Feeds

Snort team aim to scent malformed email attachments

Razorback, the truffle-hog with a forensic back end

Seven Steps to Software Security

Interview The developers behind Snort, the open source intrusion detection system, are pushing ahead with a project to develop a system for detecting malformed documents in a bid to provide early warnings about targeted attacks.

Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously constructed files that may take advantage of zero-day vulnerabilities to compromise targeted machines. Such previously unseen attacks are liable to slip by anti-virus and other security defences because no anti-virus signature has yet been created, and because heuristics and even cloud-based approaches are still fundamentally reactive, according to Marty Roesch, CTO of Sourcefire and the developer of Snort.

Roesch told El Reg that firewalls and IDS systems are designed to have high throughput and low latency, so these security devices are ill-suited to analysis of documents – the niche Razorback is trying to occupy. Razorback would offer "deep file inspection" with a forensics backend that provides near-real-time warning that something is amiss, for example, in an email sent to a firm's finance department. The document analysing software does not include a blocking function but "lets you know where to look and what to look for", according to Roesch, who said the technology offered software hooks to Snort and Clam AV.

The software includes a protocol anomaly detector that, for example, would detect Flash components in an Excel file. These flash components are passed on to parts of the technology that understand Flash files. If these handlers say that the file concerned is not a Flash file, then an alert would be generated that a malformed Flash file was found in a spreadsheet, a clear sign that something very odd and probably malign is going on. The approach doesn't rely on looking for patterns matching previously known bad stuff.

The idea is akin to data loss prevention (DLP) technology used for locking down USB ports and preventing the accidental or deliberate export of confidential data via email or other routes, it seems to us. However Roesch said DLP technology would be hard to apply to the detection of "zero-day" document-based targeted attacks, because it doesn't look for "heap sprays or buffer overflow" attacks (Razorback's particular forte).

Adding deep file inspection to client and server anti-virus, intrusion prevention and content inspection adds to the complexity of overall security set-ups, especially when much of this technology is designed to thwart targeted malware-based attacks. Roesch countered that higher-end enterprises had already seen the benefit of the extra line of defence.

Roesch said that Razorback is currently in the alpha stage of development. "The technology might be adapted over time to quarantine or stop suspicious files but that's not its function just now," Roesch added.

More about the project can be found on the Sourcefire labs portal here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.