Slashdot Mirror


A New Approach to Mutating Malware

mandelbr0t writes "CBC is reporting that researchers at the Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time-delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."

28 of 80 comments

  1. a high rate of homogeneous connection requests by HTH NE1 · · Score: 4, Funny

    The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.
    Great, so I happen to spend a whole day on the computer doing nothing but playing one first-person shooter and I'll get cut off from the net? Did this idea come from Korea?
    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:a high rate of homogeneous connection requests by dgatwood · · Score: 3, Interesting

      I suspect that every mailing list server would be a false positive, too.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:a high rate of homogeneous connection requests by HTH NE1 · · Score: 3, Insightful
      OK, now I've read the article. Doesn't help much:

      Pen Liu, the lead researcher on the project and director of the university's Cyber Security Lab, estimates that under the new system, only a few dozen packets could be sent before an attack is halted. In comparison, the Slammer worm sent about 4,000 packets a second.
      Great, how many packets per second is sent for streaming video? Downloading a Usenet posting?

      Oh, they're probably talking about end-user computers emitting too many similar packets quickly. There goes the idea of me running my own server; I will no longer be an equal on the net and will always have to pay someone else to host my content. This will also curb actions like sharing files, posting binaries to Usenet, streaming video out of my SlingBox, or other high-outgoing-bandwidth tasks.

      But because high packet rates aren't always triggered by worms, the new technology can also determine whether a suspected host is actually infected and release clean systems.
      I doubt this will be the same "fractions of a second" that it takes to block. I suspect it's more like human intervention on the order of days or weeks.
      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    3. Re:a high rate of homogeneous connection requests by Wesley Felter · · Score: 3, Insightful

      This isn't hard to understand; a worm sends thousands of packets per second, each to a different IP address and most legitimate applications don't.

    4. Re:a high rate of homogeneous connection requests by abigor · · Score: 3, Insightful

      You know, somehow it strikes me that they thought of these dead-simple, everyday use cases.

      Also, you need to learn the difference between "connecting" and "sending". If you're interested, you should pick up one of the classic Stevens books on TCP/IP. That should clear things up for you.

    5. Re:a high rate of homogeneous connection requests by vux984 · · Score: 3, Insightful

      Great, how many packets per second is sent for streaming video? Downloading a Usenet posting?

      Unless you download each packet from a different server I can't see how that would possibly be relevant.

      Oh, they're probably talking about end-user computers emitting too many similar packets quickly.

      No they're talking about a computer emitting too many CONNECTION REQUESTS to too many different computers. If you read the article you'd probably have a better idea of what was going on. ;)

      Two types of applications that could in theory trigger a quarantine would be a mass-mailout, where you are directly delivering mail to thousands of recipient mail exchangers (instead of relaying through your ISP), or running a web-crawling robot of some sort that was traversing thousands of websites.

      Typical use, from playing games, to browsing, to sending email, to streaming video... even p2p software wouldn't even register as a potential threat, never mind trigger quarantine. Nor would running a busy web server, as in that case all the connection requests are inbound, not outbound.

  2. What happens when... by LiquidCoooled · · Score: 2, Interesting

    What happens when I buy a new game and it connects to the other players in a tight mesh?
    It might send out a storm of packets to each of the possibly hundreds of other servers.

    Will it be blocked? If so, who do you see to get it unblocked, and what happens if my ISP is running this software?

    --
    liqbase :: faster than paper
  3. Deterministic flaws and P2P networks. by Short Circuit · · Score: 3, Interesting

    This will (mostly) work on worms which attack flaws which behave in a nondeterministic fashion; a worm isn't guaranteed an infection by only one connection attempt. I don't think it would work for flaws that require only one connection to infect, though.

    That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (Say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.

  4. What about wanted high rate requests? by Dark Kenshin · · Score: 2, Funny

    ... or is porn just an actively sought out form of malware?

    --
    "I only know 2 things: The love for me, and the fear of me."
  5. cause and effect by User 956 · · Score: 2

    'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.'

    So they're focusing on a symptom. But it sounds like this could be used to block other "homogeneous" traffic, like Bittorrent, no?

    --
    The theory of relativity doesn't work right in Arkansas.
  6. Re:From TFA ... by LiquidCoooled · · Score: 4, Funny

    Perhaps it performs its detection based upon the evil bit.

    --
    liqbase :: faster than paper
  7. How does it work? by Aryeh Goretsky · · Score: 4, Informative

    Hello,

    There's not really a lot of information about how Proactive Worm Containment (PWC) works in the article. A quick bit of searching found the Penn State University Cyber Security Lab's home page here and Professor Peng Liu's home page here along with the university's press release here, but I did not see any actual articles on PWC.

    A more detailed description would be most welcome, since the press release makes it sound like this is an automated response to quarantining a host which is performing a DDoS, and it is not clear how PWC would differentiate between that and just a very busy server.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
    1. Re:How does it work? by EvanED · · Score: 2, Informative

      There is a presentation about it, but it doesn't go into any more detail about how the detection occurs than the article.

    2. Re:How does it work? by nuckfuts · · Score: 3, Informative

      It's trivial to differentiate between outbound and inbound TCP connections. (The first packet has the SYN flag set to begin a three-way handshake). A busy server would have a lot of connections coming TO it. A bot would have a lot of connections coming FROM it. In the case of other protocols the SRC and DST information in the packets should suffice to determine direction.

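    The detection rule sketched in this thread (vux984: a host issuing connection requests to too many different computers; nuckfuts: direction decided by which side sends the bare SYN) as an added worked example, not code from the article or from the PWC project. The flow records, addresses and the threshold of 20 destinations per second are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str
    dst: str
    flags: int  # TCP flags of the first packet seen


def is_connection_request(f: Flow) -> bool:
    """Outbound request: SYN set and ACK clear (a SYN-ACK reply has both)."""
    return bool(f.flags & SYN) and not (f.flags & ACK)


def fanout_offenders(flows, window=1.0, threshold=20):
    """Return {src: peak distinct-destination count} for every source that
    sent connection requests to more than `threshold` distinct destinations
    within any `window` seconds. Inbound SYNs count against the remote
    source, not the local server that answers them."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) in the window
    peak = defaultdict(int)
    for f in sorted(flows, key=lambda x: x.ts):
        if not is_connection_request(f):
            continue
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        peak[f.src] = max(peak[f.src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n > threshold}


def sample_flows():
    """Constructed traffic: one scanning host, one busy web server, one client."""
    flows = []
    for i in range(60):   # scanner: 60 SYNs to 60 different hosts in 0.6 s
        flows.append(Flow(i * 0.01, "10.0.0.5", f"192.0.2.{i + 1}", SYN))
    for i in range(60):   # web server: 60 inbound SYNs, each answered SYN-ACK
        flows.append(Flow(i * 0.01, f"198.51.100.{i + 1}", "10.0.0.80", SYN))
        flows.append(Flow(i * 0.01 + 0.001, "10.0.0.80", f"198.51.100.{i + 1}", SYN | ACK))
    for i in range(30):   # ordinary client: many connections, three sites
        flows.append(Flow(i * 0.02, "10.0.0.7", f"203.0.113.{i % 3 + 1}", SYN))
    return flows
```

    Only the scanner exceeds the threshold: the server never sends a bare SYN, and the client reconnects often but to few destinations, which is the distinction the thread draws between "sending" and "connecting".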
  8. Huh? by EvanED · · Score: 2, Funny

    I wish the article didn't pretty much suck...

    This is the webpage for the Cyber Security Lab. I don't see anything about this on there, but a Google search for Proactive Worm Containment brings up this presentation.

  9. Safemaker, Safebreaker by sehlat · · Score: 2, Insightful

    OK. This will work for a while. However, sooner or later, two things will happen:

    1. The Malware Boys (TMB) will change the software to spit out connection attempts more slowly so that it falls below the threshold

    and

    2. Since TMB seem to be increasingly financed by organized crime, they'll duplicate the technique in their own labs and build worms that work around it, just the way they've gotten a lot of crud by Bayesian Filters and anti-virus software.

    Summary: no magic bullet

    1. Re:Safemaker, Safebreaker by EvanED · · Score: 2, Insightful

      Is there ever a magic bullet though?

      What fix has there ever been that would totally stop a class of attacks in their tracks? The only one I can come up with is typesafe languages.

    2. Re:Safemaker, Safebreaker by hedwards · · Score: 3, Insightful

      Yes, but forcing them to slow down makes an outbreak easier to contain.

      One of the bigger problems has been the speed of infection. Forcing a worm or virus to slow down significantly increases the amount of time that researchers have to identify it and release an update.

    3. Re:Safemaker, Safebreaker by mikiN · · Score: 2, Funny

      ...like the Kuang Grade Mark 11...

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  10. high rate of homogeneous connection requests by Anonymous Coward · · Score: 5, Funny

    I don't see what anyone's sexuality or promiscuity should matter. Live and let live.

    1. Re:high rate of homogeneous connection requests by Dirtside · · Score: 4, Funny

      Maybe it's a "Don't ACK, don't tell" policy.

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  11. And where's the new bit? by Rich · · Score: 2, Informative

    I read the article, and I'm still wondering what the 'new' part is. The text doesn't mention anything that hasn't been around for ages, is this a bad article or bad research?

  12. Not a new idea....but still a good one by Arrogant-Bastard · · Score: 5, Informative

    This idea was discussed in considerable depth on various anti-spam lists several years ago. Nearly all hosts on the Internet talk to one mail server: the one designated for mail submission from the network they're on. (s/one/few/ for networks large enough to have multiple SMTP gateways.)

    Such systems, if observed suddenly making connections on port 25 to hundreds (or more) other mail servers, are almost certainly spewing spam. This is particularly true if those connections meet certain criteria (e.g. traffic sent before waiting for SMTP greeting from remote side, or failure to send QUIT before closing connection). Slapping a port 25 block on such systems at least partially quarantines the problem, buying time for more thorough investigation.

    The same could be said of systems observed making hundreds of SSH connections (to one destination or many), etc. The basic concept is to figure out what "normal" looks like -- which, granted, may vary with what uses a system normally has -- and then do something when things don't look normal. "something" could be "log it" or "issue an alert" or "rate-limit connections" or "rate-limit traffic" or "block" or some combination; the trick is to select an appropriate response that does something useful while not making the mechanism so twitchy that it trips when it shouldn't.

    1. Re:Not a new idea....but still a good one by jofny · · Score: 3, Informative

      That doesn't work for most machines you'll find on the internet. Network data simply doesn't contain enough information to consistently build a flexible, accurate profile of normal usage. You're either going to miss a significant amount of stuff you'd like to catch, or catch so much legit traffic that it's unusable. You might find the right middle ground between them, but it'll be infrequent and coincidental.

  13. Maybe I missed something: What's new here? by jofny · · Score: 2, Interesting

    The ability to block things by number/frequency/type/foo of connection attempts is pretty old...it's just not particularly useful in cases as open-ended as this (trying to block worm activity based on no other information than connection behavior). It seems someone here is, as usual, reporting on the rediscovery of the wheel. (Not to mention the fact that the fast-moving DoS worm is out of fashion right now. The heat is too much for people looking for kicks and people looking to make money from it have better tools.)

  14. Helloo.... by idontgno · · Score: 2, Informative

    connectionless packet services?

    Or have we forgotten about SQL Slammer, which used a UDP vector?

    Unless, with appropriate hand-waving, we are no longer talking about connection patterns and switching the discussion to packet-destination patterns. Which opens up other UDP-based legitimate applications to pre-emptive blockage. Imagine your lag rage when your antivirus whacks your MMO session.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  15. Simple fix by Quiet_Desperation · · Score: 2, Funny

    Hunt down the authors and cut their balls off. Publicly. People underestimate the visual deterrent power of a Bowie knife taken to some testicles.

    Seriously, we need to start SOLVING problems in this world, and you don't solve problems without leaving at least a few asses in a well kicked state.

    Sorry, but welcome to the human race.

  16. Shameless plug by bryan1945 · · Score: 2

    We are... PENN STATE!

    --
    Vote monkeys into Congress. They are cheaper and more trustworthy.