Slashdot Mirror


Auto-Detecting Malware? It's Possible

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

16 of 178 comments

  1. Privacy by sopssa · · Score: 5, Insightful

    > If antivirus protectors could collect data from machines and users

    This idea stopped being a good one here.

    1. Re:Privacy by gnick · · Score: 4, Insightful

      I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breach. Just leave it off by default and, should you choose, don't click the box.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Privacy by pseudorand · · Score: 3, Funny

      > If antivirus protectors could collect data from machines and users...

      ...it would be malware.

      As is, antivirus simply eats up all your CPU and memory, so it's more like a DOS.

    3. Re:Privacy by Z34107 · · Score: 4, Informative

      Well, yes and no; it depends on what kind of data.

      Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet.

      It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to kill that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

      So, maybe a bad idea, but not a new one - it's already being done.

      --
      DATABASE WOW WOW
    4. Re:Privacy by Orbijx · · Score: 3, Informative

      Usually, the Norton Removal Tool does the job in blowing Norton's software off the system.

      I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
    5. Re:Privacy by Mr. Freeman · · Score: 4, Insightful

      The people likely to be volunteering their data are probably people informed about what's going on. Which are the people not likely to be infected, because they don't click on every "FREE PORN" ad they see.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    6. Re:Privacy by Orbijx · · Score: 3, Interesting

      Why hell yes, they do.
      In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe).

      One run of this util later, their connections suddenly worked again, and they stopped screaming that their "internets are down".

      It was fun times.

      --
      One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
  2. trojans by Hatta · · Score: 4, Insightful

    Malware generally moves the same way any other software moves. The user downloads and installs it.

    --
    Give me Classic Slashdot or give me death!
    1. Re:trojans by Anonymous Coward · · Score: 3, Informative

      They thought of that:

      Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake - the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of the day (as does most legitimate software).
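
Added example, not part of the original thread or of the quoted article: one way to turn the time-of-day signal quoted above into a measurable feature, computed over constructed install reports. The report format, the sample names and the 0.3 threshold are assumptions; as the quote notes, legitimate software is also time-of-day dependent, so this is one feature and not a verdict.

```python
import cmath
import math
from collections import defaultdict


def constructed_reports():
    """Constructed data: (sample_id, utc_hour, utc_offset_hours) per install report."""
    reports = []
    for offset in (-8, 0, 8):                  # three reporting regions
        for local_hour in range(9, 23):        # installs only while users are awake
            reports.append(("sample-A", (local_hour - offset) % 24, offset))
        for utc_hour in range(24):             # installs around the clock
            reports.append(("sample-B", utc_hour, offset))
    return reports


def concentration(hours):
    """Mean resultant length on a 24h circle: 0 = spread evenly, 1 = a single hour."""
    vectors = [cmath.exp(2j * math.pi * h / 24) for h in hours]
    return abs(sum(vectors)) / len(vectors)


def classify(reports, threshold=0.3):      # threshold is an assumed cut-off
    local, utc = defaultdict(list), defaultdict(list)
    for sample, utc_hour, offset in reports:
        utc[sample].append(utc_hour)
        # The signal lives in the victim's local time, not in UTC.
        local[sample].append((utc_hour + offset) % 24)
    result = {}
    for sample in local:
        r_local = concentration(local[sample])
        result[sample] = {
            "r_utc": round(concentration(utc[sample]), 3),
            "r_local": round(r_local, 3),
            "spread": ("time-of-day dependent" if r_local >= threshold
                       else "time-independent"),
        }
    return result


if __name__ == "__main__":
    for sample, row in classify(constructed_reports()).items():
        print(sample, row)
```

sample-A looks uniform when binned in UTC because its three regions cancel out, and only shows its waking-hours pattern once each report is shifted to the reporting machine's local time.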

  3. an amazingly bad idea by leehwtsohg · · Score: 4, Insightful

    "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
    Malware writers and credit card phishers would have an immensely easier time.

    It is quite mindboggling how bad this idea is. Cookies are not bad enough for you, eh?

  4. Impractical by Null Nihils · · Score: 3, Insightful

    This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).

    Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.

  5. That's too much by greymond · · Score: 3, Insightful

    It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computer's information, sensitive or not, to be handed over to McAfee or Symantec or whoever. Not me.

  6. Malware vulnerability is profitable for Microsoft. by Futurepower(R) · · Score: 5, Interesting

    The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD volunteers have been doing that for many years.

    In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

    When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For examples, see the New York Times article Corrupted PC's Find New Home in the Dumpster. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

    Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.

  7. Re:I have a better idea by Ungrounded Lightning · · Score: 3, Interesting

    > If you think Linux is inherently more secure than Windows, you're absolutely nuts.

    Linux is more secure against malware than Windows in the same way that a solid storm window with a few pinhole air leaks at the edge of the frame is more secure against poison gas than a window screen.

    This is a "feature" of the way Windows and its application suite are designed.

    Now that elaborate malware constructs have been designed and debugged for decades on the Windows Swiss Cheese platforms, and a multibillion dollar malware industry built upon them, if Windows should ever be displaced as the dominant platform by Linux you can expect the payloads to be ported. Then ANY successful Linux exploit the authors can find will give them a new "infection head" and an opportunity to pull the same stunts on Linux, despite the far smaller number of vulnerabilities.

    So Windows' security issues (and the failure of the company and users to adequately address them) have made things bad, not just for Windows users, but for everybody. The plague has been bred to enormous strength and virulence in other species and now poses a general threat - much like H1N1 in birds and pigs now poses a threat to humans. Thanks, Microsoft.

    Meanwhile, with Windows still the big target, avoiding it in favor of the harder-to-crack, quicker-to-fix, less-profit-for-bad-guys-meanwhile Linux platform remains a benefit for those who use it.

    And if it ever DOES become a big enough target to go after, we can hope that the lower number of vulnerabilities, more rapid fix cycle, the model of "fix the holes" in preference to "identify and intercept the latest mutant strains", and the far more varied population of installations, might keep the problems far smaller than it is with Windows.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  8. And like all active-response systems ... by Ungrounded Lightning · · Score: 4, Insightful

    ... it depends on detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.

    Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".

    Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. Leaks and emails reveal Microsoft release policies by Futurepower(R) · · Score: 3, Informative

    The vulnerabilities are apparently the result of Microsoft release policies:

    It was widely reported that Windows 2000 was released with 63,000 known defects.

    It was widely reported that Windows XP was released with more than 100,000 known defects. (I don't have time to find a better link.) Microsoft reported that Windows XP Service Pack 2 fixed several hundred bugs, several of them very serious.

    Windows Vista was released against the wishes of some Microsoft managers, who said it was not ready for release. There was a court case that revealed emails saying that. (Again, I don't have time to find a better link.)