Inside Sourcefire's Vulnerability Research Team

Sourcefire's VRT senior director discusses the type of malware Snort is picking up, as well as recent improvements to ClamAV.

In many IT security shops, administrators rely on open-source tools to keep up with the malware that the bad guys continue to toss their way. One industry favorite is Sourcefire, parent of the Snort IDS tool and ClamAV.

Matt Watchinski, senior director of Sourcefire's vulnerability research team (VRT), gave CSO a behind-the-scenes look at what goes on in the vulnerability research team and how the most recent research paints a concerning picture of evolving malware and the applications that fall into the crosshairs.

CSO: Let's start with a description of what the vulnerability research team (VRT) does.

The Sourcefire VRT is a group of network security experts working around the clock to discover, assess and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities. Some of the most renowned security professionals in the industry, including the ClamAV Team and authors of several standard security reference books, are members of Sourcefire VRT.

The team is supported by the vast resources of the open source Snort and ClamAV communities, making it the largest group dedicated to advances in the network security industry. The VRT develops and maintains the official rule set of Each rule is developed and tested using the same rigorous standards VRT uses for Sourcefire customers. The VRT also maintains shared object rules that are distributed for many platforms in binary format.

Describe the malware and vulnerabilities the team has uncovered in recent months. Anything different about the newest research?

Watchinski: As an open-source vendor, we're bringing in 4 gigs of malicious binary a day. From ClamAV logs alone we see 30,000 pieces of malware a day, 95 percent of which is traditional, the rest exploitable. We continue to see a lot of the big malware families like Zeus and the Rustock botnet.

The bad guys change their stuff pretty quickly on a daily basis. We process 50-60 samples a day that show that. Our challenge is to keep up with our own updates in real time.

ClamAV is something Sourcefire acquired a few years ago. What can you discuss regarding the integration of ClamAV into the wider Sourcefire arsenal?

Watchinski: We recently announced a partnership to deliver a free, Windows-based version of ClamAV that uses Immunet's Cloud-based Collective Immunity technology, linking together a user's network of friends to identify new threats in real-time, providing instant protection across the product's user-base. The beauty of this is that the cloud helps everyone process data quickly. Users don't have to do updates on their box and don't have to worry about uploading signatures. Updates happen in real time.

You mentioned earlier that you're finding 30-40 interesting flaws a day. What can you tell us about them?

Watchinski: An Opera flaw came in last week that looks exploitable with remote code. We're verifying that. We've also seen some targeted .pdf files over the last week or two. It was a multi-staged attack that went to a number of specific people in a couple of organisations, specifically targeting what those people do.

Adobe has taken a lot of heat over vulnerabilities of late. What are you seeing there?

Watchinski: We're constantly looking at Adobe. The main thing we see is a lot of evasive capabilities being worked into attack kits. Malware is made to escape detection. It's made more difficult to analyse. We'll see a lot more of that; more complex shellcode. Adobe is a big target for this stuff. It's tough for companies to determine what shellcode is doing and what kind of data is being stolen.

How large is your team and how is it set up?

Watchinski: VRT has three teams, including the ClamAV team, the Snort team and a department of information that manages all the data coming in from the open source community. A lot of people in the community communicate with us over Twitter. They also use the forums and mailing lists and developer lists. We get back to them and share our findings, usually on a one-on-one basis. They send us stuff, we take it apart to see if it's just a strange network anomaly or a real threat. All told we have 20 employees in VRT.
