Targeted Attacks: the future of malware

I’ve been beating this drum for years.
Joris Evers wrote at yesterday about the problem of targeted virus attacks. The headline calls it the future of malware.
One of the interesting things he notes in the article is that targeted attacks are using exploits in commonly used programs. So if the bad guy has a previously unknown zero-day in Microsoft Office, the exploit will get past a virus scanner (there is no signature for it yet) and it will get past primitive file-extension blocks (it looks like an ordinary document).
The number of zero-day attacks isn't limitless (it only seems that way), so they tend to be used against high-value targets.
There was another article this week suggesting it's hard to get the antivirus vendors to even write a signature when one company suffers a targeted attack.
As I see it, the solution is the same as before: limit administrator rights, use HIPS, and use heuristics/sandboxing where possible.
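One way to picture the HIPS layer recommended here is a behavioural rule rather than a signature: a document or mail application should almost never launch a shell, a script interpreter, or an executable sitting in a user-writable folder, regardless of which zero-day got the payload onto the box. The script below is an added illustration, not code from the post or from any HIPS vendor; the pipe-delimited event format, the host names, the sample events and the application lists are all constructed assumptions chosen for the demonstration.

```python
"""Behavioural (HIPS-style) process-chain rule: flag document and mail
applications that spawn other programs. Added illustration; the event
format and every value in SAMPLE_LOG are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Constructed process-creation events: timestamp|host|parent_image|child_image
SAMPLE_LOG = """\
2006-11-14T09:01:12|WS-017|C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE|C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE
2006-11-14T09:01:40|WS-017|C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE|C:\\WINDOWS\\system32\\cmd.exe
2006-11-14T09:01:41|WS-017|C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE|C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\update.exe
2006-11-14T09:05:03|WS-017|C:\\WINDOWS\\explorer.exe|C:\\WINDOWS\\system32\\cmd.exe
2006-11-14T09:07:55|WS-022|C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE|C:\\WINDOWS\\system32\\calc.exe
"""

# Parents that open untrusted content and should rarely start other programs (assumed list).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children a document app may legitimately launch: another Office app, or a browser for a link.
ALLOWED_CHILDREN = DOCUMENT_APPS | {"iexplore.exe"}
# Shells and script hosts: a document app launching one is the classic post-exploit pattern.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments that indicate a user-writable location where a dropped payload would land.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\")


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    parent: str
    child: str


@dataclass
class Alert:
    timestamp: str
    host: str
    parent: str
    child: str
    reason: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'timestamp|host|parent_image|child_image' record."""
    ts, host, parent, child = line.split("|", 3)
    return ProcessEvent(ts.strip(), host.strip(), parent.strip(), child.strip())


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a human-readable reason if the parent/child pair breaks the rule, else None."""
    parent_name = ntpath.basename(ev.parent).lower()   # ntpath handles Windows paths on any OS
    child_name = ntpath.basename(ev.child).lower()
    if parent_name not in DOCUMENT_APPS:
        return None                                    # rule only watches document-handling parents
    if child_name in ALLOWED_CHILDREN:
        return None                                    # Office-to-Office or browser launch is normal
    if child_name in INTERPRETERS:
        return f"{parent_name} launched interpreter {child_name}"
    if any(marker in ev.child.lower() for marker in USER_WRITABLE_MARKERS):
        return f"{parent_name} launched executable from user-writable path {ev.child}"
    return f"{parent_name} launched unexpected child {child_name}"


def detect(log_text: str) -> List[Alert]:
    """Run the rule over a block of event lines and return the alerts in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            alerts.append(Alert(ev.timestamp, ev.host, ev.parent, ev.child, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.host}: {alert.reason}")
```

Note that the rule never looks at the document itself, which is the point: a zero-day in Office changes the file, not the fact that Word has no business starting cmd.exe. The trade-off is the reporting weakness raised in the comments, since an alert like this tells you what the process chain did rather than which exploit was used.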


  1. Hi Roger,
    Did you come to a decision on HIPS? If so who are you leaning towards? I would like to get your input. Thanks

  2. That project has been pushed back to the spring. I may replace the antivirus and personal firewall at the same time and go with McAfee Total Protection Enterprise, if an eval goes well.
    I fear the HIPS project a lot. It's a very visible project, and it seems like I'd be breaking new ground. The impression I get is that most companies haven't gone down this road yet.
    Sorry, I couldn’t help much.

  3. Actually, I have deployed HIPS to >1000 end-user systems. I just wanted to get some feedback on the issues that others are experiencing. Feel free to email me if you have questions about Cisco Security Agent. What is the reason you prefer McAfee over Cisco? Thanks

  4. Keep in mind this is just what I'm feeling now. It's not that I favor McAfee over CSA here. It's more that I've tried CSA, I feel like I know it as well as someone who hasn't deployed it beyond a test group can know it. I haven't tried McAfee yet so I have hope for it.
    That I keep hearing from happy CSA people does tip the scales more towards CSA. I don't seem to know anyone using McAfee HIPS or Total Protection.
    Here’s my list about CSA, off the top of my head. Some of this is true about any HIPS product.
    1. VMS sucks. I understand it's being replaced, but it sounds like for CSA that won't be for a while.
    2. Reporting – with another product, I think I could say attack X occurred. For CSA, I suspect all I could say is the email program tried to launch an EXE which tried to install an application.
    3. Resources (many of our computers only have 512 MB of RAM). I didn't notice a problem in the testing, but Third Brigade was pushing that aspect hard.
    4. All of our users are local admins (yeah, I know, we lost that battle several times now). They may revolt if we lock this down too much. That’s a political concern not a CSA concern.
    5. CSA seems to let bad stuff get on the system, but stop it from executing. It's good, but sounds like a mess to clean up later.
    I guess I do feel a fair amount of fear, uncertainty and doubt about it. I’ve been advocating this to my company for so long that this better work.
    I wish we could start this project now, but I've got some HTTP security to buy and some PKI to deploy. It's going to be a busy year.
