MessageLabs: Filtering your email sewage
Published: 30 Nov 2005 13:45 GMT
...email monitoring company use antivirus engines from McAfee and F-Secure, having switched last year from Sophos.
Short-term projects arrive as-and-when for ad hoc fire-fighting. Every day MessageLabs stop 12,000 items that the antivirus engines alone do not catch. Dedicated mailservers are used to filter emails for malware by analysing how much 'chaos' the code contains. Good files, such as legitimate updates, have a different statistical distribution of byte values within the code. If the code contains a large number of distinct values, it is classed as chaotic. "If the code has 64 bytes, and every single byte is different, then the code is likely to be malware," said Shipp. Bad files, for example, often use encryption because they are trying to hide themselves, and so look different from good files.
MessageLabs also compares new code with its signature file databases, which hold between 2GB and 3GB of information. This database is constantly being updated, "so having caught variant A, we're confident of catching B, C, and D," says Shipp.
Initially defining viruses is "processor intensive". MessageLabs take the potentially malicious code and analyse it. Unusual features in an email immediately mark the code down as suspicious. "If the code has IRC, FTP and email — not many legitimate programs have all of those capabilities," says Shipp.
MessageLabs also look for profanity and virus-writer handles. "Virus writers have big egos — they like putting their own names into the code. This never appears in good files," he adds.
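The two heuristics described above (the 'chaos' measure and the capability-string indicators) as an added Python example. This is not MessageLabs' code and does not reproduce its actual rules: the 64-byte window follows Shipp's illustration, but the 0.85 threshold, the indicator strings, the handle markers and the three sample files are constructed assumptions. It reports the highest distinct-byte ratio and Shannon entropy seen in any window, which strings suggest IRC, FTP or email capability, and whether a handle-style marker is present.

```python
import math
from collections import Counter

WINDOW = 64  # window size taken from Shipp's 64-byte illustration

# Constructed indicator lists: illustrative stand-ins, not MessageLabs' real rules.
CAPABILITY_STRINGS = {
    "irc": (b"PRIVMSG ", b"NICK "),
    "ftp": (b"RETR ", b"STOR ", b"PASV"),
    "smtp": (b"MAIL FROM:", b"RCPT TO:"),
}
HANDLE_MARKERS = (b"coded by", b"greetz", b"written by")  # matched case-insensitively


def windows(data, size=WINDOW):
    """Yield non-overlapping windows of `size` bytes; data shorter than one window is one window."""
    if len(data) <= size:
        yield data
        return
    for start in range(0, len(data) - size + 1, size):
        yield data[start:start + size]


def distinct_ratio(chunk):
    """Number of distinct byte values divided by chunk length (1.0 means every byte differs)."""
    return len(set(chunk)) / len(chunk) if chunk else 0.0


def shannon_entropy(chunk):
    """Entropy in bits per byte; a 64-byte window of all-distinct bytes tops out at log2(64) = 6.0."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def chaos_score(data):
    """Highest distinct-value ratio and highest entropy over all windows of `data`."""
    pairs = [(distinct_ratio(w), shannon_entropy(w)) for w in windows(data)]
    return max(r for r, _ in pairs), max(e for _, e in pairs)


def capability_hits(data):
    """Names of the capability groups whose indicator strings occur anywhere in the file."""
    return {name for name, needles in CAPABILITY_STRINGS.items()
            if any(needle in data for needle in needles)}


def has_handle_marker(data):
    """True if a 'coded by'/'greetz'-style marker appears, ignoring case."""
    lowered = data.lower()
    return any(marker in lowered for marker in HANDLE_MARKERS)


def assess(data, chaos_threshold=0.85):
    """Combine the heuristics into one verdict. The 0.85 threshold is an assumption."""
    ratio, entropy = chaos_score(data)
    caps = capability_hits(data)
    handle = has_handle_marker(data)
    chaotic = ratio >= chaos_threshold
    suspicious = chaotic or len(caps) >= 3 or handle
    return {
        "max_distinct_ratio": ratio,
        "max_entropy": entropy,
        "chaotic": chaotic,
        "capabilities": caps,
        "handle_marker": handle,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed samples (not real files).
BENIGN = b"This is a legitimate update notice. Please install the latest version. " * 40
# Toy stand-in for an encrypted payload: an affine byte sequence. Because 37 is invertible
# mod 256, any 64 consecutive positions hold 64 distinct values, matching Shipp's example.
CHAOTIC = bytes((i * 37 + 11) & 0xFF for i in range(2048))
SUSPECT = (CHAOTIC
           + b"NICK bot\r\nPRIVMSG #chan :up\r\nRETR payload\r\nRCPT TO:<victim>\r\n"
           + b"coded by SomeHandle\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("chaotic", CHAOTIC), ("suspect", SUSPECT)):
        print(label, assess(sample))
```

The benign text never exceeds a ratio of about 0.33 because it draws on only 21 distinct byte values, while the affine sequence scores 1.0 and 6.0 bits in every window. A high score on its own is only a lead: legitimate compressed archives, signed installers and TLS-wrapped data are just as 'chaotic', which is why the article pairs this measure with signature databases and the other indicators rather than treating it as a verdict.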
Knowing that their code contains such indicators has led hackers to attempt more subtle social-engineering tactics to propagate malicious code, including sending links in emails. This sidesteps the filtering, as the malicious code is not actually contained in the email. "That's why the bad guys are sending links," said Shipp. One example of these tactics is an email claiming the recipient has been sent an e-card. When the person clicks on the link to the card, they are redirected to a site containing malware, and infected.
MessageLabs work around this by detecting whether the links in an email have been obfuscated to hide the URL or URI of the site the user would be taken to. There is also a link-following system that feeds into a discrete network dedicated to analysing the links.
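The obfuscated-link check described above as an added Python example, not MessageLabs' code. The specific indicators it looks for (a userinfo '@' in the URL so the visible prefix is not the real host, a raw or decimal-integer IP as the host, percent-encoding inside the hostname, and visible anchor text whose host differs from the href's host) and the e-card sample are assumptions; the link-following network the article mentions is not modelled here.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible anchor text that itself reads like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def split_url(url):
    """urlsplit with a default scheme so bare hostnames in anchor text parse too."""
    return urlsplit(url if "://" in url else "http://" + url)


def host_of(url):
    return (split_url(url).hostname or "").lower()


def looks_like_ip(host):
    """Dotted-quad or IPv6 literal, or a bare decimal integer (browsers accept http://3221226219/)."""
    if host.isdigit():
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_flags(href, text):
    """Obfuscation indicators for one anchor; an empty list means nothing suspicious was seen."""
    parts = split_url(href)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.username is not None:          # http://trusted.example@real-host/ trick
        flags.append("userinfo-in-url")
    if "%" in parts.netloc:                 # percent-encoding inside the host part
        flags.append("percent-encoded-host")
    if looks_like_ip(host):
        flags.append("raw-ip-host")
    if text and URL_LIKE.match(text) and host_of(text) != host:
        flags.append("display-host-mismatch")  # shown URL differs from real destination
    return flags


def scan_email(html):
    """Return [(href, text, flags)] for every anchor that raised at least one flag."""
    flagged = []
    for href, text in extract_links(html):
        flags = link_flags(href, text)
        if flags:
            flagged.append((href, text, flags))
    return flagged


# Constructed e-card lure in the style the article describes; hosts are documentation names.
SAMPLE_EMAIL = """<html><body>
<p>You have received an e-card! View it here:</p>
<a href="http://cards.example.net/view?id=42">cards.example.net</a><br>
<a href="http://www.greetings.example@198.51.100.7/card">https://www.greetings.example/card</a><br>
<a href="http://3221226219/open">Open your card</a><br>
<a href="http://%67reetings.example/open">Open your card</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, flags in scan_email(SAMPLE_EMAIL):
        print(href, "->", text, flags)
```

Only the first anchor in the sample passes clean, because its visible text and its href resolve to the same host. In a mail pipeline these flags would route the message to the link-following analysis rather than block it outright: numeric hosts and redirector URLs are common in legitimate newsletters, so the indicators are a triage signal, not a conviction.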
Antivirus knowledge is also increased by MessageLabs sharing virus information with other companies and law enforcement agencies. The company provides virus samples to sharing networks such as AV Gurus. This site maintains and publishes a collection of viruses using PTP encryption, and can only be accessed by legitimate users, according to Shipp.
The threat landscape: A new threat the antivirus team has seen is data-stealing Trojans sent in spam. The email only has to be opened and the Trojan, hidden in a Word document, is activated. These are being repeatedly sent to banks and government agencies in the hope that some information can be stolen.
"High-end criminals" are targeting aerospace companies with just these kinds of Trojans in the hope of gaining valuable information that can...