In October 2000, MessageLabs, a relatively unknown ASP (application service provider) based in the UK, intercepted more than 30,000 e-mail messages carrying viruses. Why was MessageLabs intercepting these messages? It was saving its customers a lot of aggravation, time, and money by denying these viruses the chance to reach their targets. Filtering out viruses as far away from internal networks as possible on the Internet is a fast-growing trend, and MessageLabs has taken a pioneering role in this area.

How is MessageLabs different?
While most ASP-level scanning is performed using a single antivirus product, MessageLabs has taken the belt-and-suspender approach. It uses three scanners, with a total of five antivirus engines deployed. They are as follows:

  1. Network Associates provides the VirusScan engine, based upon the famed Dr. Solomon’s Olympus technology.
  2. F-Secure provides a three-in-one package:
  • The well-reputed AVP engine from the Moscow-based Kaspersky Lab
  • The equally well-reputed F-Prot engine from Iceland’s Frisk Software
  • F-Secure’s own internally developed Orion engine
  1. VFind, the engine from CyberSoft, rounds out the arsenal of virus detection engines.

MessageLabs uses multiple scanners because it found in its testing that in some circumstances, antivirus scanners fail to detect viruses. One product’s scanner database might be updated on a different frequency than the others, making it quite possible that a scanner will not yet be aware of Virus XYZ.

When testing antivirus scanners, Alex Shipp, antivirus technologist at MessageLabs, said, “Usually it’s the new viruses they miss, so their heuristic detection has let them down. Some antivirus vendors do not have heuristic detection at all, so they will always miss new viruses until someone sends them a sample and they can work on a fix. For instance, some products consistently score 100 percent in Virus Bulletin tests, but this is because the test set used is always several months old. When pitted against the real current in the wild set (what we see happening on the Internet in real time), they miss many viruses.”

Speaking about the strength of the much-touted heuristics, Shipp commented, “We find the F-Secure scanner is good at picking up new macro viruses, whereas the Network Associates scanner is good at picking up variants of existing macro viruses. Most vendors had a lot of trouble with Kak, and some had to make engine changes to be able to catch it. Some still haven’t. (Our number one help desk call from noncustomers is, ‘You say I have Kak but I have checked my disk with Norton, and I haven’t.’) We still get instances of Kak that pass through all scanners except Skeptic.”
Skeptic is a virus detection tool developed internally by MessageLabs to detect new viruses in e-mail. It has specific heuristics for .exe files, VBS, Office macros, HTML script, and Java, as well as heuristics for known security vulnerabilities.
Skeptic has been very successful, trapping a number of viruses before antivirus companies had updated their databases, including W32/ExploreZip, JS/Kak, VBS/Stages, W32/PrettyPark, and VBS/LoveLetter. All of these viruses caused significant damage worldwide, and filtering them out before they reached customers’ networks represents a significant benefit.

Looking for patterns
Skeptic also looks for e-mail traffic patterns in any type of file. For example, if an e-mail was intercepted that was addressed to 20 or more recipients and it contained an Office document with a macro, it would be considered suspicious. If the macro contained code that mass-e-mailed to other addresses, it would be considered very suspicious and blocked until a MessageLabs technician could analyze it. Skeptic can also be configured quickly to counter new threats by searching for e-mails containing certain attachments.

Following the discovery of BubbleBoy, MessageLabs added analysis of HTML-formatted e-mail, searching for virus-like executable scripts buried within HTML e-mail. In addition, the company added heuristics for various other scripting languages, such as VBS and JavaScript. It was this capability that enabled Skeptic to detect and trap the LoveLetter virus more than 10 hours before antivirus companies made their signatures for LoveLetter publicly available.

Process of elimination
Each e-mail that passes through the MessageLabs Virus Control Center is first run past all three of the commercial virus scanners. Where the virus scanners disagree, a virus researcher intervenes to investigate and then identifies the incident as either a false positive or a missed virus. Using three scanners together ensures that a more complete filtering is achieved without an overly negative impact on throughput performance.

MessageLabs also uses various check-summing algorithms, so once it has positively identified one sample as a virus, all subsequent identical samples will also be identified as the same virus. Suspect files are sent to the virus lab, where researchers use a variety of tools to analyze them and determine whether a real virus has been intercepted. Like many other virus labs, MessageLabs has created its own virus analysis tool sets, which include:

  • MacroMan: A program that attempts to replicate infected documents by opening and closing the infected document, performing various common actions, creating new documents, and so on.
  • ExtractVBA: A tool that can extract VBA macro code from a document for further analysis.
  • Splitshs: A tool that analyzes OLE compound documents.

MessageLabs also purchased HMVS, a supplementary tool that can extract macro code from a document, as well as registry comparison tools, hex editors, port monitors, network sniffers, and so on.

One infection per 1,500 e-mails
Based on MessageLabs’ two years of scanning for viruses in more than two million e-mail messages per day, the average figure for virus detection across all e-mail is one virus in every 1,500 e-mails. From this, one can estimate that an average of 66 viruses will pass through an ASP’s network for every 100,000 messages handled.

Analysis has also shown that a greater percentage of viruses come from “free” mail accounts than from general private domains. Further investigation revealed that the average number of viruses contained within popular, free mail accounts soars to one in 500, three times the general rate. With the constant growth in the use of e-mail and the steady rise in the number of virus-carrying messages, the importance of filtering out these infections at the ASP level will increase. During the weeks following the outbreak of LoveLetter, numerous major organizations reported stopping thousands of messages per day at the e-mail gateway level. This puts a strain on their systems, and given the inherent limitations of antivirus products using MAPI-based virus scanning, the chances of an infected message slipping past are high.

Moving the filtering process one level up to the ASP not only reduces the resource load on enterprise e-mail gateways but can also provide better protection, especially if the ASP uses multiple antivirus scanners.
If you’d like to share your opinion, start a discussion below or send the editor an e-mail.