Information security vendors cannot ignore the fact that the dynamics of malware are changing. The traditional signature-driven approach works well with highly prevalent threats such as CodeRed, Nimda and Conficker where many users have been impacted.
However, the threat landscape has changed significantly over the last three years: increasingly, malware is either micro-distributed to only a handful of machines across the entire internet, or is so highly variable that the exact same file is used to infect only a small number of users. At the same time, the way in which malware is used has changed, with more malware being used in only a single attack. This has of course caused the sheer number of malicious files that need to be detected to rise: in 2008 Symantec added over 1.6 million anti-virus signatures, more than we had written in the previous 17 years.
In years past, the main approach Symantec took with malware was to identify suspicious files via our Global Intelligence Network, analyse them and write a signature if a file was determined to be malicious. Although we have 240,000 sensors in over 200 countries, the fact that some viruses are designed to exist for only a couple of hours, or to be downloaded by only one or two machines, makes this incredibly problematic.
Rather than ignore this issue and let viruses seep through, we are tackling the problem head-on. Playing to our strengths, we have the ability to monitor malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed our anti-virus products. Over eight billion email messages and over one billion web requests are processed each day across our 16 major data centres.
These resources give our analysts unparalleled sources of data with which to analyse and identify emerging trends in attacks, malicious code activity, phishing and spam. This means that, although it may be impossible to monitor every threat, we can catch the majority and have an unparalleled knowledge of the threats on the internet and of what constitutes malware.
As the industry gets closer to a potential 'tipping point', where more new malicious programmes are being created than good programmes, we need to create new and innovative ways to tackle the criminals. With this in mind, we have recognised the need to supplement not only the classic blacklist approach but also the heuristic and behavioural technologies already in our toolkit, and have developed a reputation-based security technology built from the ground up.
Symantec has moved to a model where instead of just providing information about malicious files, we will provide information about all executable files - both good and bad - to help our technology and ultimately our users make the right choices about what to run on their system.
Effectively, when a user attempts to run an unrecognised file on their computer, our security software assesses the likelihood that it is malware. It does this by checking the file's 'reputation', which is derived from anonymous data contributed by tens of millions of Norton Community Watch members, data provided by software publishers, and anonymous data contributed by enterprise customers through a data collection programme tailored to large enterprises.
The data is continually imported and fed into the reputation engine to produce a security reputation rating for each software file, all without ever having to scan the file itself. The technology uses information such as the file's prevalence, age and other attributes to compute highly accurate reputation scores. For example, if millions of people have used a file then it is probably safe, but if only ten people have ever run it then the user should think twice.
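To make the rating idea concrete, here is an added toy reputation engine (example code written for this page, not Symantec's engine) that scores a file purely from telemetry metadata such as prevalence, first-seen age, publisher data and an analyst verdict, never from the file's contents. The weights, thresholds, hash labels and catalog entries are all constructed assumptions chosen for illustration; the point is that a brand-new, rarely seen file gets a low rating even though nothing about it is yet known to be malicious, which is exactly the case a signature cannot cover.

```python
"""Toy reputation engine (added example, not Symantec's algorithm).

A file is rated from telemetry alone: how many community members have run
it, how long ago the backend first saw it, whether a trusted publisher signed
it, and whether an analyst has confirmed it as malicious. The weights and
thresholds below are assumptions picked for illustration.
"""
import math
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FileTelemetry:
    sha256: str                         # identifier the backend keys on
    user_count: int                     # distinct community members that ran it
    first_seen: date                    # when the backend first recorded it
    signed_by_trusted_publisher: bool   # publisher-supplied data
    known_bad: bool = False             # analyst-confirmed malicious


# Constructed sample catalog: hash labels, counts and dates are made up.
CATALOG = {
    "hash-widely-used": FileTelemetry("hash-widely-used", 5_000_000, date(2008, 12, 1), True),
    "hash-brand-new": FileTelemetry("hash-brand-new", 10, date(2010, 1, 13), False),
    "hash-popular-unsigned": FileTelemetry("hash-popular-unsigned", 1_000_000, date(2009, 12, 16), False),
    "hash-confirmed-bad": FileTelemetry("hash-confirmed-bad", 200_000, date(2009, 6, 1), False, known_bad=True),
}


def reputation_score(t: FileTelemetry, today: date) -> int:
    """Score from 0 to 100; higher means more trustworthy.

    Assumed weights: prevalence contributes up to 60 points on a log scale
    that saturates at about one million users; age contributes up to 25
    points, saturating at 90 days; a trusted publisher signature adds 15.
    """
    if t.known_bad:
        return 0
    age_days = max(0, (today - t.first_seen).days)
    prevalence = min(1.0, math.log10(t.user_count + 1) / 6.0) * 60
    age = min(1.0, age_days / 90.0) * 25
    publisher = 15 if t.signed_by_trusted_publisher else 0
    return int(prevalence + age + publisher)


def verdict(t: FileTelemetry, today: date) -> str:
    """'bad' only on an analyst verdict; 'good' when the score is high;
    everything else is 'unproven' (too new or too rarely seen to judge)."""
    if t.known_bad:
        return "bad"
    return "good" if reputation_score(t, today) >= 60 else "unproven"


# Assumed policy for a download: block bad, warn on unproven, allow good.
ACTIONS = {"bad": "block", "unproven": "warn", "good": "allow"}


def assess_download(sha256: str, today: date, catalog=CATALOG) -> dict:
    """Return the facts a user would be shown plus the action to take.

    A hash the backend has never seen is treated as brand new with zero
    users, so it lands in 'unproven' rather than being silently allowed.
    """
    t = catalog.get(sha256) or FileTelemetry(sha256, 0, today, False)
    v = verdict(t, today)
    return {
        "sha256": sha256,
        "users": t.user_count,
        "first_seen": t.first_seen.isoformat(),
        "score": reputation_score(t, today),
        "verdict": v,
        "action": ACTIONS[v],
    }


if __name__ == "__main__":
    today = date(2010, 1, 15)  # constructed "current" date for the sample
    for h in list(CATALOG) + ["hash-never-seen"]:
        print(assess_download(h, today))
```

Two design choices matter here: a "bad" verdict comes only from an analyst's confirmation, so a low score on its own never blocks a legitimate but obscure file, and a file that is absent from the catalog defaults to "unproven" rather than to "good", so the safe failure mode is a warning rather than silent execution.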
By checking the reputation of a programme, a user is given the opportunity to adopt an educated approach to personal computing. Flagging an executable file as a potential threat presents the user with all the facts and therefore an additional layer of protection from unwittingly running malware. We have already integrated this advanced technology into our Norton range and we plan to add it into our enterprise product portfolio next year.
The most visible way to see this technology in action in Norton Internet Security 2010 and Norton AntiVirus 2010 is to download a new executable file from the internet. The new Download Insight feature uses the reputation information to help determine each downloaded file's safety: the user is informed of the file's reputation, and bad-reputation files are automatically blocked. In addition, a user can right-click on any executable file and find out where the file came from, how many other Symantec users are using it, when Symantec first saw it and what its security reputation is.
2010 is already set to be a challenging year in the world of IT security, with the emergence and propagation of new, fast-spreading threats. Using this reputation-based security approach, in conjunction with our global team of security specialists who monitor and blacklist malware, we plan to stay one step ahead of criminals and protect users against tomorrow's threats, today.