Norman, the Norwegian data security company, has launched a new set of analytical tools that enable large organisations to identify and analyse unknown malware, including the custom-built programs that are increasingly being used in targeted attacks on companies’ information assets.
The three new products (SandBox Reporter, SandBox Analyzer and SandBox Analyzer Pro) sharply reduce the time and resources that organisations need to analyse suspicious files. They enable CIOs, information security and forensics professionals to automate the contained detection, identification, categorisation and analysis of zero-day malware, encrypted attacks, mutated variants and highly targeted attacks, based on the behaviour of the suspicious file rather than on a known signature.
Norman developed the range in response to demand from large organisations and computer forensics professionals for tools to analyse the rising number of malicious code samples that are unknown to, or unrecognised by, signature-based antivirus products, despite the near universal deployment of those products by large organisations.
The engine of the new products is Norman’s SandBox simulation technology. SandBox lets security and IT professionals run their own controlled analysis of suspicious files in a simulated computer and network environment, observing how the file would behave “in the wild” without exposing a real system. The tools identify behaviours typical of Trojans, keyloggers and viruses and let the analyst examine that behaviour in depth. This frees security personnel from dependence on signature-based scanning, which can only detect threats for which a signature has already been written (in practice, the high-volume, large-scale ones), and reduces the need to send potentially sensitive files to third parties for examination.
Because they identify novel threats by their behaviour, the SandBox tools help users safeguard their networks against new or low-volume attacks that are normally lost in the background “noise” seen by antivirus companies. Most antivirus products focus on the most prevalent attacks, those that affect the masses, rather than on the under-the-radar threats aimed at high-value corporate data.
The three products – Norman Sandbox Reporter, Norman Sandbox Analyzer and Norman Sandbox Analyzer Pro – deliver automated reporting and analysis to suit the user’s requirements and resources:
Norman Sandbox Reporter
Norman Sandbox Reporter summarises the URLs accessed by analysed malware, including sites hosting suspicious code, IRC servers used to control botnets and the channels on which bots report in, together with a summary of the latest files analysed and identified as suspicious by SandBox technology. Administrators can use these indicators to block the offending hosts and URLs.
Norman Sandbox Analyzer
Norman Sandbox Analyzer provides a full analysis of single files or batches of files without user intervention. Users can generate their own SandBox summaries and API log views, and extract the files that a sample writes to the Sandbox’s simulated hard drive.
Norman Sandbox Analyzer Pro
Norman Sandbox Analyzer Pro delivers full analysis of malicious code together with advanced features including disassembly, register data, memory dumps, command input and API log views of the file’s activity. The API log records the sample’s behaviour in detail: attempts to modify files on the computer, network services accessed, threads created and windows created or queried.
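The two ideas above, tagging a sample by the behaviours visible in its API log (file drops, Run-key persistence, keyboard hooks, IRC traffic) and collecting the hosts and URLs it contacts into a blocklist, can be shown end to end on a small log. The following is an added example, not Norman’s code and not the SandBox log format: the one-call-per-line “ApiName key=value” format, the sample log and the tag names are all constructed for illustration.

```python
"""Behaviour-based triage of a sandbox API log.

Added example, not Norman's code. The log format is a constructed stand-in:
one API call per line, "<ApiName> key=value ...", values optionally quoted.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a Trojan that copies itself into the system directory,
# installs a Run key, hooks the keyboard and phones home over IRC.
SAMPLE_LOG = r"""
CreateFileW path=C:\WINDOWS\system32\svchst.exe access=GENERIC_WRITE
RegSetValueExA key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run name=svchst
SetWindowsHookExA idHook=WH_KEYBOARD_LL
CreateThread
FindWindowA class=Shell_TrayWnd
connect host=irc.example.invalid port=6667
send data="NICK bot1337"
send data="JOIN #report"
InternetOpenUrlA url=http://update.example.invalid/payload.bin
CreateFileW path=C:\Documents\report.txt access=GENERIC_READ
""".strip().splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # common IRC ports
IRC_VERBS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ")


def parse_line(line):
    """Split '<api> k=v k="v with spaces"' into (api, {k: v})."""
    parts = line.strip().split(None, 1)
    api, args = parts[0], {}
    if len(parts) > 1:
        for key, val in KV_RE.findall(parts[1]):
            args[key] = val.strip('"')
    return api, args


def summarize(log_lines):
    """Tag behaviours and collect network indicators an admin could block."""
    evidence = defaultdict(list)   # tag -> log lines that triggered it
    hosts, urls = set(), set()
    for raw in log_lines:
        if not raw.strip():
            continue
        api, a = parse_line(raw)
        if api.startswith("RegSetValue") and any(k in a.get("key", "").lower() for k in RUN_KEYS):
            evidence["run_key_persistence"].append(raw)
        elif (api.startswith("CreateFile") and "WRITE" in a.get("access", "")
              and a.get("path", "").lower().startswith(SYSTEM_DIRS)):
            evidence["drops_in_system_dir"].append(raw)
        elif api.startswith("SetWindowsHookEx") and a.get("idHook") in KEYBOARD_HOOKS:
            evidence["keyboard_hook"].append(raw)
        elif api == "connect" and "host" in a:
            hosts.add(a["host"])
            if a.get("port", "").isdigit() and int(a["port"]) in IRC_PORTS:
                evidence["irc_c2"].append(raw)
        elif api == "send" and a.get("data", "").startswith(IRC_VERBS):
            evidence["irc_c2"].append(raw)
        elif api.startswith(("InternetOpenUrl", "URLDownloadToFile")) and "url" in a:
            urls.add(a["url"])
            host = urlparse(a["url"]).hostname
            if host:
                hosts.add(host)
    return {
        "tags": sorted(evidence),
        "evidence": dict(evidence),
        "block_hosts": sorted(hosts),
        "block_urls": sorted(urls),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for tag in report["tags"]:
        print(f"[{tag}]")
        for line in report["evidence"][tag]:
            print("   ", line)
    print("block hosts:", ", ".join(report["block_hosts"]))
    print("block URLs: ", ", ".join(report["block_urls"]))
```

The benign read of report.txt at the end of the sample produces no tag, which is the point of behavioural triage: what matters is what the file does (writes into the system directory, sets a Run key, hooks the keyboard, speaks IRC), not whether its bytes match a known signature. Each tag keeps the log lines that triggered it so an analyst can verify the verdict rather than trust a label.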
Trygve Aasland, Norman Data Defense Systems’ chief executive officer, said: “The corporate information security market is seeing a shift away from mass attacks towards numerous individual, sophisticated attacks, often mounted by criminal gangs, that as a result pass ‘under the radar’ of heuristic and signature-based technologies. Our new SandBox tools will help organizations take action against specific attacks by allowing the nature of the threat launched against them to be understood.”
“In particular, users urgently require analytical technologies which detect and categorize sophisticated targeted attacks, based on new forms of malicious code which are only detectable by their abnormal behavior. Used alongside other techniques in a multi-level security hierarchy, SandBox tools empower organizations to defend against targeted attacks and organized online criminal activity.”
The threat of malware
APACS, the UK’s financial clearing association, has recently stated: “APACS has noted a rise in reports of targeted malware attacks on financial and other organisations in 2006.
The criminal use of malware such as Trojans to capture sensitive information became apparent in mid 2004. Since then the number, variety and sophistication of attacks has increased. The industry has worked to educate end users about such risks, making it harder for this type of attack to succeed.
Recent evidence shows that the organised crime syndicates behind many attacks are increasingly using custom-written malware which targets the customers of particular organisations.
Our members and the information security industry are cooperating closely to ensure that these threats are understood, rapidly identified and neutralised.” Source: Sandra Quinn, Director of Corporate Communications, APACS.
The UK Department of Trade and Industry (DTI) Information Security Breaches Survey 2006 Technical Report states that 98% of UK businesses surveyed have antivirus software. Norman’s Sandbox Information Centre (its online reporting centre) receives between 2,000 and 3,000 new unknown malware or suspicious files every day.
Over a 14 day period in October 2006 Norman released over 20,000 signature files.
In the past 18 months Norman has needed to release more signature files than in the whole of the previous 15 years.
Norman’s SandBox technology can be used to observe a suspicious file’s behaviour as it would occur “in the wild”. As an example, SandBox can automatically run an emulation 100,000 times to detect “sleeper” files that remain dormant for a period before acting.
Norman ASA (norman.com) is one of the leading companies in the field of data security, developing and selling antivirus, personal firewall, parental control, anti-spam and anti-spyware products. Through its SandBox technology, Norman leads the way in proactive antivirus solutions.