Scanner Identifies Malware Strains, Could Be Future of AV

An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up a certain point, but the polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."

you cannot identify bad intention

[CBravo]

So even good snippets of code, combined, will form malware.

Re:you cannot identify bad intention

[DKlineburg]

I think Java proved that. It seems to have had a bad run recently.

Re:you cannot identify bad intention

[physicsphairy]

You misconstrue the nature of the battle. It is not against malware, anymore than a modern war is againsts guns and bullets. It is against the malware authors. Yes, some variant of "malware" can always be imagined to succeed against any software-level security. But the vast majority of that hypothetical malware is completely irrelevant because no one is ever going to write it. What is missing from consideration is the time and money invested into making the malware work, to how long it is effective, and what the financial payoff will be. The more you increase the burden and reduce the payoff, the more you have shifted the balance toward the good guys. More flexible malware identification mechanisms are big wins not because they are undefeatable but because they make the bad guys work harder. And, as a matter of fact, if you can generalize malicious code based on a few samples, you can effectively have the bad guys working against each other. (Virus 1, using exploit, is successful, second guy notes virus 1's success, analyzes it, produces virus 2 using same exploit, virus 3 also uses same exploit; based on comparison of three viruses, database is able to identify common exploit and innoculate against all subsequent programs which would otherwise rely on said exploit.)

Re:you cannot identify bad intention

Not really. It's more of a beat-up than a reality.

99% of all active malware is still ordinary Windows executables (around 15-20 common variants) with the few exceptions hyped beyond belief to give the impresssion that other platforms are as vulnerable.

Buggy-whip makers are scared that their buggy OS will vanish and leave them stranded.

Re:you cannot identify bad intention

Except the analogy is crap. If you have found an exploit, that means that the software it is attacking is faulty. The proper solution to that is to fix the broken software, not to add more complexity in the form of AV software that itself is likely to contain additional vulnerabilities. That is particularly true given that there is this apparently little-known result from theoretical computer science called the halting problem that implies that equivalence of programs cannot be decided in the general case - whereas known vulnerabilities in software can actually be fixed, and fixed in a way that is 100% reliable.

Re:you cannot identify bad intention

I don't know why this post would receive a -1. I agree with the poster here.

A: What this researcher is doing is nothing new. He's, once again, taking something old and presenting it as new. AV software has long had methods of detecting similar threats based on a few samples of previously known threats and the algorithms and methods they used are no different than what this person proposes.

B: The best solution to a vulnerability is to patch the vulnerability in the software.

C: People can try to find all sorts of ways to disable the anti-virus. The AV may detect against one method after which someone may find another.

If the AV has to detect a broader range of problems it will either take longer or lead to more false positives (or both). Fixing the vulnerabilities and ensuring an operating system that's much less susceptible to intrusion (without compromising useability) and allowing the AV to only detect the problems that are more difficult to otherwise fix is a better solution than letting the AV do what the operating system should already be doing.

Operating systems have been getting better though. Operating system files are generally digitally signed and my operating system will not allow me to delete or modify operating system files within Windows which, if implemented correctly, can make it more difficult for a virus to embed itself into the operating system.

The biggest problem, really, is user error. and that's something that can be difficult to correct.

Re:you cannot identify bad intention

[Lotana]

If you have found an exploit, that means that the software it is attacking is faulty.

In reality is it impossible to have perfect non-trivial application. Software's first and foremost purpose is to carry out the task it was designed for. Second priority is to have it made as quickly and as cheaply as possible. To achieve that, quality must be sacrificed.

It is prohibitively expensive to keep patching software every singly time something is discovered. Not to mention that a lot of software is legacy that is no longer under active maintenance.Even if you had all the money and time, it is still impossible given the number of variables are involved. The sheer complexity of large applications is overwhelming for any one developer to fully grasp.

Re:you cannot identify bad intention

[dreamchaser]

Even the java exploits out there are generally used to inject native executable code as malware.

Re:you cannot identify bad intention

Working for a company that runs old java, the java exploits run at large, usually drops a windows "fake-antivirus" and new variants come weekly.

Re:you cannot identify bad intention

don't forget that the AV company can be hacked and distribute a virus instead of an update.

Re:you cannot identify bad intention

[machine321]

Try Microsoft's EMET if you're in a position to do so; it's usually able to block the exploit from working on old Java if you can't upgrade.

Re:you cannot identify bad intention

The proper solution to that is to fix the broken software

You are correct to a degree. But there are such a wide variety of systems, software titles, levels of patches & updates, and combinations of all of these that fixing the broken software isn't a realistic solution. Countless companies are using an old version of <insert product here> because the updates or patches will cause problems or conflict with their needs/usage. The costs to upgrade their systems, implementation and compatibility far outweigh the cost of AV software.

Yes, we need far better testing and patching in the entire software industry. But until "software utopia" arrives we're going to need to check and double-check everything that enters our networks and systems.

Re:you cannot identify bad intention

First, in order to fix known vulnerabilities, there is no need to have a perfect application, so that is kinda a straw man.

Second, yes, fixing broken software costs money. Now, on what kind of trees does AV software grow? And what is the success rate of AV software in comparison to security fixes? And where is the cost-benefit analysis that shows that stockpiling bandaids really is economically more sensible than building bridges that don't collapse? I know that reliable bridges are more expensive, but that alone does not exactly convince me.

Re:you cannot identify bad intention

[Fnord666]

Second priority is to have it made as quickly and as cheaply as possible. To achieve that, quality must be sacrificed.

Good, fast, cheap. Pick any two.

Phylogenetic tree

[antant007]

It would be interesting to see a Phylogenetic tree of malware built using this software.

Re:Phylogenetic tree

The problem with cladograms is that they assume each species has only one ancestor. That is not necessarily the case for software (and even for living organisms).

Eh?

[trifish]

Heuristics doesn't work? Huh? It's actually exactly the kind of analysis that this security researcher seems to be presenting.

(I only read TF ./ summary though, so correct me if I'm wrong.)

Re:Eh?

[hvm2hvm]

Not really, heuristic analysis means looking for specific patterns in code or other data. Things like the program setting himself to start at bootup while deleting itself from the initial run location and so on.

What this guys does is divide the code in small pieces and comparing those. The thing is I know for a fact that AVs today already do that so unless he has some really smart way of analyzing those "structures" his research is too late.

Disclaimer: I used to work at an AV company and actually I used to work on the part of the product that does exactly what this guys does.

Re:Eh?

It's either heuristic analysis of behaviour or features. What's your point again and who was the moron modding you up?

Re:Eh?

[PNutts]

(I only read TF ./ summary though, so correct me if I'm wrong.)

This is /. You were correct to read only the summary and comment.

It unlikely it is the 'future'

The first exe packer with mutating header will destroy any semblance of even the same strain. I doubt they do full virtual machine analysis, do they?
Heuristic AV is better AND it is already present.

the real test

is to determine how many false positives this thing detects

Re:the real test

[kasperd]

false positives

That is so true. It takes less than one minute to write a scanner, which never produces a false negative. But of course in that case it would produce false positives all the time.

Devoid

Article(s) are devoid of any useful information on what techniques were used. The only useful information to be found is in the book he co-wrote (Here is a table of contents). Assuming the techniques in the book are the ones used to develop the heuristic, I don't see anything new here. Also, being a IT Security graduate from Deakin myself, I found the people involved CompSec there to be very underwhelming and years behind the times...

Meanwhile

[jamesh]

Meanwhile, the bad guys will keep tweaking their malware until none of the big players detect it, and then will release it. Just like always.

Re:Meanwhile

[Joce640k]

This. As soon as any AV product starts to actually work, the writers will change the virus until it doesn't.

AV products are 99% snake oil.

Re:Meanwhile

[eulernet]

No need to tweak anything.
Just change the compiler and the optimization's level, and the malware will be undetectable.

Re:Meanwhile

[Lotana]

I see. If you believe that AV products are useless, what would be your suggestion of a solution to preventing and detecting malware?

Re:Meanwhile

[jamesh]

I see. If you believe that AV products are useless, what would be your suggestion of a solution to preventing and detecting malware?

No you're not getting it. Currently, any decent malware released right now will not be detected by AV products. AV vendors will get hold of a copy of the malware, tweak their dictionaries, and a subsequent update will detect the malware. Running AV products is a good idea because they will detect malware not too long after the malware is released, but TFA changes nothing about this.

Re:Meanwhile

The truth is the AV vendors nowadays can't cope with the increasing flood of malware out there: http://it.slashdot.org/story/13/01/02/0348247/antivirus-software-performs-poorly-against-new-threats

It's harder than solving the halting problem - since in many cases you're not even given the full source and inputs.

The better way to deal with malware is sandboxing. Instead of solving the halting problem by trying to figure out whether a program will halt or not, you get the OS to set a limit to the program.

Even getting the program to declare up front what sort of sandbox it wants from the OS is useful.

Re:Meanwhile

[jamesh]

The truth is the AV vendors nowadays can't cope with the increasing flood of malware out there: http://it.slashdot.org/story/13/01/02/0348247/antivirus-software-performs-poorly-against-new-threats

It's harder than solving the halting problem - since in many cases you're not even given the full source and inputs.

And if you are writing malware, why release one version tweaked to evade the top 10 AV products, when you can release 1000 variants that the top 10 AV products won't catch.

The better way to deal with malware is sandboxing. Instead of solving the halting problem by trying to figure out whether a program will halt or not, you get the OS to set a limit to the program.

Even getting the program to declare up front what sort of sandbox it wants from the OS is useful.

Agreed. Every so often malware will find a way to exploit a 0-day bug and break out of the sandbox, but such things will be much rarer than what we have now. The problem will always be the user though... "This naked lady picture viewer is incompatible with sandbox. Cancel or Allow?".

Re:Meanwhile

[Joce640k]

I see. If you believe that AV products are useless, what would be your suggestion of a solution to preventing and detecting malware?

AV products work fine against last month's virus?

This weeks virus? The only solution is to drop a bomb on Microsoft and start over.

eg. I used to think mp3 files couldn't contain a virus - they're just data files, right? Bugs in the player aside, they can't execute code.

Wrong. Microsoft added a VBScript extension to them.

Also ... make "safe" mode, well, safe! ie. Make it not execute any old program that happens to have added a registry entry for itself. Safe mode should only execute fully signed code.

Also ... AV vendors need to make their products able to run off a pen drive. Booting the fundamentally-flawed-and-infected OS before you can run the antivirus? It's laughable.

I can come up with a dozen other things if you like, but I stand 100% by my statement that AV products are snake oil.

One sample tested, false positive

[Antiocheian]

Tested the Gmer rootkit detector, AV doesn't report it as malicious but heuristics does. And also,

The following cluster is related to your sample. The similarities between your submission and samples in our database are shown below. If one of the listed variants in the cluster is malicious, then it is likely that your submission is malicious also.

Cluster [W32] [Trojan]

Similarity Filename Hash AV Results
0.734592 aedbfccbfbbddcbebbcbcadf ed839568ee1c2906ea0b42612d04f6bd BC.W32.Xpaj
0.718620 deafabbcffdbdcefecffeea 151d4e03f8ffc6adc50facc2e561dab7 BC.W32.Xpaj
0.714916 bcdadffaecdeaefbdbcaccdfed f74f33bcdcff1e97048f2576abb03467 Win.Trojan.Agent-39884

How "likely" ?

Re:One sample tested, false positive

With a probability of about 0.72, apparently.

not going to work.

A polymorphic virus only has a very small polymorphic piece of code: its decryption function. The rest is encrypted with a different key each time it replicates, and does not contain any recognisable patterns.
It's simple to avoid this detection: Instead of a fixed decryption algorithm which polymorphic variations in the generated code, make the decryption algorithm itself polymorphic. Could even work without a "key", the randomly generated decryption algorithm itself could be the key. There are infinite decryption algorithms, so few recognisable patterns without tons of false positives.

Re:not going to work.

[t4ng*]

How about a runtime simulator to simulate execution of the decryption function, then analyze the decrypted results with any variety of other analysis techniques?

Re: not going to work.

Then you would stumble into the halting problem

Whew!

Just in time!

You fandroid lusers need this with your recent text message forwarding malware!

No it isn't. - Whitelists

[Karmashock]

The future is and always has been and always will be white lists.

Nearly all anti virus software works on the premise of the blacklist. That is there is a list of hundreds of thousands of malware and virus code snippets and if the AV sees some it flags it.

The white list works in the opposite direction. All VALID code gets approved. If it isn't on the list then it gets flagged.

Some people will say "but what about my indy software that isn't on the global white lists!? Well, for one thing we'll assume that the process of getting your code on the white list is no big deal. Under that system it is in everyone's interest to get as much approved code on the white lists as possible so as to make the black listing system which is terrible that much less attractive. That said, you can always approve the code yourself. Tell your home AV system that you vouch for that program and move on.

Uninformed users would be encouraged not to EVER do that since they don't know enough to really have a valid opinion. But power users, programmers, and IT experts obviously should be able to tell without a scan.

White lists. Its how the iPhone is effectively protected. Want people to download your product? iTunes has to approve of it. Doubtless itunes gets scammed occasionally but its nothing compared to what would happen if the average user was installing just "anything" on the machine.

White lists are how AV should work. Top to bottom. Forget blacklists. They're bad.

Re:No it isn't. - Whitelists

Perfect. While we're at it, we'll do that for email as well. We can call it EmailReg.org and anyone with $20 of room on their credit card can be considered to have a legitimate email domain.

You idea couldn't possibly have hilariously unintended consequences at all!

Re:No it isn't. - Whitelists

[Lotana]

Uninformed users would be encouraged not to EVER do that since they don't know enough to really have a valid opinion.

The user will do anything and everything to get what they want. They will accept any kind of warnings you through at them, no matter how scary language you use. If you completely take away their ability to control this (ie. Walled garden like Apple), you end up with much more restricted experience.

There is a cute term for this situation: Dancing Pigs. It is a very well known problem.

Re:No it isn't. - Whitelists

Well, for one thing we'll assume that the process of getting your code on the white list is no big deal.

Ah, an excellent solution! The biggest problem in the proposed system, just assumed away.

Re:No it isn't. - Whitelists

One word about whitelists: corruption. The irony is that the super wealthy groups would simply pay to be included in the whitelist and inevitably this system would lead towards the ability to exploit. This whole construct is man-made after all.

Perhaps the best approach to computer security is a healthy dose of medical philosophy instead of this idea of good and evil. Sickness and disease have no inherent evil nature they are simply the fact of life. Perhaps an enlightened state of security would reveal a stronger more flexible approach, if something breaks, or is starting to break...triage and fix. I think a moving system or dynamic approach would yield better results. Having static infrastructure seems to be getting outdated and slowing down the flow of traffic.

Good times!

Re:No it isn't. - Whitelists

[Alkonaut]

Groups with large resources (such as governments) can always exploit. They can either find a vulnerability that they can exploit without being detected by blacklists, or they can exploit the whitelist system. Whitelists, would not get rid of stuxnet-type attacks, but it would probably get rid of the 99% of attacks that are driving botnets around the world and so on.

Re:No it isn't. - Whitelists

50% of 99% of attacks that are driving modern botnets use holes in buggy software and rest uses dumb users who'll gladly click "dismiss warning" in that proposed whitelisting antivirus system to look at dancing pigs.

Re:No it isn't. - Whitelists

[Alkonaut]

The whitelisting should of course be of the "walled garden" variety. For 99% of users, hardware based protections such as TPM is a good thing. Even having the option to whitelist arbitrary software should probably be a poweruser feature.

Re:No it isn't. - Whitelists

[t4ng*]

The user will do anything and everything to get what they want. They will accept any kind of warnings you through at them, no matter how scary language you use. If you completely take away their ability to control this (ie. Walled garden like Apple), you end up with much more restricted experience.

There is a cute term for this situation: Dancing Pigs.

Simple solution: Rewrite all security warnings to reward the user with lolcats if they pick the secure option.

Re:No it isn't. - Whitelists

[Karmashock]

Easy solution. Warn them with a cartoon.

How do you think we tell people that something is poison?

http://tabzified.files.wordpress.com/2010/10/poison_sign.gif?w=520&h=539

Just throw a cartoon at them. If you make the list of whitelisted applications expansive enough then its unlikely that people will see it very often.

We could even crowdsource the white lists. Work out something so if enough people with the right level of trust click YES to something it gets added to the global lists.

Re:No it isn't. - Whitelists

[Karmashock]

Where did I say you could buy authorization on the whitelist just by sending some mindless system 20 dollars?

Oh that's right... I didn't.

Kindly don't insert your strawmen into my arguments. All you're really saying is "an idea I just came up with is stupid!"... Well okay... but its your idea then... not mine.

Re:No it isn't. - Whitelists

No the biggest problem with the system is that users will do the exact same thing they do now.
Click yes I want to install this; I know what I'm doing.

And there you have it. White list defeated.

And when whitelisted code gets hacked ?

[Antiocheian]

iPhone is just a smart phone. This is about real computers that are supposed to be free to do much more than a handheld device. Try to do the same on personal computer and it's not personal anymore, its just a smart terminal connected to a central iTunes mainframe.

Furthermore, an exploit on a standard whitelisted application such as a web browser or an office suite would expose the system to unrestricted access. A better solution is to monitor running code and prevent it from doing something it wasn't supposed to be doing. For example, neither a web browser nor an office suite should be given direct disk access, driver installation privileges or system directory access.

Re:And when whitelisted code gets hacked ?

[Karmashock]

1. The iphone thing was just an example of a default white list system. It is a computer. I can literally run windows XP on an android and the iphone is easily as powerful. So its as much a computer as anything.

2. I was not suggesting it be done the same way as the itunes system. I hate itunes too. The point was to control application access through a white list system.

3. Browsers and office suites can do the same thing with the white listing. Certain websites with certain bits of java code would be allowed. Code not approved on sites not approved would not be able to run it. Same thing for some of the hacks involving excel spreed sheets or access databases. Permit the ones known to be good, allow the user to allow ones they know are good, but otherwise deny them code privileges.

Beyond all that, we should have more sandboxing.

The program "sandboxie" is quite popular. Make that a more standard feature of most programs and operating systems so that while code might be allowed to run it isn't actually given control over anything. It THINKS it has control and it can access a facsimile for whatever it wants but actual drivers, system settings, and file system assets remain unchanged.

Re:And when whitelisted code gets hacked ?

[Antiocheian]

1. Yes, an iPhone can be hacked to become a computer, but the default configuration to which your original posting was referring to, is not a personal computer but much closer to a smart terminal since it can't function properly (and by functioning properly I naturally have to include running code) without receiving the approval of a central computer. The point of my counterargument is that while Apple's whitelisting system is working fine on the iPhone, the uses of the iPhone are not as broad as the uses of a personal computer.

2. There is already a security application that acts in the way you propose: Comodo. Now, Comodo is an interesting issue in your argument because it has repeatedly failed in respected antivirus tests such as AV Test, AV Comparatives and even VB100 (which is as close to the defacto standard as it can be). It failed so bad, that it had to be removed by those tests to avoid further embarrassment.

3. Java is not the issue in browsers, since it's not part of the browsers but a plugin instead (which can be forced to work inside a sandbox as Mozilla did for Flash). Javascript is the problem since it's a real programming language that can be used to strech a browser's code to its limits and turn any flaws to possible code execution. I don't think you can whitelist websites from Javascript as well.

Finally, while sandboxing protects the rest of the system it doesn't prevent a hacked application from accessing your data and posting them through the internet.

I'm not invalidating your argument, but I wish to point out that whitelisting may work for some users who use a limited number of applications and even then it won't offer them the complete protection they would hope for. Modern high quality antivirus suites offer superior solutions without restricting the user's choice of applications.

Re:And when whitelisted code gets hacked ?

[Karmashock]

1. I'm not going to argue with you about operating systems.

2. As to there already being whitelisting programs, I don't disagree. But that doesn't actually change my point. Furthermore, most of the major AV companies are moving away from blacklisting because they agree with me and my point. Everyone from Symantec to AVG is moving to blacklisting. Some failures in the technology are nothing to the failures in blacklisting which has failed far more often and far more spectacularly. The only advantage to blacklisting is that things are passively allowed instead of passively denied. The reality is that at this point its harder to work out what is invalid then what is valid. Which is why white listing makes a great deal more sense.

3. As to java and java script, none of that really matters since in all cases its really f'ing simple to white list both java and javascript code. There are a few plugins in fact for firefox that will whitelist javascript. And regardless we can sandbox those programs no problem if that's really going to be an ongoing issue. Really, javascript is just too expansive and needs to be a more limited language. Or the browsers themselves just have to have a more limited interpretation of it. Heck, the browsers could natively sandbox it by default.

As to limited numbers of applications. The vast number of virus victims only use a very small number of applications. Often fewer then 5 TOTAL. That is the average user. Make the average user almost impossible to target and right there it will be RADICALLY harder for viruses to proliferate.

And even if we say that everyone needs to use odd programs that the AV companies have never seen before, they can still be white listed locally if you really must. The point is that is the average user doesn't know what that program is they should be encouraged to not grant that authority. And if library of applications is wide enough they shouldn't even be in that position unless they're using something really old or really odd.

Re:And when whitelisted code gets hacked ?

I don't think you can whitelist websites from Javascript as well.

NoScript

Re:And when whitelisted code gets hacked ?

[Karmashock]

Exactly. I use noscript all the time. Most sites I don't white list at all because there's no need to give them access to javascript. Most sites only use javascript for ads or flash. Some will use it for database integration. But since I mostly go to sites to read information in basic HTML there's no reason I need to white list things. Heck, typically when I download stuff javascript is also not required.

I whitelist slashdot, places I buy stuff, my bank, youtube, and other similar services. If you're not one of those things then I don't need to white list you whether you're valid or not.

And for sites that I'm not totally sure of... I do a temporary approval which gets expunged later. And even when I do white list a site, there are typically other domains that are called by that site with their own javascript. I basically never white list those sites which menas their code doesn't run.

Does that make monitizing webtraffic more difficult? Yes. But the javascript ad click system is a security hole and the ad venders have frequently abused my tolerance by sending me pop-ups or obnoxious animated gifs that have neon flashy lights or loading flash movies that use up a lot of bandwidth and always have sound... Sorry. Its annoying. If you want me to load your stuff you need to not offend me. Which means not choosing colors that make my eyes bleed. Not loading bandwidth hogging movies. Not having sound default on. And generally respecting the fact that you load at my sufferance. Irritate me and you get blocked. Period.

Heh

While I applaud research into detecting malicious software - this type of technique has been going on for a long time. Take as an example the shikata_ga_nai payload in Metasploit which is polymorphic. The initial stub inside the PE file was identified to be the same and signatures written on top of that. Same thing on how packers worked for awhile. I would say this type of technique has been in use for years and nothing new in combatting hackers. The truth of the matter is - nothing is going to stop malware from going undetected on your system other than behavior analysis, monitoring, and multiple layers of defense from a post compromise standpoint. AV was last said to be 3 percent effective - how is that "does a decent job". AV is dead - malicious software detection is dead. Long live the age of the hackers :P

A Conspiracy Theory

[houbou]

Companies that make antivirus software pay seed money for some to make malware, viruses etc.

Not Interesting

It looks like this guy found ssdeep or maybe simhash and decided to make a slick web front end. I don't see anything revolutionary about this other than the presentation. This technique is nothing new.

Limited applications are enough for the majority

[tepples]

I wish to point out that whitelisting may work for some users who use a limited number of applications

BasilBrush and other iOS advocates would point out that the commercially relevant majority of users do in fact "use a limited number of applications". Because nobody needs an app to do any of these tasks. "Ha ha ha, boom boom."

Searching for Plagarism in Malware

[fast+turtle]

That would be closer to what the actual summary gave me and it's a process that hasn't been used as yet. Instead of using heuristics and looking at behaviour patterns, he's looking at things the same way the god damn english professors are using the plagarism tool. The Coding Style. Everyone has a style they use when writing, speaking even walking that's almost impossible to change due to habit and physical reasons and it all leads to identification. Sure it's not perfect but for AV, it's probably going to be as effective if not more so then heuristical anallysis used today.

Why do they call it annallysis? Because of the asshole. Badda Boom Baddi Bing. Thank you Thank you, Hey I've got enough tomatos, throw some eggs.

Re:Limited applications are enough for the majorit

[Antiocheian]

BasilBrush (and the ibubble in general) is not commercially relevant to computer security either, so we don't really have to care about him, do we ?

Cyber Genome?

[Shoten]

I've been looking for someone to mention the Cyber Genome research project that DARPA sponsored a while ago...but nobody has. The goal was to do exactly this.

Yes, some people have pointed out a theoretical situation where malware is built entirely of non-malicious code which is shared by non-malicious binaries. But the reality is that this is not what 99% (or more) of malware looks like. Most malware is based on other malware, and you can readily track the genealogy of the code. Additionally, malware developers throw literally thousands of variants out at a time, so that they can overwhelm the ability of AV companies to develop discrete signatures. Both of these characteristics are vulnerable to the approach put forth by this detection tool.

So...will it stop all conceivable malware? Of course not; nothing does. Even whitelisting is vulnerable to certain attacks. But nothing stops everything, and nothing ever did. This approach looks like a major improvement over the current (and failing) standard approach.

gives a family tree? How about Windows?

[fikx]

Quick run it on a Windows install disk!

And on other news

Renowned security researcher Cowboy Neal has found a way to detect if over 90% of code remained similiar after a 0.1% change in the codebase.

+5 (Funny) for the article.

Sandboxing

[wibblewibble]

I think sandboxing is also a key tool. Not sure if a file contains malware? Run it on a sandboxed VM and monitor what it does. Look for files it drops, registry changes made, IP addresses it tries to connect to, etc. Hence the rise of companies like FireEye, who provide this sort of service. Other anti-malware vendors are also adding this functionality - I know of at least three big players heading down this path.

Re:Sandboxing

[Karmashock]

I think going full VM is over kill. Just wrap it in a plastic bag. Give it the impression of interacting with a lot of things but don't actually let it effect anything that can compromise the system.

That's Windows only ..

[dgharmon]

"Security researcher Silvio Cesare .. created Simseer, a free online service that performs automated analysis on submitted malware samples"

`Simseer Search is a service to cluster malware families. PE32 Executable:'