Internet Immunization
xav_jones writes "Nature.com reports on computer experts from Israel who are proposing a different strategy for combating fast-spreading worms and viruses -- one in which the fix can, theoretically, keep up with or stay ahead of the malicious code. They 'propose a system in which a few honeypot computers lie in wait for viruses. These computers run automated software that first identifies the virus, and then sends out its signature across the Internet. This enables a sentinel program on all the other computers in the network to identify the virus and bar it before it can attack them.' The honeypot computers would reside in a secure, dedicated network. For 'roughly 200 million computers ... [with] just 800,000 [(0.004%)] of them acting as honeypots [it] would restrict a viral outbreak to 2,000 machines.'"
All that to combat worms and viruses? If I am correct, most of the worms and viruses infect because of a vulnerability in the software. So what if these sentinels or "guardian angels" themselves have some flaws which these viruses exploit? How about spending some money on training developers to practise safe coding? How about educating average Joe to not click on Britney's image and let him know that she is not going to blow him? How about lobbying to pass laws to force software companies to pass a higher standard? Heck, even children's toys have certain standards that the companies have to adhere to.
Seems like rational ideas are just an illusion nowadays. Don Quixote suddenly seems more reasonable to me than this guy.
Except that no system is perfectly secure.
And once someone finds a hole in this magic system, it will become the most effective means of distributing viruses ever invented.
"The honeypot computers would reside in a secure, dedicated network." Wouldn't that make it just a little difficult for the honeypots to contract a virus? Or is this some new definition of the word "secure" that I'm not familiar with?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
...for the ~1 million honey-pots, their connectivity, and their management?
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
So now, instead of getting spam for viagra, I get spam for v1agra, vi4gra, vyagra, viegra, etc.
Virus writers will just add mutational code to their virus, so each instance of infection will have a unique signature.
I always wondered if the future of human defense against viruses was similar. Use "honeypots" with human-like susceptibility (genetically modified pigs or something). Once their immune systems start figuring out what virus is attacking, take a part of the virus DNA and post the code for the world to see.
Individuals at home would have their DNA sequencers crank out a batch and they'd then inoculate themselves, prepping their immune system for the real virus.
This is all future stuff, of course. It could also be prone to problems, such as someone hacking into the system and posting a DNA sequence that does bad things to people. Shucks, the autism/vaccine scares already show people's fear of such things. Might make for a good story, though.
I maintain mail servers with some honeypot addresses. Incoming mail is not only used to train our own filters, but reported to other services like Razor. The whole thing about getting the signatures to travel faster than the worm is easy if you already know where you're sending the data (the worm either has to do scans or pick destinations at random).
Is the novelty
1. Using this technique for viruses?
2. Using a dedicated honeynet?
I make it 0.4% ...
Ok, I think I figured it out!
If I find out a way to infect the signal the honeypots are sending out, then I can infect even more people, because the people relying on the honeypot machines won't be running anti-virus programs themselves.
Hmm, that would be fun!
...it would be like if the internet had peanut allergies and malicious code kissed it after eating Reeses Cups.
However, I'm willing to give these guys a fair shake. No matter what anyone has to say about their politics, the Israelis definitely know how to do high-tech.
From TFA:
[Fuck Beta]
o0t!
I like the magic part where this incredibly advanced piece of software figures out that the machine has been infected. It's so smart, in fact, it can figure out what viral signature can uniquely identify it.
Ya know, if ya had some code that could reliably identify virii without signatures, wouldn't we all be running *that* on all our desktops?
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
Symantec, at least, already has a network like this in place and it has been in place for several years. I believe other companies do as well.
I think the reason this is interesting (as an idea anyway) is that it would be automated. Nowadays the anti-virus guys check things out, create patches, and deliver patches... so there is a spread of the immunization. Under this scheme, the signature would be automatically sent out to all computers, so people would become immunized very quickly. The cure would spread as fast as the virus, since everything is automated. But there, as far as I'm concerned is the problem. The article says:
The real trick is to make sure that the antiviral signature travels faster through the Internet than the virus itself,
I disagree. Sending signals to all participating computers real fast isn't such a big deal. After all, the virus has to poke around inside an infected computer, looking for data on "who to infect next." This immunization system will have a built-in table of how to efficiently route the cure. So it will be faster (or at least competitive with) the virus spreading speed. (I know, I know... virus-writers will exploit that very routing table...)
In my estimation, the real challenge is to automate the detection. The honeypot must somehow identify what is a virus and what is not (and do it quickly to be at all effective!). Sometimes this will be easy (the honeypot may have a store of thousands of files that it never touches, and if any one of them becomes modified, it must have been a virus trying to replicate itself, etc.)... other times, it may be darn difficult for a machine to tell it has become infected. After all, the whole point of a virus is that it does something unexpected (exploits a bug that was not known to exist). So determining that a virus is operating is hard.
I also see false positives being a major concern. If the honeypot starts issuing signatures for legitimate net traffic, then the system becomes worse than useless. Just my opinion. I'm no expert.
There are a lot of techniques to do automatic identification of viruses, the problem is that they are too expensive for everyday use--your programs run 40x slower or worse. Below is a selection (small and randomly generated) of related work.
Mostly, you need to do extensive monitoring of what your program is doing, and look for out-of-bound writes (e.g. buffer overflows/stack smashing), or do taint analysis (that is, don't execute or make "important" decisions based on data "tainted" from an untrusted source). But this requires performing many analysis operations for every "real" operation, so it isn't feasible to do everywhere.
Just google the titles for electronic copies.
Kreibich, C., and Crowcroft, J. Honeycomb - creating intrusion detection signatures using honeypots. In HotNets (Nov. 2003).
Kim, H., and Karp, B. Autograph: Toward automated, distributed worm signature detection. In USENIX Security Symposium (Aug. 2004).
Zou, C. C., Gao, L., Gong, W., and Towsley, D. Monitoring and early warning for internet worms. In ACM CCS (Oct. 2003).
Wilander, J., and Kamkar, M. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS (Feb. 2003).
Newsome, J., and Song, D. Dynamic taint analysis: Automatic detection and generation of software exploit attacks. In NDSS (Feb. 2005).