Slashdot Mirror


IEEE Launches Anti-malware Services To Improve Security

New submitter Aryeh Goretsky writes: The IEEE Standards Association has launched an Anti-Malware Support Service to help the computer security industry respond more quickly to malware. The first two services available are a Clean file Metadata Exchange (PDF), to help prevent false positives in anti-malware software, and a Taggant System (PDF) to help prevent software packers from being abused. Official announcement is available at the official website.

23 of 51 comments

  1. Taggant by TubeSteak · · Score: 3, Interesting

    I can't get the linked PDF to load
    This probably isn't the same thing, but it explains what they're trying to do and why
    https://media.blackhat.com/bh-us-11/Kennedy/BH_US_11_KennedyMuttik_IEEE_Slides.pdf

    --
    [Fuck Beta]
    o0t!
    1. Re:Taggant by arglebargle_xiv · · Score: 2

      I can't get the linked PDF to load

      Basically they want the people who write malware packers to tag the packed malware as malware so it can be easily identified. Sort of like asking burglars to wear a shirt with I AM A BURGLAR printed on it in large letters, and perhaps notify the police when they're planning to break into a house.

      It's a cunning plan, but somehow I can't see it catching out many bad guys.

    2. Re:Taggant by MrL0G1C · · Score: 2

      "Portable Document Format (PDF) is a file format used to present documents in a manner independent of application software, hardware, and operating system"

      http://en.wikipedia.org/wiki/P...

      You don't have to use Adobe to view or edit PDFs.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    3. Re:Taggant by NotInHere · · Score: 1

      Try pdf.js -- it is the implementation of a pdf reader in one of the most secure code execution runtimes -- a js engine. It is slow and lacks many pdf features, but for these slides pdf.js is enough.

    4. Re:Taggant by mythosaz · · Score: 1

      They already wear masks, striped shirts, and carry their stolen goods in burlap bags. I'm pretty sure that "I AM A BURGLAR" is unnecessary.

    5. Re:Taggant by dave562 · · Score: 1

      I got just the opposite from the PDF.

      I thought what they are proposing is that "good" companies will sign their executables with certificates that can be revoked in the future if it turns out that the certificate is being used to sign malware.

    6. Re:Taggant by Aryeh+Goretsky · · Score: 1

      Hello,

      No problems viewing either PDF file via Sumatra PDF Reader. Perhaps you could try that.

      Regards,

      Aryeh Goretsky

      --
      Dexter is a good dog.
    7. Re:Taggant by Aryeh+Goretsky · · Score: 1

      Hello,

      It probably won't help much, if at all, but the number of legitimate applications which are self-modifying is comparatively very rare compared to those which don't.

      Regards,

      Aryeh Goretsky

      In reply to "Anonymous Coward" at Wednesday July 02, 2014 @12:34AM:

      how will this help against self rewriting applications

      --
      Dexter is a good dog.
    8. Re:Taggant by Aryeh+Goretsky · · Score: 1

      Hello,

      I believe the idea is to allow legitimate developers of packers, cryptors, etc. a means of identifying their software. I would not expect those folks on the malware side of things to take any action as a result of this activity under the IEEE's auspices as it does not apply to them.

      Regards,

      Aryeh Goretsky

      --
      Dexter is a good dog.
  2. Officially* by skirmish666 · · Score: 1

    Official announcement is officially available at the official website* - FTFY

    --
    Sigger than your average
    1. Re:Officially* by Aryeh+Goretsky · · Score: 1

      Hello,

      Oops. Thanks for catching this!

      Regards,

      Aryeh Goretsky

      --
      Dexter is a good dog.
  3. cyberoam firewall web filter by verikurtarma · · Score: 1

    #cyberoam Cyberoam, with its superior protection service in security, is one of the leading companies in the world and in Turkey. source:http://www.cyberoam.web.tr

  4. Re:Is it cross-platform? by Cenan · · Score: 1

    No need to be cross platform. Any platform that is not Windows is impervious to malware, /. says so.

    --
    ... whatever ...
  5. Re:Is it cross-platform? by hawkinspeter · · Score: 1

    I don't think other platforms are impervious, but other platforms have sensible package management that doesn't encourage users to download random unsigned packages from random websites.

    I really do think that Windows trains users in the worst possible behaviours - download and install from any website and if you see a dialog, don't bother reading it, just keep clicking "next" or "ok" until it's done.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  6. IEEE by war4peace · · Score: 4, Funny

    My head is defective. I always see "IEEE" and transform it into "Internet Explorer Enterprise Edition". Makes me cringe every time.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  7. Re:Is it cross-platform? by NotInHere · · Score: 1

    I've thought that with windows store Microsoft people wanted to solve this problem, but unfortunately they have only enabled this mechanism for metro apps. I hope that rumors are right about windows store apps being able to also run on desktop windows.

  8. slashvertized service is commercial by adriccom · · Score: 1

    CMX Consumer and/or Taggant SSV (price US $8,000.00)

            Access to CMX for 1 year
            Access to Taggant System IEEE Public Root Key, and blacklist for one year

    http://standards.ieee.org/deve...

    Most TI vendors at least offer some free feeds to suggest they have valuable content before asking you to pay up. Adoption of this new service isn't going to very good if no one can try it out/use it for free. *shrug*

    --
    <script>alert("I never liked JavaScript, really; it just seemed a bad idea.");</script>
    1. Re:slashvertized service is commercial by Aryeh+Goretsky · · Score: 1

      Hello,

      Software vendors are not charged for submitting to the CMX, and the Taggant System is free for packer authors, as well.

      It is the developers of anti-malware software who are paying for access to the CMX and Taggant System metadata, since they get the most value out of using that information. They are essentially underwriting the costs for everyone else in order to help provide a mechanism that helps clean up the ecosystem.

      While there are probably some anti-malware software developers for whom this would be a big investment, there are probably a lot for whom it is not, and since this is being done under the auspices of the IEEE, I wouldn't be surprised if there wasn't some provision for academia, too.

      Regards,

      Aryeh Goretsky

      --
      Dexter is a good dog.
  9. Why anti-malware software don't work .. by lippydude · · Score: 2
    1. Re:Why anti-malware software don't work .. by CaptainDork · · Score: 1

      This is the very best summary I've ever read on the current state of security.

      Thanks for the link.

      --
      It little behooves the best of us to comment on the rest of us.
  10. A different approach on network operating systems by raymorris · · Score: 1

    Network operating systems such as Linux take a different approach from the Windows line of disk operating systems. You CAN get some Windows-style anti-malware stuff for Linux or Mac, but its main use is to scan emails on the server in order to protect the Windows clients. To protect the Linux/BSD/Mac systems, we take the opposite approach. Not anti-malware, loading up another 75,000 virus signatures to try in vain to identify the bad stuff, but a pro-goodware approach, identifying the 20 or so programs that are supposed to be running. An excellent example of this is Tripwire http://sourceforge.net/project... . One primary function of Tripwire is that it does a scan of your system before anything bad happens, hopefully when you first set up the system, and it catalogs which files are supposed to be there. Then when it does its nightly run it doesn't try to figure out if any of the files are malware, it looks for anything that has changed from the day before. My computer should be the same today as it was yesterday, except for some emails and logs, so any new files are suspect. Any new program running is definitely suspect. The first few days that you run Tripwire or another IDS it'll catch some things that legitimately change from day to day. You set it not to alert you to that stuff that's normal. I'd leave it where it still tells you about new programs that show up - though installing software is "normal", I don't install new stuff every day so I don't mind being alerted to the fact.

    An IDS like Tripwire is just one example of the different approach. Another example, which Windows is starting to emulate now, is that normally on Linux nothing is allowed to come in from the network except what you specifically allow. Some think that works better than intensively scrutinizing everything that comes in and trying to identify the bad stuff.
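
    The baseline-then-diff approach described in the post above, as an added example (not Tripwire's code, not part of the original thread): Snapshot catalogs every regular file's content hash and permission bits, and Compare reports what changed since the baseline, with a caller-supplied normal() predicate standing in for the "don't alert me about logs and mail" tuning. Names and the permission-bit check are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"os"
	"path/filepath"
)

// Entry is what the baseline records per regular file: hash plus permission bits (a new setuid bit is as suspect as new content).
type Entry struct {
	Hash [sha256.Size]byte
	Perm os.FileMode
}

// Snapshot is the initial catalog of every regular file under root, keyed by path (added example, not Tripwire's own code).
func Snapshot(root string) (map[string]Entry, error) {
	out := map[string]Entry{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p)
		if err == nil {
			out[p] = Entry{sha256.Sum256(data), info.Mode().Perm()}
		}
		return err
	})
	return out, err
}

// Compare is the nightly run: it never asks whether a file is malware, only whether it differs from
// the baseline. normal(path) is the operator's allowlist for expected churn (logs, mail spool).
func Compare(base, cur map[string]Entry, normal func(string) bool) map[string]string {
	diff := map[string]string{}
	for p, e := range cur {
		if b, ok := base[p]; normal(p) {
			continue
		} else if !ok {
			diff[p] = "added"
		} else if b != e {
			diff[p] = "modified"
		}
	}
	for p := range base {
		if _, ok := cur[p]; !ok && !normal(p) {
			diff[p] = "removed"
		}
	}
	return diff
}
```

A changed permission bit with unchanged content is reported as "modified" too, since Entry compares both fields.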

  11. Taggant vs. any other digital signature scheme by BillX · · Score: 1

    While I'm admittedly not an expert in cryptography or trusted computing schemes in general, I don't see how this differs on a technical level from numerous other code-signing schemes with a central certificate authority (CA) (and its chain of delegations) blessing "good" code and revoking such blessings. Well known examples include Securicode / Windows Driver Signing, the anti-consumer bits of UEFI, etc. Can anyone shed some further light on how this is different?

    As with other such systems, it assumes the existence of a benevolent authority that cannot be hacked, the cooperation of all packer vendors, the cooperation of all packer *users* (who are not malware authors)... and all packer users who *are* malware authors never hearing of it.

    The only main difference I can see (and its potential downfall for its purpose) is that end-users don't pay for certificates. While that's great for end-users (driver signature enforcement in x64 Windows versions is pretty close to extortion IMO), this seems to break down for any packers that are not a licensed commercial product where an explicit, one-on-one packer-vendor to packer-user relationship exists. This excludes any freeware and open-source packers*, where any schmuck can just download and run it (and even modify it) without key exchanges or other communication with its author.

    Conversely, if any old schmuck can obtain a fresh signature at any time ("it's free!"), what's to stop any old schmuck from doing exactly that? The stipulations that the system is free to both end-users and packer vendors, bankrolled entirely by A/V vendors out of the goodness of their hearts, suggests any background-checking that occurs as a condition of generating a signature can't be very exhaustive.

    * While the IEEE materials refer to the proof-of-concept running on "a modified version of UPX", a well-known F/OSS packer, this almost certainly has to do with the ability to quickly bodge this feature in due to easy source code access, and very little to do with whether the actual author of UPX is complicit in or aware of the system, or whether this scenario can possibly work in the real-world for open-source packers with anonymous downloads.

    --
    Caveat Emptor is not a business model.
  12. spam less than you by raymorris · · Score: 1

    N/m