Sophos: Protecting the world from The Pentagon

Behind the security lines: In the second part of a special report looking at IT security research centres, ZDNet UK crosses the moat that protects Sophos’ Oxford-based facility

For Sophos, security starts at home. The imposing high-tech facility outside of Oxford, known as The Pentagon, houses the security specialist's antivirus labs. The building, allegedly bullet-proof, comes complete with its own moat to discourage ram raiders. Wedges placed at the entry and exit of the building's car park also create a temporary but effective road-block when raised.

This kind of robust attention to detail is indicative of a security company that has carved out a niche serving the business market and sees between 1,500 and 1,600 new pieces of malware per month. "The [advantage] in setting up for business users is that with our customers who have 10,000 employees, we speak to only one person in charge of IT rather than having to deal with 10,000 different customers," said Carole Theriault, senior security consultant at Sophos. "That means our response times are faster than our competitors."

The first part of this special report looks at Symantec's labs.

This also means, according to Sophos, that it can divert more resources to the specific needs of its business customers. "We can tailor our AV software to individual customers. We run antivirus software for OS/2, OpenVMS and other, older operating systems. Businesses still run on these because of their initial investment," says Graham Cluley, senior technology consultant at Sophos.

Sophos' main team may seem small compared to its competitors, but the company claims that fewer staff equals flexibility. "There are 30 guys here who are research analysts, with a further 20 guys around the world," says Vanja Svajcer, principal virus researcher.

Around the world
The UK antivirus and anti-spam analysts do shift work, and can outsource queries to other parts of the company and to external consultants. In addition to its own international group of labs and offices, Sophos has a network of partner organisations in 150 countries that can also provide support.


Sophos traps viruses and analyses them in a secure section of The Pentagon. No one is allowed to bring in any piece of equipment that could infect the machines or itself be infected. Wireless may be flexible but it's not secure enough for Sophos — Wi-Fi enabled laptops and Bluetooth phones must be left outside the labs.

Sophos uses a global network of "honeypots" to harvest the latest viruses, Trojans and worms that may pose a threat to its customers. Honeypots are essentially unprotected PCs connected to the Internet — the perfect hosts for any rogue programs. "Malware can come into the honeypot, but can't get out because of a separate hardware firewall blocking it," says Svajcer.

Typically, honeypots are Windows machines running without XP Service Pack 2 (SP2) or any antivirus software. There is a 50 percent chance of infection within 12 minutes and a 90 percent chance within 40 minutes.

To be able to tackle the large number of files that need to be checked for viruses (more than 2,000 a day), Sophos uses different automated techniques to filter and separate known infected files from known clean files, and from files that are not considered "infectious" (some image and data formats, and corrupt files).

All files that pass through the initial filtering stage are forwarded to the automated analysis system known as Mentor. All incoming files are also passed through a manual system where a Sophos technician uses various analytic tools to work out how the malware works and how much of a threat it may be. After the malware is identified and another round of testing and analysis is done, it is eventually published and Sophos' products are updated to recognise it.
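The filtering stage described above can be illustrated with a small triage pass. The following is an added example, not Sophos's own code: it separates files into known-infected and known-clean sets by hash, parks files whose leading bytes mark them as plain image data or as a truncated executable that could never load, and leaves only the residue for further analysis. The category names, the hash-list mechanism, the magic-byte table and the sample files are all my own assumptions for illustration; the samples are constructed bytes, not real malware.

```python
import hashlib
import struct

# Triage categories. Names are my own, not Sophos's; the article only describes
# the outcomes (known infected, known clean, not infectious) and a residue that
# goes on to Mentor and the analysts.
KNOWN_BAD = "known_bad"
KNOWN_CLEAN = "known_clean"
NON_INFECTIOUS = "non_infectious"
NEEDS_ANALYSIS = "needs_analysis"

# Leading bytes of formats that cannot carry executable code by themselves.
# Assumption: a file that really is an image is parked, not analysed.
NON_INFECTIOUS_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_is_corrupt(data: bytes) -> bool:
    """True when a file that starts with the DOS 'MZ' stub cannot be a valid PE.

    A truncated or mangled executable will not load, so it cannot infect
    anything and does not need an analyst's time.
    """
    if len(data) < 0x40:
        return True                       # too short to hold e_lfanew at offset 0x3C
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return True                       # PE header offset points past end of file
    return data[e_lfanew:e_lfanew + 4] != b"PE\0\0"


def triage(data: bytes, known_bad: set, known_clean: set) -> str:
    """Classify one file; only NEEDS_ANALYSIS goes on to automated/manual analysis."""
    digest = sha256(data)
    if digest in known_bad:
        return KNOWN_BAD
    if digest in known_clean:
        return KNOWN_CLEAN
    if data.startswith(NON_INFECTIOUS_MAGIC):
        return NON_INFECTIOUS
    if data.startswith(b"MZ") and pe_is_corrupt(data):
        return NON_INFECTIOUS
    return NEEDS_ANALYSIS


def triage_batch(samples: dict, known_bad: set, known_clean: set) -> dict:
    """Map each sample name to its category."""
    return {name: triage(data, known_bad, known_clean) for name, data in samples.items()}


# --- Constructed sample set: every byte here is made up, nothing is real malware ---
def minimal_pe(e_lfanew: int, with_signature: bool) -> bytes:
    stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return stub + (b"PE\0\0" + b"\0" * 20 if with_signature else b"")


SAMPLES = {
    "unknown.exe": minimal_pe(0x40, True),          # well-formed and unseen: analyse it
    "truncated.exe": minimal_pe(0x1000, False),     # e_lfanew beyond EOF: corrupt
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,  # image data: not infectious
    "seen_bad.bin": b"constructed-bad-sample",
    "seen_good.bin": b"constructed-good-sample",
}
KNOWN_BAD_HASHES = {sha256(SAMPLES["seen_bad.bin"])}
KNOWN_CLEAN_HASHES = {sha256(SAMPLES["seen_good.bin"])}


def queue_for_analysis(samples: dict = SAMPLES) -> list:
    """Names of files that survive filtering and still need Mentor or an analyst."""
    result = triage_batch(samples, KNOWN_BAD_HASHES, KNOWN_CLEAN_HASHES)
    return sorted(name for name, cat in result.items() if cat == NEEDS_ANALYSIS)


if __name__ == "__main__":
    for name, cat in triage_batch(SAMPLES, KNOWN_BAD_HASHES, KNOWN_CLEAN_HASHES).items():
        print(f"{name:15s} -> {cat}")
```

Of the five constructed files only `unknown.exe` reaches the analysis queue; the point of the ordering is that cheap hash lookups run first and the structural checks only on what is left, so the daily volume the article quotes is cut down before any expensive analysis happens.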

Report directly
As well as the information gleaned from the honeypot system, many Sophos products, such as PureMessage or MailMonitor, also have the capability to report back to the company directly. Should the customer turn on this capability, Sophos will receive raw data at set intervals. This is then crunched through a reader and organised in a way that can be read and understood.

"As we have large bodies of customers and honey traps all over the world, we can ascertain whether there are differences in the type of threats that are attacking different users. This information is useful when trying to establish trends, and it can also help us report useful information to law enforcement authorities, particularly when you combine trend information with that which might be found inside the virus code — we have even seen viruses with a CV inside them," says Svajcer.

Some malware is more of a threat than others. Top of the Sophos hit-list right now are the installation of rootkits, the proliferation of bots and the ever-present threat of spam.

Rootkits are pieces of software designed to hide other processes or files on a system, so the rootkit and malicious code doesn't appear on the process list. The recent furore over Sony Digital Rights Management rootkits, designed to cloak anti-piracy software on music CDs, has served to underline what is seen as a growing threat in the security community.

If the computer gets slower over time, or if the space on the hard drive becomes smaller and smaller, a company may suspect a rootkit has been installed on one of its machines. One way of detecting the presence of a rootkit is by observing which ports are being used to transmit data packets, especially if the open ports are associated with a particular vulnerability.

Another solution to the problem is to install a software tool that captures and displays the contents of packets going into and coming out of a PC. By monitoring this flow of data, it's possible to determine whether any illegitimate mail is being sent.
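The two checks described in the last two paragraphs, watching which ports a machine is using and watching whether it is sending mail it has no business sending, can be run as one audit over a connection listing. The following is an added example, not Sophos's tooling: it parses netstat-style rows, flags any listening port outside a workstation's expected baseline, and flags established SMTP connections that bypass the corporate mail relay, which is the traffic pattern of a compromised PC spamming on its own. The baseline ports, the relay address, the row format and the snapshot itself are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy for an ordinary workstation (assumptions, not Sophos's rules):
EXPECTED_LISTENERS = {22, 445}      # the only ports this host is meant to expose
MAIL_RELAY = "10.0.0.25"            # the only host it may hand outbound mail to
SMTP_PORTS = {25, 465, 587}

# Parses netstat/ss-style rows: proto recv-q send-q local remote state
ROW = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.*]+):(?P<rport>[\d*]+)\s+"
    r"(?P<state>\S+)"
)


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Keep only lines that match the connection-table format."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for listeners outside the baseline and
    for mail connections that bypass the relay."""
    findings = []
    for row in parse_rows(text):
        lport = int(row["lport"])
        if row["state"] == "LISTEN" and lport not in EXPECTED_LISTENERS:
            findings.append(("unexpected_listener", f"{row['laddr']}:{lport}"))
        elif row["state"] == "ESTABLISHED" and row["rport"] != "*":
            rport = int(row["rport"])
            if rport in SMTP_PORTS and row["raddr"] != MAIL_RELAY:
                findings.append(("direct_smtp", f"{row['raddr']}:{rport}"))
    return findings


def smtp_peers(text: str) -> Dict[str, int]:
    """Count direct SMTP connections per remote host; a workstation talking to
    many mail servers itself is the pattern the article describes."""
    counts: Dict[str, int] = {}
    for kind, detail in audit(text):
        if kind == "direct_smtp":
            host = detail.rsplit(":", 1)[0]
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed snapshot; addresses come from documentation ranges, not real hosts.
SNAPSHOT = """\
tcp   0   0 0.0.0.0:22        0.0.0.0:*          LISTEN
tcp   0   0 0.0.0.0:445       0.0.0.0:*          LISTEN
tcp   0   0 0.0.0.0:12345     0.0.0.0:*          LISTEN
tcp   0   0 10.0.0.5:49210    10.0.0.25:25       ESTABLISHED
tcp   0   0 10.0.0.5:49211    203.0.113.9:25     ESTABLISHED
tcp   0   0 10.0.0.5:49212    198.51.100.4:25    ESTABLISHED
"""

if __name__ == "__main__":
    for kind, detail in audit(SNAPSHOT):
        print(f"{kind:20s} {detail}")
    print(smtp_peers(SNAPSHOT))
```

On the constructed snapshot the audit reports one listener that is not in the baseline and two mail connections that went straight to outside hosts rather than through the relay; the connection to the relay itself is not reported. A baseline of expected listeners is the part that has to be maintained per host class, which is why such checks are usually run against a recorded known-good snapshot rather than a hand-written set.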

The growing number of botnets — PCs that are effectively hijacked by hackers and used in spam or denial of service attacks — is also a big problem. Users are usually tricked into installing the code, which hands control of their PC to hackers, not by clever software but by what is termed "social engineering".

"We've seen social engineering emails that claim to come from Microsoft tech support, with the same graphics and fonts used, claiming to contain a patch. When the file is opened, it contains an .exe that runs code and copies itself to a systems folder with a name like Mspg.32.exe, which makes it difficult to detect as there are so many legitimate files there with similar names," says Svajcer.

The malicious executable code allows the compromised computer to be controlled remotely. The person or persons controlling the bots usually create a login that only they can use. This increases the saleability of the bot and protects it from being hijacked by any other hacker.

Sharing information
Given the massive amount of malware in circulation, most security companies have a policy of cooperation. Sophos shares information on the latest threats with the likes of F-Secure, McAfee, and Symantec. Newly identified viruses are exchanged using PGP encryption and occasionally even sent on CDs.

Customers also send information — either potentially malicious code, or sometimes code they have found on virus exchange Web sites. Some malicious code is even sent directly from the writers. An example of this is Phage, the first Palm Trojan that was sent to Sophos and other antivirus vendors in September 2000. The virus couldn't spread, but the writer publicised it in an effort to gain notoriety.

Virus writers
Other virus writers send works in progress, in the hope that a warning concerning their code will be put on antivirus vendors' sites. Incomplete malware normally has bugs, and writers hope that any warnings by the security firms could actually help them complete their work.

Not technically malware, spam is still an important part of the work done at The Pentagon. The Sophos spam operations group of 11 people analyses spam trends full-time. The unsolicited mail is taken from spam traps that work on a similar principle to the antivirus honeypots — anything that comes into them is by definition spam.


"Any mail we receive from the honeypots is not legitimate. Anything with a large attachment will also be analysed by the antivirus guys, because more often than not malware is being spammed out," says Paul Baccas, spam research analyst. The honeypots Sophos uses are all ex-legitimate IP addresses that have been reassigned through agreements with ISPs.

Spam blocking
Anti-spam software automatically filters 95 percent of the spam Sophos receives. The remaining 5 percent is automatically channelled through various rules, which look at whether the spam has come from a known spam relay, whether it has a high percentage of HTML and whether there are recognised text strings.

Approximately 0.05 percent of the spam is left after automatic filtering. This is when the analysts step in to determine its characteristics and hopefully come up with a way of blocking it. One characteristic Sophos looks for is paragraph prints. Each spam has a certain distribution of paragraph breaks that characterises that particular spam and enables Sophos to recognise it and write a rule to block it. Rules are updated all the time and gradually get a lower score depending on their prevalence.
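The rule-scoring stage and the paragraph-print idea from the last two paragraphs can be put together in a small scorer. The following is an added example, not Sophos's anti-spam engine: each rule (known relay, high proportion of HTML, recognised text strings, paragraph print) contributes a weight, and a message is blocked when the total crosses a threshold. The paragraph print here is simply the number of non-blank lines in each blank-line-separated paragraph, so two mailings from the same template match even when the wording changes. The relay list, strings, known prints, weights, threshold and the three messages are all constructed assumptions; the weight decay the article mentions is not modelled.

```python
import re
from typing import Callable, Dict, List, Tuple

HTML_TAG = re.compile(r"<[^>]+>")

# Constructed reference data; real lists are maintained by the anti-spam team.
KNOWN_RELAYS = {"198.51.100.23"}
RECOGNISED_STRINGS = ("act now", "click here to unsubscribe")
KNOWN_PRINTS = {(1, 3, 1): "constructed-offer-template"}

Message = Dict[str, str]   # keys: "relay" (sending IP) and "body"


def html_ratio(body: str) -> float:
    """Fraction of the body taken up by HTML tags."""
    if not body:
        return 0.0
    return sum(len(t) for t in HTML_TAG.findall(body)) / len(body)


def paragraph_print(body: str) -> Tuple[int, ...]:
    """Non-blank line count of each paragraph (paragraphs are split by blank lines)."""
    paragraphs = re.split(r"\n\s*\n", body.strip())
    return tuple(sum(1 for ln in p.splitlines() if ln.strip()) for p in paragraphs)


# (name, weight, predicate). Weights are assumptions chosen for illustration.
RULES: List[Tuple[str, float, Callable[[Message], bool]]] = [
    ("known_relay",     3.0, lambda m: m["relay"] in KNOWN_RELAYS),
    ("mostly_html",     1.5, lambda m: html_ratio(m["body"]) > 0.3),
    ("known_string",    2.0, lambda m: any(s in m["body"].lower() for s in RECOGNISED_STRINGS)),
    ("paragraph_print", 4.0, lambda m: paragraph_print(m["body"]) in KNOWN_PRINTS),
]


def score_message(msg: Message) -> Tuple[float, List[str]]:
    """Total score and the names of the rules that fired, in rule order."""
    fired = [name for name, _, pred in RULES if pred(msg)]
    total = sum(w for name, w, _ in RULES if name in fired)
    return total, fired


def is_spam(msg: Message, threshold: float = 5.0) -> bool:
    return score_message(msg)[0] >= threshold


# Constructed messages: no real senders, addresses or content.
SPAM: Message = {
    "relay": "198.51.100.23",
    "body": "Dear friend,\n\nAmazing offer\nAct now\nLimited time\n\nClick here to unsubscribe\n",
}
HAM: Message = {
    "relay": "10.0.0.25",
    "body": "Hi Bob,\n\nCan we move the meeting to three?\n\nThanks,\nAlice\n",
}
HTML_ONLY: Message = {
    "relay": "192.0.2.7",
    "body": "<html><body><b>Buy</b></body></html>",
}

if __name__ == "__main__":
    for label, m in (("spam", SPAM), ("ham", HAM), ("html", HTML_ONLY)):
        print(label, paragraph_print(m["body"]), score_message(m))
```

The constructed spam message fires three rules and scores 9.0; the plain ham message fires none; the HTML-only message fires just the HTML rule and stays under the threshold, which is the reason a single weak signal such as formatting is scored rather than blocked outright. The paragraph print is deliberately coarse so that an analyst can write one rule for a whole mailing rather than one per variant.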