Slashdot Mirror


Researchers Use Machines To Analyze Malware

Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."
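To make the pipeline in the summary concrete, here is a small Python example. It is an added illustration, not code from the Register article, the Microsoft paper, or Slashdot. It models each sample as the list of OS-level events it produced, turns that list into an event-frequency vector, clusters the training vectors, labels each cluster by majority vote, and classifies unseen samples by nearest centroid. Plain k-means with farthest-first seeding stands in for the paper's adaptive clustering engine (an assumption; the self-organising-map details are not on the page), and the three families, their event profiles and the event vocabulary are constructed so the whole thing runs offline. The accuracy-versus-trace-length figures it prints describe this toy data only, not the paper's 80 and 90 per cent results.

```python
"""Behaviour-based malware classification on constructed event traces.

Added example, not code from the Register article or the Microsoft paper.
A sample is represented, as the article describes, by the sequence of
OS-level events it produced (file copies, registry writes, network
connections). The paper's adaptive clustering engine is replaced here by
plain k-means (an assumption/simplification); clusters are labelled by
majority vote and unseen samples are classified by nearest centroid.
"""
import math
import random
from collections import Counter

EVENTS = ["file_copy", "file_write", "file_delete", "reg_set_run",
          "reg_query", "proc_create", "net_connect", "net_send"]

# Constructed per-family event probabilities (each row sums to 1 over EVENTS).
FAMILY_PROFILES = {
    "dropper":  [0.30, 0.10, 0.10, 0.20, 0.05, 0.15, 0.05, 0.05],
    "bot":      [0.05, 0.10, 0.05, 0.10, 0.10, 0.10, 0.25, 0.25],
    "infector": [0.15, 0.35, 0.05, 0.05, 0.15, 0.10, 0.10, 0.05],
}


def make_trace(rng, family, n_events):
    """Simulate the event log a sandbox would record for one sample."""
    return rng.choices(EVENTS, weights=FAMILY_PROFILES[family], k=n_events)


def event_histogram(trace):
    """Feature vector: fraction of the trace taken up by each event type."""
    counts = Counter(trace)
    total = len(trace)
    return [counts[e] / total for e in EVENTS]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, iterations=50):
    """Lloyd's k-means seeded farthest-first, so the result is deterministic."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(distance(v, c) for c in centroids))
        centroids.append(far)
    for _ in range(iterations):
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[min(range(k), key=lambda i: distance(v, centroids[i]))].append(v)
        # Empty clusters keep their old centroid instead of dividing by zero.
        new = [[sum(col) / len(g) for col in zip(*g)] if g else c
               for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return centroids


def nearest(centroids, v):
    return min(range(len(centroids)), key=lambda i: distance(v, centroids[i]))


def train(samples, k):
    """samples: list of (family, vector). Returns (centroids, cluster labels)."""
    centroids = kmeans([v for _, v in samples], k)
    votes = [Counter() for _ in centroids]
    for fam, v in samples:
        votes[nearest(centroids, v)][fam] += 1
    labels = [c.most_common(1)[0][0] if c else None for c in votes]
    return centroids, labels


def classify(model, v):
    centroids, labels = model
    return labels[nearest(centroids, v)]


def experiment(n_events, k=6, n_train=40, n_test=20, seed=1):
    """Train on n_train samples per family; return accuracy on unseen samples."""
    rng = random.Random(seed)
    train_set = [(f, event_histogram(make_trace(rng, f, n_events)))
                 for f in FAMILY_PROFILES for _ in range(n_train)]
    test_set = [(f, event_histogram(make_trace(rng, f, n_events)))
                for f in FAMILY_PROFILES for _ in range(n_test)]
    model = train(train_set, k)
    hits = sum(classify(model, v) == f for f, v in test_set)
    return hits / len(test_set)


if __name__ == "__main__":
    for n in (10, 30, 100, 1000):
        print(f"{n:5d} events/sample -> accuracy {experiment(n):.2f}")
```

Two things the toy shows that the summary only states: accuracy rises with trace length because a longer event log gives a frequency vector that sits closer to its family's true profile, so the noisy short traces are where misclassification happens; and using more clusters than families (six for three) costs nothing, since the majority vote simply hands several clusters the same label, which is in line with the article's observation that more clusters gave better classification.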

7 of 55 comments

  1. The future is now by Umbral+Blot · · Score: 4, Insightful

    Obviously solutions like this will be the way of the future, combined with a finer grained permission system. I just hope you can manually exempt programs. For example, BitTorrent opens a lot of network connections, and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware. I am also curious if their system could defeat a rootkit, which will do its best to hide its activity and existence almost completely from the system.

    1. Re:The future is now by bmo · · Score: 4, Insightful

      "Why can't I just sue the owner of that IP?"

      Because the owner of the IP is not always the originator of the malware, but a victimized third party? Ya think? Haven't you ever looked at your phishing spam URLs?

      Only a seriously stupid criminal would illegally collect information at a machine that he owns himself.

      That said, the prisons are not full of geniuses.

      --
      BMO

  2. Advantages? by bsdluvr · · Score: 4, Insightful

    Does this new classification method really have any advantages for the average user? I'm sure most people just want to keep their systems malware-free, and could care less about the names of the individual threats.

  3. Better classification means better naming by mrogers · · Score: 5, Funny

    Now instead of obscure names like W32/worm.169/06A they can give them meaningful names like W32/fucks.your.harddrive.and.emails.itself.to.all. your.friends.169/06A.

  4. "us" ???? by Wingsy · · Score: 4, Funny

    "...bots and viruses that plague us" What's this "us" shit Kemosabe? I've never experienced any bots and/or viruses in the past 5 years or more. What kinda system are you running that has this affliction?

    --
    If I didn't have absolutely NOTHING to do, I wouldn't be here.

  5. I now present... the Polymorph by packetmon · · Score: 5, Insightful

    After reading 12 of the 17 page MS document I shake my head... Some malware do not run properly in VM. Some packers are known to detect VM environment and prevent the file from normal execution. What about smarter polymorphs which change and adapt, not to mention their analysis', tests, etc., did not include a full scope of what malware targets: "Runtime environment simulation is still primitive. For example, we have not implemented Instant Messaging or P2P applications/servers." Couple this with: "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous." And lest I forget: "This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed." (source). So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions? For any company to create a product, whether it's hardware or software based, they'd only be lying to a degree about their ability to detect complex threats no matter what engine their malware snoopers were using.

  6. You can already buy a product that does this by Anonymous Coward · · Score: 4, Informative

    Internet Security Systems already provides a product that does this called "Proventia Desktop". Whenever the user tries to run a program, it first boots a virtual machine, runs the program, looks at all these behaviors (opening connections, setting itself as the Run entry in the registry, etc.). When the right combination of behaviors is detected, it marks it as malware and refuses to run it in the real machine. The entire process takes as much time as it would for anti-virus to scan it. It's about 99% effective, which means that it catches almost all 0-day viruses, but it will occasionally let something through (which is why you should probably also have traditional anti-virus as well).
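The "right combination of behaviors" verdict the comment above describes, together with the manual exemption that comment 1 asks for, as an added Python example. This is not Proventia code and not from the article; the two behaviour logs, the rules, the sample hashes and the exemption list are all constructed for the example. The rule engine collapses a raw sandbox log into a set of high-level behaviours and blocks only when a whole rule's set is present, which is what keeps a single suspicious action from tripping it. The second log, a peer-to-peer client that opens many connections and copies a lot of data, shows the false positive comment 1 worries about and how a hash-keyed exemption resolves it.

```python
"""Rule-based verdict on a sandbox behaviour log, with a manual exemption list.

Added example, not ISS/Proventia code. Both logs are constructed lists of
(event, argument) tuples of the kind a sandbox might emit; the rules,
thresholds, hashes and exemptions are assumptions made for the example.
"""
import hashlib

# Constructed log: a sample that copies itself into the system directory,
# registers a Run key for persistence and opens an outbound connection.
SUSPECT_LOG = [
    ("file_copy", r"C:\Users\user\Downloads\invoice.exe -> C:\Windows\svc.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("net_connect", "203.0.113.7:6667"),
    ("proc_create", r"C:\Windows\svc.exe"),
]

# Constructed log: a peer-to-peer client with many connections and a lot of
# file copying, but no persistence and nothing written to the system directory.
P2P_LOG = ([("net_connect", f"198.51.100.{i}:6881") for i in range(1, 41)]
           + [("file_copy", "piece.tmp -> movie.mkv")] * 12)

# Constructed stand-ins for the SHA-256 of each executable.
SUSPECT_HASH = hashlib.sha256(b"constructed-dropper-bytes").hexdigest()
P2P_HASH = hashlib.sha256(b"constructed-p2p-client-bytes").hexdigest()

# A rule fires only when every behaviour in its set was observed.
RULES = {
    "installer beacon": {"copies_to_system_dir", "persists_via_run_key",
                         "outbound_connection"},
    "scanner/flooder": {"many_connections", "bulk_file_copy"},
}


def behaviours(log):
    """Collapse raw events into the set of high-level behaviours they show."""
    flags = set()
    connections = set()
    copies = 0
    for event, arg in log:
        if event == "net_connect":
            connections.add(arg)
            flags.add("outbound_connection")
        elif event == "file_copy":
            copies += 1
            destination = arg.split(" -> ")[-1]
            if destination.lower().startswith("c:\\windows\\"):
                flags.add("copies_to_system_dir")
        elif event == "reg_set" and "\\currentversion\\run\\" in arg.lower():
            flags.add("persists_via_run_key")
    if len(connections) >= 20:      # threshold is an assumption
        flags.add("many_connections")
    if copies >= 10:                # threshold is an assumption
        flags.add("bulk_file_copy")
    return flags


def verdict(log, sample_hash, exemptions=frozenset()):
    """Return ("allow", reason) or ("block", rule name) for one sample."""
    if sample_hash in exemptions:
        return ("allow", "manually exempted")
    seen = behaviours(log)
    for name, required in RULES.items():
        if required <= seen:
            return ("block", name)
    return ("allow", "no rule matched")


if __name__ == "__main__":
    print(verdict(SUSPECT_LOG, SUSPECT_HASH))
    print(verdict(P2P_LOG, P2P_HASH))
    print(verdict(P2P_LOG, P2P_HASH, exemptions={P2P_HASH}))
```

Keying the exemption on the file hash rather than the file name matters: a name-based exemption would let anything called by the client's name inherit its allowance, while a hash-based one covers exactly the binary the user vetted and lapses as soon as it is replaced.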