Enterprise networks still rely on antivirus software and blacklists to keep known malware at arm's length. But researchers suggest another approach, one which promises to spot a dangerous piece of code before it shows up on a list somewhere.

This form of detection doesn't look for malicious code, but for malicious networks communicating with that code.

Internet service providers, and any organization striving for data security on a large-scale network should consider this approach.

A New Approach

Conventional antivirus software and blacklisting schemes have been successful in the past at identifying and stonewalling well-known viruses, Trojan horses, and exploits of various kinds. But they have an inherent weakness: they rely on coded signatures and pre-existing lists that can be utilized only after a particular piece of malicious software has been identified and flagged as being dangerous.

They also tend to be slow, and fast-moving malware can infect a lot of people before signatures can be created or pushed out. They're totally useless at spotting newly hatched instances of dangerous code.

This alternative approach to thwarting attackers doesn't bother looking at the potentially malicious code itself. Instead, it looks at what the rogue code does, or tries to do.

Generally, modern malware attaches itself to a victimized computer and immediately phones home. A piece of shellcode worms its way into a computer and tries to download and execute an even more advanced piece of malware. Once that happens, a computer or network is well and truly inhabited by the enemy, and requires extensive efforts to expunge the offending programs.

Nazca

The Nazca tool, named after the famous geoglyphs in southern Peru, doesn't bother patching potential exploits, checking code against lists of known threats, or expunging malicious code. Instead, Nazca focuses on network traffic, looking for suspicious requests where code is downloaded from external sources, identifying sustained connections with domain names that change names too frequently, and finding droppers or repackaged files with malicious code injected.

First, the system monitors all requests for Internet connections and extracts metadata it can later use for traffic analysis.

Second, it identifies Internet connections that are making efforts to keep themselves hidden from normal network security monitoring systems and flags them for more detailed analysis.

Third, the system aggregates all its metadata on suspicious activity and looks for patterns that may indicate a concerted effort to transfer malicious code into the secure computer or network.

Test Phase

Tests of Nazca to identify brand-new malware that had not yet been included on any blacklist have been very encouraging. It seems to be hardened against efforts to confuse it. Even better, Nazca generates relatively few false positives—alarms that occur in the absence of any actual attack.

One significant advantage of the Nazca approach to antivirus and malware detection derives precisely from its focus on malware's efforts to obtain and install a destructive payload in victimized computers and networks. By attacking and suppressing any software that makes such an effort, Nazca tends to render most malware relatively innocuous, even if it manages to escape detection.

Details about Nazca and the accompanying research can be found here.