Auto-Detecting Malware? It's Possible
itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"
Privacy (Score:5, Insightful)
If antivirus protectors could collect data from machines and users
This idea stopped being a good one here.
trojans (Score:5, Insightful)
Malware generally moves the same way any other software moves. The user downloads and installs it.
an amazingly bad idea (Score:5, Insightful)
"If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
Malware writers and credit card phishers would have an immensely easier time.
It is quite mind-boggling how bad this idea is. Cookies are not bad enough for you, eh?
Re:Privacy (Score:5, Insightful)
I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breach. Just leave it off by default and, should you choose, don't click the box.
Impractical (Score:4, Insightful)
This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).
Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.
That's too much (Score:4, Insightful)
It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computer's information, sensitive or not, to be handed over to McAfee or Symantec or whoever. Not me.
Re:Or just switch to linux! (Score:1, Insightful)
'Cause that would really solve everything. If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?
(Or is linux just not popular enough among the computer-illiterate to be a good target for attacks?)
How about a ROLL Back to Install Tool? (Score:3, Insightful)
How about building a tool in windows that ensures all windows system files are Genuine and then shows what extra crap and drivers startup and lets you choose to either disable or enable them. How about a Registry locker that you lock down your registry while running said tool so you can see if the Malware is trying to re-install itself back onto your computer?
Re:Or just switch to linux! (Score:2, Insightful)
You actually think that nobody would start making malware/adware for Linux? Not all adware/malware is installed without knowledge of the user... downloading a smiley pack that has malware in it seems to still be fairly common. I see no reason why someone wouldn't do the same for Linux. It would just have ".rpm" instead of ".exe"
Sure, it probably wouldn't be in one of the good repositories, but since when has availability-from-reputable-sources stopped people from downloading/installing software?
Re:Privacy (Score:1, Insightful)
As is, antivirus simply eats up all your CPU and memory
It doesn't though, does it? Stop talking shit.
Re:Privacy (Score:1, Insightful)
Indeed. Why worry about malware collecting your private information when you can have the guys supposedly protecting you collect it for them? Businesses (and government) have a TERRIBLE reputation for safeguarding info. I would expect a year after such things became commonplace that we'll start reading about stories of how anti-virus company X lost critical information from a few million people due to an employee leaving a laptop conveniently unguarded, unlocked, with no encryption on the files in a deserted parking lot at 2am one rainy night inside a waterproof garbage bag.
While I have your attention, I sell tinfoil hats!
Re:Or just switch to linux! (Score:1, Insightful)
Problem solved!!
Solved? Are you telling me that users can't install software in Linux?
Re:Privacy (Score:2, Insightful)
First, the service better be free. No way in hell I'm going to pay an AV vendor to do their job for them. Second, what if malware lifts credit cards and passwords from my computer? Will enough info be relayed to the good guys before my identity is stolen? Third, malware authors will become savvy, cat-and-mouse game, etc.
Re:Or just switch to linux! (Score:1, Insightful)
'Cause that would really solve everything. If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?
Of course not. But Linux is written by users who don't want to be exploited (be they individuals or corporate users). The developers of Linux have a direct motivation to adapt Linux to deal with any new security threats. If trojans become a problem for Linux users, SELinux type solutions or default VM sandboxes or something else will become the norm and applications will be adapted to work well with it.
The core security problem with Windows isn't that it has large market share or inferior technologies. It is that it has so much market share and lock-in that the developers of Windows don't lose significant money even when malware is a large problem for many users. As a result the developer (MS) is not directly motivated to solve the problem. They benefit more financially by expanding into a new market leveraging their existing monopolies or even by introducing features that work to the detriment of their users (like DRM).
The interesting thing about Linux is that the license is designed to avoid any one player from being able to control it, so even if Linux had the same market share next year as Windows does today, developers would still be motivated to solve any new security problems.
Already being tested by Symantec (Score:3, Insightful)
What Dr. Jakobsson has described is a reputation system.
At Virus Bulletin 2009 [virusbtn.com], Symantec gave a presentation on reputation systems: "Using the wisdom of crowds to address the malware long tail" [virusbtn.com].
One advantage of this approach is that it allows malicious files encoded using server-side polymorphism to be quickly identified, as well as the sites hosting them. This negates the technique used by the bad guys of constantly modifying code in order to escape detection by anti-virus software.
Regards,
Aryeh Goretsky
Re:Privacy (Score:1, Insightful)
Dear gods some people love typos. Enjoy:
Your welcome.
So Wrong (Score:3, Insightful)
"The insight is: Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat."
But of course, malware that doesn't actually DO anything isn't a threat. As an administrator, I am worried about the misuse of resources.
Staging a DDOS attack from malware is a problem for me, because it uses my bandwidth inappropriately. Stealing credit card numbers because it is an inappropriate information leak. And so on.
I actually DON'T CARE if someone clicks on the funny cursors package, in exchange for complete information on their browsing habits -- as long as inappropriate information is not leaked. If the user loses the contents of their savings account to a hacker with a trojan? My initial reaction is to laugh, and then feel pity. As long as it's not a theft of resources I am controlling.
Which boils down to: malware is defined by what it does. If propagation is an issue (usually network issues), it becomes my concern. Otherwise? I don't care. So, I use behaviour based approaches to malware control. If a new (to this system) piece of software doesn't have access to resources, it can't misuse them.
Simple trojans, viruses and worms? Amusing, but not particularly on my radar. Specific attacks on security frameworks designed to contain software? Definitely, along with root kits.
About the only reason I bother with "malware detection" is to keep Windows users happy(ier). They seem to think that this stuff is somehow important.
And like all active-response systems ... (Score:5, Insightful)
... it depends on detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.
Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".
Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?
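The mechanism in the story summary (judge a file by how it moves between machines), the reputation system Aryeh Goretsky describes above (per-file prevalence, plus grouping by hosting site to defeat server-side polymorphism), and the "horses are out of the barn" objection in the comment just above can all be shown in one small engine. This is an added example written for this thread; it is not code from Jakobsson's article, from Symantec, or from any vendor. The telemetry records, hostnames, hash values and thresholds (`NEW_FILE_WINDOW`, `SPREAD_THRESHOLD`, `POLY_MIN_HOSTS`, `POLY_UNIQUE_RATIO`) are all constructed assumptions, and the host identifiers are assumed to be opaque, pre-anonymised tokens.

```python
"""Toy prevalence- and propagation-based file reputation engine.

Added example for this thread, not code from Jakobsson's article or from
Symantec's reputation system. It judges an executable by how it moves
between machines (how many hosts, how fast, from where) instead of by
what the code does. All telemetry, hostnames and thresholds below are
constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    ts: int       # minutes since the start of the observation window
    host: str     # opaque per-machine identifier (assumed anonymised)
    sha256: str   # hash of an executable the host has not seen before
    source: str   # hostname the executable was downloaded from


# Thresholds are assumptions for the example, not vendor values.
NEW_FILE_WINDOW = 120    # minutes; a file first seen within this is "new"
SPREAD_THRESHOLD = 5     # distinct hosts a new file must reach to be flagged
POLY_MIN_HOSTS = 5       # hosts a source must serve before it is judged
POLY_UNIQUE_RATIO = 0.9  # fraction of those hosts that received a unique hash


def hash_verdict(reports, sha256, now):
    """Reputation of one file, using only prevalence and age.

    Returns (verdict, prevalence, age_minutes). A file that is old and
    widespread is 'established'; one that is new and already on many
    hosts is 'suspicious'; anything else is 'unknown' (no opinion).
    """
    seen = [r for r in reports if r.sha256 == sha256 and r.ts <= now]
    if not seen:
        return "unknown", 0, None
    prevalence = len({r.host for r in seen})
    age = now - min(r.ts for r in seen)
    if age <= NEW_FILE_WINDOW and prevalence >= SPREAD_THRESHOLD:
        return "suspicious", prevalence, age
    if age > NEW_FILE_WINDOW and prevalence >= SPREAD_THRESHOLD:
        return "established", prevalence, age
    return "unknown", prevalence, age


def polymorphic_sources(reports, now):
    """Sources that hand nearly every host a different binary.

    Under server-side polymorphism each per-hash prevalence stays at 1,
    so hash_verdict never fires; grouping by download source makes the
    pattern visible and lets the site itself be blocked.
    Returns {source: (distinct_hosts, distinct_hashes)} for flagged sources.
    """
    by_source = defaultdict(list)
    for r in reports:
        if r.ts <= now:
            by_source[r.source].append(r)
    flagged = {}
    for source, rs in by_source.items():
        hosts = {r.host for r in rs}
        hashes = {r.sha256 for r in rs}
        if len(hosts) >= POLY_MIN_HOSTS and len(hashes) / len(hosts) >= POLY_UNIQUE_RATIO:
            flagged[source] = (len(hosts), len(hashes))
    return flagged


def hosts_hit_before_alert(reports, sha256):
    """How many machines run the file before the crowd signal fires.

    Replays the reports in time order and stops at the first moment the
    per-hash verdict becomes 'suspicious'. The count returned is the
    number of compromised hosts the scheme accepts before anyone is
    warned. Returns None if the alert never fires.
    """
    hosts = set()
    for r in sorted(reports, key=lambda r: r.ts):
        if r.sha256 != sha256:
            continue
        hosts.add(r.host)
        verdict, _, _ = hash_verdict(reports, sha256, r.ts)
        if verdict == "suspicious":
            return len(hosts)
    return None


# Constructed telemetry: a slowly rolled-out updater, a fast-spreading
# file, and a "smiley pack" site serving a unique binary to every visitor.
LEGIT = "1111" * 16
WORM = "2222" * 16
TELEMETRY = (
    [Report(ts=i * 60, host=f"h{i}", sha256=LEGIT, source="update.example.com") for i in range(8)]
    + [Report(ts=540 + i * 10, host=f"w{i}", sha256=WORM, source="cdn.example.net") for i in range(6)]
    + [Report(ts=550 + i * 8, host=f"s{i}", sha256=f"{i:04x}" * 16, source="smiley-pack.example.com") for i in range(6)]
)

if __name__ == "__main__":
    now = 600
    print(hash_verdict(TELEMETRY, LEGIT, now))       # ('established', 8, 600)
    print(hash_verdict(TELEMETRY, WORM, now))        # ('suspicious', 6, 60)
    print(polymorphic_sources(TELEMETRY, now))       # {'smiley-pack.example.com': (6, 6)}
    print(hosts_hit_before_alert(TELEMETRY, WORM))   # 5
```

Two things the numbers make concrete. The per-hash check says nothing about any single smiley-pack download, because each victim got a different binary; only the per-source view flags the site, which is the point Goretsky makes about server-side polymorphism. And `hosts_hit_before_alert` returns 5 for the fast-spreading file: with these thresholds five machines are already running it before the first warning goes out, which is exactly the latency the comment above objects to. Lowering `SPREAD_THRESHOLD` shortens that window but raises the false-positive risk on any legitimate file that happens to roll out quickly, the trade-off raised in the "Impractical" comment.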
Re:Privacy (Score:3, Insightful)
Some thoughts:
A) This isn't a new idea and I'm pretty sure that some AV packages already automatically submit questionable files for analysis, all it takes on top of that is for a vendor to track trends. I've had anti-virus software ask me to opt-in to such schemes before.
B) Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.
C) Once a virus is running on a host surely it can circumvent reporting agents, or even intercept them and report clean results, delaying or preventing this type of detection?
Re:How about a ROLL Back to Install Tool? (Score:3, Insightful)
The first part IIRC already exists somewhat (especially in Vista, which is why UAC was so damned annoying and usually gets shut off at first opportunity). If you were thinking of some other mechanism, I apologize (unless that mechanism involves some sort of local or remote database of 'approved' software to check against, which is a very bad idea).
The second part would be cool, but the Windows Registry, being a constantly evolving thing (and of piss-poor design) has data written to it by the OS constantly during runtime. All the malware has to do (and usually does once infection hits) is to mimic the perms of the system itself and happily write to whatever parts of the registry it wants, discreet user-locks be damned. The only thing a user-lock would accomplish is to prevent you, the user, from removing the malware-written registry bits.
I wonder... (Score:2, Insightful)
Ok now I am almost positive I'm going to incite some flames with this comment, but I'm actually curious about the opinion here.
If this same idea were to be proposed by an open-source anti-malware solution, would you still be so hesitant about it?
How about if the proprietary companies were able to provide concrete evidence of the anonymity of your collected information?
Again, I'm NOT trying to incite a flame war with this, but it just seems so often that people rally a (mostly deserved) hatred and distrust of any and all companies that are proprietary, while having a (possibly detrimental) implicit trust of open-source solutions.
Besides, this could actually be a good idea. After all, we can't cure the common cold, but we can somewhat effectively stop it in its tracks because we know how it's transmitted from person to person and can thus take appropriate measures against it. What's more is that the same goes for most all acquired illnesses. I'm not saying mandate the submission of such data, but having it as an option for users could provide anti-malware researchers with a powerful tool in studying them akin to biologic researchers and strain discs.
Pointing the finger the wrong way (Score:3, Insightful)
Since the same people typically have ADSL modems which are NOT infected with any sort of malware I think the argument is complete rubbish and we're suffering from a platform where "developers are dumb".
Microsoft are waking up to it very slowly, but there are a vast number of third party applications developed by those still asleep at the wheel of the speeding malware trainwreck in progress. Just about any effort Microsoft make at improving security is rendered pointless by those that insist their stuff has to run as Admin or the functionally equivalent "power user". It takes great whopping security holes that should never exist before anything as trivial as clicking on a link could do anything horrible to the computer.
Being smug apologists for broken systems doesn't get us anywhere. With a few good choices you can have a Microsoft based system as immune to being broken by users clicking on things just as if they were on a Mac, Sun, linux, BSD