RealTime IT News

Detecting Malware Without Software?

Web applications come under attack every day from malware that runs on end-user PCs.

A new solution from security vendor Trusteer aims to help protect websites from malware-infected users, without the need for end-users to install additional security software. The Trusteer Pinpoint solution runs on the web application server and can identify whether a client PC that is attempting to connect to an application is infected with malware.

Yaron Dycian, vice president of products for Trusteer, explained to InternetNews.com that Pinpoint has a sensor that is deployed on a website. The sensor detects actions in the behavioral patterns of connected users. He noted that the Pinpoint system can compare the behavior to malware signatures and determine if a connected end-user is infected with malware.

"The key to this is our ability to collect very deep knowledge of malware behavior," Dycian said.

Dycian added that Trusteer has multiple methods of collecting malware information to help enable the Pinpoint service. For Pinpoint, the sensor is looking at information sent by an end-user via their web browser.

"Malware does things, it's not just there, it operates and has very specific behavior that is tailored to attack websites," Dycian said.

Trusteer has another product called Rapport, which is an application for locking down and protecting communication between endpoints and websites. Dycian noted that Rapport collects data from endpoints and sends malware samples to the Trusteer cloud for analysis. That base of information is what gives the Pinpoint service its malware identification capabilities.

The Pinpoint service is specific to browser-based connections to websites.

"If the malware is trying to mess with a website we'll definitely look at it," Dycian said. "The real attacks that are out there are coming through the browser."

Malware behavior can leave traces in the HTTP headers that browsers send to websites, according to Dycian. In his view, HTTP headers are just another fingerprint that can help Pinpoint determine if malware is present.

Pinpoint will not, however, protect websites against vulnerabilities such as Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF). Dycian noted that Trusteer is not in the business of scanning websites for vulnerabilities. Rather, his company is focused on detecting attacks in real time. Other vendors, such as Dasient, focus their business on scanning for website malware.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.