IronPort Web Reputation Technology: Protecting Against URL-Based Threats
Evolving Web-based Threats
An increasingly common characteristic of malware is the presence of a URL that a user must visit to be attacked. Spam, URL-based viruses, phishing attacks and spyware all direct the user to a malicious URL. If these URLs can be accurately analyzed and a reputation associated with them, these attacks can be stopped much more quickly and accurately, and the URL can be avoided however it is disseminated.
IronPort Web Reputation Technology provides dynamic analysis and protection against sophisticated blended threats.
IronPort Web Reputation Tracking—an Innovative Approach
IronPort Web Reputation tracking helps protect against a broad range of URL-based threats. This solution asks a simple but powerful question: "What is the reputation of the URL?" When assessing the trustworthiness of a URL, a great deal can be determined by analyzing data that is hard to forge, such as how long the domain has been registered, what country the Web site is hosted in, whether the domain is owned by a Fortune 500 company, whether the Web server is using a dynamic IP address, and more.
IronPort Web Reputation tracking is enabled by IronPort's common security database—the SenderBase Network, the world's largest email and web traffic monitoring network. SenderBase tracks over 50 distinct parameters that are excellent indicators of a URL's reputation.
IronPort Web Reputation tracking differs from a traditional URL blacklist or whitelist in that it analyzes a broad set of data and produces a highly granular score of -10 to +10, instead of the binary "good" or "bad" categorizations of most malware detection applications. This granular score offers administrators increased flexibility; different security policies can be implemented based on different Web Reputation scoring ranges.
Web Reputation in Use
Web Reputation data increases efficacy and catch rate against every type of URL-based malware. This powerful technology is used in IronPort's C-Series email security appliances.
Spam and URL-based Viruses: Traditional spam solutions evaluate whether an email is spam by asking the basic question of "what", such as "What is the nature of the content of a message?" The difficulty with this approach is that spammers have found a variety of techniques to fool these filters, such as adding blocks of legitimate text (called Bayesian busters) or using numbers in place of letters (L0ve). As a result, the efficacy of first-generation anti-spam filters has decreased. Almost every spam message contains a URL link that lets the reader view the advertising website. Web Reputation adds another dimension to spam analysis by asking "where": where does the URL take me?
Phishing: Phishing site creators can spoof the content of their websites to perfectly replicate legitimate banking and e-commerce sites. Phishing sites cannot, however, spoof the URL on which they are located. IronPort Web Reputation has a detailed and up-to-date score for the vast majority of URLs and can therefore protect users from phishing attacks.
Blended Attacks: In late December 2005 a WMF vulnerability that allowed the execution of potentially malicious code was discovered. To become infected, a user merely had to browse to a site that had a WMF file (usually a picture) embedded in it. No explicit end-user action was required to download the malicious code.
Initially, this vulnerability was exploited by spyware vendors who placed spyware-infected WMF files on URLs that were typos of legitimate popular websites.
Traditional anti-spyware solutions were not quick enough to detect this new spyware and write signatures for it, and anti-spam and anti-virus solutions were not able to recognize that emails sent by infected hosts contained links to sites that exploited WMF vulnerabilities. IronPort Web Reputation technology, however, sees the presence of new URLs on the web and immediately assigns them a Web Reputation score based on factors such as the use of typos of popular domains, a rapid increase in volume, and the presence of downloadable code. And only IronPort Web Reputation technology has the power to block users from accessing these sites, whether they are reached through a typo in a website query or through a link in a spammed email. Finally, the broad Web Reputation scoring range allows administrators to configure security policies to fit their specific security profile.
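A sketch of the scoring idea described above, as an added example that is not IronPort's algorithm or code: it combines several of the signals the page names (domain age, ownership, dynamic IP, typo of a popular domain, volume spike, downloadable code) into a clamped -10 to +10 score and maps score ranges to policy actions. The weights, thresholds, action names and sample domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass

POPULAR = ("mybank.example", "bigshop.example")  # constructed list of popular domains

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typos of popular domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_typo_domain(domain: str) -> bool:
    # Distance 0 is the popular domain itself, so only distance 1 counts as a typo.
    return any(edit_distance(domain, p) == 1 for p in POPULAR)

@dataclass
class UrlSignals:
    domain: str
    domain_age_days: int
    known_owner: bool       # e.g. registered to a well-known company
    dynamic_ip: bool
    volume_growth: float    # today's request volume / trailing average
    serves_executable: bool

def reputation_score(s: UrlSignals) -> float:
    """Sum the assumed weight of every signal that fires, then clamp to -10..+10."""
    weighted = [
        (s.domain_age_days > 365, +4), (s.domain_age_days < 30, -3),
        (s.known_owner, +4), (s.dynamic_ip, -2),
        (is_typo_domain(s.domain), -4), (s.volume_growth > 10, -2),
        (s.serves_executable, -2),
    ]
    return float(max(-10, min(10, sum(w for hit, w in weighted if hit))))

def policy_action(score: float, block_below: float = -6, allow_above: float = 6) -> str:
    """Administrator-tunable ranges instead of a binary good/bad verdict."""
    if score < block_below:
        return "block"
    return "allow" if score > allow_above else "scan"

# Constructed sample inputs.
TYPO = UrlSignals("mybnk.example", 3, False, True, 40.0, True)
ESTABLISHED = UrlSignals("mybank.example", 4000, True, False, 1.0, False)
UNKNOWN = UrlSignals("newshop.example", 100, False, False, 1.2, False)

if __name__ == "__main__":
    for s in (TYPO, ESTABLISHED, UNKNOWN):
        print(s.domain, reputation_score(s), policy_action(reputation_score(s)))
```

Raising or lowering `block_below` and `allow_above` is the policy flexibility the score range gives: a stricter site can scan everything below +8, a looser one can block only below -8.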
Botsite Defense and URL Outbreak Detection: Existing solutions that rely on traditional URL filtering have not been effective because most rely on manual classification techniques. The infected sites hide behind a variety of benign categories (including finance, entertainment and news), thereby rendering traditional classification-based URL filtering ineffective as a defense.
IronPort's URL Outbreak Detection is designed to identify and defend against URLs that have no reputation or signature - typically hosted on a botsite and controlled by a botnet.
The IronPort SenderBase Network has one of the largest email and Web-traffic footprints in the industry, allowing IronPort to detect and block these new URL outbreaks rapidly. Real-time analysis of global Web traffic allows analysts in the IronPort Threat Operations Center to proactively publish reputation scores for such URLs prior to signatures being available from anti-malware vendors. IronPort's security modeling techniques provide dynamic protection against threats that target legitimate websites as well as "always on" detection, which tracks the infrastructure behind malware attacks, then adjusts to rapidly block them.
Exploit Filtering: According to IronPort's Threat Operations Center, which provides real-time monitoring and analysis of Web traffic, exploited websites are responsible for more than 87 percent of all Web-based threats today, with an increasing number of malware writers targeting well-known, trusted websites.
IronPort Exploit Filtering utilizes IronPort's distinctive Web reputation technology to protect users from malware delivered through compromised websites, which may not be identified by traditional URL filtering or signature scanning. Exploit Filtering is available now on the IronPort S-Series™ family of Web security appliances. Exploit Filtering zeroes in on the latest security threat: trusted websites that have been compromised to deliver Trojans or phishing attacks through techniques such as cross-site scripting (XSS) exploits, buffer overflow attacks, SQL injections and invisible iFrame redirects.








