Host Intrusion Prevention: Behavioral Analysis

June 13, 2008

Host Intrusion Prevention Technologies or better known as HIPS have been around for some time in the market. HIPS technologies work on the premise of providing end-point intrusion prevention against anomalous system behavior.

HIPS over the years has been developed for the anti-malware space in order to compliment existing technologies (signature and heuristics) and to improve detection capabilities. This was all part of a strategy to thwart 0-day malware by using a proactive, rather then a reactive approach to virus identification, therefore; this technology is not new to the market.

But, the ways in which the vendor goes about full-filling this model varies depending on the architecture involved. Interestingly enough there have been many misconceptions regarding the quality and effectiveness of HIPS technologies on the market today. In fact the only standard I have seen in terms of architecture has been defined by Gartner analyst Neil MacDonald.

For example rules based technologies work to a certain degree in terms of proactively defending against 0-day malware, however; often at times they require initial training and tuning before they can with confidence block an unknown threat; subsequently this results in high operating costs over-time. This is especially true given the existing complexity of diversified networks.

Most vendors on the market today have included HIPS in their technology portfolios, however; what’s missing in many offerings is behavioral analysis (very different then behavioral blocking or that of policy enforcement and control).

What is Behavioral Analysis and why is it important?

Behavioral analysis works on the premise of intelligently inspecting a running process and terminating it depending on it’s behavior (the closest thing in the computing world would be that of a neural network). In other words it’s looking at a process and it’s behavior in context and deciding if it should terminate or block that process. This is obviously not a static linear process, but a dynamic evolving process. Whereas behavioral blocking focuses on denying specific actions coming from a process relating to illegal behavior.

Similarly we have behaviroal analysis technologies included Panda TruPrevent Technologies:




SQL Injection Attacks: The future of mass hacking campaigns (updated)

June 11, 2008

SQL injection attacks are evolving as the prime mode of transportation for malicious scripts that hackers wish to insert into legitimate web-sites. Typically the web-site is a vehicle for distributing Trojans through scripts crafted to exploit certain vulnerabilities on visiting PCs.


These scripts are often designed to exploit vulnerabilities that the vendor usually has a patch available for; however, if you look at it from a statistical perspective, there will be a certain percentage of users who have not patched their systems against these vulnerabilities. In addition some of these attacks have used 0-day vulnerabilities to spread malware to unsuspecting users as in the case with the recent Adobe Flash vulnerability.


In most cases the Java script code being used to execute the vulnerability is obfuscated and very difficult to perform an analysis on, thus, the real intention behind the script (exploitation of vulnerabilities) can’t be seen by the naked eye. It takes clever decoding techniques to reveal the presence of actual exploit code.


The result is extra time and effort on the part of the anti-virus lab engineer to create an effective vaccination for malware delivered through encoded Java script.


However; the average rate of infection amongst protected networks is anywhere from 70% to 75% according to research conducted by PandaLabs on over 1200 networks across the globe. This obviously raises questions concerning the level and quality of protection companies have running on their PCs.


However; little is known about the true intentions or motivations behind these mass hacking campaigns. From our perspective it’s purely business and with a profit driven approach hackers will do pretty much anything to make a buck.


So exactly how do hackers gain access to web-sites without administrative privileges or by exploiting site specific vulnerabilities? Good question! It’s quite obvious that hackers are doing this through automation as it’s impossible to hack these sites manually. Some recent hacking campaigns have shown numbers in the range of 250,000 to 500,000 sites generically compromised almost overnight.  What is not entirely clear is how they are gaining access to these sites at such a high rate without really customizing the attack on a site-by-site basis. 
One theory is tools that incorporate the Google API framework to automate the tasks of discovering and validating if a site may be vulnerable to a SQL injection attack; a process that normally would require a visual inspection. An example of a query string that could be used is: intitle:”<iframe src=http”. This tool would also have the capability of constructing a specific injection routine to be performed against discovered targets. Certainly there are tools out there capable of conducting automated blind SQL Injection attacks including the discovery of vulnerable targets.