Sophos: Protecting the world from The Pentagon
Published: 28 Nov 2005 16:05 GMT
...connected to the Internet — the perfect hosts for any rogue programs. "Malware can come into the honeypot, but can't get out because of a separate hardware firewall blocking it," says Svajcer.
Honeypots
Typically, honeypots are Windows machines running without XP Service Pack 2 (SP2) or any antivirus software. There is a 50 percent chance of infection within 12 minutes and a 90 percent chance within 40 minutes.
To be able to tackle the large number of files that need to be checked for viruses (more than 2,000 a day), Sophos uses different automated techniques to filter and separate known infected files from known clean files, and from files that are not considered "infectious" (some image and data formats, and corrupt files).
All files that pass through the initial filtering stage are forwarded to the automated analysis filtering system known as Mentor. All incoming files are also passed through a manual system, where a Sophos technician uses various analytic tools to work out how the malware works and how much of a threat it may be. After the malware is identified, and another round of testing and analysis has been done, it is eventually published and Sophos' products are updated to recognise it.
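A simplified version of that initial filtering stage, as an added example (not Sophos code): files are bucketed by known-infected and known-clean hash lists, then by "non-infectious" image magic bytes, then by a minimal corrupt-PE check, and everything else is forwarded for analysis. The hash sets, sample bytes and the PE header check are constructed for illustration.

```python
import hashlib

# Magic-byte prefixes for image formats the article counts as "not infectious".
NON_INFECTIOUS_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _pe_sample(tail: bytes) -> bytes:
    """Constructed minimal DOS/PE header: 'MZ', e_lfanew at offset 60 -> 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + tail

# Constructed samples standing in for the incoming file stream.
SAMPLE_KNOWN_BAD = _pe_sample(b"constructed-known-bad")
SAMPLE_KNOWN_GOOD = _pe_sample(b"constructed-known-good")
SAMPLE_UNKNOWN_PE = _pe_sample(b"constructed-unknown")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_CORRUPT = b"MZ" + b"\x00" * 20          # MZ stub cut off before e_lfanew
# Hypothetical known-infected / known-clean hash sets (stand-ins for a vendor's lists).
KNOWN_INFECTED = {sha256_hex(SAMPLE_KNOWN_BAD)}
KNOWN_CLEAN = {sha256_hex(SAMPLE_KNOWN_GOOD)}

def classify(data: bytes) -> str:
    """Return the triage bucket for one file's bytes."""
    digest = sha256_hex(data)
    if digest in KNOWN_INFECTED:
        return "known-infected"
    if digest in KNOWN_CLEAN:
        return "known-clean"
    if any(data.startswith(magic) for magic in NON_INFECTIOUS_MAGIC):
        return "non-infectious"
    if data.startswith(b"MZ"):
        # A PE needs a 64-byte DOS header and a valid e_lfanew pointing at 'PE\0\0';
        # the article lumps such corrupt files in with the non-infectious ones.
        if len(data) < 64:
            return "corrupt"
        e_lfanew = int.from_bytes(data[60:64], "little")
        if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return "corrupt"
    return "needs-analysis"   # forwarded to automated (Mentor) and manual analysis

def triage(samples: dict) -> dict:
    """Group a batch of {name: bytes} into buckets, as the filtering stage would."""
    buckets = {}
    for name, data in samples.items():
        buckets.setdefault(classify(data), []).append(name)
    return buckets
```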
Report directly
As well as the information gleaned from the honeypot system, many Sophos products, such as PureMessage or MailMonitor, also have the capability to report back to the company directly. Should the customer turn on this capability, Sophos will receive raw data at set intervals. This is then crunched through a reader and organised in a way that can be read and understood.
"As we have large bodies of customers and honey traps all over the world, we can ascertain whether there are differences in the type of threats that are attacking different users. This information is useful when trying to establish trends, and it can also help us report useful information to law enforcement authorities, particularly when you combine trend information with that which might be found inside the virus code — we have even seen viruses with a CV inside them," says Svajcer.
Rootkits
Some malware is more of a threat than others. Top of the Sophos hit-list right now are the installation of rootkits, the proliferation of bots and the ever-present threat of spam.
Rootkits are pieces of software designed to hide other processes or files on a system, so that neither the rootkit nor the malicious code it conceals appears in the process list. The recent furore over...