Trend Micro Gives Web Sites a Bad Reputation
Here's the question VARBusiness recently posed to Eva Chen, CEO and co-founder of Trend Micro: Is conventional antivirus technology dead (or dying)? "It's not dead," says Chen, who practically invented gateway scanning. "But you can't survive by just doing [scanning and signature matching]; you must expand beyond that technology."
The battle against viruses, worms, Trojans and other malicious mobile code is still fought with conventional weapons that have existed for more than a decade--namely, signature-matching technology. In that time, the number of signatures required to effectively detect malware has blossomed into the tens of thousands for most of the leading antivirus engines.
The malware threat, which continues to evolve, now includes spyware, spam, rootkits and phishing, adding more burden to the signature-based engines. And while conventional antivirus technology is reasonably effective, malware persists and gets through the defenses.
The next stage in the antivirus evolution, according to Chen, is reputational analysis. The newly released Trend Micro OfficeScan 8.0 will include endpoint security features that block access to Web sites that have a reputation as sources for malicious activity. In other words, it will keep you from going into the Internet's bad neighborhoods.
From what Chen describes, this is more than just the real-time blackhole lists (otherwise known as RBLs) from the early days of the spam wars. Trend Micro will actively scan more than 300 million Web pages--home pages, directories and downloadable materials--for evidence of bots, viruses and other such contagions.
"The nature of the Web threat is to always look back to the hacker," she says. "Instead of investigating each crime, we link back to the command and control center of the attack."
Indeed, botnets are the preferred method for compromising hundreds--if not thousands--of machines for launching denial of service, or DoS, attacks, spam floods and spyware distribution. Oftentimes, compromised Web sites, servers and host machines are invisible to the casual user. By giving security software automatic updates to block sites with the worst reputations for spreading malware, users could, in theory, cut down on the propagation of malware.
Reputational analysis isn't a new idea, and the theory behind it is a reasonable one.
McAfee has a free tool, SiteAdvisor, which basically does the same thing as Trend Micro's OfficeScan analyzer, albeit independently of the antivirus engine. E-mail security pioneer CipherTrust, which is now owned by Secure Computing, introduced reputational awareness a few years ago to combat spam and phishing. Websense and SurfControl operate on the presumption of inspecting Web traffic for malicious content before it hits the perimeter.
Trend Micro's implementation would deliver reputational protection from the network level to the host.
Here's the problem Trend Micro and everyone else who tries reputational analysis face: pure volume. Last November, the number of domains passed 100 million, doubling the size of the Internet in just more than two years. Roughly half are very active sites, in which content changes frequently. If the Internet is doubling in size every two years, and 50 percent of the sites are active, keeping accurate intelligence of all the bad apples is, to say the least, challenging.
Reputational analysis feels a bit like behavioral analysis, a form of security monitoring and intrusion prevention based on anomalous network traffic that was pioneered by companies such as Arbor Networks, Lancope and Mazu Networks. The problem with behavioral analysis is that, the more information you collect, the less certain the end intelligence becomes. In other words, keeping up with all of the possible variations and exceptions vs. real-world activity is extremely difficult.
Time is the other issue. As many Web sites discovered before the age of the CAN-SPAM Act, getting off an RBL is significantly harder than getting on. Reputational analysis may tag a site as being malicious, but what will it do about remediation? Will the system notify the site owners, or will a sudden drop in traffic be the indication of a larger problem? Even if the site is remediated, it will be interesting to see how long it takes for the Trend Micro scanners to swing around to do a reassessment.
Now, is this a completely bad idea? Is it so complicated that it's not worth trying? As Chen says, "the Web threat is still invisible; it's a silent killer." Indeed, conventional signature-matching antivirus scanners and other anti-malware technology aren't enough. Working in concert with conventional antivirus tools, reputational analysis could add more punch in the war against malware.
How well will reputational analysis work in the real world? If history is any measure, the malware writers will escalate in this arms race and come out with something that will require a defense that's even more innovative.