Topic: Anti-malware defense uses junk e-mail's sheer volume as a weapon


Amker

 Each escalation of defenses against spam, e-mail-borne malware, and phishing attacks seems only to bring even more of the pernicious stuff to enterprise gateways -- which means that defense mechanisms need to become even more effective. It was just last April that Campbell, Calif.-based Barracuda Networks added Predictive Sender Profiling to better identify spam in its Spam Firewall appliances. On Monday the company announced that it has used that product to create a better malware barrier with the release of its Barracuda Real-Time Protection technology, which is designed to fight malware outbreaks within minutes of their launch.

According to Steve Pao, Barracuda's vice president of product marketing, the new anti-outbreak technology uses sender profiling to determine the likelihood that a malware purveyor sent a code-carrying e-mail message.

"After the carrying message has made it past all of our other defensive layers, and the code has not been identified as a virus, we profile the message, mainly by looking at the diversity of its sources and destinations," he says, "which will immediately tell us if this unknown code is likely to be a virus." He adds that the likelihood of detecting a malware-infected transmission in this way is quite high given the massive volume of spam traffic today.

"We originally implemented the Barracuda Spam Firewall to stop spam, which it has consistently done," says John Gerlach, Park Nicollet Health Services' senior network engineer, "but we have been pleasantly surprised by other benefits of the appliance driven by Barracuda Networks' constant innovation and new features, now including zero-hour virus protection."

He adds that Barracuda's automatic updates free his staff from worry about constantly escalating threats. "We just let the Spam Firewall do its thing," he says. The St. Louis Park, Minn.-based integrated health care service employs 8,100 professionals.

If the new Barracuda system determines that the code in the message is likely to be malware, the message stream can be immediately blocked -- not only at the Barracuda Spam Firewall that detected the message, but at all Barracuda appliances in the network (some 40,000 of them).

The code-carrying message is then sent to the Barracuda Central for further analysis. "The human staff there is very quick at determining if it's really malware," says Pao, "because they have all the analytical tools and 'sandboxes' they need to reverse engineer and actually run the code."

If the code is determined to be malware, the staff creates its signature and sends it to all appliances in the Barracuda network so that they can immediately block any messages containing the bad code as they pass through each appliance's signature layer. "It's not like just one machine picks up on the outbreak," says Pao, "but the first one to send the code in will be the first one to have it analyzed and then they'll all get the results at the same time."

Pao showed reports that demonstrated a complete block of a real malware outbreak in less than four minutes, and a distribution of the malware signature in just over one hour.

Barracuda Real-Time Protection technology is available to all Barracuda Spam Firewall customers without charge if they are subscribing to the company's Energize Update service. New customers will automatically get the latest software. Barracuda Spam Firewalls come in a variety of models, starting at $899.
CW
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html
