Slashdot Mirror


Auto-Detecting Malware? It's Possible

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

38 of 178 comments

  1. Privacy by sopssa · · Score: 5, Insightful

    If antivirus protectors could collect data from machines and users

    This idea stopped being a good one here.

    1. Re:Privacy by gnick · · Score: 4, Insightful

      I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breach. Just leave it off by default and, should you choose, don't click the box.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Privacy by pseudorand · · Score: 3, Funny

      > If antivirus protectors could collect data from machines and users... ...it would be malware.

      As is, antivirus simply eats up all your CPU and memory, so it's more like a DOS.

    3. Re:Privacy by sopssa · · Score: 2, Interesting

      I'm actually more surprised all the time at how the antivirus vendors go more the way that scareware does. A good example is Symantec and their Norton product (I feel sorry for the guy..)

      I haven't had an antivirus product on my machine for years because I know how to use the internet. But there was a case when I thought I'd made a mistake - so I got myself an antivirus scanner just to make sure.

      Unluckily for me, it happened to be Symantec's. To this day I've still tried to get it off my system, with no luck. Every week it pops up during the night, scans all of my hard drives and tells me I have to buy their product to protect myself - just like every scareware product. And it only detected some *tracking cookies*.

      With all their publicity stunts, bloatware and other shit it's getting on everyone's nerves. Everyone here on slashdot knows what they think of symantec. This is more or less the same issue.

      At least there are still good vendors like ESET with Nod32 and Kaspersky around. I won't touch Symantec even with a stick again.

    4. Re:Privacy by Z34107 · · Score: 4, Informative

      Well, yes and no; it depends on what kind of data.

      Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet.

      It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to kill that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

      So, maybe a bad idea, but not a new one - it's already being done.

      --
      DATABASE WOW WOW
    5. Re:Privacy by Orbijx · · Score: 3, Informative

      Usually, the Norton Removal Tool does the job in blowing Norton's software off the system.

      I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
    6. Re:Privacy by Ethanol-fueled · · Score: 2, Insightful

      Exactly. This already came up here fairly recently.

      First, the service better be free. No way in hell I'm going to pay an AV vendor to do their job for them. Second, what if malware lifts credit cards and passwords from my computer? Will enough info be relayed to the good guys before my identity is stolen? Third, malware authors will become savvy, cat-and-mouse game, etc.

    7. Re:Privacy by elFisico · · Score: 2, Interesting

      If antivirus protectors could collect data from machines and users

      This idea stopped being a good one here.

      not necessarily. privacy could be protected by pseudonymizing the data. the information is in the connections between the nodes, not in the names of the nodes.

      why pseudonym and not anonym? because you should tell the infected that they are infected. and yes, who should be trusted to manage the nyms? that's another point for long discussions...

    8. Re:Privacy by DigitAl56K · · Score: 2, Insightful

      Some thoughts:

      A) This isn't a new idea and I'm pretty sure that some AV packages already automatically submit questionable files for analysis, all it takes on top of that is for a vendor to track trends. I've had anti-virus software ask me to opt-in to such schemes before.
      B) Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.
      C) Once a virus is running on a host surely it can circumvent reporting agents, or even intercept them and report clean results, delaying or preventing this type of detection?

    9. Re:Privacy by Mr.+Freeman · · Score: 4, Insightful

      The people likely to be volunteering their data are probably people informed about what's going on. Which are the people not likely to be infected, because they don't click on every "FREE PORN" ad they see.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    10. Re:Privacy by Orbijx · · Score: 3, Interesting

      Why hell yes, they do.
      In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe).

      One run of this util later, their connections suddenly worked again, and they stopped screaming that their "internets are down".

      It was fun times.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
  2. trojans by Hatta · · Score: 4, Insightful

    Malware generally moves the same way any other software moves. The user downloads and installs it.

    --
    Give me Classic Slashdot or give me death!
    1. Re:trojans by Anonymous Coward · · Score: 3, Informative

      They thought of that:

      Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake - the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of the day (as does most legitimate software).
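
The time-of-day heuristic quoted above, worked through as an added example (not code from the article or from the commenter). Each first-seen report for one sample is a pair of UTC timestamp and the reporting host's UTC offset; the host population, the dates, the "waking hours" window and the decision threshold are all constructed assumptions, and the two sample populations are built inline so the script runs offline.

```python
# Added example (not from the article or the comment above): the time-of-day
# heuristic applied to first-seen reports for one sample. Each report is
# (UTC timestamp, reporting host's UTC offset in hours); the sample data is
# constructed here, and the waking-hours window and threshold are assumptions.
from collections import Counter
from datetime import datetime, timedelta, timezone

WAKING_HOURS = range(8, 23)          # assumption: 08:00-22:59 local time
OFFSETS = [-8, -5, 0, 1, 5, 9]       # constructed host population (UTC offsets)
BASE = datetime(2009, 11, 3, tzinfo=timezone.utc)  # constructed start date


def local_hour(utc_ts, offset_hours):
    """Hour of day on the reporting host's own clock."""
    return (utc_ts + timedelta(hours=offset_hours)).hour


def hourly_histogram(reports):
    """Counter of local hour -> number of first-seen reports."""
    return Counter(local_hour(ts, off) for ts, off in reports)


def waking_fraction(reports):
    """Fraction of first-seen events that happened during local waking hours."""
    reports = list(reports)
    if not reports:
        raise ValueError("no reports")
    hist = hourly_histogram(reports)
    awake = sum(n for hour, n in hist.items() if hour in WAKING_HOURS)
    return awake / len(reports)


def classify_spread(reports, threshold=0.85):
    """Waking hours cover 15 of 24 hours, so spread that ignores the local clock
    (worm-style, machine vulnerability) lands near 15/24 = 0.625. A fraction
    far above that means installs track the victim's day (Trojan-style, human
    vulnerability). Returns (label, fraction)."""
    frac = waking_fraction(reports)
    return ("human-assisted" if frac >= threshold else "automated", frac)


def sample_worm_reports():
    """Constructed: one infection per hour, for a full day, in every timezone."""
    return [(BASE + timedelta(hours=h), off) for off in OFFSETS for h in range(24)]


def sample_trojan_reports():
    """Constructed: in every timezone, victims run the installer between 09:00
    and 20:00 local, plus one night owl at 23:00. Local time is converted to
    UTC by subtracting the host's offset."""
    out = []
    for off in OFFSETS:
        for local_h in list(range(9, 21)) + [23]:
            local_ts = BASE + timedelta(hours=local_h)
            out.append((local_ts - timedelta(hours=off), off))
    return out


if __name__ == "__main__":
    for name, reports in (("worm-like", sample_worm_reports()),
                          ("trojan-like", sample_trojan_reports())):
        label, frac = classify_spread(reports)
        print(f"{name}: {len(reports)} reports, {frac:.3f} in waking hours -> {label}")
```

The point of normalising to the host's local clock is the one the article makes: a worm-style spread is flat across the 24 hours of every timezone, while a human-approved install clusters wherever people are awake. The threshold is deliberately well above 0.625 so that ordinary noise in a small report set (night owls, machines left on) does not flip the verdict; with real telemetry it would be tuned against known samples rather than fixed.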

  3. an amazingly bad idea by leehwtsohg · · Score: 4, Insightful

    "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
    Malware writers and credit card phishers would have an immensely easier time.

    It is quite mind-boggling how bad this idea is. Cookies are not bad enough for you, eh?

  4. well... by eexaa · · Score: 2, Funny

    " And the moment malware gives up what allows us to detect it, it also stops being a threat."

    Sounds like we will get a computer filled with malware that is configured to wait until exact date/second and kill everything.

  5. Impractical by Null+Nihils · · Score: 3, Insightful

    This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).

    Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.

  6. That's too much by greymond · · Score: 3, Insightful

    It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computer's information, sensitive or not, to be handed over to McAfee or Symantec or whoever. Not me.

  7. Malware vulnerability is profitable for Microsoft. by Futurepower(R) · · Score: 5, Interesting

    The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD volunteers have been doing that for many years.

    In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

    When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For example, see the New York Times article Corrupted PC's Find New Home in the Dumpster. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

    Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.

  8. How about a ROLL Back to Install Tool? by jameskojiro · · Score: 2, Insightful

    How about building a tool in windows that ensures all windows system files are Genuine and then shows what extra crap and drivers startup and lets you choose to either disable or enable them. How about a Registry locker that you lock down your registry while running said tool so you can see if the Malware is trying to re-install itself back onto your computer?

    --
    Tsukasa: All I really want, is to be left alone...
    1. Re:How about a ROLL Back to Install Tool? by Penguinisto · · Score: 2, Insightful

      The first part IIRC already exists somewhat (especially in Vista, which is why UAC was so damned annoying and usually gets shut off at first opportunity). If you were thinking of some other mechanism, I apologize (unless that mechanism involves some sort of local or remote database of 'approved' software to check against, which is a very bad idea).

      The second part would be cool, but the Windows Registry, being a constantly evolving thing (and of piss-poor design) has data written to it by the OS constantly during runtime. All the malware has to do (and usually does once infection hits) is to mimic the perms of the system itself and happily write to whatever parts of the registry it wants, discreet user-locks be damned. The only thing a user-lock would accomplish is to prevent you, the user, from removing the malware-written registry bits.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  9. Re:Refocus malware views by MrEricSir · · Score: 2, Funny

    Consumer protection laws? Hmmm, I don't think the bank lobbyists in DC are going to be in favor of that.

    --
    There's no -1 for "I don't get it."
  10. Already being tested by Symantec by Aryeh+Goretsky · · Score: 2, Insightful

    Hello,

    What Dr. Jakobsson has described is a reputation system.

    At Virus Bulletin 2009, Symantec gave a presentation on reputation systems: "Using the wisdom of crowds to address the malware long tail," which cited data from one that began development in 2006. While I do not claim to understand the system, in a nutshell, it seems to work by generating a hash for files after they are downloaded or when they are to be executed, and sending this to Symantec along with some metadata, such as source IP/host, filename, path specification on the local host, date and time stamp on the file and other useful information, initially to provide a quick lookup, but more information can be sent if additional analysis is required. Symantec's client software can then display a message saying "Program XYZ.EXE has been seen n time(s) over the course of n day(s)/week(s)/month(s)." along with some suggestions about how safe it is likely to be, based on new/unique program files being more likely to be untrusted (higher potential for malcode) and older, common program files having a higher degree of trust.

    One advantage of this approach is that it allows malicious files encoded using server-side polymorphism to be quickly identified, as well as the sites hosting them. This negates the technique used by the bad guys of constantly modifying code in order to escape detection by anti-virus software.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
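
A toy version of the prevalence-and-age reputation lookup described in the post above, added here as an example; it is not Symantec's code and does not reproduce their actual thresholds or metadata. The server keeps, per file hash, first-seen time, the set of reporting hosts and the file names seen, and answers the "seen n time(s) over n day(s)" message plus a verdict. The trust thresholds (50 hosts and 14 days for "trusted", fewer than 5 hosts within a day for "untrusted") and the simulated host population are assumptions; the simulation also shows why a server-side-polymorphic sample stands out: every host's copy hashes differently, so each hash has prevalence one and zero age.

```python
# Added example (not Symantec's code): a prevalence/age reputation server.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class FileRecord:
    first_seen: datetime
    last_seen: datetime
    hosts: set = field(default_factory=set)   # distinct reporting hosts
    names: set = field(default_factory=set)   # file names seen for this hash


class ReputationServer:
    # Thresholds are assumptions chosen for the illustration, not vendor values.
    def __init__(self, min_hosts=50, min_age=timedelta(days=14)):
        self.records = {}
        self.min_hosts = min_hosts
        self.min_age = min_age

    def submit(self, sha256, host_id, filename, now):
        """Client reports (hash, host, name, time); returns the current verdict."""
        rec = self.records.get(sha256)
        if rec is None:
            rec = self.records[sha256] = FileRecord(first_seen=now, last_seen=now)
        rec.last_seen = max(rec.last_seen, now)
        rec.hosts.add(host_id)
        rec.names.add(filename)
        return self.lookup(sha256, now)

    def lookup(self, sha256, now):
        rec = self.records.get(sha256)
        if rec is None:
            return {"hosts": 0, "days": 0, "names": [], "verdict": "unknown"}
        age = now - rec.first_seen
        n = len(rec.hosts)
        if n >= self.min_hosts and age >= self.min_age:
            verdict = "trusted"        # old and common
        elif n < 5 and age < timedelta(days=1):
            verdict = "untrusted"      # new and rare: highest potential for malcode
        else:
            verdict = "unproven"
        return {"hosts": n, "days": age.days, "names": sorted(rec.names),
                "verdict": verdict}


def client_fingerprint(data: bytes) -> str:
    """What the client sends instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


def message(sha256, server, now):
    r = server.lookup(sha256, now)
    return (f"Program has been seen on {r['hosts']} host(s) over the course of "
            f"{r['days']} day(s): {r['verdict']}")


def simulate():
    """Constructed scenario: one legitimate updater seen on 300 hosts over 30
    days, then a repacked-per-download sample hitting 20 hosts on day 30."""
    srv = ReputationServer()
    t0 = datetime(2009, 11, 1, tzinfo=timezone.utc)
    common = client_fingerprint(b"MZ...constructed legit updater v1")
    for day in range(30):
        for host in range(10):
            srv.submit(common, f"host-{day * 10 + host}", "updater.exe",
                       t0 + timedelta(days=day))
    now = t0 + timedelta(days=30)
    common_verdict = srv.lookup(common, now)["verdict"]
    # Server-side polymorphism: each download is repacked, so no two hosts
    # ever report the same hash and each one looks brand new and unique.
    poly_verdicts = []
    for host in range(20):
        payload = b"MZ...constructed packed stub " + host.to_bytes(2, "big")
        r = srv.submit(client_fingerprint(payload), f"host-{host}",
                       "invoice.pdf.exe", now)
        poly_verdicts.append(r["verdict"])
    return common_verdict, poly_verdicts


if __name__ == "__main__":
    srv = ReputationServer()
    h = client_fingerprint(b"MZ...constructed legit updater v1")
    print(message(h, srv, datetime.now(timezone.utc)))
    print(simulate())
```

The interesting property is the inversion the post describes: with signature scanning, polymorphism hides a sample, whereas with prevalence counting it makes the sample conspicuous, because a file nobody else has ever seen is exactly what the verdict penalises. The cost, as other comments in this thread point out, is that a rare but legitimate file (an in-house tool, a fresh release) gets the same "unproven" or "untrusted" verdict until enough hosts have reported it.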
  11. Where the Windows White List? by schwit1 · · Score: 2, Interesting

    I would love a built-in security component that white lists what is permitted to run.

    And include whether the component can run as limited or root permissions.

    1. Re:Where the Windows White List? by the_one(2) · · Score: 2, Informative

      as does windows

  12. Re:I have a better idea by thewils · · Score: 2, Informative

    I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  13. If OSX, Linux, & BSD can do it, Microsoft can by Futurepower(R) · · Score: 2, Informative

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Those operating systems have fewer vulnerabilities because they were designed to be secure.

  14. Re:I have a better idea by Ungrounded+Lightning · · Score: 3, Interesting

    If you think Linux is inherently more secure than Windows, you're absolutely nuts.

    Linux is more secure against malware than Windows in the same way that a solid storm window with a few pinhole air leaks at the edge of the frame is more secure against poison gas than a window screen.

    This is a "feature" of the way Windows and its application suite are designed.

    Now that elaborate malware constructs have been designed and debugged for decades on the Windows Swiss Cheese platforms, and a multibillion dollar malware industry built upon them, if Windows should ever be displaced as the dominant platform by Linux you can expect the payloads to be ported. Then ANY successful Linux exploit the authors can find will give them a new "infection head" and an opportunity to pull the same stunts on Linux, despite the far smaller number of vulnerabilities.

    So Windows' security issues (and the failure of the company and users to adequately address them) have made things bad, not just for Windows users, but for everybody. The plague has been bred to enormous strength and virulence in other species and now poses a general threat - much like H1N1 in birds and pigs now poses a threat to humans. Thanks, Microsoft.

    Meanwhile, with Windows still the big target, avoiding it in favor of the harder-to-crack, quicker-to-fix, less-profit-for-bad-guys-meanwhile Linux platform remains a benefit for those who use it.

    And if it ever DOES become a big enough target to go after, we can hope that the lower number of vulnerabilities, more rapid fix cycle, the model of "fix the holes" in preference to "identify and intercept the latest mutant strains", and the far more varied population of installations, might keep the problems far smaller than they are with Windows.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  15. Great idea, 'Lets ignore what it does' by Ivan+Stepaniuk · · Score: 2, Interesting

    So we let the malware freely send itself to hundreds of other computers, steal our sensitive information, and then decide that something is wrong and remove it? Besides that, a lot of malware gets installed by inexperienced users that wanted ringtones/wallpapers/porn/games/porn/porn. Move along, there is nothing to detect.

    --
    My other signature is a car
  16. Mac: It's where the money is. by Gary+W.+Longsine · · Score: 2, Interesting

    Hell, Steve Ballmer keeps repeating over and over how much more expensive the Mac is. If that's true, then people with Macs have more money. Where's the shitstorm of malware trying to steal identities from all those Mac users with hefty bank accounts?

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  17. So Wrong by ratboy666 · · Score: 2, Insightful

    "The insight is: Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat."

    But of course, malware that doesn't actually DO anything isn't a threat. As an administrator, I am worried about the misuse of resources.

    Staging a DDOS attack from malware is a problem for me, because it uses my bandwidth inappropriately. Stealing credit card numbers because it is an inappropriate information leak. And so on.

    I actually DON'T CARE if someone clicks on the funny cursors package, in exchange for complete information on their browsing habits -- as long as inappropriate information is not leaked. If the user loses the contents of their savings account to a hacker with a trojan? My initial reaction is to laugh, and then feel pity. As long as it's not a theft of resources I am controlling.

    Which boils down to: malware is defined by what it does. If propagation is an issue (usually network issues), it becomes my concern. Otherwise? I don't care. So, I use behaviour based approaches to malware control. If a new (to this system) piece of software doesn't have access to resources, it can't misuse them.

    Simple trojans, viruses and worms? Amusing, but not particularly on my radar. Specific attacks on security frameworks designed to contain software? Definitely, along with root kits.

    About the only reason I bother with "malware detection" is to keep Windows users happy(ier). They seem to think that this stuff is somehow important.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  18. And like all active-response systems ... by Ungrounded+Lightning · · Score: 4, Insightful

    ... it depends on detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.

    Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".

    Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  19. Re:If OSX, Linux, & BSD can do it, Microsoft c by Penguinisto · · Score: 2, Interesting

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Depends on how stable the codebase is, how much backwards-compatibility is needed, how much of a kludge the component code bits in question were in the first place, how modular the overall design is/was, etc.

    Sure - Microsoft can do it, but judging from complaints by former Microsofties, and the leaked code from way back in Windows 2000 as a design guide of sorts? Well, on the same note I can, with the same probabilities, dig out Mount Everest and relocate it by using nothing more than a pick axe with a busted handle.
    Those operating systems have fewer vulnerabilities because they were designed to be secure.

    More importantly, they were designed to be modular in nature. This means that you can rip out and re-write parts of, say, the kernel, without worrying as much about borking the whole thing by doing so*, or inducing even worse problems elsewhere in it.

    *assuming you don't do anything outright stupid, of course...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  20. Re:If OSX, Linux, & BSD can do it, Microsoft c by Ronald+Dumsfeld · · Score: 2, Interesting

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also. Those operating systems have fewer vulnerabilities because they were designed to be secure.

    Microsoft have made secure software in the past. I recall them touting one of the earlier stable NT releases passing some DoD standard or other for security.

    What the morons from marketing did not tell you, was that the DoD had some qualifications attached to an NT system meeting their standard - the key one being: Not connected to the Internet.

    I still wonder if the No Such Agency still has thousands of VMS systems. I've not used VMS (or, as it became, OpenVMS) in the last five years. I know many Unix fans really hated it, but the entire development of the OS was done using good, tested Software Engineering principles. It was fun when everyone was screaming about the world ending because of the Y2K problem. Alas, I can't find the great response from one of the engineers - basically saying that Y2K was not an issue due to the internal date format, and Y10K would only be a problem for displaying the dates.

    --
    Where's the Kaboom?
    There's supposed to be an Earth-shattering Kaboom.
  21. Leaks and emails reveal Microsoft release policies by Futurepower(R) · · Score: 3, Informative

    The vulnerabilities are apparently the result of Microsoft release policies:

    It was widely reported that Windows 2000 was released with 63,000 known defects.

    It was widely reported that Windows XP was released with more than 100,000 known defects. (I don't have time to find a better link.) Microsoft reported that Windows XP Service Pack 2 fixed several hundred bugs, several of them very serious.

    Windows Vista was released against the wishes of some Microsoft managers, who said it was not ready for release. There was a court case that revealed emails saying that. (Again, I don't have time to find a better link.)

  22. what a bunch of crooks... by C0vardeAn0nim0 · · Score: 2, Informative

    try this on a solaris box:

    # find / -type f -perm -ugo+x -exec digest -va md5 {} \; > /executables_digest

    then every week, do:

    # find / -type f -perm -ugo+x -exec digest -va md5 {} \; > /tmp/weekly_digest
    # diff /executables_digest /tmp/weekly_digest

    pretty much how software like tripwire works.

    what those crooks on TFA want is to collect a bunch of information about everybody's computers, then sell it to the highest bidder.

    fuck them. not on my solaris boxes. not on my linux boxes.

    --
    What ? Me, worry ?
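
The find/digest/diff procedure from the post above, generalised into a small Tripwire-style baseline checker as an added example (not the commenter's code and not tripwire itself). It hashes every regular file with any execute bit set, like the post's find, and instead of a raw diff reports which executables were added, removed or changed between two runs. The directory layout and file contents in the demo are constructed so it runs offline; SHA-256 is used in place of the post's MD5.

```python
# Added example (not from the comment): baseline and compare executable hashes.
import hashlib
import os
import stat
import tempfile


def hash_executables(root):
    """Map relative path -> sha256 for every regular file under root that has
    an execute bit for owner, group or others (mirrors find -type f with an
    x-bit test). Symlinks are skipped, as find -type f skips them."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            out[os.path.relpath(path, root)] = h.hexdigest()
    return out


def compare(baseline, current):
    """Classify differences between two hash maps instead of eyeballing a diff."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: two executables and a text file are baselined,
    then one executable is modified, one is removed and one appears."""
    with tempfile.TemporaryDirectory() as work:
        def put(name, text, executable):
            p = os.path.join(work, name)
            with open(p, "w") as f:
                f.write(text)
            os.chmod(p, 0o755 if executable else 0o644)

        put("one", "#!/bin/sh\necho one\n", True)
        put("two", "#!/bin/sh\necho two\n", True)
        put("notes.txt", "not a binary, no x bit, so ignored\n", False)
        baseline = hash_executables(work)

        put("one", "#!/bin/sh\necho something else\n", True)   # modified
        put("three", "#!/bin/sh\necho three\n", True)          # added
        os.remove(os.path.join(work, "two"))                   # removed
        return compare(baseline, hash_executables(work))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would attach to the post's recipe. The baseline is only as trustworthy as where it is stored: `/executables_digest` on the same box is writable by anything that has root there, so keep the baseline (or at least its own digest) off-host or on read-only media, which is what tripwire's signed database is for. And an execute-bit test misses things that are run without one (scripts handed to an interpreter, shared libraries loaded by a legitimate binary), so a real baseline usually covers configuration and library directories too.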
  23. I wonder... by Dudeman_Jones · · Score: 2, Insightful

    Ok now I am almost positive I'm going to incite some flames with this comment, but I'm actually curious about the opinion here.

    If this same idea were to be proposed by an open-source anti-malware solution, would you still be so hesitant about it?

    How about if the proprietary companies were able to provide concrete evidence of the anonymity of your collected information?

    Again, I'm NOT trying to incite a flame war with this, but it just seems so often that people rally a (mostly deserved) hatred and distrust of any and all companies that are proprietary, while having a (possibly detrimental) implicit trust of open-source solutions.

    Besides, this could actually be a good idea. After all, we can't cure the common cold, but we can somewhat effectively stop it in its tracks because we know how it's transmitted from person to person and can thus take appropriate measures against it. What's more is that the same goes for most all acquired illnesses. I'm not saying mandate the submission of such data, but having it as an option for users could provide anti-malware researchers with a powerful tool in studying them akin to biologic researchers and strain discs.

  24. It is necessary to explain Windows' sloppiness. by Futurepower(R) · · Score: 2, Informative

    Windows Vista was released before it was ready. Even Microsoft middle managers complained about that. Customers rejected Vista; here is one of the hundreds of articles about that: Corporate America's rejection of Vista: Many companies delay or denounce Microsoft's flagship product.

    One magazine collected 210,000 signatures against adoption of Windows Vista and for keeping Windows XP: The campaign to save Windows XP.

    The fact is that we are not seeing the kind of weaknesses in Linux, OS X, or BSD that are commonly found in Windows. Windows XP was an expensive hassle for us until SP2.

    Here is an interesting fact: The latest version of Firefox, and all the versions before it, have a bug which causes Firefox to crash when there are too many windows and tabs. That bug corrupts Windows; sometimes Windows crashes, also. It is always necessary to re-start the computer.

    Linux remains stable when Firefox crashes, however.

  25. Pointing the finger the wrong way by dbIII · · Score: 2, Insightful

    Oh yes, the smug "users are dumb" argument.
    Since the same people typically have ADSL modems which are NOT infected with any sort of malware I think the argument is complete rubbish and we're suffering from a platform where "developers are dumb".
    Microsoft are waking up to it very slowly, but there are a vast number of third party applications developed by those still asleep at the wheel of the speeding malware trainwreck in progress. Just about any effort Microsoft make at improving security is rendered pointless by those that insist their stuff has to run as Admin or the functionally equivalent "power user". It takes great whopping security holes that should never exist before anything as trivial as clicking on a link could do anything horrible to the computer.
    Being smug apologists for broken systems doesn't get us anywhere. With a few good choices you can have a Microsoft based system as immune to being broken by users clicking on things just as if they were on a Mac, Sun, linux, BSD ... let's face it, anything at all apart from a badly setup Microsoft box.