Tag Archives: Threat Research

Novel Approach to Malware Discovery in today’s Threat Landscape

Posted on by

By Grayson Milbourne

There are a number of similarities between biological viruses and those which infect our PC’s. For one, both types of infections rely on mutations to evade detection and survive. The faster the mutations, the more difficult an infection is to combat. This is because those who spend their time and effort fighting such infections are likely to miss a mutation and therefor lack the chance to create a cure. This point is especially true with traditional antivirus technology where discovery and detection techniques have not kept up with the rapid pace of mutations common in today’s threat landscape. The recent NY Times article ‘Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt’ reported that, “On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses.”

Meet the Webroot Intelligence Network (WIN), a novel new approach to malware intelligence, discovery, detection and protection which scales with the pace of the malware industry. How did we do it? By first creating the most powerful threat intelligence engine the world has ever seen. A cloud hosted engine which correlates live data from millions of user endpoints, honeypots, and sensor networks from around the globe, all in real-time. This engine has populated the Webroot Intelligence Network with detailed data on millions of malicious programs, is aware of over 8.7 billion URL’s, 550 million IP addresses and 2 million mobile applications. WIN provides the necessary visibility into a rapidly mutating and evolving threat landscape to provide Webroot products the intelligence needed to keep users secure.

One key element to the success of WIN has been leveraging the power of our users. By turning every customer endpoint into a malware discovery node capable of sending newly discovered file data to WIN, Webroot researchers around the world are able to analyze and classify incoming data in real time. When a new malicious program, URL or IP is discovered, the entire user-base is immediately protected; no definition updates required. There are a number of benefits to this approach; one of the biggest being that malware variants don’t slip through the cracks. If a Webroot user is the first to see a new infection, it is only a matter of minutes before a researcher discovers the infection and creates a rule to detect and protect the entire user-base. Compare this to traditional signature based AV’s which must first collect the sample (if they can find it – in many cases samples are missed due to the intentionally short lifespan of today’s malware variants), analyze it, and finally release a new detection signature which lastly has to be sent to the endpoint. As the NY Times article mentions, “Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its “signature” — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years.” Most often, by the time a new signature is released, the malware variant it is designed to detect is no longer relevant.

The strength of a security solution is directly related to the quality of its intelligence. By enabling our products to participate in the discovery of new infections, WIN ensures our researchers have the visibility needed to keep up with a malware landscape which relies heavily upon flooding the market with newly compiled infections designed specifically to evade traditional AV methodologies. In many ways, the AV industry is responsible for the current day problem. The lack of innovation and adaptation to the problem created an easy out for malware authors. Webroot aims to change this paradigm by including the force of its entire user-base to combat the problem. It has long been said that the AV industry is at a disadvantage because for every security researcher fighting these infections, there were certainly 100 if not 1,000 hackers creating such infections. Webroot has upped the ante by recruiting its millions of users to help in the fight to keep our personal data and online activities secure. Malware has nowhere to hide when up against the Webroot Intelligence Network.

Introducing the Threat Blog

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Welcome, readers. I’m a member of the Threat Research team at Webroot, and I’ve been asked to contribute to Webroot’s new Threat Blog. I’d like to take a moment to introduce myself, tell you a little about what we do, and explain how we plan to use the blog to keep you informed.

Webroot’s threat experts are responsible for defining new malware, and variants of existing malware, that are being introduced every day. We spend the bulk of our time, to summarize in a massively oversimplified manner, breaking PCs by infecting them with Trojan Horse applications, virii, worms, rootkits, password stealers, and other malicious and undesirable software, then figuring out how to fix them again. We infect our PCs, over and over and over again, so you don’t have to; then we make sure Webroot’s products will protect against or remove the infections.

As you can imagine, our perspective on the front lines of Internet security gives us significant insight into the workings of these unwelcome software pests. And we’re now seeing an unprecedented volume of infected PCs and networks, and greater sophistication employed by those doing the infecting. We were compelled to create a vehicle to share that insight with the rest of the world.

My role is to serve as an information conduit between our malware, spam, and Web security experts and you, the reader. I and others will post details about the most dangerous and difficult security threats we encounter, and how to avoid them. We’ll also be sharing trending data we collect about spyware, computer viruses and other infections, and the origins of the infectious agents that propagate them. Our goal is to provide useful information that will, hopefully, help you protect yourselves from what seem — to us, anyway — like wave after wave of increasingly hostile, damaging, and obnoxious malware.

So, thanks for stopping by. We look forward to chronicling the threat landscape for you. Please add us to your RSS feed using the link that looks like a little billboard at the top of the page. And feel free to let us know what you think by sending your comments, questions, or requests to the address on the right side of the page.