Slashdot Mirror


New R2D2 Technique Protects Files Against Wiper Malware, Secure Delete Apps (bleepingcomputer.com)

An anonymous reader writes: Purdue University scientists have developed a data protection technique called Reactive Redundancy for Data Destruction (R2D2) that can safeguard data sitting inside a virtual machine from modern data-wiping malware and even some secure file deletion methods. The technique was developed to protect enterprise systems, which are often running inside VMs.

Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, and it was also able to prevent data deletion attempted with legitimate "secure delete" applications. When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VM creates a temporary checkpoint that a human operator can use as a system restore point.
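The summary describes the mechanism in one sentence: intercept the guest's file operations, match them against policies for known destructive patterns, and checkpoint the VM when one fires. The block below is an added toy illustration of that idea, not R2D2's code or anything from the Purdue paper. The event format, the two policies ("several filler-pattern overwrite passes followed by unlink" for a secure-delete tool, "filler-pattern overwrites across several distinct files" for a wiper), the `MASS_WIPE_THRESHOLD`, the `classify_buffer` heuristic and the checkpoint hook are all assumptions, and the three event streams are constructed. It also shows the evasion raised further down the thread: a file overwritten with plausible-looking content before deletion does not match either policy.

```python
"""Added example: an I/O-policy monitor that checkpoints on known destructive patterns.

Toy illustration of the technique described in the article summary; not R2D2's code.
Event format, policies, thresholds and the checkpoint hook are assumptions.
"""
import os
from collections import defaultdict
from dataclasses import dataclass, field

FILLER = {"zeros", "ones", "random"}   # buffer classes secure-delete tools and wipers write
MASS_WIPE_THRESHOLD = 3                # assumption: distinct files filler-overwritten before we call it a wiper


def classify_buffer(buf: bytes) -> str:
    """Label an intercepted write buffer (assumed heuristic, not a real VMI classifier)."""
    if not buf:
        return "data"
    if buf.count(0) == len(buf):
        return "zeros"
    if buf.count(0xFF) == len(buf):
        return "ones"
    # real documents and images touch comparatively few byte values per 4 KiB;
    # random or encrypted data touches almost all 256
    if len(set(buf)) >= 200:
        return "random"
    return "data"


@dataclass
class Event:
    """One guest file operation as a hypervisor-side monitor might see it (assumed shape)."""
    op: str            # "write" | "unlink" | "truncate"
    path: str
    size: int = 0      # file size before the operation
    offset: int = 0
    buf: bytes = b""


@dataclass
class Monitor:
    checkpoints: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    _filler_passes: dict = field(default_factory=lambda: defaultdict(int))  # path -> full filler passes seen
    _mass_flagged: bool = False

    def _checkpoint(self, reason: str, path: str) -> None:
        """Stand-in for the hypervisor checkpoint call (assumption); records an id for the operator."""
        cp = f"cp-{len(self.checkpoints) + 1}"
        self.checkpoints.append(cp)
        self.alerts.append((reason, path, cp))

    def feed(self, ev: Event) -> None:
        if ev.op == "write":
            full_pass = ev.offset == 0 and len(ev.buf) >= ev.size
            if full_pass and classify_buffer(ev.buf) in FILLER:
                self._filler_passes[ev.path] += 1
                # policy 2: many distinct files being filler-overwritten looks like a wiper
                if not self._mass_flagged and len(self._filler_passes) >= MASS_WIPE_THRESHOLD:
                    self._mass_flagged = True
                    self._checkpoint("mass_wipe", ev.path)
        elif ev.op in ("unlink", "truncate"):
            # policy 1: overwrite passes followed by deletion looks like a secure-delete tool
            if self._filler_passes.get(ev.path, 0) >= 1:
                self._checkpoint("secure_delete", ev.path)
            self._filler_passes.pop(ev.path, None)


def simulate() -> Monitor:
    """Three constructed event streams: a shred-like delete, a wiper, and the content-swap evasion."""
    m = Monitor()
    # 1) shred-style: zeros, ones, random over one file, then unlink -> secure_delete checkpoint
    for buf in (b"\x00" * 4096, b"\xff" * 4096, os.urandom(4096)):
        m.feed(Event("write", "/srv/db/ledger.db", size=4096, buf=buf))
    m.feed(Event("unlink", "/srv/db/ledger.db"))
    # 2) wiper-style: random overwrite of many files in place -> one mass_wipe checkpoint
    for i in range(4):
        m.feed(Event("write", f"/home/u/doc{i}.docx", size=4096, buf=os.urandom(4096)))
    # 3) evasion: overwrite with something that looks like a JPEG, then unlink -> nothing fires
    picture = (b"\xff\xd8\xff\xe0JFIF" + bytes(range(64)) * 64)[:4096]
    m.feed(Event("write", "/home/u/q1.xlsx", size=4096, buf=picture))
    m.feed(Event("unlink", "/home/u/q1.xlsx"))
    return m


if __name__ == "__main__":
    for alert in simulate().alerts:
        print(alert)
```

Two practical points follow from the toy. First, the policy list is only as good as the patterns it knows, which is why stream 3 passes: a wiper that overwrites with ordinary-looking bytes is invisible to a pattern monitor and has to be caught by something else (content or entropy comparison in the backup layer, or plain scheduled snapshots). Second, the checkpoint is only useful if the guest cannot reach it; a checkpoint stored where guest code can delete it is a checkpoint the next wiper version will delete.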

47 comments

  1. Not necessary. Trump commits treason on TV. by Anonymous Coward · · Score: 0

    Don't need to worry about Moscow Donald deleting his Russia collusion emails, since apparently he doesn't even realize that treason is illegal...

    1. Re:Not necessary. Trump commits treason on TV. by Anonymous Coward · · Score: 0

      Keep your pants on, champ, Trump will be prosecuted for one thing or another soon enough, or at the very least the GOP will finally have had enough of his shit and run him out of DC on a rail. The only problem we'll have then is that Pence is even worse in significant ways, we'll have to hope he comes down with a fatal disease. Meanwhile we may end up with an ex-CIA spook as POTUS, which ain't gonna be no Madame Secretary moment, I'll tell you that much. Face it, ever since November 2016, we've been doomed, we just aren't understanding exactly how doomed until just now.

    2. Re:Not necessary. Trump commits treason on TV. by Anonymous Coward · · Score: 0

      Pence is going to prison at the exact same time - He's elbow deep in Trump's dirty Putin rimjobs himself - and I hope it keeps rolling downhill from there. They all belong in prison for support of the Traitor, but Pence WILL go for sure.

      There's a decade of prosecutions coming out of this or more. Trump's all out of "his generals" now. His lawyer jumped ship. He's prison-fucked and his bitch beta sons also. Get a fucking rope.

    3. Re:Not necessary. Trump commits treason on TV. by Anonymous Coward · · Score: 0

      Hillary gets a pass for life because she has never done anything wrong?

  2. Perhaps just a stupid person filter? by Anonymous Coward · · Score: 0

    Seems simple. Keep the tardo/republicans away from anything important. You have seen what happens when these fail.

  3. fscking ban msmash by Anonymous Coward · · Score: 0

    stupid article
    stupid claims
    stupid site

    of course it came from the fucking idiotic msmash

    someone with a clue just fucking ban that fucking retarded aborted fetus

    1. Re: fscking ban msmash by Anonymous Coward · · Score: 0

      Seconded.

      Ban the shitstain.

    2. Re:fscking ban msmash by postbigbang · · Score: 1

      Hey, it was tested in a Windows 7 VM, so it ought to work everywhere!

      Right?

      Hello City of Atlanta? Oh, the city's on hold? Oh. Gosh.

      --
      ---- Teach Peace. It's Cheaper Than War.
  4. The only problem with this technique... by K.+S.+Kyosuke · · Score: 4, Funny

    You need three CPUs to run it properly!

    --
    Ezekiel 23:20
    1. Re:The only problem with this technique... by Anonymous Coward · · Score: 0

      I'll say you're wrong on two counts: 1) that's not the _only_ thing wrong with it; and 2) no you don't, you need two levels of abstraction. The hypervisor can run on a single core single CPU system and give time division multiplexing to itself, the guest, and the monitor.

      What bothers me is they've given away their secret too easily. Any script kiddie can take existing wiper malware that uses a destructive file write process, and have it simply overwrite each file with a random picture from wiki commons instead of random data and now it looks like normal IO to the monitor but is still quite destructive.

  5. God no by 110010001000 · · Score: 1

    This sounds like virus scanning, but for file operations. Terrible idea.

    1. Re:God no by Anonymous Coward · · Score: 0

      Actually? No. It's more like System Restore -- the whole idea is to allow the operation to continue, but do a "checkpoint" for rolling back in case of inadvertently dangerous operations.

      This still doesn't solve the problem in the general case, until everything is run in their independent sandboxes.

    2. Re:God no by AHuxley · · Score: 1

      It's the AV-like software deep in the OS that can detect all unexpected file operations that finds new malware.
      Spin up the CPU for total encryption malware? An app can detect that change while not having to know anything about the malware.
      Trying to copy any file deep into the OS so malware can stay active all the time. An app can detect that change.
      Try installing totally new malware all over the OS and an app can detect that change without having to know about the new malware.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:God no by Anonymous Coward · · Score: 0

      Haha, ever tried to implement these novel and genuine ideas? Just try them with any software installation, uninstallation and update sequences in real life and let the false positive alarms fly. Trying to reliably distinguish malware from a software installation or user action is not actually possible, as they all do the same things to the system. All the real AV vendors use beforehand-collected white lists to filter the false alarms to remotely tolerable levels. Of course the AV-industry marketing speaks of heuristics and behavioral analysis, but it is just smoke and mirrors.

  6. Purdue University scientists waste time and money by Anonymous Coward · · Score: 2, Insightful

    I have an even better method for protecting files against deletion. One that is proven and robust. It's called a "backup".

  7. Trump will die in prison either way by Anonymous Coward · · Score: 0

    Even if he blames Obama.

  8. But? by Anonymous Coward · · Score: 0

    Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, but it was able to prevent data deletion attempted with legitimate "secure delete" applications.

    Successful and able to prevent?
    Successful but unable to prevent?

  9. Just hand over the data... by Anonymous Coward · · Score: 0

    To the NSA. Problem solved.

    --sf

    1. Re:Just hand over the data... by Anonymous Coward · · Score: 0

      But the NSA does not give back the files it stole with Windows 10. From a user point of view the backup could have been done to /dev/null.

  10. Getting sued by Disney 3.. 2.. 1.. by Rick+Schumann · · Score: 2

    Or at least issued a DMCA Takedown Notice, for daring to use 'R2D2' without paying royalties, or at least without their express written permission.

    1. Re:Getting sued by Disney 3.. 2.. 1.. by Anonymous Coward · · Score: 0

      It's not a competing or similar product to anything that Disney has. They can't do a thing about it.

    2. Re:Getting sued by Disney 3.. 2.. 1.. by Anonymous Coward · · Score: 0

      These aren't the coders you're looking for.

    3. Re:Getting sued by Disney 3.. 2.. 1.. by SeaFox · · Score: 1

      "You don't need to see our license agreement."

    4. Re:Getting sued by Disney 3.. 2.. 1.. by Rick+Schumann · · Score: 1

      Your Jedi mind tricks won't work on them because they have no brain! xD

  11. Cat and mouse game. by Gravis+Zero · · Score: 2

    If this is widely deployed the malware writers will just change tactics. Instead of destroying data completely, they will simply begin altering files to the point where they are no longer useful. The more intelligent and insidious malware writers will gradually introduce more and more errors into databases that make it into backups. Eventually it will be discovered but if an unknown percentage of your database and its backups contain incorrect information then you are going to have a bad time.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Cat and mouse game. by Anonymous Coward · · Score: 0

      And what makes you so sure that they aren't already doing that? The honour system?

      People like you who just HAVE to come up with a way to throw a wrench into someone else's idea, no matter how tenuous that wrench is, are pathetic. You're just jealous that you didn't come up with it.

    2. Re: Cat and mouse game. by Anonymous Coward · · Score: 0

      This isn't really a very novel idea. The application of using it in a VM may be though. It's incredible nobody writes these viruses that we know can do the most long-term damage. But, given this discussion, experience shows now they will.

  12. Shamoon V3 by Anonymous Coward · · Score: 0

    Deletes checkpoints.

    Checkmate.

  13. Bad name choice by Daetrin · · Score: 2

    They should have called it OB1.

    These are not the files you're looking for. *waves hand*

    (I leave it up to someone else to come up with a good backronym.)

    --
    This Space Intentionally Left Blank
    1. Re:Bad name choice by Anonymous Coward · · Score: 0

      You'd need to connect it to the obWAN though ;-)

  14. Safeguarding Data by nuckfuts · · Score: 1

    ... can safeguard data sitting inside a virtual machine

    You know what else can safeguard data sitting inside a virtual machine?

    Backups. Snapshots. Checkpoints.

  15. Unfortunately by DontBeAMoran · · Score: 4, Funny

    Unfortunately, this new technique is still vulnerable to Cryptographic Core Computing Processing Overload.

    --
    #DeleteFacebook
  16. Help Me Obi-Wan Kenobi, You're My Only Hope by Anonymous Coward · · Score: 0

    New R2D2 Technique Protects Files

    1) copy files onto data disk

    2) insert data disk into astro-mech droid

    3) insert astro-mech droid into escape pod

    4) jettison escape pod from ship

  17. It's just snapshot automation by Anonymous Coward · · Score: 1

    ... snapshots ...

    They built a component to automatically take a snapshot when it detects I/O patterns that resemble a wipe, to try to reduce the window of time between last snapshot and wrecked data. That's it. It's a supplement to scheduled snapshots, backups and so forth.

  18. Eh CAPTCHA: excrete by Anonymous Coward · · Score: 0

    How about extending this to work against ransomware?

  19. Re:Purdue University scientists waste time and mon by Anonymous Coward · · Score: 0

    Backup comes with data loss; any writes made after backup started are not recoverable. There are other products in the data protection platform that do protect against this and many other problems. A VMM that uses VMI to journal every single IO in a log. Roll forward or backward down to the block by block transaction. Less intrusive than R2D2, but consumes far more storage. That's not theory, EMC's RecoverPoint software does this and I first learned about that 2 years ago.
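The comment above describes the alternative to a detect-then-checkpoint design: journal every block write from the hypervisor side and roll the device backward or forward transaction by transaction. The block below is an added toy model of that idea in plain Python; it is not RecoverPoint's code or the Purdue design, the class and method names are invented for the illustration, and the scenario is constructed. It makes the comment's trade-off concrete: rollback needs no pattern knowledge at all, but the journal holds a before and an after image for every write, so it grows at twice the write volume.

```python
"""Added example: block-level write journal with undo/redo (toy, not any vendor's product).

Models the 'journal every single IO, roll forward or backward' approach from the comment above.
Class and method names are assumptions; the scenario in demo() is constructed.
"""


class JournaledDisk:
    """A tiny block device that records every write as (seq, blockno, before, after)."""

    def __init__(self, nblocks: int, bsize: int = 16):
        self.bsize = bsize
        self.blocks = [bytes(bsize) for _ in range(nblocks)]
        self.journal = []   # one (seq, blockno, before, after) entry per write, in order
        self.seq = 0        # number of journal entries currently applied to self.blocks

    def write(self, blockno: int, data: bytes) -> None:
        if len(data) != self.bsize:
            raise ValueError("write must be exactly one block")
        # writing after a roll-back starts a new history: drop the undone tail first
        del self.journal[self.seq:]
        self.journal.append((self.seq + 1, blockno, self.blocks[blockno], data))
        self.blocks[blockno] = data
        self.seq += 1

    def seek(self, target: int) -> None:
        """Roll the device backward or forward to the state just after journal entry `target`."""
        if not 0 <= target <= len(self.journal):
            raise ValueError("no such point in the journal")
        while self.seq > target:                 # undo: reapply 'before' images, newest first
            _, b, before, _ = self.journal[self.seq - 1]
            self.blocks[b] = before
            self.seq -= 1
        while self.seq < target:                 # redo: reapply 'after' images, oldest first
            _, b, _, after = self.journal[self.seq]
            self.blocks[b] = after
            self.seq += 1

    def journal_bytes(self) -> int:
        """Storage cost: every write keeps both a before and an after image."""
        return sum(len(before) + len(after) for _, _, before, after in self.journal)


def demo() -> dict:
    """Constructed scenario: two good writes, a zero-fill wipe of every block, rollback, roll-forward."""
    disk = JournaledDisk(nblocks=4)
    disk.write(0, b"payroll:alice=10")   # 16-byte constructed records
    disk.write(1, b"payroll:bob=9000")
    good_point = disk.seq                 # operator's last known-good transaction number (2)
    for b in range(4):                    # a wiper zero-fills the whole device
        disk.write(b, bytes(16))
    wiped = all(blk == bytes(16) for blk in disk.blocks)
    disk.seek(good_point)                 # roll back block by block to before the wipe
    restored = disk.blocks[0] == b"payroll:alice=10" and disk.blocks[1] == b"payroll:bob=9000"
    disk.seek(len(disk.journal))          # roll forward again, e.g. to examine what the wiper wrote
    return {
        "wiped": wiped,
        "restored": restored,
        "good_point": good_point,
        "payload_bytes": 6 * 16,
        "journal_bytes": disk.journal_bytes(),
    }


if __name__ == "__main__":
    print(demo())
```

In the toy the 96 bytes actually written cost 192 bytes of journal, and a real implementation would also have to keep the journal somewhere the guest cannot write, for the same reason a checkpoint must.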

  20. Re:Purdue University scientists waste time and mon by Anonymous Coward · · Score: 0

    Backup comes with data loss; any writes made after backup started are not recoverable.

    Non-issue. I perform two backups per day. If something happens, we're only out half a day's work max.

  21. Calling it R2D2 by jamesjw · · Score: 2

    Is it called R2D2 because the normal case of secure delete the system admins say "What the bleep-bloop have you bleepy-blarp done? You stupid bloopy-blip!!" ?

    --
    -- If at first you don't succeed, lie!
  22. Just back the VM with ZFS (or anything similar) by Anonymous Coward · · Score: 0

    setup frequent snapshots (so you can roll back to before the moment the wiper wiped) and be done with it.

  23. Apps? by Tsolias · · Score: 1

    >R2D2 supports 13 known "secure delete" methods that apps and malware are known to use

    thank god I only use programs.

  24. It is not expensive to take snapshots. by Anonymous Coward · · Score: 1

    You can take them all day, and do incremental backups that way too.

    E.g. on Linux, you could create a snapshot before and after every sudo. Or on certain program launches/exits in general. And on certain file system accesses. (Linux has built-in APIs for that too nowadays.) Plus hourly ones.

    I wonder why file systems don't have built-in version control anyway.

  25. That actually sounds sensible ... by Anonymous Coward · · Score: 0

    ... when described that way.

    Although not newsworthy.

    Just a feature I would expect my distribution to have by default, or as a feature you can enable in your file system.

  26. Versions by Anonymous Coward · · Score: 0

    Remember when we were promised a database as a filesystem with built in version control.

  27. New Malware by Anonymous Coward · · Score: 0

    New Jar Jar Malware will address this issue.

  28. Re:Purdue University scientists waste time and mon by arglebargle_xiv · · Score: 1

    Also, most (all?) backup software already addresses the problem that R2D2 does, in a much less complicated way. First, there's generational backups, if your data gets cryptolockered or whatever you just go back to the pre-encrypted form. Secondly, some backups will detect major changes to a file, e.g. due to overwrite or encryption, and save an alternative copy of the unchanged data in case the major change was caused by malware.

    So it's really an idea that's (1) not new by a long shot and (2) not very useful compared to the alternatives.
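The second point in the comment above, a backup that notices a "major change" to a file and keeps the previous copy in case the change was malicious, is easy to show with a content-based check rather than the I/O-pattern check the article describes. The block below is an added illustration written for this page; it is not the code of any backup product. The `VersionedStore` class, its thresholds and the sample files are assumptions, and the inputs are constructed. Its heuristic is a Shannon-entropy jump: a text or structured file that is replaced by near-uniform random bytes (encryption, random overwrite) or by a constant fill (wipe) gets its prior version set aside, while a routine edit passes through.

```python
"""Added example: a backup target that keeps the prior copy when a rewrite looks destructive.

Illustrates the 'detect major changes and save an alternative copy' behaviour from the comment
above with an entropy heuristic. Not any vendor's code; names, thresholds and inputs are assumptions.
"""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for constant fill, ~4-5 for text, close to 8 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class VersionedStore:
    """Keeps the latest copy per path plus a quarantined prior copy for suspicious rewrites (assumed design)."""

    def __init__(self, jump: float = 2.0, high: float = 7.0):
        self.jump = jump          # assumption: entropy increase that counts as a major change
        self.high = high          # assumption: entropy above which bytes look random/encrypted
        self.current = {}         # path -> latest ingested bytes
        self.alternates = {}      # path -> previous bytes kept because the rewrite looked destructive
        self.flagged = []

    def looks_destructive(self, old: bytes, new: bytes) -> bool:
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        if e_new - e_old >= self.jump and e_new >= self.high:
            return True        # structured content replaced by random-looking bytes: encryption/overwrite
        if e_new < 0.1 and e_old > 1.0:
            return True        # content replaced by a constant fill (zeros, 0xFF): wipe
        return False

    def ingest(self, path: str, data: bytes) -> bool:
        """Store a new version; return True when the prior version was quarantined."""
        old = self.current.get(path)
        suspicious = old is not None and self.looks_destructive(old, data)
        if suspicious:
            self.alternates[path] = old
            self.flagged.append(path)
        self.current[path] = data
        return suspicious


def demo():
    """Constructed inputs: a routine edit, a ransomware-like rewrite, and a wiper-like zero fill."""
    store = VersionedStore()
    doc = b"Quarterly numbers: revenue up, costs flat.\n" * 90
    store.ingest("/share/q1.txt", doc)
    edited = store.ingest("/share/q1.txt", doc + b"Footnote: figures unaudited.\n")   # routine edit
    encrypted = store.ingest("/share/q1.txt", os.urandom(len(doc)))                   # ransomware-like
    store.ingest("/share/notes.txt", doc)
    wiped = store.ingest("/share/notes.txt", b"\x00" * len(doc))                      # wiper-like
    return store, edited, encrypted, wiped


if __name__ == "__main__":
    store, edited, encrypted, wiped = demo()
    print("routine edit flagged:", edited)
    print("encryption flagged:", encrypted)
    print("zero fill flagged:", wiped)
    print("quarantined:", store.flagged)
```

The limits are the mirror image of the pattern monitor's: a file that already has high entropy (a zip, a JPEG) shows no jump when it is encrypted, and a wiper that replaces documents with other plausible documents shows no jump either, which is the same evasion noted earlier in the thread. Generational backups, which the comment lists first, are what cover those cases.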

  29. 3-2-1 data protection by Anonymous Coward · · Score: 0

    3 copies
    2 locations
    1 off-site

  30. What? by Anonymous Coward · · Score: 0

    New R2D2 Technique Protects Flies Against Windshield Wipers?