Razorback project targets malware, zero-day exploits

Sourcefire Inc., best known for its Snort intrusion-prevention technology, Tuesday is unveiling a new open source  project called Razorback that’s designed to spot malware and especially zero-day exploits.

“We want others to test it to see if our idea about this new protection framework is as innovative as we think it is,” says Matt Watchinski, senior director on the Sourcefire vulnerability research team.

Columbia, Md.-based Sourcefire says Razorback is designed with a “defense routing system” that monitors for certain traffic types, such as HTTP, Web or SMTP-based e-mail, in order to forward mirrored data to any means of security analysis system that can be plugged into it.
More from IT World Canada
Security tools supporting Razorback could be either open-source or proprietary.

Razorback monitoring could be integrated directly into security gateways as well as deployed on standalone servers. A typical place to put the main Razorback monitoring component would be directly behind an antivirus filtering point, according to Sourcefire, which also shepherds the open source Clam A/V toolkit. Razorback could also work with security information and event management products.

Razorback “knows the resources in the organization that might have a specific interest in files, such as PDFs, for example,” which could have malicious code embedded in them, Watchinski says. Razorback-monitored PDF files could be sent to a forensics tool that could analyze them for zero-day vulnerabilities or possible exploit code.

Razorback’s “defense-routing system” is not necessarily real-time and it’s not yet designed to directly block suspicious data.
The underlying idea of the open source project is to set up multiple paths to simultaneously transmit any mirrored data of specific security concern onward to designated security points for analysis, output and feedback to Razorback. On a more advanced level, these third-party Razorback-supported tools, after security analysis, could in theory assist Razorback in recommendations to take protective blocking measures or update threat determinations.

Today, Razorback has been developed to work with open source Snort and Clam A/V as well as other open source code, such as Postfix.

Sourcefire has no publicly stated intention as of yet to launch a commercial product based on Razorback. The company does say the defense sector is interested in development of the kind of defense-routing system that Razorback seeks to foster through open source.

Razorback will be licensed by Sourcefire under open source GPLv2 license. In general, Sourcefire expects the code to be available for free to users and vendors — but if Razorback is modified with the intent to sell it as a commercial product, discussion about licensing fees can be expected.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now