RE: IDS and Spywares

[Matt Jonkman <matt () infotex com>]

I strongly disagree that IDS is not effective with spyware. I grant that
hids is a good thing. But maybe I'm from the old school of thought, that
you can't trust any system to police itself. That system is corruptable,
and thus needs outside oversight. Security 101. 

That is exemplified by the number of worms that kill AV on their
victims, or alter hosts files so they can't get new dats, etc. The
victim sits there warm and fuzzy because they paid the 40 dollar
Symantec tax, and they're blasting spam to the world, none the wiser.
The code to do these things is easil available, and surely will be used
by spyware once they feel a hit to their pocketbook. If there's money to
be made they'll do it.

Network based detection and BLOCKING is the most effective way I've seen
to find and deal with spyware in a large network environment. But it's
one tool in the toolbox. Once you detect with IDS you have to clean with
spybot, adaware, etc. It's critical that both tools stay effective.

The BEST way I've seen to deal with spyware IMHO is:  (Note: I'm biased,
I wrote many of these sigs and run the project that distributes them.
Look at them yourself and make your own judgement)

Bleedingsnort.com: 
1. Run the DNS Blackhole project maintained by David Glosser. This is
your first line of defense. If you don't give dns lookups for spyware
then you knock out about 80% of the infections and cripple existing
installs.

2. Run the Bleeding Snort Malware signatures. These will catch the vast
majority of known and unknown spyware. Granted, these do require
frequent addition of nes stuff, but there are a few anomaly and behavior
based sigs that we catch most every new package that gets any reasonable
distribution. This is layer 2, detection.

3. Participate in the Spyware listening Post. This is layer 3, future
detection. This is where folks using the dns blackhole above send the
hits that might normaly go to spyware firms to our listening servers. We
analyze the urls and binaries requested, and write new snort signatures
and follow the trails to find new domains. This makes the process a
feedback loop that continues to adjust and improve.

Check out http://www.bleedingsnort.com for more info on there, and a
number of other very interesting tools.

I've spoken a few times this summer pitching the process above, and I've
gotten back a large number of success stories. And the best part is all
of these tools are free. If you can contribute back time or information
you discover all the better, but they're here for the long term, and are
very effective.

Matt




On Wed, 2005-10-12 at 22:52 +0100, Omar A. Herrera wrote:
> > -----Original Message-----
> > From: vipul kumra [mailto:vikumar2 () yahoo com]
> >
> > Hi Dhruv,
> >
> > I agree with what you have said... but then there is
> > no 100% fool proof method for detecting anything. As
> > far as I've seen iPolicy Networks IDS protection is
> > quite strong... :)
>
> Why use a hammer with a screw? Network based detection is able to deal
> pretty well with known network threats, but some sort of malware (including
> some Trojans and spyware) are customized or modified and used with specific
> targets. You won't detect those with generic signatures or network based
> anomaly behavior.
>
> hIDS/hIPS ar much more effective in detecting and preventing these attacks.
> If there is any anomalous activity to be detected or any forbidden action to
> be blocked, it will be host based, not network based. To start, there is a
> considerable number of ways that these threats can travel through the
> network (e.g. web scripts, P2P messaging, email attachments, trojanized
> downloaded software)and they might not even used the network to get to their
> target (Sharing of USB memory sticks, CDs, DVDs,...) 
>
> Personally I doubt that it is even worth trying to catch this kind of
> malware with a network based IDS or IPS. I would rather use the time for
> polishing hIPS/personal firewall policies.
>
> I think this is what Dhruv meant.
>
> Regards,
>
> Omar Herrera
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ------------------------------------------------------------------------
-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------