A New Approach to Mutating Malware 80
mandelbr0t writes "CBC is reporting that researchers at the Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time-delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."
How does it work? (Score:5, Informative)
There's not really a lot of information about how Proactive Worm Containment (PWC) works in the article. A quick bit of searching found the Penn State University Cyber Security Lab's home page here [psu.edu] and Professor Peng Liu's home page here [psu.edu] along with the university's press release here [psu.edu], but I did not see any actual articles on PWC.
A more detailed description would be most welcome, since the press release makes it sound like this is an automated response to quarantining a host which is performing a DDoS, and it is not clear how PWC would differentiate between that and just a very busy server.
Regards,
Aryeh Goretsky
Not a new idea....but still a good one (Score:5, Informative)
anti-spam lists several years ago. Nearly all hosts on the Internet talk to one mail server: the one designated for mail submission from the network they're on. (s/one/few/ for networks large enough to have multiple SMTP gateways.) Such systems, if observed suddenly making connections on port 25 to hundreds (or more) of other mail servers, are almost certainly spewing spam. This is particularly true if those connections meet certain criteria (e.g. traffic sent before waiting for the SMTP greeting from the remote side, or failure to send QUIT before closing the connection). Slapping a port 25 block on such systems at least partially quarantines the problem, buying time for more thorough investigation.
The same could be said of systems observed making hundreds of SSH connections (to one destination or many), etc. The basic concept is to figure out what "normal" looks like -- which, granted, may vary with what uses a system normally has -- and then do something when things don't look normal. "something" could be "log it" or "issue an alert" or "rate-limit connections" or "rate-limit traffic" or "block" or some combination; the trick is to select an appropriate response that does something useful while not making the mechanism so twitchy that it trips when it shouldn't.
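A sketch of the fan-out detector the comment above describes (many distinct destinations on one port from a single host, followed by a graduated response), written here as an added example; it is not code from the page or from the PWC project. The flow records, the 60-second window, the threshold multipliers and the allowlist are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (time_sec, src_ip, dst_ip, dst_port).
# 10.0.0.5 looks like a normal client that only talks to its own mail gateway;
# 10.0.0.9 fans out to 60 distinct SMTP servers on port 25 inside one minute.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "192.0.2.10", 25),
    (5, "10.0.0.5", "192.0.2.10", 25),
    (9, "10.0.0.5", "198.51.100.7", 443),
] + [(t, "10.0.0.9", f"203.0.113.{t + 1}", 25) for t in range(60)]

def peak_fanout(flows, window_sec=60, allowlist=()):
    """Peak number of distinct destinations per (src_ip, dst_port) inside any
    sliding window of window_sec seconds; hosts in allowlist are never scored."""
    by_key = defaultdict(list)  # (src_ip, dst_port) -> [(t, dst_ip), ...]
    for t, src, dst, port in sorted(flows):
        if src not in allowlist:
            by_key[(src, port)].append((t, dst))
    peaks = {}
    for key, events in by_key.items():
        in_window = defaultdict(int)  # dst_ip -> hits currently inside the window
        left, peak = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            # advance the left edge until the window spans at most window_sec
            while t - events[left][0] > window_sec:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        peaks[key] = peak
    return peaks

def choose_response(peak, threshold=20):
    """Graduated response: alert first, firmer action only well past threshold."""
    if peak <= threshold:
        return "none"
    if peak <= 2 * threshold:
        return "alert"
    if peak <= 4 * threshold:
        return "rate-limit"
    return "block"

def triage(flows, threshold=20, window_sec=60, allowlist=()):
    # Map every (src_ip, dst_port) pair above threshold to its chosen response.
    peaks = peak_fanout(flows, window_sec, allowlist)
    return {k: choose_response(p, threshold) for k, p in peaks.items() if p > threshold}
```

Known SMTP gateways belong in the allowlist, which is the "s/one/few/" caveat from the comment; everything else is scored per destination port so a busy web client is not confused with a port-25 spewer.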
Helloo.... (Score:3, Informative)
connectionless packet services? [wikipedia.org]
Or have we forgotten about SQL Slammer [nai.com], which used a UDP vector?
Unless, with appropriate hand-waving, we are no longer talking about connections patterns and switching the discussion to packet-destination patterns. Which opens up other UDP-based legitimate applications to pre-emptive blockage. Imagine your lag rage when your antivirus whacks your MMO session.
Re:a high rate of homogeneous connection requests (Score:1, Informative)
Go over that, and your connection is terminated for the year!
Check out the Bandwidth policy at www.rescom.psu.edu (not sure if accessible off campus)