Auto-Detecting Malware? It's Possible

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"
  • by Futurepower(R) ( 558542 ) on Wednesday September 30, 2009 @03:38PM (#29597823) Homepage
    The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD [openbsd.org] volunteers have been doing that for many years.

    In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

    When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For an example, see the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com]. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

    Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.
  • Re:Privacy (Score:3, Interesting)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Wednesday September 30, 2009 @03:47PM (#29597923) Journal

    I'm actually more surprised all the time how the antivirus vendors go more the way that scareware does. A good example is Symantec and their Norton product (I feel sorry for the guy..)

    I haven't had an antivirus product on my machine for years because I know how to use the internet. But there was a case when I thought I'd made a mistake - so I got myself an antivirus scanner just to make sure.

    Unluckily for me, it happened to be Symantec's. To this day I've still tried to get it off my system, with no luck. Every week it pops up during the night, scans all of my hard drives and tells me I have to buy their product to protect myself - just like every scareware product. And it only detected some *tracking cookies*.

    With all their publicity stunts, bloatware and other shit it's getting on everyone's nerves. Everyone here on slashdot knows what they think of symantec. This is more or less the same issue.

    At least there's still good vendors like ESET with Nod32 and Kaspersky around. I won't touch Symantec even with a stick again.

  • by schwit1 ( 797399 ) on Wednesday September 30, 2009 @04:10PM (#29598167)
    I would love a built-in security component that whitelists what is permitted to run.

    And include whether the component can run as limited or root permissions.

  • Re:Privacy (Score:2, Interesting)

    by elFisico ( 877213 ) on Wednesday September 30, 2009 @04:23PM (#29598353)

    If antivirus protectors could collect data from machines and users

    This idea stopped being a good one here.

    Not necessarily. Privacy could be protected by pseudonymizing the data. The information is in the connections between the nodes, not in the names of the nodes.

    Why pseudonym and not anonym? Because you should tell the infected that they are infected. And yes, who should be trusted to manage the nyms? That's another point for long discussions...
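The summary's "look at how it moves between machines" detection and the pseudonymization idea in this comment, as an added example that is not part of the thread or of Jakobsson's article: host names are replaced with keyed HMAC pseudonyms before they leave the client, a file hash is flagged purely by how many hosts it reached how fast, and only the key holder can map a flagged pseudonym back to a host to notify its owner. The telemetry, the key and the thresholds are all constructed for the demo.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed telemetry: (seconds, host name, file hash) as a client would report it.
TELEMETRY = [
    (0, "host-a", "hash-benign"), (60, "host-a", "hash-worm"),
    (90, "host-b", "hash-worm"), (120, "host-c", "hash-worm"),
    (150, "host-d", "hash-worm"), (180, "host-e", "hash-worm"),
    (3600, "host-b", "hash-benign"), (86400, "host-f", "hash-benign"),
]
PSEUDONYM_KEY = b"constructed-demo-key"  # held only by whoever is allowed to notify hosts

def pseudonymize(host, key=PSEUDONYM_KEY):
    """Keyed hash: stable per host, so links between nodes survive while the name does not."""
    return hmac.new(key, host.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize_records(records, key=PSEUDONYM_KEY):
    """What leaves the client: same timestamps and file hashes, host names replaced."""
    return [(ts, pseudonymize(host, key), fhash) for ts, host, fhash in records]

def spread_profile(records):
    """Per file hash: number of distinct (pseudonymous) hosts and the span between
    its first appearance on the earliest host and on the latest one."""
    first_seen = defaultdict(dict)  # fhash -> {host pseudonym: first timestamp}
    for ts, host, fhash in records:
        seen = first_seen[fhash]
        seen[host] = min(ts, seen.get(host, ts))
    return {f: (len(s), max(s.values()) - min(s.values())) for f, s in first_seen.items()}

def flag_fast_spreaders(records, min_hosts=5, max_window=600):
    """Flag hashes that reached at least min_hosts within max_window seconds,
    judged only by how they moved between machines, never by what their code does."""
    return sorted(f for f, (n, span) in spread_profile(records).items()
                  if n >= min_hosts and span <= max_window)

def infected_pseudonyms(records, fhash):
    """Pseudonyms of every host on which the flagged hash was seen."""
    return sorted({host for _, host, f in records if f == fhash})

def resolve(pseudonym, known_hosts, key=PSEUDONYM_KEY):
    """Key holder maps a pseudonym back to a host so its owner can be told;
    without the key the lookup returns nothing."""
    return next((h for h in known_hosts if pseudonymize(h, key) == pseudonym), None)

if __name__ == "__main__":
    reports = pseudonymize_records(TELEMETRY)
    for f in flag_fast_spreaders(reports):
        owners = [resolve(p, [h for _, h, _ in TELEMETRY]) for p in infected_pseudonyms(reports, f)]
        print(f, "spread fast to", owners)
```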

  • by Ungrounded Lightning ( 62228 ) on Wednesday September 30, 2009 @04:26PM (#29598401) Journal

    If you think Linux is inherently more secure than Windows, you're absolutely nuts.

    Linux is more secure against malware than Windows in the same way that a solid storm window with a few pinhole air leaks at the edge of the frame is more secure against poison gas than a window screen.

    This is a "feature" of the way Windows and its application suite are designed.

    Now that elaborate malware constructs have been designed and debugged for decades on the Windows Swiss Cheese platforms, and a multibillion dollar malware industry built upon them, if Windows should ever be displaced as the dominant platform by Linux you can expect the payloads to be ported. Then ANY successful Linux exploit the authors can find will give them a new "infection head" and an opportunity to pull the same stunts on Linux, despite the far smaller number of vulnerabilities.

    So Windows' security issues (and the failure of the company and users to adequately address them) have made things bad, not just for Windows users, but for everybody. The plague has been bred to enormous strength and virulence in other species and now poses a general threat - much like H1N1 in birds and pigs now poses a threat to humans. Thanks, Microsoft.

    Meanwhile, with Windows still the big target, avoiding it in favor of the harder-to-crack, quicker-to-fix, less-profit-for-bad-guys-meanwhile Linux platform remains a benefit for those who use it.

    And if it ever DOES become a big enough target to go after, we can hope that the lower number of vulnerabilities, more rapid fix cycle, the model of "fix the holes" in preference to "identify and intercept the latest mutant strains", and the far more varied population of installations, might keep the problems far smaller than they are with Windows.

  • by Ivan Stepaniuk ( 1569563 ) on Wednesday September 30, 2009 @04:29PM (#29598437)
    So we let the malware freely send itself to hundreds of other computers, steal our sensitive information, and then decide that something is wrong and remove it? Besides that, a lot of malware gets installed by inexperienced users that wanted ringtones/wallpapers/porn/games/porn/porn. Move along, there is nothing to detect.
  • by Gary W. Longsine ( 124661 ) on Wednesday September 30, 2009 @04:31PM (#29598471) Homepage Journal
    Hell, Steve Ballmer keeps repeating over and over how much more expensive the Mac is. If that's true, then people with Macs have more money. Where's the shitstorm of malware trying to steal identities from all those Mac users with hefty bank accounts?
  • by sjbe ( 173966 ) on Wednesday September 30, 2009 @04:40PM (#29598575)

    Cookies are also hard to even browse without, most sites don't load if the cookie is rejected.

    Don't know where you are browsing but I've been blocking the majority of cookies for years with little problem. Yes some sites need them, usually the ones you are trying to log into or buy something from. That only describes a small minority of sites - most don't actually need to set a cookie and if you block them you'll never notice the difference. If it is a site you trust and do business with regularly, cookies are fine. Otherwise either block them forever or only allow them for that session. Your web experience will be no worse for the lack of cookies.

  • by Penguinisto ( 415985 ) on Wednesday September 30, 2009 @04:41PM (#29598589) Journal

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

    Depends on how stable the codebase is, how much backwards-compatibility is needed, how much of a kludge the component code bits in question were in the first place, how modular the overall design is/was, etc.

    Sure - Microsoft can do it, but judging from complaints by former Microsofties, and the leaked code from way back in Windows 2000 as a design guide of sorts? Well, on the same note I can, with the same probabilities, dig out Mount Everest and relocate it by using nothing more than a pick axe with a busted handle.


    Those operating systems have fewer vulnerabilities because they were designed to be secure.

    More importantly, they were designed to be modular in nature. This means that you can rip out and re-write parts of, say, the kernel, without worrying as much about borking the whole thing by doing so*, or inducing even worse problems elsewhere in it.

    *assuming you don't do anything outright stupid, of course...

  • by Ronald Dumsfeld ( 723277 ) on Wednesday September 30, 2009 @04:52PM (#29598719)

    IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also. Those operating systems have fewer vulnerabilities because they were designed to be secure.

    Microsoft have made secure software in the past. I recall them touting one of the earlier stable NT releases passing some DoD standard or other for security.

    What the morons from marketing did not tell you, was that the DoD had some qualifications attached to an NT system meeting their standard - the key one being: Not connected to the Internet.

    I still wonder if the No Such Agency [nsa.gov] still has thousands of VMS systems. I've not used VMS (or, as it became, OpenVMS) in the last five years. I know many Unix fans really hated it, but the entire development of the OS was done using good, tested Software Engineering principles. It was fun when everyone was screaming about the world ending because of the Y2K problem. Alas, I can't find the great response from one of the engineers - basically saying that Y2K was not an issue due to the internal date format, and Y10K would only be a problem for displaying the dates.

  • Re:Privacy (Score:3, Interesting)

    by Orbijx ( 1208864 ) * <slashdot.orgNO@SPAMpixelechoes.net> on Wednesday September 30, 2009 @08:06PM (#29600423) Homepage Journal

    Why hell yes, they do.
    In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe [mcafee.com]).

    One run of this util later, their connections suddenly worked again, and they stopped screaming that their "internets are down".

    It was fun times.
