Researchers Use Machines To Analyze Malware

Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."

Better classification means better naming

[mrogers]

Now instead of obscure names like W32/worm.169/06A they can give them meaningful names like W32/fucks.your.harddrive.and.emails.itself.to.all. your.friends.169/06A.

I now present... the Polymorph

[packetmon]

After reading 12 of the 17 page MS document I shake my head... Some malware do not run properly in VM. Some packers are known to detect VM environment and prevent the file from normal execution. What about smarter polymorphs which change and adapt not to mention their analysis', tests, etc., did not include a full scope of what malware targets: "Runtime environment simulation is still primitive. For example, we have not implemented Instant Messaging or P2P applications/servers." Couple this with: "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous." And lest I forget "This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. (source). So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions. For any company to create a product whether its hardware or software based, they'd only be lying to a degree about their ability to detect complex threats no matter what engine their malware snoopers were using.