


Introduction to Anti-Bot and Anti-Virus

The Need for Anti-Bot

There are two emerging trends in today's threat landscape:

  • A growing cyber crime profit-driven industry that uses different tools to meet its goals. This industry includes cyber criminals, malware operators, tool providers, coders, and affiliate programs. Their "products" can be easily ordered online from numerous sites (for example, do-it-yourself malware kits, spam sending, data theft, and denial of service attacks) and organizations are finding it difficult to fight off these attacks.
  • Ideological and state driven attacks that target people or organizations to promote a political cause or carry out a cyber warfare campaign.

Both of these trends are driven by bot attacks.

A bot is malicious software that can invade your computer. There are many infection methods. These include opening attachments that exploit a vulnerability and accessing a web site that results in a malicious download.

When a bot infects a computer, it:

  • Takes control over the computer and neutralizes its Anti-Virus defenses. Bots are difficult to detect since they hide within your computer and change the way they appear to Anti-Virus software.
  • Connects to a Command and Control (C&C) center for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to execute illegal activities without your knowledge. These activities include:
    • Data theft (personal, financial, intellectual property, organizational)
    • Sending SPAM
    • Attacking resources (Denial of Service Attacks)
    • Bandwidth consumption that affects productivity

In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks known as Advanced Persistent Threats (APTs), in which cyber criminals pinpoint individuals or organizations for attack. A botnet is a collection of compromised computers controlled by the same bot herder.

Check Point's Anti-Bot Software Blade detects and prevents these bot threats.

The Need for Anti-Virus

Viruses are a major threat to network operations and have become increasingly dangerous and sophisticated. Examples include worms, blended threats (which combine malicious code with vulnerability exploitation for infection and dissemination), and trojans.

The Anti-Virus Software Blade scans file transfers, legitimate and malicious alike, to detect and prevent these threats. It also gives pre-infection protection against malware carried in common document types (PDF, Word, Excel, and PowerPoint) and in downloads from the internet.

The Check Point Anti-Bot and Anti-Virus Solution

To challenge today's malware landscape, Check Point's comprehensive threat prevention solution offers a multi-layered, pre- and post-infection defense approach and a consolidated platform that enables enterprise security to deal with modern malware:

  • Anti-Virus - Pre-infection blocking of viruses and malicious file transfers.
  • Anti-Bot - Post-infection bot detection, prevention, and threat visibility.

The Anti-Bot and Anti-Virus Software Blades use a separate policy installation to minimize risk and operational impact. They are integrated with other Software Blades on the same gateway to detect and stop these threats.

The Anti-Bot Software Blade:

  • Identifies bot infected machines in the organization by analyzing network traffic using the multi-layered ThreatSpect engine.
  • Uses the ThreatCloud repository to receive updates and queries it for classification of unidentified IP, URL, and DNS resources.
  • Prevents damage by blocking bot communication to C&C sites, so that the bot can neither receive instructions nor send sensitive information out of the organization.
  • Gives the organization threat visibility using different views and reports that help assess damages and decide on next steps.

The Anti-Virus Software Blade:

  • Identifies malware in the organization using the ThreatSpect engine and ThreatCloud repository:
    • Prevents malware infections from incoming malicious file types (Word, Excel, PowerPoint, PDF, etc.) in real time. Incoming files are classified on the gateway and the result is then sent to the ThreatCloud repository for comparison against known malicious files, with almost no impact on performance.
    • Prevents malware download from the internet by preventing access to sites that are known to be connected to malware. Accessed URLs are checked by the gateway's caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not. If not, the attempt is stopped before any damage can take place.
  • Uses the ThreatCloud repository to receive binary signature updates and query the repository for URL reputation and Anti-Virus classification.
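
As an added example rather than Check Point's own code, the following Python class models the classify-on-gateway, check-cache, then-query-repository sequence described above for incoming files, and makes the behaviour during a repository outage explicit. The `cloud_lookup` function, the malicious hash set, the TTL value and the two sample files are all constructed for this example and stand in for the ThreatCloud data the page describes.

```python
"""Gateway-side file classification with a verdict cache (added example, not Check Point code).

Models the flow described above: a file arriving at the gateway is classified by
a content hash, the gateway's own cache is consulted first, and only unknown
hashes go to a repository lookup. The lookup function, the malicious hash set,
the TTL and the sample files are all constructed for the example.
"""
import hashlib
import time

CACHE_TTL = 3600  # seconds a cached verdict stays valid (constructed value)

# Constructed stand-in for the repository of known malicious file hashes.
_CLOUD_MALICIOUS = {hashlib.sha256(b"%PDF-1.4 constructed malicious sample").hexdigest()}


def cloud_lookup(sha256_hex, available=True):
    """Simulated repository query: 'malicious', 'benign', or None if the service is unreachable."""
    if not available:
        return None
    return "malicious" if sha256_hex in _CLOUD_MALICIOUS else "benign"


class FileClassifier:
    def __init__(self, ttl=CACHE_TTL, fail_closed=True, now=time.time):
        self.cache = {}                 # sha256 hex -> (verdict, expiry timestamp)
        self.ttl = ttl
        self.fail_closed = fail_closed  # what to do when the repository cannot be reached
        self.now = now                  # injectable clock so TTL expiry can be tested
        self.cloud_queries = 0          # round trips actually made (the cache saves the rest)

    def classify(self, data, cloud_available=True):
        """Return (action, source): action is 'allow' or 'block'; source says where the verdict came from."""
        digest = hashlib.sha256(data).hexdigest()
        cached = self.cache.get(digest)
        if cached is not None and cached[1] > self.now():
            verdict, source = cached[0], "cache"
        else:
            self.cloud_queries += 1
            verdict = cloud_lookup(digest, cloud_available)
            if verdict is None:
                # Unreachable repository: an explicit policy decision, never a silent allow.
                # Nothing is cached, so the next attempt re-queries.
                return ("block" if self.fail_closed else "allow"), "cloud unreachable"
            self.cache[digest] = (verdict, self.now() + self.ttl)
            source = "cloud"
        return ("block" if verdict == "malicious" else "allow"), source


# Constructed sample transfers.
MALICIOUS_PDF = b"%PDF-1.4 constructed malicious sample"
BENIGN_DOCX = b"PK\x03\x04 constructed benign docx"

if __name__ == "__main__":
    c = FileClassifier()
    print(c.classify(MALICIOUS_PDF))                        # first sight: repository answers
    print(c.classify(MALICIOUS_PDF))                        # second sight: served from cache
    print(c.classify(BENIGN_DOCX, cloud_available=False))   # unknown hash during an outage: policy decides
```

Two caveats the cache introduces: a "benign" verdict cached just before the repository reclassifies that hash is still honoured until the TTL runs out, which is why the TTL is bounded rather than indefinite; and the outage path must be a deliberate choice, since a cache miss during a repository outage is exactly the moment a silent allow would let an unknown file through.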

Identifying Bot Infected Computers

The Anti-Bot Software Blade uses these procedures to identify bot infected computers:

  • Identify the C&C addresses used by criminals to control bots

    These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.

  • Identify the communication patterns used by each botnet family

    These communication fingerprints are different for each family and can be used to identify a botnet family. Research is done for each botnet family to identify the unique language that it uses. There are thousands of existing different botnet families and new ones are constantly emerging.

  • Identify bot behavior

    Identify actions characteristic of a bot, such as the computer sending spam or taking part in DoS attacks.

Check Point uses the ThreatSpect engine and ThreatCloud repository to find bots based on these procedures.

ThreatSpect Engine and ThreatCloud Repository

The ThreatSpect engine is a unique multi-tiered engine that analyzes network traffic and correlates information across multiple layers to find bots and other malware. It combines information on remote operator hideouts, unique botnet traffic patterns and behavior to identify thousands of different botnet families and outbreak types.

The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.

The Security Gateway gets automatic binary signature and reputation updates from the ThreatCloud repository. It can query the cloud for new, unclassified IP/URL/DNS resources that it finds.

The layers of the ThreatSpect engine:

  • Reputation - Analyzes the reputation of URLs, IP addresses and external domains that computers in the organization access. The engine searches for known or suspicious activity, such as a C&C.
  • Signatures - Detects threats by identifying unique patterns in files or in the network.
  • Suspicious Mail Outbreaks - Detects infected machines in the organization based on analysis of outgoing mail traffic.
  • Behavioral Patterns - Detects unique patterns that indicate the presence of a bot. For example, how a C&C communicates with a bot-infected machine.
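
As an added example, not code from the Check Point product, the following Python sketch re-implements the four layers just listed, which also covers the three identification procedures described above (C&C addresses, per-family communication patterns, bot behavior), over constructed flow records and correlates them per internal host. The `KNOWN_CC` feed, the `ExampleBot` fingerprint, the thresholds, the host addresses and the traffic sample are all assumptions made for this example and stand in for the ThreatCloud data the page describes; the verdict also lists the C&C destinations an infected host contacted, which is the input a blocking rule would need.

```python
"""Multi-layer bot detection over flow records (added example, not Check Point code).

Re-implements, in toy form, the four detection layers described on this page:
reputation, signatures, suspicious mail outbreaks and behavioral patterns, then
correlates the layers per internal host. Every indicator, threshold and flow
record below is constructed for the example.
"""
import re
from collections import Counter, defaultdict

# --- Constructed indicator data standing in for ThreatCloud lookups ----------
KNOWN_CC = {"203.0.113.45", "update-srv.example.net"}   # known C&C IPs / domains
FAMILY_SIGNATURES = {                                    # botnet family -> request-line fingerprint
    "ExampleBot": re.compile(r"^GET /gate\.php\?id=[0-9a-f]{16}&v=\d+ HTTP/1\.[01]"),
}
SMTP_OUTBREAK_THRESHOLD = 20   # distinct mail servers contacted by one host in the window
DOS_THRESHOLD = 500            # connections from one host to one destination in the window


def flow(src, dst, dport, payload=""):
    """One outbound connection record: internal source, destination, port, first request line."""
    return {"src": src, "dst": dst, "dport": dport, "payload": payload}


def reputation_layer(flows):
    """src -> set of known C&C destinations it contacted."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in KNOWN_CC:
            hits[f["src"]].add(f["dst"])
    return hits


def signature_layer(flows):
    """src -> {family: set of destinations} where a request matched a family fingerprint."""
    hits = defaultdict(lambda: defaultdict(set))
    for f in flows:
        for family, rx in FAMILY_SIGNATURES.items():
            if rx.match(f["payload"]):
                hits[f["src"]][family].add(f["dst"])
    return hits


def mail_outbreak_layer(flows):
    """src -> number of distinct SMTP servers, only for hosts over the outbreak threshold."""
    servers = defaultdict(set)
    for f in flows:
        if f["dport"] == 25:
            servers[f["src"]].add(f["dst"])
    return {src: len(s) for src, s in servers.items() if len(s) >= SMTP_OUTBREAK_THRESHOLD}


def behavioral_layer(flows):
    """src -> set of destinations it hit at DoS rate."""
    counts = Counter((f["src"], f["dst"]) for f in flows)
    hits = defaultdict(set)
    for (src, dst), n in counts.items():
        if n >= DOS_THRESHOLD:
            hits[src].add(dst)
    return hits


def classify_hosts(flows):
    """Correlate all layers; return per-host verdict, evidence and C&C destinations to block."""
    rep, sig = reputation_layer(flows), signature_layer(flows)
    mail, beh = mail_outbreak_layer(flows), behavioral_layer(flows)
    verdicts = {}
    for src in sorted({f["src"] for f in flows}):
        evidence, block = [], set(rep.get(src, set()))
        if src in rep:
            evidence.append("reputation")
        for family, dsts in sig.get(src, {}).items():
            evidence.append("signature:" + family)
            block |= dsts   # the matched C&C endpoint is blocked even if the feed lacks it
        if src in mail:
            evidence.append("mail-outbreak:%d servers" % mail[src])
        if src in beh:
            evidence.append("dos:" + ",".join(sorted(beh[src])))
        # One layer alone (e.g. a reputation hit on a shared-hosting IP) can be a false
        # positive; two independent layers agreeing is treated as high confidence.
        confidence = "high" if len(evidence) >= 2 else ("medium" if evidence else "none")
        verdicts[src] = {"infected": bool(evidence), "confidence": confidence,
                         "evidence": evidence, "block": sorted(block)}
    return verdicts


# --- Constructed traffic sample ----------------------------------------------
SAMPLE_FLOWS = (
    [flow("10.0.0.3", "www.example.com", 443, "GET / HTTP/1.1")]                        # clean host
    + [flow("10.0.0.5", "update-srv.example.net", 80,
            "GET /gate.php?id=0123456789abcdef&v=3 HTTP/1.1")]                           # beacon to C&C
    + [flow("10.0.0.7", "mx%d.example.org" % i, 25) for i in range(25)]                  # spam run
    + [flow("10.0.0.9", "198.51.100.10", 80, "GET / HTTP/1.1") for _ in range(600)]      # flood
)

if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_FLOWS).items():
        print(host, verdict)
```

The correlation step is the part worth keeping in mind when reading the layer list: each layer on its own has a known false-positive mode (a reputation feed entry for a shared host, a signature that also matches a benign client, a mail relay that legitimately talks to many servers), so a verdict should carry which layers fired, not just a boolean, and the block list should name the specific C&C destinations rather than cutting the host off wholesale.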

Preventing Bot Damage

After the discovery of bot infected machines, the Anti-Bot Software Blade blocks outbound communication to C&C sites based on the Rule Base. This neutralizes the threat and makes sure that no sensitive information is sent out.

Analyzing Threats

SmartView Tracker and SmartEvent let you easily investigate infections and assess damages.

The infection statistics and logs show detailed information per incident or infected host for a selected time interval (last hour, day, week, or month). They also show, for all hosts scanned in the system, how many are infected and which malware was detected, with percentages.

The malware activity views give you insight as to the originating regions of malware, their corresponding IPs and URLs, and outgoing emails that were scanned.

The Threat Wiki shows extensive malware information. It includes malware type, description, and all available details such as executables run and used protocols.

 
©2013 Check Point Software Technologies Ltd. All rights reserved.