Inside Sourcefire's Vulnerability Research Team
Sourcefire VRT Senior Director Matt Watchinski discusses the type of malware Snort is picking up these days, as well as recent improvements to ClamAV.
By Bill Brenner, Senior Editor
May 12, 2010 — CSO
In many IT security shops, administrators rely on open-source tools to keep up with the malware that bad guys continue to toss their way. One industry favorite is Sourcefire, parent of the Snort IDS tool and ClamAV.
Matt Watchinski, senior director of Sourcefire's VRT, gave CSO a behind-the-scenes look at what goes on in the vulnerability research team and how the most recent research paints a concerning picture of evolving malware and the applications that fall into the crosshairs.
CSO: Let's start with a description of what the vulnerability research team does.
Watchinski: The Sourcefire VRT is a group of network security experts working around the clock to discover, assess and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities. Some of the most renowned security professionals in the industry, including the ClamAV Team and authors of several standard security reference books, are members of Sourcefire VRT.
The team is supported by the vast resources of the open source Snort and ClamAV communities, making it the largest group dedicated to advances in the network security industry. The VRT develops and maintains the official rule set of Snort.org. Each rule is developed and tested using the same rigorous standards VRT uses for Sourcefire customers. The VRT also maintains shared object rules that are distributed for many platforms in binary format.
CSO: Describe the malware and vulnerabilities the team has uncovered in recent months. Anything different about the newest research?
Watchinski: As an open-source vendor, we're bringing in 4 gigs of malicious binary a day. From ClamAV logs alone we see 30,000 pieces of malware a day, 95 percent of which is traditional, the rest exploitable. We continue to see a lot of the big malware families like Zeus and the Rustock botnet.
The bad guys change their stuff pretty quickly on a daily basis. We process 50-60 samples a day that show that. Our challenge is to keep up with our own updates in real time.
CSO: ClamAV is something Sourcefire acquired a few years ago. What can you discuss regarding the integration of ClamAV into the wider Sourcefire arsenal?
Watchinski: We recently announced a partnership to deliver a free, Windows-based version of ClamAV that uses Immunet's cloud-based Collective Immunity technology, linking together a user's network of friends to identify new threats in real time, providing instant protection across the product's user base. The beauty of this is that the cloud helps everyone process data quickly. Users don't have to do updates on their box and don't have to worry about uploading signatures. Updates happen in real time.