A New Approach to Mutating Malware
mandelbr0t writes "CBC is reporting that researchers at the Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time-delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."
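The summary describes the detection rule only in one sentence, so here is an added worked example of the idea (my code, not the Penn State system or anything from the CBC article): a sliding-window detector that flags a source host once it sends a burst of connection attempts to the same destination port across many different destination addresses, quarantines it, and cancels the quarantine again. The window, thresholds, the quiet-period auto-release and the manual `release()` call are all my assumptions about how such a system might be tuned; the traffic in `constructed_log()` is constructed sample data, not a capture. The mailing-list host in that sample is there to show the false-positive case a commenter below raises.

```python
from collections import Counter, defaultdict, deque

# Tuning assumptions for this example (not values from the article).
WINDOW_S = 10.0         # sliding window over one source's connection attempts
THRESHOLD = 20          # attempts to a single port within the window that trigger blocking
MIN_DISTINCT_DST = 10   # ... provided they are spread over at least this many destinations
RELEASE_AFTER_S = 30.0  # quarantine lifts automatically once the burst has been quiet this long


class ConnectionRateDetector:
    """Flags hosts emitting a high rate of homogeneous connection requests."""

    def __init__(self, window_s=WINDOW_S, threshold=THRESHOLD,
                 min_distinct_dst=MIN_DISTINCT_DST, release_after_s=RELEASE_AFTER_S):
        self.window_s = window_s
        self.threshold = threshold
        self.min_distinct_dst = min_distinct_dst
        self.release_after_s = release_after_s
        self.attempts = defaultdict(deque)  # src -> deque of (t, dst, dport) inside the window
        self.quarantine = {}                # src -> time of the most recent triggering burst
        self.log = []                       # (t, action, src) audit trail

    def observe(self, t, src, dst, dport):
        """Feed one connection attempt; return True if src is blocked at time t."""
        self._expire(t)
        self._record(t, src, dst, dport)
        if self._is_homogeneous_burst(src):
            if src not in self.quarantine:
                self.log.append((t, "block", src))
            self.quarantine[src] = t  # (re)arm the quarantine timer while the burst continues
        return src in self.quarantine

    def release(self, src, t):
        """Operator-driven cancellation of a quarantine confirmed to be a false alarm."""
        if self.quarantine.pop(src, None) is not None:
            self.log.append((t, "manual-release", src))

    def _record(self, t, src, dst, dport):
        q = self.attempts[src]
        q.append((t, dst, dport))
        while q and q[0][0] < t - self.window_s:  # drop attempts that fell out of the window
            q.popleft()

    def _is_homogeneous_burst(self, src):
        # "Homogeneous" here means: many attempts to one port, fanned out to many hosts,
        # which is what a scanning worm looks like and what a normal client does not.
        q = self.attempts[src]
        if not q:
            return False
        dport, n = Counter(p for _, _, p in q).most_common(1)[0]
        distinct = len({d for _, d, p in q if p == dport})
        return n >= self.threshold and distinct >= self.min_distinct_dst

    def _expire(self, t):
        for src, last in list(self.quarantine.items()):
            if t - last >= self.release_after_s:
                del self.quarantine[src]
                self.log.append((t, "release", src))


def constructed_log():
    """Constructed sample traffic as (t, src, dst, dport); nothing here is real capture data."""
    events = []
    # Worm-like host: one SYN every 0.1 s to TCP/445 on 30 different addresses.
    for i in range(30):
        events.append((0.1 * i, "10.0.0.5", f"10.1.{i // 256}.{i % 256}", 445))
    # Ordinary client: a handful of web connections to a few hosts.
    for i in range(6):
        events.append((0.5 * i, "10.0.0.9", f"93.184.216.{i}", 443 if i % 2 else 80))
    # Mailing-list server: one delivery attempt to TCP/25 on 25 different MX hosts.
    for i in range(25):
        events.append((1.0 + 0.2 * i, "10.0.0.2", f"192.0.2.{i}", 25))
    # After a quiet period the worm host sends one more probe.
    events.append((60.0, "10.0.0.5", "10.1.0.200", 445))
    events.sort()
    return events


def run_detector(events, detector=None):
    """Replay a log; return (hosts ever blocked, hosts still quarantined at the end, audit log)."""
    det = detector or ConnectionRateDetector()
    blocked_ever = set()
    for t, src, dst, dport in events:
        if det.observe(t, src, dst, dport):
            blocked_ever.add(src)
    return blocked_ever, set(det.quarantine), det.log


if __name__ == "__main__":
    blocked, still_blocked, log = run_detector(constructed_log())
    for entry in log:
        print(entry)
```

Replaying the constructed log blocks the worm-like host at its 20th probe, but it also blocks the mail server, which fans out to 25 MX hosts on port 25 in the same way a worm fans out to port 445; a deployment would need an allowlist or a port-specific threshold for that case. Both quarantines are released once the bursts stop and the quiet period elapses, so the lone probe at t=60 is not blocked on its own.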
What happens when I buy a new game and it connects to the other players in a tight mesh?
It might send out a storm of packets to each of the possibly hundreds of other servers.
Will it be blocked? If so, who do you see to get it unblocked, and what happens if my ISP is running this software?
liqbase
This will (mostly) work on worms which attack flaws which behave in a nondeterministic fashion; a worm isn't guaranteed an infection by only one connection attempt. I don't think it would work for flaws that require only one connection to infect, though.
That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (Say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.
I suspect that every mailing list server would be a false positive, too.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The ability to block things by number/frequency/type/foo of connection attempts is pretty old... it's just not particularly useful in cases as open-ended as this (trying to block worm activity based on no other information than connection behavior). It seems someone here is, as usual, reporting on the rediscovery of the wheel. (Not to mention the fact that the fast-moving DoS worm is out of fashion right now. The heat is too much for people looking for kicks, and people looking to make money from it have better tools.)