Heuristics could be best defence against Chinese Trojans

Businesses around the world are at risk from a new breed of Trojan that existing signature-based anti-virus software and URL-based web monitoring systems are unable to protect against.

Research from web security firm Finjan highlighted a worrying trend in hacking emerging from China.

Researchers warned that businesses around the world were at risk from a new breed of Trojan that existing signature-based anti-virus software and URL-based web monitoring systems were unable to protect against.

The sophisticated attacks, which are distributed using a network of websites, use zero-day exploits (attacks on vulnerabilities for which there is not yet a security patch) as well as other new hacking techniques. The purpose of the viruses is to steal sensitive data.

Once a user's PC has been infected, the Trojan starts to send data to other websites in the network, which are difficult to detect. Additional sites in the network monitor and control the attack using statistics about how many users are visiting the site and how many are being infected.

Data collected by the Trojans includes which operating system is used, the applications that are running, users' personal information, such as log-in names and passwords, and what security systems, anti-virus software, spam filters and firewalls are installed. This information is then fed into other sites in the attackers' network, which refine the virus.

Anti-virus software

Businesses rely on anti-virus products to protect networks and PCs. The most widely used form of anti-virus software relies on a database containing the electronic signatures of known viruses. By identifying these signatures, viruses can be blocked at the perimeter before they enter an organisation's network.

Finjan said this type of signature-based anti-virus software is unable to protect users against the new type of attack.

Chief technology officer Yuval Ben-Itzhak said, "To have a signature for your anti-virus software, a researcher needs to create a signature. But each time this Trojan is downloaded, a new version of the virus is created."

It would be impossible for an anti-virus company to produce signature file updates fast enough to stem this type of computer virus, said Ben-Itzhak. The virus would simply evolve into a form with an unrecognised signature, and so pass through corporate defences undetected.

One possible defence would be to use website monitoring tools to block the websites distributing the viruses. Such tools work in a similar way to anti-virus software, with malicious sites only being blocked once they have been identified.

Although this may slow the spread of the virus, Ben-Itzhak said, "The website URLs are being changed dynamically, so you will never be able to keep your website monitoring database up to date. Hackers will change the location of the malicious code."

A more effective defence would be to use heuristics. This works by monitoring virus behaviour rather than relying on a signature file. As a result, any malicious code that appears to exhibit virus-like tendencies will be flagged.

In theory, heuristics should enable IT departments to detect any new virus attack, but it is not without its problems.

In the past, heuristics systems have suffered from poor performance, because suspect code needs to be analysed rather than simply checked against an anti-virus signature. Also, heuristic scanning has been prone to wrongly identifying legitimate software as a virus.
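The trade-off described above, as an added example (not Finjan's code and not based on any real sample): a toy model in which every download of the Trojan is a different file served from a different host, checked against a hash signature, a URL blocklist and a behaviour-scoring heuristic. All names, weights and behaviour traces are constructed for illustration.

```python
import hashlib
import random

# Constructed model (example code, not Finjan's): every download of the
# Trojan is a fresh byte string served from a fresh host, so a hash signature
# and a URL blocklist built from download 0 stop nothing else.
def make_download(seed):
    """Return (bytes, host) for one download; seed 0 is the sample AV saw."""
    rng = random.Random(seed)
    mutation = bytes(rng.randrange(256) for _ in range(16))
    return mutation + b"<stealer-core>", f"drop-{seed}.example"

KNOWN_SIGNATURES = {hashlib.sha256(make_download(0)[0]).hexdigest()}
BLOCKED_HOSTS = {make_download(0)[1]}

# Behaviour weights (illustrative labels, not real telemetry), following the
# data the article says the Trojan collects and sends on.
WEIGHTS = {
    "enumerate_os": 1,
    "list_running_apps": 1,
    "read_stored_credentials": 3,
    "enumerate_security_software": 3,
    "post_to_unseen_host": 2,
}
THRESHOLD = 6  # lower catches more variants but raises the false-positive rate

def signature_match(blob):
    return hashlib.sha256(blob).hexdigest() in KNOWN_SIGNATURES

def host_blocked(host):
    return host in BLOCKED_HOSTS

def heuristic_score(events):
    return sum(WEIGHTS.get(e, 0) for e in events)

def evaluate(blob, host, events):
    """Verdict of each defence for one download and its observed behaviour."""
    return {
        "signature": signature_match(blob),
        "url_filter": host_blocked(host),
        "heuristic": heuristic_score(events) >= THRESHOLD,
    }

# Constructed behaviour traces. Download 1 defeats the first two defences but
# the heuristic still fires; the backup agent shows the false-positive cost.
TROJAN = ["enumerate_os", "list_running_apps", "read_stored_credentials",
          "enumerate_security_software", "post_to_unseen_host"]  # score 10
INVENTORY_AGENT = ["enumerate_os", "list_running_apps", "post_to_unseen_host"]  # 4
BACKUP_AGENT = ["enumerate_os", "list_running_apps", "read_stored_credentials",
                "post_to_unseen_host"]  # 7: legitimate but flagged
```

Calling `evaluate(*make_download(1), TROJAN)` returns a signature miss and a URL-filter miss but a heuristic hit, while the backup agent's trace scores above the threshold and is flagged in error.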

Olympics danger

These issues, combined with the fact that signature-based anti-virus systems have been coping fairly well, have meant that heuristics has remained fairly niche. However, as the world tunes in to the Beijing Olympics later this year, information security managers may be forced to reassess the technology.

The Trojans identified by Finjan emanate from a group of websites based in China, and there is a very real threat of hackers hijacking Olympics sites, or creating fake sites around the Games to distribute their malware. This potential threat is highlighted by the fact that one of the websites in the group currently distributing the Trojans belongs to a Chinese governmental office.

The good news is that, although the technology has not been making the headlines, heuristics anti-virus detection has been evolving in the labs. And 2008 could be a proving ground and the first widescale test of its abilities.
