A New Approach to Mutating Malware
mandelbr0t writes "CBC is reporting that researchers at Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of a false alarm."
a high rate of homogeneous connection requests (Score:5, Funny)
Re:a high rate of homogeneous connection requests (Score:4, Interesting)
I suspect that every mailing list server would be a false positive, too.
Re: (Score:1, Informative)
Go over that, and your connection is terminated for the year!
Check out the Bandwidth policy at www.rescom.psu.edu (not sure if accessible off campus)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re:a high rate of homogeneous connection requests (Score:4, Insightful)
Oh, they're probably talking about end-user computers emitting too many similar packets quickly. There goes the idea of me running my own server; I will no longer be an equal on the net and will always have to pay someone else to host my content. This will also curb actions like sharing files, posting binaries to Usenet, streaming video out of my SlingBox, or other high-outgoing-bandwidth tasks. I doubt this will be the same "fractions of a second" that it takes to block. I suspect it's more like human intervention on the order of days or weeks.
Re:a high rate of homogeneous connection requests (Score:4, Insightful)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
In my experience Azureus (and presumably other BT clients) will only open about 10 new connections per second, which should be much less than the threshold for a worm detector.
...and then the newer stealth worms will moderate to only about 10 new connections per second, and sneak in under the radar.
Re: (Score:2)
Re: (Score:2)
Re:a high rate of homogeneous connection requests (Score:4, Insightful)
Also, you need to learn the difference between "connecting" and "sending". If you're interested, you should pick up one of the classic Stevens books on TCP/IP. That should clear things up for you.
Re:a high rate of homogeneous connection requests (Score:4, Insightful)
Unless you download each packet from a different server I can't see how that would possibly be relevant.
Oh, they're probably talking about end-user computers emitting too many similar packets quickly.
No they're talking about a computer emitting too many CONNECTION REQUESTS to too many different computers. If you read the article you'd probably have a better idea of what was going on.
Two types of applications that could in theory trigger a quarantine would be a mass-mailout, where you are directly delivering mail to thousands of recipient mail exchangers (instead of relaying through your ISP), or running a web-crawling robot of some sort that was traversing thousands of websites.
Typical use, from playing games, to browsing, to sending email, to streaming video... even p2p software wouldn't register as a potential threat, never mind trigger quarantine. Nor would running a busy web server, as in that case all the connection requests are inbound, not outbound.
Re: (Score:1)
So I happen to spend a whole day on the computer doing nothing but playing one first-person shooter and I'll get cut off from the net?
No, you don't get a whole day, just a few seconds. It had already determined you were going to lose anyway.
There are products out there that already do this and trend using seasonality and anomalous behavior already, I don't know why anyone would call this new. oh, wait, this is /.
q1labs.com has a great product for this, found a compromised host doing call home to a p2p control network without any signatures and that was rather new behavior at the time.
...or if connected with a proxy or VPN (Score:2)
Re: (Score:2)
Everything old is new again!
Like mutating the connection requests just enough to evade blocking? Because that would be a "new" trick they were not already doing... Patentable perhaps, but not something that would require more than a few seconds thought.
This technique could be considered something to slow worm propagation, but no more.
What happens when... (Score:2, Interesting)
It might send out a storm of packets to each of the possibly hundreds of other servers.
Will it be blocked? If so, who do you see to get it unblocked, and what happens if my ISP is running this software?
From TFA ... (Score:2)
It appears to be magic.
I can see isolating a box when its connection pattern changes. But I don't see any way to identify whether it has been infected without a person looking at it or comparing it to
Re:From TFA ... (Score:4, Funny)
Re: (Score:2)
Deterministic flaws and P2P networks. (Score:3, Interesting)
That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (Say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.
What about wanted high rate requests? (Score:2, Funny)
cause and effect (Score:3)
So they're focusing on a symptom. But it sounds like this could be used to block other "homogeneous" traffic, like Bittorrent, no?
Re: (Score:1, Offtopic)
How does it work? (Score:5, Informative)
There's not really a lot of information about how Proactive Worm Containment (PWC) works in the article. A quick bit of searching found the Penn State University Cyber Security Lab's home page here [psu.edu] and Professor Peng Liu's home page here [psu.edu] along with the university's press release here [psu.edu], but I did not see any actual articles on PWC.
A more detailed description would be most welcome, since the press release makes it sound like this is an automated response to quarantining a host which is performing a DDoS, and it is not clear how PWC would differentiate between that and just a very busy server.
Regards,
Aryeh Goretsky
Re: (Score:2, Informative)
Re:How does it work? (Score:4, Informative)
Huh? (Score:2, Funny)
This [psu.edu] is the webpage for the Cyber Security Lab. I don't see anything about this on there, but a Google search for Proactive Worm Containment brings up this presentation [psu.edu].
Yeah. (Score:2)
Safemaker, Safebreaker (Score:2, Insightful)
1. The Malware Boys (TMB) will change the software to spit out connection attempts more slowly so that it falls below the threshold, and
2. Since TMB seem to be increasingly financed by organized crime, they'll duplicate the technique in their own labs and build worms that work around it, just the way they've gotten a lot of crud by Bayesian Filters and anti-virus software.
Summary: no magic bullet
Re: (Score:2, Insightful)
What fix has there ever been that would totally stop a class of attacks in their tracks? The only one I can come up with is typesafe languages.
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:3, Insightful)
One of the bigger problems has been the speed of infection. Forcing a worm or virus to slow down significantly increases the amount of time that researchers have to identify it and release an update.
Re: (Score:2)
Re: (Score:1)
The only thing one can say about ANYTHING in this world is "for a time."
Re: (Score:2)
Re: (Score:2)
I'll stick to one of the many Windows personal firewalls
There's your first mistake ;-)
high rate of homogeneous connection requests (Score:5, Funny)
Re:high rate of homogeneous connection requests (Score:5, Funny)
And where's the new bit? (Score:3, Informative)
Re: (Score:2)
Not a new idea....but still a good one (Score:5, Informative)
anti-spam lists several years ago. Nearly all hosts on the Internet talk to one mail server: the one designated for mail submission from the network they're on. (s/one/few/ for networks large enough to have multiple SMTP gateways.) Such systems, if observed suddenly making connections on port 25 to hundreds (or more) other mail servers, are almost certainly spewing spam. This is particularly true if those connections meet certain criteria (e.g. traffic sent before waiting for SMTP greeting from remote side, or failure to send QUIT before closing connection). Slapping a port 25 block on such systems at least partially quarantines the problem, buying time for more thorough investigation.
The same could be said of systems observed making hundreds of SSH connections (to one destination or many), etc. The basic concept is to figure out what "normal" looks like -- which, granted, may vary with what uses a system normally has -- and then do something when things don't look normal. "something" could be "log it" or "issue an alert" or "rate-limit connections" or "rate-limit traffic" or "block" or some combination; the trick is to select an appropriate response that does something useful while not making the mechanism so twitchy that it trips when it shouldn't.
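The heuristic this post describes, together with the mass-mailout and web-crawler cases raised earlier in the thread, as an added example that is not code from the page, from any poster, or from the PWC project: a sliding-window monitor that counts distinct port-25 destinations per internal host, ignores traffic to the network's own designated relay, folds in the two SMTP misbehaviour criteria the post names (data before the greeting, close without QUIT), and maps the result onto the graduated response the post suggests (log, rate-limit, block). The relay address, the host addresses, the thresholds and the flow records are all constructed for illustration; tune the thresholds to what "normal" looks like on your own network.

```python
"""Outbound port-25 anomaly detector with a graduated response.

Constructed example: every address below is from the RFC 5737 documentation
ranges or private space, the designated relay 10.0.0.25 is a placeholder,
and the flow records are invented. Nothing here is the PWC implementation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float                  # seconds since start of capture
    src: str                   # internal host that opened the connection
    dst: str                   # remote peer
    dport: int                 # destination port
    early_data: bool = False   # client sent data before the SMTP greeting
    no_quit: bool = False      # connection closed without an SMTP QUIT


DESIGNATED_RELAYS = {"10.0.0.25"}   # constructed: the network's own SMTP gateway(s)
WINDOW_SECONDS = 60.0

# Graduated thresholds on distinct port-25 destinations seen within one window.
LOG_AT, RATELIMIT_AT, BLOCK_AT = 5, 20, 100
TIERS = ["normal", "log", "rate-limit", "block"]


def classify(distinct_dsts: int, bad_smtp_ratio: float) -> str:
    """Map what a host did in the window to a response tier.

    A host fanning out to many mail exchangers while also misbehaving at the
    SMTP level (data before greeting, no QUIT) is escalated to a block sooner
    than a host that merely talks to many destinations politely.
    """
    if distinct_dsts >= BLOCK_AT or (distinct_dsts >= RATELIMIT_AT and bad_smtp_ratio >= 0.5):
        return "block"
    if distinct_dsts >= RATELIMIT_AT:
        return "rate-limit"
    if distinct_dsts >= LOG_AT:
        return "log"
    return "normal"


class Port25Monitor:
    """Per-source sliding window over outbound SMTP connection attempts."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self._events = defaultdict(deque)  # src -> deque of (ts, dst, misbehaved)

    def observe(self, c: Conn) -> str:
        # Only outbound SMTP to somewhere other than the sanctioned relay counts.
        if c.dport != 25 or c.dst in DESIGNATED_RELAYS:
            return "normal"
        q = self._events[c.src]
        q.append((c.ts, c.dst, c.early_data or c.no_quit))
        while q and c.ts - q[0][0] > self.window:   # expire old events
            q.popleft()
        distinct = {dst for _, dst, _ in q}
        misbehaved = sum(1 for _, _, bad in q if bad)
        return classify(len(distinct), misbehaved / len(q))


def run(conns):
    """Feed records in time order; return the worst tier each source reached."""
    mon = Port25Monitor()
    worst = {}
    for c in sorted(conns, key=lambda c: c.ts):
        tier = mon.observe(c)
        worst[c.src] = max(worst.get(c.src, "normal"), tier, key=TIERS.index)
    return worst


def build_sample():
    """Constructed flow records covering the three cases discussed in the thread."""
    conns = []
    # Ordinary desktop: three messages submitted through the designated relay.
    conns += [Conn(10.0 + i, "10.0.1.10", "10.0.0.25", 25) for i in range(3)]
    # Small list server delivering directly to eight MXs, behaving politely.
    conns += [Conn(20.0 + i, "10.0.1.20", f"203.0.113.{i + 1}", 25) for i in range(8)]
    # Compromised host: 30 distinct MXs in 15 seconds, sloppy SMTP throughout.
    conns += [Conn(30.0 + i * 0.5, "10.0.1.30", f"198.51.100.{i + 1}", 25,
                   early_data=(i % 3 != 0), no_quit=True) for i in range(30)]
    # Its web browsing is not SMTP and is ignored by the monitor.
    conns.append(Conn(31.0, "10.0.1.30", "192.0.2.80", 443))
    return conns


if __name__ == "__main__":
    for src, tier in sorted(run(build_sample()).items()):
        print(f"{src:<12} {tier}")
```

The list server lands in the "log" tier rather than being cut off, which is the false-positive case several posters worry about; raising the distinct-destination count alone never blocks until the top threshold, and the SMTP misbehaviour ratio is what accelerates a genuine spam bot to "block".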
Re: (Score:3, Informative)
Re: (Score:2)
true for most. If you watch network traffic with tools such as ntop or etherape for a while (especially the latter thanks to the way that it facilitates visualization), and then focus on particular systems, what you'll likely find is that traffic patterns are surprisingly predictable.
Consider, for example, a client system (OS doesn't matter) sitting on a corporate network. It probably uses DHCP at boot and periodically thereafter -- so we sho
Re: (Score:1)
Re: (Score:1)
These questions just go on and on when you really start getting down to implementing "the patterns of machine ne
Re: Something else that would stop a lot of crap (Score:2)
On my list of windows annoyances, is that there are too many ways fo
Re: (Score:2)
So wouldn't it be easier... (Score:2)
anti-spam lists several years ago. Nearly all hosts on the Internet talk to one mail server: the one designated for mail submission from the network they're on. (s/one/few/ for networks large enough to have multiple SMTP gateways.)
Or you could just block all connections on port 25 to all servers other than the designated SMTP server for all computers on the network (unless, maybe, the owner of that computer asked nicely.)
Maybe I missed something: Whats new here? (Score:2, Interesting)
Helloo.... (Score:3, Informative)
connectionless packet services? [wikipedia.org]
Or have we forgotten about SQL Slammer [nai.com], which used a UDP vector?
Unless, with appropriate hand-waving, we are no longer talking about connection patterns and switching the discussion to packet-destination patterns. Which opens up other UDP-based legitimate applications to pre-emptive blockage. Imagine your lag rage when your antivirus whacks your MMO session.
Re: (Score:1)
Unless you, the administrator of the PC, have digitally signed the MMO's EXE to your antivirus program.
Quick best solution (Score:1)
A firewall won't protect you much from the initial infection, but it will stop you from spreading the malware or becoming a spam-bot. A smart firewall could also accurately warn the user of suspicious activity, as evil connections are a much more reliable symptom to check than signatures.
A good idea, though not a 100% new one. (Score:1)
What is needed is more of a "block all, allow only what is needed" policy rather than "permit all, find bad things, block them" which is a never-ending cycle. For example, unless an ISP's customer specifically requests it (and signs that he/she is fully responsible for any damage), a nu
Re: (Score:2)
Incoming, yes. Outgoing, no.
The reason why is that most software uses a range of ports for outgoing connections. For example, take an HTTP session. A web server typically listens on port 80 for HTTP requests. But, your web client (Mozilla, IE, Opera, etc.) can
Re: (Score:1)
Trivial to defeat this approach (Score:2)
Deploying this kind of detection will mitigate the spam problem somewhat by slowing down the propagation of spam -- but this isn't a silver bullet to stop malware.
Bittorrent? (Score:2)
-molo
Simple fix (Score:3, Funny)
Seriously, we need to start SOLVING problems in this world, and you don't solve problems without leaving at least a few asses in a well kicked state.
Sorry, but welcome to the human race.
Shameless plug (Score:3)
New? (Score:1)
Ingredients:
1) Old Method (heuristic approach, has been around since the 1980's and never worked)
2) Well known Countermeasure (Block outgoing ports)
3) Implication that false positives are not so bad as false negatives (cite from the link: "...cancel the quarantine in the event of a false alarm.", without a specification of how to do that.)
4) A Newspaper reporter who obviously does not know anything about security
A Remark: Implementing this Method enable
Brillant! (Score:1)
Cool! It's not every day that you get to witness the creation of a new DoS attack vector.
This technology will be toast as soon as somebody defaces Yahoo or some other popular home page---by adding a dozen or so IFRAMES to random http://hostport/ [hostport] URLs---thus causing anyone "protected" by this system to drop off the Internet.
ping (Score:1, Funny)
Simpler (Score:2)
GrIDS (Score:1)