If everyone is thinking the same, someone isn't thinking

Lori MacVittie


F5 Friday: Is Your Infosec Motto ‘Compone Accomoda Supera’?

That’s “Improvise. Adapt. Overcome.” and it should be if it isn’t. The right tools can help you live up to that motto. 


If you Google “Zeus Trojan” you’ll find a wealth of information. Unfortunately, all that wealth appears to be draining into the bank accounts of miscreants leveraging the tenacious trojan to steal funds from organizations. Despite attempts by just about everyone in infosec to detect and prevent this nasty piece of software from infecting machines around the world, it continues to mutate and wreak havoc across the globe.

It’s not just Zeus that’s a problem, though it is certainly gaining notoriety and will likely be remembered as one of the more vile trojans of the decade. It, like many other attacks, succeeds because it continues to evolve – to evade detection by getting smarter and more adept at acting like real users and thus confusing the heck out of infrastructure and solutions designed to stop it.

The Georgia Tech Information Security Center (GTISC) last week released its Emerging Cyber Threats Report, which offers insight into the malicious tactics it expects to be prevalent in 2011. The report, based on GTISC research and collaboration with security industry experts, covers the increasing sophistication of botnets, mobile attacks and related cybersecurity issues.

Mustaque Ahamad, director of the GTISC, said botnet creators are succeeding in covering up botnet attacks by causing distractions to mask primary attacks. Typical botnet detection efforts focus more on larger scale attacks, creating a cover of sorts for smaller, more targeted malicious attacks, which makes them more difficult to track.

(Source: “Attackers getting creative, thwarting botnet detection, research finds”)

Before you throw up your hands in despair, there is hope. Creators of these viruses and botnets aren’t perfect and neither are their digital minions.


What makes Zeus in particular so difficult to detect is that it makes completely valid requests. These requests are no different from those a user would make: there are no anomalies at the network or application protocol layers, and the data does not appear odd or incorrect in any way. Because the requests are valid, almost every intermediate piece of infrastructure sees them but lets them pass, undetected, to the applications they target.

The good news is that this is only technical correctness. The requests are not logically correct: the path they trace through the application does not match how a real user actually moves through it. Web applications are, for the most part, comprised of steps that make up a business process. Order entry, for example, requires that items be selected first; the user is then guided through a series of steps that gathers the information necessary to “checkout” or “submit” that data. Users do not, for the most part, remember the URIs that represent those steps in the process. They navigate to them using buttons or navigation aids contained in the page, and so they follow a specific application flow that closely models the business process.

Trojans like Zeus, however, are not users and are not aware of that process. Requests generated by such trojans do not necessarily follow it; plotted on a flow diagram, they fall outside the normal patterns of access by a real user. They are, in effect, using an attack vector known as “forceful browsing,” and forceful browsing can be detected and even prevented if you take the time to leverage the tools at your disposal.


This is the demesne of the web application firewall, where application awareness is a critical component to successfully detecting and preventing requests from botnets like Zeus from completing. An intermediate web application firewall like BIG-IP Application Security Manager (ASM) can track the flow of requests through an application, enforce certain navigational paths, and stop forceful browsing-based attacks like those Zeus relies on.

Some of these paths are obvious: you can’t get to /checkout.do before you’ve visited /login.do. Some may be more subtle, and require capturing real user sessions as those users legitimately navigate the application in order to discern how customers and users actually move through it. Application developers may already have such application flow charts, since they will have worked with business stakeholders to understand how to build the application in the first place. This may give rise to the idea of having developers put such controls in place in the code. Hard-coded controls will indeed aid in preventing forceful browsing, but they result in more rigid applications that are harder to integrate, upgrade, or modify in the future and cost more in the long term to maintain. Leveraging an external enforcement solution at a strategic point of control within the data center architecture affords the organization agility and the ability to respond quickly to other attacks or to changes in the behavior of existing trojans and botnets.

A web application firewall like BIG-IP ASM provides an externalized, agile means by which such security policies can be implemented and rapidly adjusted to meet the challenge of new or modified attack vectors without incurring risk while developers modify and/or update application code.
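As an added illustration (this is not code from the original post, and it is not BIG-IP ASM’s policy language), here is the session-flow check described above written as a small per-session state machine in Python and run over constructed web access-log lines. The URIs, the trailing “sid=” session field in the log format, and the log lines themselves are all invented for the example. Three things it makes concrete: a blocked request must not count as “visited” or the bot could simply ask for /checkout.do and then proceed; a bot that has learned the legitimate sequence (session b2) passes the check, which is the limitation the post goes on to note; and a real user who bookmarks a deep link (session u2) trips the policy, which is why the subtler paths need to be learned from captured sessions rather than guessed.

```python
import re
from collections import defaultdict

# Application flow policy: for each enforced page, the pages a real user can
# reach next through the application's own navigation. "START" stands for a
# fresh session. All URIs are invented for this example.
FLOW_POLICY = {
    "START":        {"/login.do"},
    "/login.do":    {"/catalog.do"},
    "/catalog.do":  {"/catalog.do", "/cart.do"},      # browsing may loop
    "/cart.do":     {"/catalog.do", "/checkout.do"},
    "/checkout.do": {"/confirm.do"},
    "/confirm.do":  {"/catalog.do"},
}
# Only pages that are steps in the business process are enforced; static
# assets and unlisted pages neither advance the flow nor violate it.
ENFORCED_PAGES = set(FLOW_POLICY) - {"START"}

# Combined log format with a session-id field appended (constructed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ sid=(?P<sid>\w+)$'
)

# Constructed sample log: u1 is a real user, b1 a bot that jumps straight to
# checkout, b2 a bot that replays the legitimate sequence, u2 a user who
# bookmarked the cart page.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2010:10:01:02 +0000] "GET /login.do HTTP/1.1" 200 1532 sid=u1
203.0.113.7 - - [12/Oct/2010:10:01:03 +0000] "GET /static/app.js HTTP/1.1" 200 9120 sid=u1
203.0.113.7 - - [12/Oct/2010:10:01:09 +0000] "GET /catalog.do HTTP/1.1" 200 4410 sid=u1
198.51.100.4 - - [12/Oct/2010:10:01:10 +0000] "GET /login.do HTTP/1.1" 200 1532 sid=b1
198.51.100.4 - - [12/Oct/2010:10:01:10 +0000] "POST /checkout.do HTTP/1.1" 200 2210 sid=b1
203.0.113.7 - - [12/Oct/2010:10:01:31 +0000] "GET /cart.do?item=42 HTTP/1.1" 200 870 sid=u1
203.0.113.7 - - [12/Oct/2010:10:01:48 +0000] "POST /checkout.do HTTP/1.1" 200 2210 sid=u1
198.51.100.4 - - [12/Oct/2010:10:01:49 +0000] "POST /confirm.do HTTP/1.1" 200 640 sid=b1
203.0.113.7 - - [12/Oct/2010:10:02:05 +0000] "GET /confirm.do HTTP/1.1" 200 640 sid=u1
198.51.100.5 - - [12/Oct/2010:10:02:10 +0000] "GET /login.do HTTP/1.1" 200 1532 sid=b2
198.51.100.5 - - [12/Oct/2010:10:02:10 +0000] "GET /catalog.do HTTP/1.1" 200 4410 sid=b2
198.51.100.5 - - [12/Oct/2010:10:02:11 +0000] "GET /cart.do?item=42 HTTP/1.1" 200 870 sid=b2
198.51.100.5 - - [12/Oct/2010:10:02:11 +0000] "POST /checkout.do HTTP/1.1" 200 2210 sid=b2
203.0.113.9 - - [12/Oct/2010:10:03:00 +0000] "GET /cart.do?item=7 HTTP/1.1" 200 870 sid=u2
"""


def parse_log_line(line):
    """Parse one access-log line into a dict. The query string is dropped so
    the policy keys on the resource, not on its parameters."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["uri"] = rec["uri"].split("?", 1)[0]
    return rec


def check_flow(entries, policy=FLOW_POLICY, enforced=ENFORCED_PAGES):
    """Walk requests in log order, remembering the last accepted enforced page
    per session. Return (sid, previous_page, requested_uri) for every request
    that does not follow an allowed transition, i.e. forceful browsing.

    A violating request is deliberately NOT recorded as visited: if it were,
    a bot could "reach" /checkout.do simply by asking for it once.
    """
    last_page = defaultdict(lambda: "START")
    violations = []
    for rec in entries:
        uri, sid = rec["uri"], rec["sid"]
        if uri not in enforced:
            continue
        prev = last_page[sid]
        if uri not in policy[prev]:
            violations.append((sid, prev, uri))
            continue
        last_page[sid] = uri
    return violations


def analyze_log(lines):
    """Parse raw lines, then evaluate them against the flow policy."""
    return check_flow(parse_log_line(l) for l in lines if l.strip())


if __name__ == "__main__":
    for sid, prev, uri in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"session {sid}: {uri} requested directly after {prev}")
```

In a real deployment the policy would be learned from captured sessions and enforced inline rather than evaluated after the fact on logs, and the session would have to be keyed on something the trojan cannot cheaply vary (a server-issued cookie bound to the authenticated user), but the state-keeping logic is the same.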


It should be noted that neither the implementation of application flow control policies in an intermediary nor in the application itself is a complete solution to the problem of trojans like Zeus. Miscreants are forever modifying, updating, and learning how to circumvent security measures designed to stop their evil plans, and thus information security professionals must remain ever vigilant in their efforts to prevent the successful exploitation of corporate resources by such malware.

The use of a web application firewall is a more agile, cost-effective solution precisely because of the rapid rate of change occurring in the malware “industry”, as it were. Web application firewall policies can be modified nearly on demand to address newly discovered techniques and behaviors leveraged by miscreants. In-application solutions, however, require constant coding, testing, and redeployment to keep pace with the rapid evolution of malware. While they can certainly be as effective in practice as a web application firewall, they are not as agile a solution, and each change can inadvertently introduce errors or new vulnerabilities that can be exploited.


More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.