Feeds

Snort team aim to scent malformed email attachments

Razorback, the truffle-hog with a forensic back end

Next gen security for virtualised datacentres

Interview The developers behind Snort, the open source intrusion detection system, are pushing ahead with a project to develop a system for detecting malformed documents in a bid to provide early warnings about targeted attacks.

Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously constructed files that may take advantage of zero-day vulnerabilities to compromise targeted machines. Such previously unseen attacks are liable to slip by anti-virus and other security defences because no anti-virus signature has yet been created, and because heuristics and even cloud-based approaches are still fundamentally reactive, according to Marty Roesch, CTO of Sourcefire and the developer of Snort.

Roesch told El Reg that firewalls and IDS systems are designed to have high throughput and low latency, so these security devices are ill-suited to analysis of documents – the niche Razorback is trying to occupy. Razorback would offer "deep file inspection" with a forensics backend that provides near-real-time warning that something is amiss, for example, in an email sent to a firm's finance department. The document analysing software does not include a blocking function but "lets you know where to look and what to look for", according to Roesch, who said the technology offered software hooks to Snort and Clam AV.

The software includes a protocol anomaly detector that, for example, would detect Flash components in an Excel file. These flash components are passed on to parts of the technology that understand Flash files. If these handlers say that the file concerned is not a Flash file, then an alert would be generated that a malformed Flash file was found in a spreadsheet, a clear sign that something very odd and probably malign is going on. The approach doesn't rely on looking for patterns matching previously known bad stuff.

The idea is akin to data loss prevention (DLP) technology used for locking down USB ports and preventing the accidental or deliberate export of confidential data via email or other routes, it seems to us. However Roesch said DLP technology would be hard to apply to the detection of "zero-day" document-based targeted attacks, because it doesn't look for "heap sprays or buffer overflow" attacks (Razorback's particular forte).

Adding deep file inspection to client and server anti-virus, intrusion prevention and content inspection adds to the complexity of overall security set-ups, especially when much of this technology is designed to thwart targeted malware-based attacks. Roesch countered that higher-end enterprises had already seen the benefit of the extra line of defence.

Roesch said that Razorback is currently in the alpha stage of development. "The technology might be adapted over time to quarantine or stop suspicious files but that's not its function just now," Roesch added.

More about the project can be found on the Sourcefire labs portal here. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.