Auto-Detecting Malware? It's Possible

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

  • Re:trojans (Score:3, Informative)

    by Anonymous Coward on Wednesday September 30, 2009 @03:22PM (#29597653)

    They thought of that:

    Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake - the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of the day (as does most legitimate software).
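    The time-of-day signal quoted above, as an added example that is not part of the article or of this comment: given infection reports carrying a UTC timestamp and each victim's UTC offset (all constructed), it builds a per-strain histogram of the victim's local hour and labels a strain worm-like when infections are spread across the whole day and user-driven when they cluster in waking hours. The waking-hour window and the 90% threshold are assumptions, not values from the article.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed parameters, not from the article: local waking hours, and the share of
# infections inside that window above which spread is treated as user-driven.
WAKING_HOURS = range(8, 23)
CLUSTER_THRESHOLD = 0.9

def local_hour(utc_ts: str, utc_offset_hours: int) -> int:
    """Convert an ISO-8601 UTC timestamp to the victim's local hour (0-23)."""
    t = datetime.fromisoformat(utc_ts).replace(tzinfo=timezone.utc)
    return (t + timedelta(hours=utc_offset_hours)).hour

def hour_histogram(reports, strain):
    """Count infections of one strain per local hour of the victim."""
    hist = Counter()
    for r in reports:
        if r["strain"] == strain:
            hist[local_hour(r["ts"], r["offset"])] += 1
    return hist

def waking_share(hist):
    """Fraction of infections that landed inside WAKING_HOURS (0.0 if no data)."""
    total = sum(hist.values())
    return sum(hist[h] for h in WAKING_HOURS) / total if total else 0.0

def classify(reports, strain):
    """'user-driven' when infections cluster in waking hours, else 'worm-like'."""
    share = waking_share(hour_histogram(reports, strain))
    return "user-driven" if share >= CLUSTER_THRESHOLD else "worm-like"

# Constructed telemetry (not real data): "worm-A" hits a machine every UTC hour,
# "trojan-B" is only installed during a UTC-5 victim's working day.
SAMPLE_REPORTS = (
    [{"ts": f"2009-09-30T{h:02d}:15:00", "offset": 0, "strain": "worm-A"} for h in range(24)]
    + [{"ts": f"2009-09-30T{h:02d}:30:00", "offset": -5, "strain": "trojan-B"} for h in range(14, 23)]
)

if __name__ == "__main__":
    for strain in ("worm-A", "trojan-B"):
        print(strain, classify(SAMPLE_REPORTS, strain))
```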

  • Re:Privacy (Score:5, Informative)

    by Z34107 ( 925136 ) on Wednesday September 30, 2009 @03:50PM (#29597959)

    Well, yes and no; it depends on what kind of data.

    Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet [microsoft.com].

    It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to kill that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

    So, maybe a bad idea, but not a new one - it's already being done.

  • Re:Privacy (Score:3, Informative)

    by Orbijx ( 1208864 ) * on Wednesday September 30, 2009 @03:51PM (#29597973) Homepage Journal

    Usually, the Norton Removal Tool [symantec.com] does the job in blowing Norton's software off the system.

    I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

  • by thewils ( 463314 ) on Wednesday September 30, 2009 @04:11PM (#29598179) Journal

    I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

  • by Futurepower(R) ( 558542 ) on Wednesday September 30, 2009 @04:16PM (#29598265) Homepage

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Those operating systems have fewer vulnerabilities because they were designed to be secure.

  • by Futurepower(R) ( 558542 ) on Wednesday September 30, 2009 @05:11PM (#29598943) Homepage

    The vulnerabilities are apparently the result of Microsoft release policies:

    It was widely reported that Windows 2000 was released with 63,000 known defects [cnn.com].

    It was widely reported that Windows XP was released with more than 100,000 known defects [lowendmac.com]. (I don't have time to find a better link.) Microsoft reported that Windows XP Service Pack 2 fixed several hundred bugs, several of them very serious.

    Windows Vista was released against the wishes of some Microsoft managers, who said it was not ready for release. There was a court case [channelregister.co.uk] that revealed emails saying that. (Again, I don't have time to find a better link.)
  • by the_one(2) ( 1117139 ) on Wednesday September 30, 2009 @05:42PM (#29599231)

    As does Windows.

  • by C0vardeAn0nim0 ( 232451 ) on Wednesday September 30, 2009 @06:42PM (#29599833) Journal

    try this on a solaris box:

    # find / -type f -perm -ugo+x -exec digest -va md5 {} \; > /executables_digest

    then every week, do:

    # find / -type f -perm -ugo+x -exec digest -va md5 {} \; > /tmp/weekly_digest
    # diff /executables_digest /tmp/weekly_digest

    pretty much how software like tripwire works.

    what those crooks on TFA want is to collect a bunch of information about everybody's computers, then sell it to the highest bidder.

    fuck them. not on my solaris boxes. not on my linux boxes.
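    A companion to the find/digest baseline in the comment above, added here and not the poster's code: it compares two digest manifests and reports added, removed and modified executables separately, which a raw diff of the two files does not. The "md5 (path) = hash" line format is assumed to match what digest -v -a md5 prints; the manifests and hashes below are constructed.

```python
import re

# Assumed manifest line format, e.g. "md5 (/usr/bin/ls) = <hex digest>".
LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-f]+)$")

def parse_manifest(text: str) -> dict:
    """Map path -> digest; lines that do not match the expected format are ignored."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(3)
    return entries

def compare_manifests(baseline: str, current: str) -> dict:
    """Classify every difference between the baseline and the weekly run."""
    base = parse_manifest(baseline)
    cur = parse_manifest(current)
    return {
        "added": sorted(set(cur) - set(base)),          # executable not in the baseline
        "removed": sorted(set(base) - set(cur)),        # executable that disappeared
        "modified": sorted(p for p in base if p in cur and base[p] != cur[p]),
    }

# Constructed sample manifests (digests are made up, not real file hashes).
BASELINE = """\
md5 (/usr/bin/ls) = 0123456789abcdef0123456789abcdef
md5 (/usr/bin/ps) = 11111111111111111111111111111111
md5 (/usr/sbin/in.telnetd) = 22222222222222222222222222222222
"""
WEEKLY = """\
md5 (/usr/bin/ls) = 0123456789abcdef0123456789abcdef
md5 (/usr/bin/ps) = ffffffffffffffffffffffffffffffff
md5 (/usr/local/bin/newtool) = 33333333333333333333333333333333
"""

if __name__ == "__main__":
    for kind, paths in compare_manifests(BASELINE, WEEKLY).items():
        for p in paths:
            print(f"{kind:9s} {p}")
```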

  • by Futurepower(R) ( 558542 ) on Thursday October 01, 2009 @01:06AM (#29602079) Homepage

    Windows Vista was released before it was ready. Even Microsoft middle managers complained about that. Customers rejected Vista; here is one of the hundreds of articles about that: Corporate America's rejection of Vista: Many companies delay or denounce Microsoft's flagship product [msn.com].

    One magazine collected 210,000 signatures against adoption of Windows Vista and for keeping Windows XP: The campaign to save Windows XP [infoworld.com].

    The fact is that we are not seeing the kind of weaknesses in Linux, OS X, or BSD that are commonly found in Windows. Windows XP was an expensive hassle for us until SP2.

    Here is an interesting fact: The latest version of Firefox, and all the versions before it, have a bug which causes Firefox to crash when there are too many windows and tabs. That bug corrupts Windows; sometimes Windows crashes, also. It is always necessary to re-start the computer.

    Linux remains stable when Firefox crashes, however.
