HP's Virus Throttle Aims to Halt Worms' Spread

By applying the principle of least privilege when assigning rights to applications, the software prevents programs from accessing files they don't need, which in turn stops attackers from manipulating apps.

Hewlett-Packard Co. on Friday announced the release of its long-awaited Virus Throttle software, a small application designed to halt the spread of worms and viruses by limiting the number of outbound connections they can establish.

The company also offered a peek at some research that scientists at HP Labs have done on attack containment on client machines. This solution is not ready for public release, and in fact may never see the light of day, but HP security officials said it's a good indicator of the labs' capabilities.

Virus Throttle has been rattling around at HP for some time, and company officials have been very excited about its potential for limiting the damage done by fast-spreading worms and viruses.

Mass-mailing viruses and network-aware worms propagate themselves through a variety of techniques, all of which share one thing in common: the need to establish multiple outbound connections to other machines.

This behavior often leads to network congestion, and sometimes to the failure of mail servers that become overloaded with requests. When it's installed on a ProLiant server, Virus Throttle monitors the network for large spikes in connection requests and immediately begins to scale down the number of network connections the malware can make, eventually stopping all of its connections completely.
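A simplified sketch of this kind of connection throttle, added here as an illustration and not HP's code. The article gives no implementation details, so the class, the thresholds and the recent-hosts-plus-delay-queue design are assumptions, and the sample traffic is constructed.

```python
from collections import deque

class ConnectionThrottle:
    """Limit how fast one host may contact destinations it has not used recently."""

    def __init__(self, recent_size=4, per_tick=1, block_backlog=20):
        self.recent = deque(maxlen=recent_size)  # destinations contacted lately
        self.pending = deque()                   # delayed requests to new destinations
        self.per_tick = per_tick                 # new destinations released per tick
        self.block_backlog = block_backlog       # backlog that halts the host (assumed)
        self.blocked = False

    def request(self, dest):
        """Return 'allow', 'delay' or 'block' for one outbound connection attempt."""
        if self.blocked:
            return "block"
        if dest in self.recent:
            return "allow"                       # ordinary traffic revisits known hosts
        if dest not in self.pending:
            self.pending.append(dest)
        if len(self.pending) > self.block_backlog:
            self.blocked = True                  # sustained spike: stop every connection
            self.pending.clear()
            return "block"
        return "delay"

    def tick(self):
        """Once per time unit, release at most per_tick delayed connections."""
        released = []
        while self.pending and len(released) < self.per_tick:
            released.append(self.pending.popleft())
            self.recent.append(released[-1])
        return released

def run(traffic):
    """traffic: per-tick lists of destinations. Returns (connections made, tick blocked)."""
    throttle, made, blocked_at = ConnectionThrottle(), 0, None
    for t, dests in enumerate(traffic):
        for dest in dests:
            verdict = throttle.request(dest)
            made += verdict == "allow"
            if verdict == "block" and blocked_at is None:
                blocked_at = t
        made += len(throttle.tick())
    return made, blocked_at

# Constructed sample traffic using documentation address ranges, not real hosts.
NORMAL = [["192.0.2.10", "192.0.2.11"] for _ in range(10)]
WORM = [[f"198.51.100.{t * 8 + i}" for i in range(8)] for t in range(10)]
```

On this constructed traffic the ordinary client is never blocked and completes 19 connections, while the host scanning eight new addresses per tick completes 2 connections out of 80 attempts before being cut off at tick 2.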

The software will be available for ProLiant servers and for the HP BladeSystem architecture.

HP Labs has come up with a piece of experimental software that applies the principle of least privilege when assigning rights to applications. This means that programs are given only the minimum amount of authority they need in order to accomplish their tasks. This prevents programs from accessing files they don't need, which in turn stops attackers from manipulating applications.

"We were looking for ways to contain and cope with attacks," said Joe Pato, distinguished technologist at HP in Palo Alto, Calif. "The core mechanism is restricting user capability. We encapsulate applications to run with the least privilege."

HP Labs has been testing the software on Windows XP machines.


The company is adding a similar technology to the forthcoming release of HP-UX 11iv2. Known as Security Containment, the technology can work with the company's Virtual Server Environment to compartmentalize a PC during an attack, placing applications and files in separate containers.

The applications can continue to run normally, but they can't communicate with each other and are prevented from accessing the kernel.

The goal is to prevent attackers from being able to use compromised applications to manipulate other processes or applications. The new capability will be available next week, HP executives said.
