Razorback project targets malware, zero-day exploits

Sourcefire Inc., best known for its Snort intrusion-prevention technology, Tuesday is unveiling a new open source  project called Razorback that’s designed to spot malware and especially zero-day exploits.

“We want others to test it to see if our idea about this new protection framework is as innovative as we think it is,” says Matt Watchinski, senior director on the Sourcefire vulnerability research team.

Columbia, Md.-based Sourcefire says Razorback is designed with a “defense routing system” that monitors for certain traffic types, such as HTTP, Web or SMTP-based e-mail, in order to forward mirrored data to any means of security analysis system that can be plugged into it.
More from IT World Canada
Security tools supporting Razorback could be either open-source or proprietary.

Razorback monitoring could be integrated directly into security gateways as well as deployed on standalone servers. A typical place to put the main Razorback monitoring component would be directly behind an antivirus filtering point, according to Sourcefire, which also shepherds the open source Clam A/V toolkit. Razorback could also work with security information and event management products.

Razorback “knows the resources in the organization that might have a specific interest in files, such as PDFs, for example,” which could have malicious code embedded in them, Watchinski says. Razorback-monitored PDF files could be sent to a forensics tool that could analyze them for zero-day vulnerabilities or possible exploit code.

Razorback’s “defense-routing system” is not necessarily real-time and it’s not yet designed to directly block suspicious data.
The underlying idea of the open source project is to set up multiple paths to simultaneously transmit any mirrored data of specific security concern onward to designated security points for analysis, output and feedback to Razorback. On a more advanced level, these third-party Razorback-supported tools, after security analysis, could in theory assist Razorback in recommendations to take protective blocking measures or update threat determinations.

Today, Razorback has been developed to work with open source Snort and Clam A/V as well as other open source code, such as Postfix.

Sourcefire has no publicly stated intention as of yet to launch a commercial product based on Razorback. The company does say the defense sector is interested in development of the kind of defense-routing system that Razorback seeks to foster through open source.

Razorback will be licensed by Sourcefire under open source GPLv2 license. In general, Sourcefire expects the code to be available for free to users and vendors — but if Razorback is modified with the intent to sell it as a commercial product, discussion about licensing fees can be expected.

Related Download
Next-generation IPS and firewall Sponsor: HP
Next-generation IPS and firewall
Next-generation enterprise firewalls (NGFW) include intrusion prevention system (IPS) technology that enables them to spot and block cyber attacks. But they do not replace IPS solutions—you need both. This HP business white paper shows how NGFW and next-generation IPS (NGIPS) are complementary security solutions that work together to secure your network.
Register Now