A New Approach to Mutating Malware 80
mandelbr0t writes "CBC is reporting that researchers at the Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time-delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."
What happens when... (Score:2, Interesting)
It might send out a storm of packets to each of the possibly hundreds of other servers.
Will it be blocked, if so who do you see to get it unblocked, what happens if my ISP are running this software?
Deterministic flaws and P2P networks. (Score:3, Interesting)
That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (Say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.
Re:a high rate of homogeneous connection requests (Score:4, Interesting)
I suspect that every mailing list server would be a false positive, too.
Maybe I missed something: Whats new here? (Score:2, Interesting)