IDC OPINION
Despite the massive deployment of antivirus solutions, viruses and other types of
malware are still the greatest security threat for enterprises. Fighting malware is a
perpetual war, in which attackers constantly identify and target emerging
vulnerabilities in order to stay one step ahead of defenders. Today, many rapidly
propagating attacks are aimed at the weak spot of traditional antivirus solutions,
which are based on developing new signatures for new threats – a time-consuming
process (hours-long at best) that creates a window of vulnerability during which end
users are unprotected. In light of these threats, organizations can no longer rely solely
on reactive signature-based solutions. To protect against new and unknown threats,
more proactive approaches should be applied, providing improved response times
without compromising detection levels.
METHODOLOGY
IDC developed this white paper using a combination of existing market forecasts and
direct, in-depth, primary research. To gain insight into the challenges of fighting
modern malware, especially sophisticated rapidly propagating threats, and to learn
about how Commtouch's Zero-Hour Virus Protection can help mitigate associated
risks, IDC interviewed the company team on the issues of technology, product
offerings, competitive landscape, and go-to-market strategy. IDC also interviewed
vendors employing Commtouch's technology including BlueCat Networks and
VirusBuster.
SITUATION OVERVIEW
Malicious software, or malware, is a general term for any software that is designed to
cause damage to computer systems when executed. This definition refers to various
types of malicious code (e.g., viruses, worms, Trojan horses, zombies, trapdoors,
logic bombs, key loggers), but the most common and damaging are replicating
malicious code programs, known as viruses.
Viruses have come a long way since the early days in which they spread from one PC
to another via diskettes. To a large extent, it is no longer the playground for amateurs
that fall into the stereotype of bored teenagers seeking notoriety. Today's malware is
in many cases the business of professionals and even criminals. Correspondingly, the
motivations that drive malware authors are changing and a growing number of attacks
are financially-driven rather than simple pranks.
On the surface, these findings may seem puzzling given the fact that antivirus
solutions are used by the vast majority of organizations. Still, in a recent IDC survey,
90% of large companies were hit by a successful virus attack this year; moreover,
40% reported 11 or more successful attacks in 12 months (see IDC's Enterprise
Security Survey 2004, #32593).
2 # ©2005 IDC
FIGURE 1
(Chart not recoverable from the extraction; n = 477)
Note: Small companies are those with 1-99 employees; medium-sized companies are those with
100-999 employees; large companies are those with 1,000-9,999 employees; and very large
companies are those with 10,000+ employees.
Source: IDC's Enterprise Security Survey, 2004
According to AV-Test, a German-based independent lab that constantly tests the
performance of leading antivirus products, the response time of signature-based
antivirus solutions averages 10 hours (see Table 1 below). These results come from
testing done last year, which was aimed at measuring the response times in 45 major
malware outbreaks.
TABLE 1
Notes:
Beta definition updates from McAfee (DailyDats) and Symantec (Rapid Release Definitions) were usually available within
less than 4 hours.
Many larger AV companies have Service Level Agreements (SLAs) for a predefined response time with special signature
updates (which are not publicly available).
Response times refer to the time required to detect the main malware component, but not for (possible) dropped files (e.g.,
keyloggers). Only 7 out of 24 tested AV companies were able to detect the dropped components with the first update (or
with a second update that was available a few hours later): AntiVir, AVG, eTrust (VET), McAfee, Panda, Sophos, and Trend
Micro.
Some companies required a few days to weeks for full detection (or even full repairs).
Source: Antivirus Outbreak Response Testing and Impact, Andreas Marx, AV-Test.org (presented at the Virus Bulletin 2004 Conference in
Chicago)
As seen in Table 1, given current response times, signatures developed against new,
rapidly propagating attacks can only slow an outbreak but cannot prevent the mass
infection in the first hours. In the notorious MyDoom attack, for example, it took 6.5
hours from first detection (by MessageLabs) for the outbreak to peak, but the initial
signature was released (by McAfee) almost 8 hours after first detection. It took nearly
9 additional hours before most leading antivirus vendors released production-level
vaccinations. The speed of propagation was a key to the "success" of MyDoom,
which according to different estimates caused more than $30 billion worth of financial
damage.
Recent malware propagation techniques can be categorized into four main classes –
all of which aim to exploit the early-hours weak spot of the signature-based antivirus
approach.
Achieving high propagation rates is clearly one of the main design goals of malware
authors today. Modern viruses and worms are not immune to vaccinations – they are
designed to infect as many computers as possible before vaccinations are available.
Attacks using such zombie propagation methods can distribute 100-200 million
messages within several hours (usually less than 5 hours). In other words, by the time
the first antivirus production-level signatures are ready, the distribution cycle is
already completed. This technique is highly effective for Trojan and spyware
distribution, and is therefore often being used in attacks made for material gain.
released in time intervals, by the time antivirus providers produce a signature for one
variant, a new variant has already been released.
Such an attack not only exploits the AV window of vulnerability, but also extends it –
keeping end users virtually exposed throughout the entire duration of the attack.
Some of the latest multi-variant attacks lasted days, with a new variant released every
day. Other recent attacks used intervals of about 4 hours, aiming at the estimated
minimum time required for developing a new signature.
Blended threats often come in the form of (but are not limited to) Trojan horses used
to create backdoors for sending spam or for launching a Distributed Denial of Service
(DDoS) attack. In this scenario, the attacker uses the backdoor to remotely control a
group of infected machines (zombies), and to take down a specific Web server by
flooding it with multiple simultaneous requests.
The term "phishing" refers to an online fraud technique where a spam message is
sent, or a pop-up appears, that seems to come from well-known banks, credit card
companies, insurance companies, online retailers, or ISPs. Disguised as a
legitimate request to update or verify personal information, the spoof message
refers users to the phisher's phony Web site, tricking them into revealing personal
financial information such as credit card numbers, social security numbers, bank
account numbers, and passwords. The data can then be used for credit card fraud,
identity theft, stealing money, and so on.
From the security standpoint, phishing presents acute detection and blocking
challenges, for antivirus as well as anti-spam engines. Technically speaking, phishing
is neither spam nor a virus: since it involves no malicious code or even an
attachment, antivirus solutions are completely ineffective against it.
From a technical point of view, phishing campaigns are no different from spam, and
often use the very same propagation techniques. But since most anti-spam solutions
are designed to block spam according to specific text and content attributes, they are
not always successful in blocking phishing messages that appear legitimate.
Unlike spam, which is marketing-driven, phishing has malicious intent; more than just
annoying, it is considered a security threat. Like malware (but not spam), a failure to
block even a few phishing messages at the gate can result in severe damage.
Security managers therefore tend to group phishing with malware, and expect it to be
blocked by their antivirus providers.
Malware attacks are becoming much less predictable and more sophisticated, and
are being undertaken using multiple methods. They differ in form, in propagation
technique, and in the nature of their payload. In order to efficiently fight modern
malware that is aimed at the weak spot of signature-based solutions, the security
industry is continuously seeking new tools to shorten response times to attacks. The
proactive approaches that have previously attempted to complement signature-based
solutions can roughly be divided into two main categories according to the techniques
employed.
Sandbox: The sandbox approach is based on running executable and other active
email attachments in a virtual, contained environment, while monitoring them for pre-
defined illegal or suspicious behavior (e.g., modifying registry entries or changing
system settings). Email identified as suspicious is treated accordingly (sustained or
quarantined). A few challenges cloud the sandbox approach: first, the inherent lack of
capacity to detect delayed viruses, as well as "silent" malware such as worms
containing spyware or adware payloads (designed to leave no traces of malicious
activity), and of course phishing. Second, having to actually run the attachments of
each email that enters the organization or ISP is costly and CPU-consuming
(gateways usually avoid this technology).
In light of this, rapidly propagating attacks are still an unsolved problem. As firms try
to address this challenge, an alternative approach of inspecting real-time email traffic
to identify malware outbreaks by their distribution pattern has emerged. This network-
based proactive approach is based on analyzing the attributes of the outbreak itself
(rather than the virus or malware that has already arrived). In addition to improved
accuracy and response times, which are virtually unmatched by any other antivirus
approach, another benefit of the network-based approach is its being agnostic to
specific content attributes. Hence, at least theoretically, any outbreak can be detected
regardless of its content – a significant advantage in times when malware is
becoming increasingly sophisticated, dynamic, and elusive.
The major hurdle of applying the network-based approach is that in order to provide
adequate coverage of threats, huge amounts of data must be collected from multiple
locations all across the Internet, and analyzed in real-time. Otherwise, the ability to
track new malware outbreaks as they occur would be significantly reduced. Given this
requirement, the network-based approach is mainly applied by providers of managed
email security services such as MessageLabs and FrontBridge that have access to
large volumes of email traffic.
FIGURE 2
(Chart not recoverable from the extraction; labels recovered: "Zero-Hour™ Effective", "Zero-Hour™ detection", "20-30 hours")
Based on the analysis of the characteristics of modern malware outbreaks,
Commtouch's patented Recurrent Pattern Detection (RPD) technology serves as the
foundation for the company's email protection solutions. The first solution developed
with this technology was an anti-spam solution that enables the detection of spam
outbreaks as they occur, using sophisticated algorithms that analyze Internet traffic in
real time. The solution is licensed today by providers of messaging security software,
security appliances, messaging solutions and managed security services, and is used
for the protection of about 35 million mailboxes.
The second solution developed using the RPD platform is the Zero-Hour Virus
Protection, a real-time malware detection and blocking solution that is designed to
identify new outbreaks as they occur. The Zero-Hour solution analyzes email (SMTP)
traffic in real-time, using massive amounts of data collected at different key points
over the Internet to achieve a representative sample of worldwide traffic. In a fully
automated process, data is then analyzed for recurrent patterns of malware
outbreaks, to identify new outbreaks as soon as they are distributed (usually long
before their first instances reach the protected organization).
FIGURE 3
The Zero-Hour architecture (see Figure 3 above) consists of the Real-Time Detection
Center, which serves as a central repository for storing recurrent patterns along with
classifications that represent the level and type of threat. At the customer's side, the
Zero-Hour Engine, which is used for filtering incoming mail, samples "suspicious"
messages that are not recognized as known viruses and proactively queries the
Detection Center. According to the classification received, the incoming message is
deleted, quarantined, forwarded, and so on.
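The engine-to-Detection-Center flow described above, as an added illustration rather than Commtouch's own code: the page does not disclose how RPD fingerprints a message or what its classification rules are, so `pattern_key`, the sliding window and the sighting thresholds here are assumptions, and the scenario data is constructed.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Illustrative thresholds; the real RPD classification rules are not on the page.
WINDOW_SECONDS = 600            # how far back recurrences are counted
OUTBREAK_MIN_SIGHTINGS = 50     # recurrences of one pattern inside the window
OUTBREAK_MIN_SOURCES = 3        # distinct collection points that must have seen it

@dataclass
class Message:
    ts: int                 # epoch seconds when the message was observed
    subject: str
    attachment_name: str
    attachment: bytes

def pattern_key(msg: Message) -> str:
    """Assumed structural fingerprint: attachment type, digit-normalised subject, attachment hash."""
    ext = msg.attachment_name.rsplit(".", 1)[-1].lower()
    subj = re.sub(r"\d+", "#", msg.subject.strip().lower())
    att = hashlib.sha256(msg.attachment).hexdigest()
    return hashlib.sha256(f"{ext}|{subj}|{att}".encode()).hexdigest()[:16]

class DetectionCenter:
    """Central repository of recurrent patterns, fed by collection points on the Internet."""
    def __init__(self):
        self.sightings = defaultdict(list)          # key -> [(ts, source), ...]

    def report(self, msg: Message, source: str) -> None:
        self.sightings[pattern_key(msg)].append((msg.ts, source))

    def classify(self, key: str, now: int) -> str:
        recent = [(t, s) for t, s in self.sightings[key] if 0 <= now - t <= WINDOW_SECONDS]
        sources = {s for _, s in recent}
        if len(recent) >= OUTBREAK_MIN_SIGHTINGS and len(sources) >= OUTBREAK_MIN_SOURCES:
            return "outbreak"                        # mass distribution from many points
        if len(recent) >= OUTBREAK_MIN_SIGHTINGS // 2:
            return "suspicious"
        return "unknown"

ACTIONS = {"outbreak": "delete", "suspicious": "quarantine", "unknown": "forward"}

class ZeroHourEngine:
    """Customer-side filter: known viruses are left to the signature scanner, anything
    else is fingerprinted and the Detection Center is queried for its classification."""
    def __init__(self, center: DetectionCenter, known_hashes: set):
        self.center, self.known_hashes = center, known_hashes

    def filter(self, msg: Message, now: int) -> str:
        if hashlib.sha256(msg.attachment).hexdigest() in self.known_hashes:
            return "delete"                          # already covered by a signature
        return ACTIONS[self.center.classify(pattern_key(msg), now)]

def simulate() -> dict:
    """Constructed scenario: one attachment mass-mailed under slightly varying subjects."""
    center = DetectionCenter()
    payload = b"constructed sample attachment, not real malware"
    for i in range(60):                              # 60 sightings from 4 collection points
        center.report(Message(1000 + i, f"Your order #{i}", "doc.scr", payload), f"cp{i % 4}")
    engine = ZeroHourEngine(center, known_hashes=set())
    fresh = Message(1100, "Your order #9999", "DOC.SCR", payload)   # same pattern, new digits
    other = Message(1100, "Meeting notes", "notes.pdf", b"benign constructed content")
    return {"fresh_now": engine.filter(fresh, now=1100),   # inside the window: delete
            "fresh_late": engine.filter(fresh, now=5000),  # window expired: forward
            "other": engine.filter(other, now=1100)}       # never seen anywhere: forward
```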
Aimed at detecting mass outbreak indicators, Zero-Hour is differentiated from other
proactive virus detection technologies by several advantages. First and foremost is
the immediate and accurate detection of new outbreaks. Second, as Zero-Hour is not
focused on identifying specific content attributes, it can capture any type of attack that
carries the characteristics of a massive outbreak, regardless of its payload. This
applies even for blended and other emerging threats that sometimes fall between the
cracks, as in the previously mentioned “silent attacks” (e.g., phishing and spyware).
Product Offering
Commtouch is positioning Zero-Hour as a complement to existing antivirus solutions,
as it provides the necessary early virus protection layer. By blocking, delaying, or
quarantining suspicious messages long before the availability of the signatures, it
allows antivirus providers to perform the in-depth analysis required for developing
new virus signatures, while keeping customers protected in the meanwhile.
CASE STUDIES
BlueCat Networks
The Meridius appliance protects organizations against spam and virus threats. On the
spam side, it applies various protection techniques, including blacklisting, whitelisting,
heuristic analysis/Bayesian filtering, and other options. In light of the growing
sophistication of spam, which is becoming increasingly harder to detect, BlueCat last
year decided to enrich its product offerings with additional pre-emptive spam
detection capabilities. After several tests, it signed an agreement to license
Commtouch's Spam Detection Engine, which is based on RPD technology.
Incorporated into the Meridius appliance, it now offers a first line of defense against
new spam for BlueCat customers.
Michael Hyatt, BlueCat President and CEO, finds a similarity between spam and
viruses, which have both reached a point where new approaches need to be applied
in order to fight them efficiently. "What was once acceptable – for both viruses and
spam – is now not. There was a time when if you stopped 90% of spam that was okay
but now the volumes are so high that 90% could cripple you. Regarding viruses, most
antivirus companies were coming out with updates in 6-12 hours. But looking forward
that might not be acceptable anymore. It is just a cat and mouse game."
BlueCat also emphasizes the ease-of-use and management of Zero-Hour and the
fact that it requires no tweaking of settings. As such, it fits well into Meridius, which is
designed to operate with full transparency for end users and with minimal
administration.
VirusBuster
According to IDC research, VirusBuster is one of the leading antivirus vendors in the
Central and Eastern European region. The company's products are used by other
antivirus vendors, including Sybari Software, which was recently acquired by
Microsoft.
Peter Agocs, VirusBuster’s CTO, notes that right after starting to use RPD
technology, the company recognized the potential of using it not only for spam
detection but for detection of malware groups spreading through email. "The
technology's reactivity has excellent performance, setting a new industry standard for
reaction time, which is such a critical issue nowadays. Commtouch reduces reaction
time to minutes. Zero-Hour, as an online technology, allows users to stop new
malware without updating the client side, which cannot be done in most cases by any
other proactive solution".
FIGURE 4
Malware Detection Rate (chart not recoverable from the extraction; y-axis 0% to 120%,
x-axis March 1, March 30, April 30, May 31, July 1, July 24)
Notes:
Detection rates refer to VirusBuster's product featuring Zero-Hour, as measured from March 1st
to June 29th in a real ISP environment.
Detection rates over 100% occur when Zero-Hour detects malware that the virus scan
engine database fails to detect.
Source: VirusBuster, 2005
CHALLENGES AND OPPORTUNITIES
Commtouch's Zero-Hour Virus Protection addresses a growing market need for
protection against rapidly propagating malware outbreaks, which are becoming a
major threat to organizations. Unlike other proactive antivirus solutions, the
company's approach is focused on the most intrinsic characteristic of modern
malware – achieving mass distribution in a short period of time. This makes Zero-
Hour suitable for closing the early-hours window of vulnerability.
The market opportunity for proactive virus detection solutions such as Zero-Hour
could be a significant one, but there are some challenges involved. For example, as
Zero-Hour is a complementary product rather than a comprehensive antivirus
solution, the decision to license the technology to antivirus and secure messaging
vendors makes sense. But there is a limited target audience for OEM agreements,
and success is therefore dependent on partnering with numerous key players.
In the longer term, the "consolidation" of threats that use multiple attack vectors to
spread could spur the convergence of security solutions, mainly at the gateway level.
This situation could create a market opportunity for Commtouch. Although the
company's roots are in the messaging security space, with the right partnerships,
RPD technology could be adjusted to cover HTTP, FTP, and other network channels,
as well as wireless networks. Covering multiple channels with a single underpinning
technology could be a significant advantage in the future market for security solutions.
CONCLUSION
Malware authors today are aiming their efforts at a major window of vulnerability in
traditional defense systems – the reliance on signature-based antivirus solutions. As
the time-consuming process of developing specific vaccinations against specific
threats exposes organizations to mass infections by rapidly propagating malware
outbreaks, proactive technologies are increasingly required.
Copyright Notice
External Publication of IDC Information and Data — Any IDC information that is to be
used in advertising, press releases, or promotional materials requires prior written
approval from the appropriate IDC Vice President or Country Manager. A draft of the
proposed document should accompany any such request. IDC reserves the right to
deny approval of external usage for any reason.