A New Approach to Mutating Malware
mandelbr0t writes "CBC is reporting that researchers at the Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time-delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Behaviour blocking.
Everything old is new again!
What happens when I buy a new game and it connects to the other players in a tight mesh?
It might send out a storm of packets to each of the possibly hundreds of other servers.
Will it be blocked? If so, who do you see to get it unblocked, and what happens if my ISP is running this software?
liqbase
This will (mostly) work on worms which attack flaws which behave in a nondeterministic fashion; a worm isn't guaranteed an infection by only one connection attempt. I don't think it would work for flaws that require only one connection to infect, though.
That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.
... or is porn just an actively sought out form of malware?
"I only know 2 things: The love for me, and the fear of me."
'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.'
So they're focusing on a symptom. But it sounds like this could be used to block other "homogeneous" traffic, like BitTorrent, no?
The theory of relativity doesn't work right in Arkansas.
It appears to be magic.
I can see isolating a box when its connection pattern changes. But I don't see any way to identify whether it has been infected without a person looking at it or comparing it to existing signature files.
Hello,
There's not really a lot of information about how Proactive Worm Containment (PWC) works in the article. A quick bit of searching found the Penn State University Cyber Security Lab's home page here and Professor Peng Liu's home page here along with the university's press release here, but I did not see any actual articles on PWC.
A more detailed description would be most welcome, since the press release makes it sound like this is an automated response to quarantining a host which is performing a DDoS, and it is not clear how PWC would differentiate between that and just a very busy server.
Regards,
Aryeh Goretsky
Dexter is a good dog.
I wish the article didn't pretty much suck...
This is the webpage for the Cyber Security Lab. I don't see anything about this on there, but a Google search for Proactive Worm Containment brings up this presentation.
OK. This will work for a while. However, sooner or later, two things will happen:
1. The Malware Boys (TMB) will change the software to spit out connection attempts more slowly so that it falls below the threshold, and
2. Since TMB seem to be increasingly financed by organized crime, they'll duplicate the technique in their own labs and build worms that work around it, just the way they've gotten a lot of crud by Bayesian filters and anti-virus software.
Summary: no magic bullet
You wouldn't happen to be a writer on Tom Goes to the Mayor, would you?
The theory of relativity doesn't work right in Arkansas.
I don't see why anyone's sexuality or promiscuity should matter. Live and let live.
I read the article, and I'm still wondering what the 'new' part is. The text doesn't mention anything that hasn't been around for ages, is this a bad article or bad research?
This idea was discussed in considerable depth on various anti-spam lists several years ago. Nearly all hosts on the Internet talk to one mail server: the one designated for mail submission from the network they're on. (s/one/few/ for networks large enough to have multiple SMTP gateways.) Such systems, if observed suddenly making connections on port 25 to hundreds (or more) other mail servers, are almost certainly spewing spam. This is particularly true if those connections meet certain criteria (e.g. traffic sent before waiting for the SMTP greeting from the remote side, or failure to send QUIT before closing the connection). Slapping a port 25 block on such systems at least partially quarantines the problem, buying time for more thorough investigation.
The same could be said of systems observed making hundreds of SSH connections (to one destination or many), etc. The basic concept is to figure out what "normal" looks like -- which, granted, may vary with what uses a system normally has -- and then do something when things don't look normal.
"something" could be "log it" or "issue an alert" or "rate-limit connections" or "rate-limit traffic" or "block" or some combination; the trick is to select an appropriate response that does something useful while not making the mechanism so twitchy that it trips when it shouldn't.
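The detector sketched in the comment above (a host that suddenly fans out to many distinct mail servers on port 25, with the network's own submission server exempt, and a quarantine that is lifted again automatically) can be written down in a few dozen lines. This is an added example, not code from the article, the Penn State lab or any commenter; the log format, addresses, window and thresholds are all constructed for the demo, and the threshold is deliberately tiny so the sample trace trips it.

```python
"""Sliding-window detector for "one host talks to many mail servers".

Added example; all addresses, the log format and the limits are
constructed assumptions, not values from the article.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

DESIGNATED_SMTP = {"10.0.0.25"}   # assumption: the network's mail submission server
WINDOW_SECONDS = 60               # look-back window per source host
DISTINCT_DEST_THRESHOLD = 5       # "hundreds" in practice; tiny here for the demo
QUARANTINE_SECONDS = 300          # quarantine expires on its own (the false-alarm release)


@dataclass
class Detector:
    window: int = WINDOW_SECONDS
    threshold: int = DISTINCT_DEST_THRESHOLD
    # per source: (timestamp, destination) of recent port-25 connections
    recent: dict = field(default_factory=lambda: defaultdict(deque))
    # per source: timestamp at which its quarantine expires
    quarantined: dict = field(default_factory=dict)

    def observe(self, ts, src, dst, dport):
        """Feed one outbound connection; return 'allow', 'quarantine' or 'block'."""
        # Lift an expired quarantine before deciding anything else.
        if src in self.quarantined and ts >= self.quarantined[src]:
            del self.quarantined[src]
        if src in self.quarantined:
            return "block"
        # Only port 25 to servers other than the designated gateway counts.
        if dport != 25 or dst in DESIGNATED_SMTP:
            return "allow"
        q = self.recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        # Distinct destinations, not raw connection count: retries to one
        # server are normal, fan-out to many is the spam/worm symptom.
        if len({d for _, d in q}) >= self.threshold:
            self.quarantined[src] = ts + QUARANTINE_SECONDS
            q.clear()
            return "quarantine"
        return "allow"


def parse_line(line):
    """Constructed log format: '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


# Constructed trace: 10.0.0.7 uses the designated server, 10.0.0.9 fans out.
SAMPLE_LOG = """\
1000 10.0.0.7 10.0.0.25 25
1001 10.0.0.7 10.0.0.25 25
1002 10.0.0.9 203.0.113.1 25
1003 10.0.0.9 203.0.113.2 25
1004 10.0.0.9 198.51.100.7 80
1005 10.0.0.9 203.0.113.3 25
1006 10.0.0.9 203.0.113.4 25
1007 10.0.0.9 203.0.113.5 25
1008 10.0.0.9 203.0.113.6 25
1400 10.0.0.9 203.0.113.7 25
"""


def run(log=SAMPLE_LOG):
    """Return [(src, decision), ...] for each line of the log, in order."""
    det = Detector()
    return [(src, det.observe(ts, src, dst, dport))
            for ts, src, dst, dport in map(parse_line, log.splitlines())]


if __name__ == "__main__":
    for src, decision in run():
        print(src, decision)
```

The last line of the trace shows the release step: by timestamp 1400 the quarantine set at 1007 has expired, so 10.0.0.9 is allowed through again and its window starts fresh. Whether "hundreds of servers in a minute" is an infection or a busy relay is exactly the question raised elsewhere in the thread; the exemption set and the distinct-destination count are the two knobs that keep a legitimate gateway from tripping it.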
The ability to block things by number/frequency/type/foo of connection attempts is pretty old... it's just not particularly useful in cases as open-ended as this (trying to block worm activity based on no other information than connection behavior). It seems someone here is, as usual, reporting on the rediscovery of the wheel. (Not to mention the fact that the fast-moving DoS worm is out of fashion right now. The heat is too much for people looking for kicks, and people looking to make money from it have better tools.)
connectionless packet services?
Or have we forgotten about SQL Slammer, which used a UDP vector?
Unless, with appropriate hand-waving, we are no longer talking about connection patterns and are switching the discussion to packet-destination patterns. Which opens up other UDP-based legitimate applications to pre-emptive blockage. Imagine your lag rage when your antivirus whacks your MMO session.
Welcome to the Panopticon. Used to be a prison, now it's your home.
A really simple solution to most virus problems is a good firewall. This project seems to be not much more than a glorified firewall with heuristics.
A firewall won't protect you much from the initial infection, but it will stop you from spreading the malware or becoming a spam-bot. A smart firewall could also accurately warn the user of suspicious activity, as evil connections are a much more reliable symptom to check than signatures.
The government can't save you.
I'm not sure if this is a totally idea or not, but any help with this is a positive thing. Watching a machine and trying to find signs of malware behavior isn't new. NAV and other programs already have heuristics built in.
What is needed is more of a "block all, allow only what is needed" policy rather than "permit all, find bad things, block them" which is a never-ending cycle. For example, unless an ISP's customer specifically requests it (and signs that he/she is fully responsible for any damage), a number of outgoing ports should be blocked by default (with obvious notice to the user on signup and in the ISP's help pages. For example, outgoing SMTP should be blocked, and the ISP will unblock it on user request as well as offer a mail server for authorized relaying.)
Maybe one idea is for programs (doesn't matter what OS) to have a manifest (which after installation is stored somewhere protected by the OS) of what ports the program will be using for incoming/outgoing connections. If a program uses a port different from what is listed in its manifest, the connection is either blocked, or the user is prompted to manually add an ACL entry allowing it. If a program is updated to use more ports, the manifest can be changed (although an administrative user will need to allow the request.)
"This paper gives an overview of Virus Throttling, a new technique to limit the damage caused by fast spreading computer worms and viruses. Rather than preventing a machine becoming infected, the technique prevents the virus propagating further from the infected machine. This addresses the two main ways that viruses cause damage: the spread of the virus will be slowed (less machines infected) and the traffic created by the virus will be reduced(less likely to overload network infrastructure)."
http://www.hpl.hp.com/techreports/2003/HPL-2003-69.html
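The quoted abstract describes the throttle from the defending side: instead of detecting infection, limit how fast any one machine can start talking to hosts it has not talked to recently. The simulation below is an added example, not the HP Labs code, and follows the published idea of a small working set of recently contacted hosts plus a delay queue drained at a fixed rate; the working-set size, queue limit and both traffic traces are constructed assumptions.

```python
"""Simulation of a per-host virus throttle (working set + delay queue).

Added example, not the HP paper's implementation. Parameters and the two
traces (a normal user, a fan-out worm) are constructed for the demo.
"""
from collections import deque


class VirusThrottle:
    def __init__(self, working_set_size=5, queue_limit=10):
        # Recently contacted hosts; appending past maxlen evicts the oldest.
        self.working_set = deque(maxlen=working_set_size)
        # Requests to hosts outside the working set wait here.
        self.delay_queue = deque()
        self.queue_limit = queue_limit
        self.sent = []            # (tick, dst) connections actually released
        self.alarm_tick = None    # first tick at which the queue exceeded the limit
        self.max_queue = 0

    def request(self, tick, dst):
        """A process asks to connect to dst during this tick."""
        if dst in self.working_set:
            self.sent.append((tick, dst))      # known host: no delay
            return "pass"
        self.delay_queue.append(dst)           # new host: rate-limited
        self.max_queue = max(self.max_queue, len(self.delay_queue))
        if self.alarm_tick is None and len(self.delay_queue) > self.queue_limit:
            self.alarm_tick = tick             # queue growth is the infection signal
        return "queued"

    def drain(self, tick):
        """Once per tick: release one queued request and remember its host."""
        if not self.delay_queue:
            return None
        dst = self.delay_queue.popleft()
        if dst not in self.working_set:
            self.working_set.append(dst)
        self.sent.append((tick, dst))
        return dst


def simulate(trace, **kwargs):
    """trace: [(tick, [destinations requested in that tick]), ...]"""
    throttle = VirusThrottle(**kwargs)
    for tick, dsts in trace:
        for dst in dsts:
            throttle.request(tick, dst)
        throttle.drain(tick)
    return throttle


def normal_trace(ticks=10):
    # Constructed: a user who keeps talking to the same two hosts.
    return [(t, ["mail.example", "www.example"]) for t in range(ticks)]


def worm_trace(ticks=10, fanout=5):
    # Constructed: five never-seen-before hosts every tick.
    return [(t, [f"victim-{t}-{i}" for i in range(fanout)]) for t in range(ticks)]


if __name__ == "__main__":
    for name, trace in (("normal", normal_trace()), ("worm", worm_trace())):
        th = simulate(trace)
        print(name, "released:", len(th.sent), "still queued:", len(th.delay_queue),
              "max queue:", th.max_queue, "alarm at tick:", th.alarm_tick)
```

The normal user is delayed by at most a tick or two while its hosts enter the working set and then never touches the queue again; the worm requests 50 connections but only 10 are released, one per tick, and the queue crosses the limit on tick 2. That is the property the abstract claims: propagation from an infected box is slowed even though the box itself was never identified as infected by signature.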
A large amount of malware configures itself so that it starts up each time you reboot. If something just popped up and said "program x wants to start each time you boot your computer, do you want to allow this, yes/no", a ton of crap could be stopped right there. I know that is similar to a firewall asking if it is OK for an application to access the internet, but I haven't ever seen anything that monitors programs that start on boot up.
On my list of Windows annoyances is that there are too many ways for a program to load itself at boot time, several of them pretty hard to understand for people who aren't too computer savvy.
I have started putting the Startup Control Panel, by Mike Lin, on a lot of people's computers and it really makes it easier for them to control this crap. Plus, from time to time, someone actually gets a clue that huge amounts of stuff running in the background slows your computer down.
Transporter_ii
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
Malware authors will just throttle the rate at which their software sends spam (or exploit payloads or whatever dirty work it happens to be doing).
Deploying this kind of detection will mitigate the spam problem somewhat by slowing down the propagation of spam -- but this isn't a silver bullet to stop malware.
When I saw the title "A New Approach to Mutating Malware", I was looking forward to an excellent piece on how to develop polymorphic destructive code, or maybe a way to infect viruses with Polonium-210. But all I got was some cheesy article on how to use a network intrusion detector to shut down malware. Boooring.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
This sounds more like a mutated form of spam greylisting than a completely new method of detection. And this packet watching by itself is going to have a very high false positive rate unless they are truly doing it in the manner of spam greylisting, which learns who is "okay" to receive packets from.
Now I suppose if this was designed to prevent an infected computer from sending packets out... wait, that's a firewall's job. I guess I don't understand the usefulness of this new feature unless it is designed to hinder users even further. AV software and their current methods are used because of the very low false positive rates. Most of the heuristic technologies by default are set at minimal settings because of the high false positive rates in these types of technologies.
Hundreds of connections to many clients on the same set of ports? Sounds like someone is running a BitTorrent client. They would have to only do this on a certain set of ports or something. It would block too much legitimate traffic otherwise.
-molo
Using your sig line to advertise for friends is lame.
Hunt down the authors and cut their balls off. Publicly. People underestimate the visual deterrent power of a Bowie knife taken to some testicles.
Seriously, we need to start SOLVING problems in this world, and you don't solve problems without leaving at least a few asses in a well kicked state.
Sorry, but welcome to the human race.
We are... PENN STATE!
Vote monkeys into Congress. They are cheaper and more trustworthy.
This idea was discussed in considerable depth on various
anti-spam lists several years ago. Nearly all hosts on the
Internet talk to one mail server: the one designated for
mail submission from the network they're on. (s/one/few/
for networks large enough to have multiple SMTP gateways.)
Or you could just block all connections on port 25 to all servers other than the designated SMTP server for all computers on the network (unless, maybe, the owner of that computer asked nicely.)
paintball
Excuse me, that is a "generic paper for gaining attention" case.
Ingredients:
1) Old method (heuristic approach, has been around since the 1980s and never worked)
2) Well-known countermeasure (block outgoing ports)
3) Implication that false positives are not so bad as false negatives (quote from the link: "...cancel the quarantine in the event of a false alarm.", without a specification of how to do that)
4) A newspaper reporter who obviously does not know anything about security
A remark: implementing this method enables an escalation of some minor problem (e.g. when an attack target can be forced to make connections to other hosts) to a DoS.
...then you are a "malware carrier".
Cool! It's not every day that you get to witness the creation of a new DoS attack vector.
This technology will be toast as soon as somebody defaces Yahoo or some other popular home page---by adding a dozen or so IFRAMES to random http://hostport/ URLs---thus causing anyone "protected" by this system to drop off the Internet.
http://outcampaign.org/
You can check Radware and their IPS called DefensePro. You will see that they use what they call Behavioral DoS protection. So this is not really a new thing in the world of combating malware.
Change is certain; progress is not obligatory.
So what if I DoS 127.0.0.1?
Just evaluate the TCP packet signatures and identify MS platforms, and deny all traffic from it. Malware would stop dead in its tracks.
Seems like just a few changes from the Graph-based Intrusion Detection System developed by UC Davis 8 years ago.