Security

A New Approach to Mutating Malware

mandelbr0t writes "CBC is reporting that researchers at Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of a false alarm."
  • by HTH NE1 ( 675604 ) on Friday February 09, 2007 @06:59PM (#17956236)
    OK, now I've read the article. Doesn't help much:

    > Pen Liu, the lead researcher on the project and director of the university's Cyber Security Lab, estimates that under the new system, only a few dozen packets could be sent before an attack is halted. In comparison, the Slammer worm sent about 4,000 packets a second.

    Great, how many packets per second are sent for streaming video? Downloading a Usenet posting?

    Oh, they're probably talking about end-user computers emitting too many similar packets quickly. There goes the idea of me running my own server; I will no longer be an equal on the net and will always have to pay someone else to host my content. This will also curb actions like sharing files, posting binaries to Usenet, streaming video out of my SlingBox, or other high-outgoing-bandwidth tasks.

    > But because high packet rates aren't always triggered by worms, the new technology can also determine whether a suspected host is actually infected and release clean systems.

    I doubt this will be the same "fractions of a second" that it takes to block. I suspect it's more like human intervention on the order of days or weeks.
  • by sehlat ( 180760 ) on Friday February 09, 2007 @07:08PM (#17956420)
    OK. This will work for a while. However, sooner or later, two things will happen:

    1. The Malware Boys (TMB) will change the software to spit out connection attempts more slowly so that it falls below the threshold

    and

    2. Since TMB seem to be increasingly financed by organized crime, they'll duplicate the technique in their own labs and build worms that work around it, just the way they've gotten a lot of crud by Bayesian filters and anti-virus software.

    Summary: no magic bullet
  • This isn't hard to understand; a worm sends thousands of packets per second, each to a different IP address, and most legitimate applications don't.
  • by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Friday February 09, 2007 @07:17PM (#17956540)
    Is there ever a magic bullet though?

    What fix has there ever been that would totally stop a class of attacks in their tracks? The only one I can come up with is typesafe languages.
  • by hedwards ( 940851 ) on Friday February 09, 2007 @07:51PM (#17957030)
    Yes, but forcing them to slow down makes an outbreak easier to contain.

    One of the bigger problems has been the speed of infection. Forcing a worm or virus to slow down significantly increases the amount of time that researchers have to identify it and release an update.

  • by abigor ( 540274 ) on Friday February 09, 2007 @09:04PM (#17957766)
    You know, somehow it strikes me that they thought of these dead-simple, everyday use cases.

    Also, you need to learn the difference between "connecting" and "sending". If you're interested, you should pick up one of the classic Stevens books on TCP/IP. That should clear things up for you.
  • by vux984 ( 928602 ) on Saturday February 10, 2007 @05:12AM (#17961018)
    > Great, how many packets per second is sent for streaming video? Downloading a Usenet posting?

    Unless you download each packet from a different server I can't see how that would possibly be relevant.

    > Oh, they're probably talking about end-user computers emitting too many similar packets quickly.

    No, they're talking about a computer emitting too many CONNECTION REQUESTS to too many different computers. If you read the article you'd probably have a better idea of what was going on. ;)

    Two types of applications that could in theory trigger a quarantine would be a mass-mailout, where you are directly delivering mail to thousands of recipient mail exchangers (instead of relaying through your ISP), or running a web-crawling robot of some sort that was traversing thousands of websites.

    Typical use, from playing games, to browsing, to sending email, to streaming video... even p2p software wouldn't register as a potential threat, never mind trigger quarantine. Nor would running a busy web server, as in that case all the connection requests are inbound, not outbound.
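The threshold-and-release behaviour described in the submission, together with vux984's point that what gets counted is new connection requests to many different destinations (not raw packet rate), as an added example that is not code from the Penn State project or from anyone in this thread. It assumes a monitor at the host's network edge that sees each outbound connection attempt as (time, source, destination); the one-second window, the threshold of 20 distinct destinations, and the traffic it runs over are all constructed assumptions. It also shows sehlat's evasion: a scanner that stays under the threshold is never caught, while a direct-delivery mailer trips the detector and has to be released as a false alarm.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# One outbound connection attempt (TCP SYN or first packet of a UDP flow) as a
# monitor at the host's network edge would record it: (seconds, src IP, dst IP).
# Packets on already-established connections are never looked at, which is why
# streaming or a busy inbound web server cannot trip the detector.
Attempt = Tuple[float, str, str]


@dataclass
class HostState:
    recent: Deque[Tuple[float, str]] = field(default_factory=deque)  # (t, dst)
    quarantined_at: Optional[float] = None
    escaped: int = 0  # attempts that went out before the host was blocked


class ConnectionRateMonitor:
    """Block a source once it has requested connections to more than
    `max_distinct` different destinations within any `window` seconds.
    Threshold and window are assumed values, not the paper's."""

    def __init__(self, window: float = 1.0, max_distinct: int = 20) -> None:
        self.window = window
        self.max_distinct = max_distinct
        self.hosts: Dict[str, HostState] = {}

    def observe(self, t: float, src: str, dst: str) -> str:
        """Return 'pass' if the attempt is forwarded, 'quarantine' on the
        attempt that triggers the block, 'drop' while the block is in force."""
        st = self.hosts.setdefault(src, HostState())
        if st.quarantined_at is not None:
            return "drop"
        # Slide the window: forget attempts older than `window` seconds.
        while st.recent and t - st.recent[0][0] > self.window:
            st.recent.popleft()
        st.recent.append((t, dst))
        # Distinct destinations, not raw packet count, is the homogeneity test:
        # 60 requests to the same five servers is browsing, 21 to 21 hosts is not.
        if len({d for _, d in st.recent}) > self.max_distinct:
            st.quarantined_at = t
            return "quarantine"
        st.escaped += 1
        return "pass"

    def release(self, src: str) -> None:
        """Clear a false alarm: the host is clean, let it send again."""
        st = self.hosts[src]
        st.quarantined_at = None
        st.recent.clear()


def constructed_log() -> List[Attempt]:
    """Constructed traffic, not captured data: four hosts over a few seconds."""
    log: List[Attempt] = []
    # Slammer-like worm: 4000 attempts per second, every one to a new address.
    for i in range(4000):
        log.append((i / 4000.0, "192.0.2.10",
                    f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"))
    # Ordinary browsing: 60 attempts in a second, but only five distinct servers.
    for i in range(60):
        log.append((i / 60.0, "192.0.2.20", f"198.51.100.{i % 5 + 1}"))
    # Slow scanner: one new destination every 100 ms, ~11 per one-second window.
    for i in range(50):
        log.append((i * 0.1, "192.0.2.30", f"10.9.{i // 256}.{i % 256}"))
    # Direct-delivery mailer: 100 different MX hosts within one second.
    for i in range(100):
        log.append((i / 100.0, "192.0.2.40", f"203.0.113.{i}"))
    log.sort(key=lambda a: a[0])
    return log


def simulate(window: float = 1.0, max_distinct: int = 20) -> Dict[str, Dict[str, object]]:
    """Run the monitor over the constructed log and report the per-host outcome."""
    mon = ConnectionRateMonitor(window, max_distinct)
    dropped: Dict[str, int] = defaultdict(int)
    for t, src, dst in constructed_log():
        if mon.observe(t, src, dst) == "drop":
            dropped[src] += 1
    report: Dict[str, Dict[str, object]] = {}
    for src, st in mon.hosts.items():
        report[src] = {"quarantined": st.quarantined_at is not None,
                       "escaped": st.escaped, "dropped": dropped[src]}
    # False-alarm path: an operator clears the mailer and it can send again.
    mon.release("192.0.2.40")
    report["192.0.2.40"]["after_release"] = mon.observe(5.0, "192.0.2.40", "203.0.113.200")
    return report


if __name__ == "__main__":
    for host, outcome in simulate().items():
        print(host, outcome)
```

With these assumed settings the worm gets 20 attempts out before its 21st is blocked, which is the "few dozen packets" order of magnitude the article quotes; the browsing host never registers because its 60 requests go to only five servers; the slow scanner walks 50 hosts untouched because it never exceeds 20 distinct destinations in any one-second window; and the mailer is quarantined after 20 deliveries and only resumes once release() is called. The release step is the part the thread is sceptical about: nothing in the counting logic decides whether a host is actually infected, so whatever performs that check sets the real length of a false-alarm outage.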
