Slashdot Mirror

← Back to Stories (view on slashdot.org)

New R2D2 Technique Protects Files Against Wiper Malware, Secure Delete Apps (bleepingcomputer.com)

Posted by msmash on from the how-about-that dept.

An anonymous reader writes: Purdue University scientists have developed a data protection technique called Reactive Redundancy for Data Destruction (R2D2) that can safeguard data sitting inside a virtual machine from modern data-wiping malware and even some secure file deletion methods. The technique was developed to protect enterprise systems, which are often running inside VMs.

Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, but it was able to prevent data deletion attempted with legitimate "secure delete" applications. When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VM creates a temporary checkpoint that a human operator can use as a system restore point.

17 of 47 comments (clear)

  1. The only problem with this technique... by K.+S.+Kyosuke · · Score: 4, Funny

    You need three CPUs to run it properly!

    --
    Ezekiel 23:20
  2. God no by 110010001000 · · Score: 1

    This sounds like virus scanning, but for file operations. Terrible idea.

    1. Re:God no by AHuxley · · Score: 1

      Its the AV like software deep in the OS that can detect all unexpected file operations deep in the OS that find new malware.
      Spin up the CPU for total encryption malware? An app can detect that change while not having to know anything about the malware.
      Trying to copy any file deep into the OS so malware can stay active all the time. An app can detect that change.
      Try installing totally new malware all over the OS and an app can detect that change without having to know about the new malware.

      --
      Domestic spying is now "Benign Information Gathering"
  3. Purdue University scientists waste time and money by Anonymous Coward · · Score: 2, Insightful

    I have an even better method for protecting files against deletion. One that is proven and robust. It's called a "backup".

  4. Getting sued by Disney 3.. 2.. 1.. by Rick+Schumann · · Score: 2

    Or at least issued a DMCA Takedown Notice, for daring to use 'R2D2' without paying royalties, or at least they express written permission.

    1. Re:Getting sued by Disney 3.. 2.. 1.. by SeaFox · · Score: 1

      "You don't need to see our license agreement."

    2. Re:Getting sued by Disney 3.. 2.. 1.. by Rick+Schumann · · Score: 1

      Your Jedi mind tricks won't work on them because they have no brain! xD

  5. Cat and mouse game. by Gravis+Zero · · Score: 2

    If this is widely deployed the malware writers will just change tactics. Instead of destroying data completely, they will simply begin alter files to the point where they are no longer useful. The more intelligent and insidious malware writers will gradually introduce more and more errors into databases that make it into backups. Eventually it will be discovered but if an unknown percentage of your database and it's backups contain incorrect information then you are going to have a bad time.

    --
    Anons need not reply. Questions end with a question mark.
  6. Re:fscking ban msmash by postbigbang · · Score: 1

    Hey, it was tested in a Windows 7 VM, so it ought to work everywhere!

    Right?

    Hello City of Atlanta? Oh, the city's on hold? Oh. Gosh.

    --
    ---- Teach Peace. It's Cheaper Than War.
  7. Bad name choice by Daetrin · · Score: 2

    They should have called it OB1.

    These are not the files you're looking for. *waves hand*

    (I leave it up to someone else to come up with a good backronym.)

    --
    This Space Intentionally Left Blank
  8. Safeguarding Data by nuckfuts · · Score: 1

    ... can safeguard data sitting inside a virtual machine

    You know what else can safeguard data sitting inside a virtual machine?

    Backups. Snapshots. Checkpoints.

  9. Unfortunately by DontBeAMoran · · Score: 4, Funny

    Unfortunately, this new technique is still vulnerable to Cryptographic Core Computing Processing Overload.

    --
    #DeleteFacebook
  10. It's just snapshot automation by Anonymous Coward · · Score: 1

    ... snapshots ...

    They built a component to automatically take a snapshot when it detects I/O patterns that resemble a wipe, to try to reduce the window of time between last snapshot and wrecked data. That's it. It's a supplement to scheduled snapshots, backups and so forth.

  11. Calling it R2D2 by jamesjw · · Score: 2

    Is it called R2D2 because the normal case of secure delete the system admins say "What the bleep-bloop have you bleepy-blarp done? You stupid bloopy-blip!!" ?

    --
    -- If at first you don't succeed, lie!
  12. Apps? by Tsolias · · Score: 1

    >R2D2 supports 13 known "secure delete" methods that apps and malware are known to use

    thank god I only use programs.

  13. It is not expensive to take snapshots. by Anonymous Coward · · Score: 1

    You can take them all day, and do incremetal backups that way too.

    E.g. on Linux, you could create a snapshot before and after every sudo. Or on certain program launches/exits in general. And on certain file system accesses. (Linux jas built-in APIs for that too nowadays.) Plus hourly ones.

    I wonder why file systems don't have built-in version control anyway.

  14. Re:Purdue University scientists waste time and mon by arglebargle_xiv · · Score: 1

    Also, most (all?) backup software already addresses the problem that R2D2 does, in a much less complicated way. First, there's generational backups, if your data gets cryptolockered or whatever you just go back to the pre-encrypted form. Secondly, some backups will detect major changes to a file, e.g. due to overwrite or encryption, and save an alternative copy of the unchanged data in case the major change was caused by malware.

    So it's really an idea that's (1) not new by a long shot and (2) not very useful compared to the alternatives.