Slashdot Mirror


A New Approach to Mutating Malware

mandelbr0t writes "CBC is reporting that researchers at Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of a false alarm."

2 of 80 comments

  1. high rate of homogeneous connection requests by Anonymous Coward · Score: 5, Funny

    I don't see what anyone's sexuality or promiscuity should matter. Live and let live.

  2. Not a new idea....but still a good one by Arrogant-Bastard · Score: 5, Informative

    This idea was discussed in considerable depth on various
    anti-spam lists several years ago. Nearly all hosts on the
    Internet talk to one mail server: the one designated for
    mail submission from the network they're on. (s/one/few/
    for networks large enough to have multiple SMTP gateways.)

    Such systems, if observed suddenly making connections on
    port 25 to hundreds (or more) other mail servers, are almost
    certainly spewing spam. This is particularly true if those
    connections meet certain criteria (e.g. traffic sent before
    waiting for SMTP greeting from remote side, or failure to
    send QUIT before closing connection). Slapping a port 25
    block on such systems at least partially quarantines the
    problem, buying time for more thorough investigation.

    The same could be said of systems observed making hundreds
    of SSH connections (to one destination or many), etc. The
    basic concept is to figure out what "normal" looks like --
    which, granted, may vary with what uses a system normally
    has -- and then do something when things don't look normal.
    "something" could be "log it" or "issue an alert" or "rate-limit
    connections" or "rate-limit traffic" or "block" or some
    combination; the trick is to select an appropriate response
    that does something useful while not making the mechanism
    so twitchy that it trips when it shouldn't.