Slashdot Mirror


How To Guarantee Malware Detection

itwbennett writes "Dr. Markus Jakobsson, Principal Scientist at PARC, explains how it is possible to guarantee the detection of malware, including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed. The solution comes down to this, says Jakobsson: 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.'"

5 of 410 comments

  1. In case anybody was wondering... by fuzzyfuzzyfungus · Score: 5, Informative

    He is indeed selling something...

  2. Re:At least one byte by dmgxmichael · Score: 5, Funny

    Not a fair comparison. Malware usually does what it's supposed to.

  3. Some amazingly bad assumptions by nahdude812 · Score: 5, Insightful

    Sure, malware has to occupy memory. That doesn't mean it has to be its own memory. Buffer overflows are all about corrupting another application's memory space.

    His basic argument is that if you want to scan RAM, the kernel can halt all processing except its RAM scanner, and have a go at the RAM safely. If it's particularly insidious malware, it'll try to hide itself in various ways, one of which would be to masquerade the portion of RAM it was using with something legitimate looking (maybe erase that portion of memory). But you know it did this because you can see that memory which was supposed to be free is no longer free. Except the hardware has no concept of free or occupied memory. It just has memory, and the OS keeps track of what's free and not. The OS - the same space where malware is running.

    OR, the malware could simply not do this, then its behavior is no different from any legitimate program. So how do you detect it now? You still need definitions that say, "When running in memory, this virus looks like X," then look through memory for that pattern.

    Besides, who's to say that the kernel space is guaranteed free of malware itself? Even if you would have successfully identified the threat in RAM, you have no guarantee that the malware hasn't corrupted the identification routine.

    It's like someone came along and said, "Hey, you guys are looking for malware wrong. You have to look for it! And I mean really look for it!"

  4. Re:At least one byte by Chris+Burke · Score: 5, Funny

    While it might be true that any application will take up at least a byte of memory, there is no reason malware couldn't masquerade as another binary down to the exact number of bytes.

    Oh see he didn't finish explaining.

    Any program that wants to be resident has to occupy at least one byte of RAM. And that byte should include the Evil Bit, which all malware should set. Then your anti-virus program just checks the Evil Bit and problem solved!

    --

    The enemies of Democracy are

  5. Refuting the imaginary article in your head by spun · Score: 5, Informative

    Still haven't read the article, eh? The technique is to swap everything out except the scanner, then write random bits to the entire memory space, then hash the memory. I could explain it all in greater detail, but, you know, there's this article, already there. Please do try to constrain your criticisms to things that actually apply to the article that was written, you know, the one we can all read. Refuting the imaginary article in your head does nothing for the rest of us.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
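The check comment 5 describes (swap everything but the scanner out, overwrite the rest of RAM with verifier-chosen random bits, then hash all of it) simulated as an added example. This is not code from the article, from PARC or from any commenter: RAM_SIZE, SCANNER_SIZE, the stand-in scanner image, the xorshift32 stream and the FNV-1a digest are all assumptions made here so that both sides of the check can be run offline. The simulation also shows the part of the "at least one byte" claim that a single round does not deliver: a one-byte resident survives a round whenever the random byte chosen for its slot happens to equal its own content, so the verifier has to repeat with fresh nonces.

```c
/* Simulation of "fill free RAM with a nonce-derived random stream, then
 * hash RAM" (software-based attestation as described in comment 5).
 * Added example; not the article's or PARC's code.  All sizes, the
 * scanner image, the PRNG and the digest are stand-ins chosen here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RAM_SIZE      4096  /* simulated device RAM (assumption) */
#define SCANNER_SIZE   256  /* bytes the resident scanner itself occupies (assumption) */
#define RESIDENT_BYTE 0xCC  /* what the hidden resident's bytes contain (assumption) */

static uint8_t ram[RAM_SIZE];

/* xorshift32: the nonce-seeded stream the verifier asks the device to write. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* xorshift needs a non-zero state; map a zero nonce to a fixed constant. */
static uint32_t seed_from_nonce(uint32_t nonce) { return nonce ? nonce : 0xDEADBEEFu; }

/* FNV-1a 64-bit, fed one byte at a time (stand-in for a real hash). */
static uint64_t fnv1a_init(void) { return 0xcbf29ce484222325ULL; }
static uint64_t fnv1a_update(uint64_t h, uint8_t b) { return (h ^ b) * 0x100000001b3ULL; }

/* Stand-in for the scanner's own code bytes, known to verifier and device. */
static uint8_t scanner_byte(size_t i) { return (uint8_t)(0xA5 ^ (i & 0xFF)); }

/* Verifier side: the digest RAM *should* produce after the fill, computed
 * from the known scanner image plus the stream the nonce generates. */
uint64_t expected_digest(uint32_t nonce) {
    uint32_t s = seed_from_nonce(nonce);
    uint64_t h = fnv1a_init();
    for (size_t i = 0; i < RAM_SIZE; i++) {
        uint8_t b = (i < SCANNER_SIZE) ? scanner_byte(i) : (uint8_t)xorshift32(&s);
        h = fnv1a_update(h, b);
    }
    return h;
}

/* Device side: scanner stays, every other byte is overwritten with the
 * stream, then all of RAM is hashed.  A resident occupying
 * [hide_off, hide_off + hide_len) refuses to give its bytes up, so those
 * writes are dropped (the stream is still consumed, so later bytes line up).
 * hide_off is expected to be >= SCANNER_SIZE; hide_len == 0 means no resident. */
uint64_t device_digest(uint32_t nonce, size_t hide_off, size_t hide_len) {
    uint32_t s = seed_from_nonce(nonce);
    size_t i;
    for (i = 0; i < SCANNER_SIZE; i++) ram[i] = scanner_byte(i);
    for (i = SCANNER_SIZE; i < RAM_SIZE; i++) {
        uint8_t b = (uint8_t)xorshift32(&s);
        if (i >= hide_off && i < hide_off + hide_len)
            ram[i] = RESIDENT_BYTE;  /* write lost: the resident keeps its byte */
        else
            ram[i] = b;
    }
    uint64_t h = fnv1a_init();
    for (i = 0; i < RAM_SIZE; i++) h = fnv1a_update(h, ram[i]);
    return h;
}

/* One round: 1 if the device's digest is what the verifier expects. */
int attest_round(uint32_t nonce, size_t hide_off, size_t hide_len) {
    return device_digest(nonce, hide_off, hide_len) == expected_digest(nonce);
}

/* Repeated rounds with fresh nonces.  A one-byte resident survives a round
 * only when the stream byte for its slot equals RESIDENT_BYTE (1 in 256),
 * so its chance of passing k independent rounds is 256^-k. */
int attest(unsigned rounds, size_t hide_off, size_t hide_len) {
    for (unsigned r = 0; r < rounds; r++) {
        /* stand-in for fresh verifier randomness per round */
        uint32_t nonce = (0x1234567u * (r + 1)) ^ 0x9E3779B9u;
        if (!attest_round(nonce, hide_off, hide_len)) return 0;
    }
    return 1;
}

int main(void) {
    printf("clean device, 8 rounds:      %s\n", attest(8, 0, 0)       ? "PASS" : "FAIL");
    printf("1-byte resident, 8 rounds:   %s\n", attest(8, 1024, 1)    ? "PASS" : "FAIL");
    printf("16-byte resident, 1 round:   %s\n", attest(1, 2048, 16)   ? "PASS" : "FAIL");
    return 0;
}
```

What the simulation deliberately leaves out is the case comment 3 raises: a resident that sits in the scanner's own execution path and, holding the nonce, computes the expected digest itself instead of reporting what RAM holds. Memory filling alone cannot see that; a real scheme of this kind has to rely on something the device cannot fake from the inside, typically how long the honest fill-and-hash takes, and this page does not go into that part.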