Inside Sourcefire's Vulnerability Research Team

Sourcefire VRT Senior Director Matt Watchinski discusses the type of malware Snort is picking up these days, as well as recent improvements to ClamAV.

In many IT security shops, administrators rely on open-source tools to keep up with the malware bad guys continue to toss their way. One industry favorite is Sourcefire, parent of the Snort IDS tool and ClamAV.

Matt Watchinski, senior director of Sourcefire's VRT, gave CSO a behind-the-scenes look at what goes on in the vulnerability research team and how the most recent research paints a concerning picture of evolving malware and the applications that fall into the crosshairs.


CSO: Let's start with a description of what the vulnerability research team does.

The Sourcefire VRT is a group of network security experts working around the clock to discover, assess and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities. Some of the most renowned security professionals in the industry, including the ClamAV Team and authors of several standard security reference books, are members of Sourcefire VRT.

The team is supported by the vast resources of the open source Snort and ClamAV communities, making it the largest group dedicated to advances in the network security industry. The VRT develops and maintains the official rule set of Snort.org. Each rule is developed and tested using the same rigorous standards VRT uses for Sourcefire customers. The VRT also maintains shared object rules that are distributed for many platforms in binary format.

Describe the malware and vulnerabilities the team has uncovered in recent months. Anything different about the newest research?

Watchinski: As an open-source vendor, we're bringing in 4 gigs of malicious binary a day. From ClamAV logs alone we see 30,000 pieces of malware a day, 95 percent of which is traditional, the rest exploitable. We continue to see a lot of the big malware families like Zeus and the Rustock botnet.

The bad guys change their stuff pretty quickly on a daily basis. We process 50-60 samples a day that show that. Our challenge is to keep up with our own updates in real time.

ClamAV is something Sourcefire acquired a few years ago. What can you discuss regarding the integration of ClamAV into the wider Sourcefire arsenal?

Watchinski: We recently announced a partnership to deliver a free, Windows-based version of ClamAV that uses Immunet's Cloud-based Collective Immunity technology, linking together a user's network of friends to identify new threats in real-time, providing instant protection across the product's user-base. The beauty of this is that the cloud helps everyone process data quickly. Users don't have to do updates on their box and don't have to worry about uploading signatures. Updates happen in real time.

You mentioned earlier that you're finding 30-40 interesting flaws a day. What can you tell us about them?

Watchinski: An Opera flaw came in last week that looks exploitable with remote code. We're verifying that. We've also seen some targeted .pdf files over the last week or two. It was a multi-staged attack that went to a number of specific people in a couple of organizations, specifically targeting what those people do.

Adobe has taken a lot of heat over vulnerabilities of late. What are you seeing there?

Watchinski: We're constantly looking at Adobe. The main thing we see is a lot of evasive capabilities being worked into attack kits. Malware is made to escape detection. It's made more difficult to analyze. We'll see a lot more of that; more complex shellcode. Adobe is a big target for this stuff. It's tough for companies to determine what shellcode is doing and what kind of data is being stolen.

How large is your team and how is it set up?

Watchinski: VRT has three teams, including the ClamAV team, the Snort team and a department of information that manages all the data coming in from the open source community. A lot of people in the community communicate with us over Twitter. They also use the Snort.org forums and mailing lists and developer lists. We get back to them and share our findings, usually on a one-on-one basis. They send us stuff, we take it apart to see if it's just a strange network anomaly or a real threat. All told we have 20 employees in VRT.
