP) technology, which it developed as part of the DHS's Small Business Innovation Research (SBIR) program, at a DHS-sponsored event. Endeavor delivers AMP as a software-as-a-service product.

AMP captures malware "on the wire," before it infects an enterprise's networked computers, and then relays it directly to anti-virus vendors, Christopher Jordan, CEO of Endeavor Security, told SCMagazineUS.com. This has two major benefits to vendors and end-users, he said.

First, it permits "us to see how the malware code has been modified," he said. "We can see the actual code as opposed to finding the file after it obfuscates itself."

Second, it allows the vendors to generate new anti-virus signatures as much as six days faster than is now possible, he said. And with 200,000 to 300,000 malware files generated annually, this can make a significant difference in protecting enterprise systems, he added.

Endeavor Security's AMP also allows anti-virus vendors to better prioritize malware protection, Jordan said. For example, it would allow an anti-virus developer to respond faster to malware discovered on a large financial services customer's network while delaying a fix for one on a small customer's PCs.

AMP will also target the command and control channel that directs the botnet and targeted attacks that occur after malware has taken over a PC, Jordan said. This is where Endeavor Security's work with the DHS comes in, he added.

"With botnets, the problem is twofold," Jordan said. "One, you want to stop the initial attack. Our phase one project with the DHS to capture malware allowed us to detect the network vector of the attack, so we can prevent the infection and work with the anti-virus vendors to get the malware off the desktop."

In phase two, Endeavor Security will reverse engineer the captured malware. This will allow Endeavor Security to find the botnets often associated with malware infections.

Also as part of the second phase, Endeavor Security will work to break the botnet's command and control structure, which allows the malware writer to control bots and initiate attacks, such as sending spam, Jordan said. Breaking the command and control structure may not free the infected PC of its virus, he admitted, but "if the botmaster can't control the bots, he doesn't have a botnet."

Once that step is taken, Jordan says that Endeavor Security will focus on grabbing command control signatures and creating signatures to prevent the botmaster from taking control of the bots inside networks. That will destroy the botnet.

Endeavor Security has another year left on its contract with the DHS to complete that project, Jordan said.


Original story:
http://www.scmagazineus.com/DHS-project ... le/105381/

Don
CISSP, MCSE, CSTA, Security+ SME