
A New Approach to Mutating Malware

Posted by Zonk
from the bigger-hammers dept.
mandelbr0t writes "CBC is reporting that researchers at Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."
  • by HTH NE1 (675604) on Friday February 09, 2007 @05:48PM (#17956076)

    The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.
    Great, so I happen to spend a whole day on the computer doing nothing but playing one first-person shooter and I'll get cut off from the net? Did this idea come from Korea?
    • by dgatwood (11270) on Friday February 09, 2007 @05:51PM (#17956116) Journal

      I suspect that every mailing list server would be a false positive, too.

      • Re: (Score:1, Informative)

        by Anonymous Coward
        Don't forget, this comes from the University that only allows 1.5 GB of TCPIP upload/download a week per student.

        Go over that, and your connection is terminated for the year!

        Check out the Bandwidth policy at www.rescom.psu.edu (not sure if accessible off campus)
    • by Nasarius (593729)
      If your game is rapidly generating hundreds of connection requests, something is very wrong.
      • This doesn't work against malware running on dialup computers then.
        • by Maian (887886)
          Correct me if I'm wrong, but you can still generate hundreds of connection requests on dialup - most will just timeout.
    • by HTH NE1 (675604) on Friday February 09, 2007 @05:59PM (#17956236)
      OK, now I've read the article. Doesn't help much:

      Peng Liu, the lead researcher on the project and director of the university's Cyber Security Lab, estimates that under the new system, only a few dozen packets could be sent before an attack is halted. In comparison, the Slammer worm sent about 4,000 packets a second.
      Great, how many packets per second is sent for streaming video? Downloading a Usenet posting?

      Oh, they're probably talking about end-user computers emitting too many similar packets quickly. There goes the idea of me running my own server; I will no longer be an equal on the net and will always have to pay someone else to host my content. This will also curb actions like sharing files, posting binaries to Usenet, streaming video out of my SlingBox, or other high-outgoing-bandwidth tasks.

      But because high packet rates aren't always triggered by worms, the new technology can also determine whether a suspected host is actually infected and release clean systems.
      I doubt this will be the same "fractions of a second" that it takes to block. I suspect it's more like human intervention on the order of days or weeks.
      • by Wesley Felter (138342) <wesley@felter.org> on Friday February 09, 2007 @06:15PM (#17956502) Homepage
        This isn't hard to understand; a worm sends thousands of packets per second, each to a different IP address, and most legitimate applications don't.
        • by zcat_NZ (267672)
          Say goodbye to bittorrent and emule though...
          • In my experience Azureus (and presumably other BT clients) will only open about 10 new connections per second, which should be much less than the threshold for a worm detector.
            • In my experience Azureus (and presumably other BT clients) will only open about 10 new connections per second, which should be much less than the threshold for a worm detector.

              ...and then the newer stealth worms will moderate to only about 10 new connections per second, and sneak in under the radar.

              • by zCyl (14362)

                ...and then the newer stealth worms will moderate to only about 10 new connections per second
                ...Good.
            • by LarsG (31008)
              You do know that XPSP2 limits the number of concurrent half-open connections to 10? A worm would have to patch tcpip.sys to go above that.
      • by abigor (540274) on Friday February 09, 2007 @08:04PM (#17957766)
        You know, somehow it strikes me that they thought of these dead-simple, everyday use cases.

        Also, you need to learn the difference between "connecting" and "sending". If you're interested, you should pick up one of the classic Stevens books on tcp/ip. That should clear things up for you.
      • by vux984 (928602) on Saturday February 10, 2007 @04:12AM (#17961018)
        Great, how many packets per second is sent for streaming video? Downloading a Usenet posting?

        Unless you download each packet from a different server I can't see how that would possibly be relevant.

        Oh, they're probably talking about end-user computers emitting too many similar packets quickly.

        No they're talking about a computer emitting too many CONNECTION REQUESTS to too many different computers. If you read the article you'd probably have a better idea of what was going on. ;)

        Two types of applications that could in theory trigger a quarantine would be a mass-mailout, where you are directly delivering mail to thousands of recipient mail exchangers (instead of relaying through your ISP), or running a web-crawling robot of some sort that was traversing thousands of websites.

        Typical use, from playing games, to browsing, to sending email, to streaming video... even p2p software wouldn't register as a potential threat, never mind trigger quarantine. Nor would running a busy web server, as in that case all the connection requests are inbound, not outbound.
    • by boone (3018)

      so I happen to spend a whole day on the computer doing nothing but playing one first-person shooter and I'll get cut off from the net?

      No, you don't get a whole day, just a few seconds. It had already determined you were going to lose anyway.

      There are products out there that already do this and trend using seasonality and anomalous behavior already, I don't know why anyone would call this new. oh, wait, this is /. q1labs.com as a great product for this, found a compromised host doing call home to a p2p control network without any signatures and that was rather new behavior at the time.

    • ...then you are a "malware carrier".
  • What happens when I buy a new game and it connects to the other players in a tight mesh.
    It might send out a storm of packets to each of the possibly hundreds of other servers.

    Will it be blocked, if so who do you see to get it unblocked, what happens if my ISP are running this software?
  • by Short Circuit (52384) * <mikemol@gmail.com> on Friday February 09, 2007 @05:51PM (#17956112) Homepage Journal
    This will (mostly) work on worms which attack flaws which behave in a nondeterministic fashion; A worm isn't guaranteed an infection by only one connection attempt. I don't think it would work for flaws that require only one connection to infect, though.

    That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (Say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.
  • ... or is porn just an actively sought out form of malware?
  • by User 956 (568564) on Friday February 09, 2007 @05:56PM (#17956198) Homepage
    'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.'

    So they're focusing on a symptom. But it sounds like this could be used block other "homogeneous" traffic, like Bittorrent, no?
  • How does it work? (Score:5, Informative)

    by Aryeh Goretsky (129230) on Friday February 09, 2007 @06:06PM (#17956380) Homepage
    Hello,

    There's not really a lot of information about how Proactive Worm Containment (PWC) works in the article. A quick bit of searching found the Penn State University Cyber Security Lab's home page here [psu.edu] and Professor Peng Liu's home page here [psu.edu] along with the university's press release here [psu.edu], but I did not see any actual articles on PWC.

    A more detailed description would be most welcome, since the press release makes it sound like this is an automated response to quarantining a host which is performing a DDoS, and it is not clear how PWC would differentiate between that and just a very busy server.

    Regards,

    Aryeh Goretsky
    • Re: (Score:2, Informative)

      by EvanED (569694)
      There is a presentation [psu.edu] about it, but it doesn't go into any more detail about the detection occurs than the article.
    • Re:How does it work? (Score:4, Informative)

      by nuckfuts (690967) on Saturday February 10, 2007 @12:42AM (#17959894)
      It's trivial to differentiate between outbound and inbound tcp connections. (The first packet has the SYN flag set to begin a three-way handshake). A busy server would have a lot of connections coming TO it. A bot would have a lot of connections coming FROM it. In the case of other protocols the SRC and DST information in the packets should suffice to determine direction.
  • Huh? (Score:2, Funny)

    by EvanED (569694)
    I wish the article didn't pretty much suck...

    This [psu.edu] is the webpage for the Cyber Security Lab. I don't see anything about this on there, but a Google search for Proactive Worm Containment brings up this presentation [psu.edu].
    • by jd (1658)
      When I saw the title "A New Approach to Mutating Malware", I was looking forward to an excellent piece on how to develop polymorphic destructive code, or maybe a way to infect viruses with Polonium-210. But all I got was some cheesy article on how to use a network intrusion detector to shut down malware. Boooring.
  • by sehlat (180760)
    OK. This will work for a while. However, sooner or later, two things will happen:

    1. The Malware Boys (TMB) will change the software to spit out connection attempts more slowly so that it falls below the threshold

    and

    2. Since TMB seem to be increasingly financed by organized crime, they'll duplicate the technique in their own labs and build worms that work around it, just the way they've gotten a lot of crud by Bayesian Filters and anti-virus software.

    Summary: no magic bullet
    • Re: (Score:2, Insightful)

      by EvanED (569694)
      Is there ever a magic bullet though?

      What fix has there ever been that would totally stop a class of attacks in their tracks? The only one I can come up with is typesafe languages.
    • Slow scanning worms already exist.
    • Re: (Score:3, Insightful)

      by hedwards (940851)
      Yes, but forcing them to slow down makes an outbreak easier to contain.

      One of the bigger problems has been the speed of infection. Forcing a worm or virus to slow down significantly increases the amount of time that researchers have to identify it and release and update.

    • by jotok (728554)
      Alas, no. Very, very few members of TMB understand the kind of mathematical traffic analysis that can be used to detect them. As a security professional, I encourage their ignorance (and yours).
      • by sehlat (180760)
        It doesn't take a lot of them, just the needs of the few, or the one. As with, say, Poincare's Conjecture, where genius can go, lesser minds can follow. Admittedly TMB are a small, secretive bunch (for very good reason), but there are large incentives to being able to tap into other people's computers and networks, and while it's not like anybody's going to be publishing papers on the topic in "Journal of the ACM," word will get around.

        The only thing one can say about ANYTHING in this world is "for a time."
        • by jotok (728554)
          This is surely correct. At the same time, there are radical differences in the way people with an engineering mentality (programmers, for instance) and people with a synthetic (as opposed to analytical) mentality think about problems. Check out wikipedia articles on top-down and bottom-up analysis, or study the differences in the philosophies of physics and biology (the structure-function paradox). I think it's less an issue of "genius" versus "lesser" minds so much as a gap in understanding, or the abi
  • by Anonymous Coward on Friday February 09, 2007 @06:12PM (#17956488)
    I don't see what anyone's sexuality or promiscuity should matter. Live and let live.
  • by Rich (9681) on Friday February 09, 2007 @06:16PM (#17956526) Homepage
    I read the article, and I'm still wondering what the 'new' part is. The text doesn't mention anything that hasn't been around for ages, is this a bad article or bad research?
    • by Rich (9681)
      I'll just add that if the system really works as described then making a certain percentage of crap connections (10%?) would completely defeat it.
  • by Arrogant-Bastard (141720) on Friday February 09, 2007 @06:18PM (#17956556)
    This idea was discussed in considerable depth on various
    anti-spam lists several years ago. Nearly all hosts on the
    Internet talk to one mail server: the one designated for
    mail submission from the network they're on. (s/one/few/
    for networks large enough to have multiple SMTP gateways.)

    Such systems, if observed suddenly making connections on
    port 25 to hundreds (or more) other mail servers, are almost
    certainly spewing spam. This is particularly true if those
    connections meet certain criteria (e.g. traffic sent before
    waiting for SMTP greeting from remote side, or failure to
    send QUIT before closing connection). Slapping a port 25
    block on such systems at least partially quarantines the
    problem, buying time for more thorough investigation.

    The same could be said of systems observed making hundreds
    of SSH connections (to one destination or many), etc. The
    basic concept is to figure out what "normal" looks like --
    which, granted, may vary with what uses a system normally
    has -- and then do something when things don't look normal.
    "something" could be "log it" or "issue an alert" or "rate-limit
    connections" or "rate-limit traffic" or "block" or some
    combination; the trick is to select an appropriate response
    that does something useful while not making the mechanism
    so twitchy that it trips when it shouldn't.
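A small flow analyser, added here as an example (not code from this thread, from PWC or from Penn State), that applies the two points made above: nuckfuts' SYN vs. SYN+ACK direction test, and Arrogant-Bastard's per-source fan-out check with a separate, stricter rule for port 25 against a known designated mail server. The thresholds, the one-second window and the sample flow records are assumptions and constructed data; the last group of flows shows the slow-scanning evasion other posters raise.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed TCP flow, summarised by its first packet (constructed format)."""
    ts: float     # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags on the first packet: "S" = SYN, "SA" = SYN+ACK

def is_outbound_syn(flow: Flow) -> bool:
    """A connection attempt FROM flow.src: first packet has SYN set, ACK clear.
    SYN+ACK is the server answering an inbound request, so a busy server's
    own replies never count against it."""
    return "S" in flow.flags and "A" not in flow.flags

def fan_out(flows, now, window, dport=None):
    """Distinct hosts each source tried to connect to within the last `window`
    seconds, optionally restricted to one destination port."""
    dests = defaultdict(set)
    for f in flows:
        if f.ts < now - window or f.ts > now or not is_outbound_syn(f):
            continue
        if dport is not None and f.dport != dport:
            continue
        dests[f.src].add(f.dst)
    return dests

def classify(flows, now, window=1.0, scan_threshold=50,
             designated_mx=frozenset(), mx_threshold=5):
    """Map each source to a response. Thresholds are assumed values; tune them
    so the mechanism is not "twitchy" (BitTorrent at ~10 new peers/s must pass)."""
    actions = {}
    for src, dsts in fan_out(flows, now, window).items():
        if len(dsts) >= scan_threshold:
            actions[src] = "block"            # worm-like fan-out: full quarantine
    for src, dsts in fan_out(flows, now, window, dport=25).items():
        foreign = dsts - designated_mx        # mail sent anywhere but the site's MX
        if src not in actions and len(foreign) >= mx_threshold:
            actions[src] = "block port 25"    # partial quarantine, host stays online
    return actions

def constructed_flows():
    """Constructed sample traffic (not a real capture); addresses are from
    private and documentation ranges."""
    flows = []
    for i in range(1, 201):                   # busy web server 10.0.0.5: inbound only
        flows.append(Flow(0.10, f"198.51.100.{i}", "10.0.0.5", 80, "S"))
        flows.append(Flow(0.10, "10.0.0.5", f"198.51.100.{i}", 49000 + i, "SA"))
    for i in range(120):                      # worm on 10.0.0.7: 120 hosts in 0.1 s
        flows.append(Flow(0.20 + i / 1200, "10.0.0.7", f"203.0.113.{i}", 445, "S"))
    for i in range(10):                       # BitTorrent on 10.0.0.9: 10 peers/s
        flows.append(Flow(0.30 + i / 20, "10.0.0.9", f"192.0.2.{i + 1}", 6881, "S"))
    for i in range(40):                       # spam bot on 10.0.0.11: 40 foreign MXs
        flows.append(Flow(0.40 + i / 400, "10.0.0.11", f"192.0.2.{100 + i}", 25, "S"))
    for _ in range(3):                        # normal mail client: designated MX only
        flows.append(Flow(0.50, "10.0.0.13", "10.0.0.2", 25, "S"))
    for i in range(2):                        # slow worm on 10.0.0.15: 2 hosts/s, evades
        flows.append(Flow(0.60 + i * 0.3, "10.0.0.15", f"203.0.113.{200 + i}", 445, "S"))
    return flows

if __name__ == "__main__":
    print(classify(constructed_flows(), now=1.0, designated_mx=frozenset({"10.0.0.2"})))
```

Only the fast worm and the spam bot are flagged; the web server, the BitTorrent client, the ordinary mail client and the slow scanner all pass, which is exactly the trade-off the thread argues about.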
    • Re: (Score:3, Informative)

      by jofny (540291)
      That doesn't work for most machines you'll find on the internet. Network data simply doesn't contain enough information to consistently build a flexible, accurate profile of normal usage. You're either going to miss a significant amount of stuff you'd like to catch, or catch so much legit traffic that it's unusable. You might find the right middle ground between them, but it'll be infrequent and coincidental.
      • While I'll grant that your point is true for *some* systems, it's not
        true for most. If you watch network traffic with tools such as ntop
        or etherape for a while (especially the latter thanks to the way that
        it facilitates visualization), and then focus on particular systems,
        what you'll likely find is that traffic patterns are surprisingly predictable.

        Consider, for example, a client system (OS doesn't matter) sitting on
        a corporate network. It probably uses DHCP at boot and periodically
        thereafter -- so we sho
        • by jofny (540291)
          Having spent time using the data from thousands of systems in multiple large networks (some of them multicontinent) trying to work out threshold rules for classifying anomalous traffic (to guide both human and machine analysis for data reduction and highlighting purposes), I can say that my experience (Yours might vary) is that what you say is true in aggregate on average, but is not reliable enough on a machine by machine basis across all machines for every distinct machine. It DOES work sometimes. But no
        • by jofny (540291)
          Forgot to add something important: Part of the measurement problem is the tokenization of network "sentences". When you're measuring your traffic - how big are your buckets? What constitutes the start and end of a bucket? How many buckets do you have? Which relationships between which types of traffic are important? Do you measure distribution of DNS traffic against HTTP? All TCP? Why? etc. etc.

          These questions just go on and on when you really start getting down to implementing "the patterns of machine ne
    • A large amount of malware configures itself so that it starts up each time you reboot. If something just popped up and said program x wants to start each time you boot your computer, do you want to allow this, yes/no, a ton of crap could be stopped right there. I know that is similar to a firewall asking if it is ok for an application to access the internet, but I haven't ever seen anything that monitors programs that start on boot up.

      On my list of windows annoyances, is that there are too many ways fo
    • This idea was discussed in considerable depth on various
      anti-spam lists several years ago. Nearly all hosts on the
      Internet talk to one mail server: the one designated for
      mail submission from the network they're on. (s/one/few/
      for networks large enough to have multiple SMTP gateways.)


      Or you could just block all connections on port 25 to all servers other than the designated SMTP server for all computers on the network (unless, maybe, the owner of that computer asked nicely.)
  • The ability to block things by number/frequency/type/foo of connection attempts is pretty old...it's just not particularly useful in cases as open-ended as this (trying to block worm activity based on no other information than connection behavior). It seems someone here is, as usual, reporting on the rediscovery of the wheel. (Not to mention the fact that the fast moving DoS worm is out of fashion right now. The heat is too much for people looking for kicks and people looking to make money from it have bet
  • Helloo.... (Score:3, Informative)

    by idontgno (624372) on Friday February 09, 2007 @06:24PM (#17956634) Journal

    connectionless packet services? [wikipedia.org]

    Or have we forgotten about SQL Slammer [nai.com], which used a UDP vector?

    Unless, with appropriate hand-waving, we are no longer talking about connection patterns and switching the discussion to packet-destination patterns. Which opens up other UDP-based legitimate applications to pre-emptive blockage. Imagine your lag rage when your antivirus whacks your MMO session.

    • by tepples (727027)

      Imagine your lag rage when your antivirus whacks your MMO session.

      Unless you, the administrator of the PC, have digitally signed the MMO's EXE to your antivirus program.

  • A really simple solution to most virus problems is a good firewall. This project seems to be not much more than a glorified firewall with heuristics.

    A firewall won't protect you much from the initial infection, but it will stop you from spreading the malware or becoming a spam-bot. A smart firewall could also accurately warn the user of suspicious activity, as evil connections are a much more reliable symptom to check than signatures.
  • I'm not sure if this is a totally idea or not, but any help with this is a positive thing. Watching a machine and trying to find signs of malware behavior isn't new. NAV and other programs already have heuristics built in.

    What is needed is more of a "block all, allow only what is needed" policy rather than "permit all, find bad things, block them" which is a never-ending cycle. For example, unless an ISP's customer specifically requests it (and signs that he/she is fully responsible for any damage), a nu
    • ...what ports the program will be using for incoming/outgoing connections. Program uses a port different from what is listed in its manifest, the connection either is blocked, or the user is prompted to manually add an ACL entry allowing it...

      Incoming, yes. Outgoing, no.

      The reason why is that most software uses a range of ports for outgoing connections. For example, take an HTTP session. A web server typically listens on port 80 for HTTP requests. But, your web client (Mozilla, IE, Opera, etc.) can

      • by mlts (1038732)
        I stand corrected, and you are 100% right. A program that is connecting to another host can have pretty much what it wants as an outgoing port on its local box (for example, Firefox is outgoing on port 4480), what matters is what port the outgoing program is connecting to on the remote box. I should have clarified that.
  • Malware authors will just throttle the rate at which their software sends spam (or exploit payloads or whatever dirty work it happens to be doing).

    Deploying this kind of detection will mitigate the spam problem somewhat by slowing down the propagation of spam -- but this isn't a silver bullet to stop malware.
  • Hundreds of connections to many clients on the same set of ports? Sounds like someone is running a bittorrent client. They would have to only do this on a certain set of ports or something. Would block too much legitimate traffic otherwise.

    -molo
  • Simple fix (Score:3, Funny)

    by Quiet_Desperation (858215) on Friday February 09, 2007 @10:09PM (#17958826)
    Hunt down the authors and cut their balls off. Publicly. People underestimate the visual deterrent power of a Bowie knife taken to some testicles.

    Seriously, we need to start SOLVING problems in this world, and you don't solve problems without leaving at least a few asses in a well kicked state.

    Sorry, but welcome to the human race.
  • by bryan1945 (301828) on Friday February 09, 2007 @10:46PM (#17959086) Journal
    We are... PENN STATE!
  • by drolli (522659)
    Excuse me, that is a "generic paper for gaining Attention" case.

    Ingredients:

    1) Old Method (heuristic approach, has been around since the 1980s and never worked)

    2) Well known Countermeasure (Block outgoing ports)

    3) Implication that false positives are not so bad as false negatives (cite from the link: "...cancel the quarantine in the event of a false alarm.", without a specification of how to do that.)

    4) A Newspaper reporter who obviously does not know anything about security

    A Remark: Implementing this Method enable
  • Cool! It's not every day that you get to witness the creation of a new DoS attack vector.

    This technology will be toast as soon as somebody defaces Yahoo or some other popular home page---by adding a dozen or so IFRAMES to random http://hostport/ [hostport] URLs---thus causing anyone "protected" by this system to drop off the Internet.

  • ping (Score:1, Funny)

    by Anonymous Coward
    so what if i DoS 127.0.0.1?
  • Just evaluate the TCP packet signatures and identify MS platforms, and deny all traffic from it. Malware would stop dead in its tracks.
  • Seems like just a few changes from the Graph-based Intrusion Detection System [ucdavis.edu] developed by UC Davis 8 years ago.
