Forgot your password?
typodupeerror
Security Worms IT

Auto-Detecting Malware? It's Possible 178

Posted by timothy
from the would-love-to-see-the-install-prompt-for-this dept.
itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"
This discussion has been archived. No new comments can be posted.

Auto-Detecting Malware? It's Possible

Comments Filter:
  • Privacy (Score:5, Insightful)

    by sopssa (1498795) * <sopssa@email.com> on Wednesday September 30, 2009 @03:19PM (#29597621) Journal

    If antivirus protectors could collect data from machines and users

    This idea stopped being a good one here.

    • Re:Privacy (Score:5, Insightful)

      by gnick (1211984) on Wednesday September 30, 2009 @03:26PM (#29597693) Homepage

      I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breech. Just leave it off by default and, should you choose, don't click the box.

      • Re: (Score:3, Insightful)

        by DigitAl56K (805623) *

        Some thoughts:

        A) This isn't a new idea and I'm pretty sure that some AV packages already automatically submit questionable files for analysis, all it takes on top of that is for a vendor to track trends. I've had anti-virus software ask me to opt-in to such schemes before.
        B) Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.
        C) Once a virus is running on a host surely i

        • Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.

          Hmmm... This is somewhat similar to an issue mentioned in the article: polymorphic viruses. It raises an interesting question. Do existing AV products try to detect such behavior in newly executed code? I am really not sure how tricky the algorithms would be to detect code that is trying to encrypt itself or modify

          • However, most regular software (funnily enough excepting security software trying to avoid detection by malware!) does not need to do this, so such code should probably be blocked and reported by default.

            Lots of software does, though. Usually it's due to executable packers/code-obfuscators/anti-reversing runtime protection.

          • by gillbates (106458)

            About a decade ago, my college installed an "advanced" AV program which blocked the behavior you described. They had to uninstall it almost immediately.

            Problem was, the college taught computer science classes, and one of the very first things a compiler does is write a zero-length executable file. Then, it proceeds to modify the code in said executable file. And then the AV suite blocks the compiler, thinking it's a virus.

            AV heuristics is an idea at least a decade old. It never really caught on - e

      • Re:Privacy (Score:5, Insightful)

        by Mr. Freeman (933986) on Wednesday September 30, 2009 @05:06PM (#29598891)
        THe people likely to be volunteering their data are probably people informed about what's going on. Which are the people not likely to be infected, because they don't click on every "FREE PORN" ad they see.
        • by TimTucker (982832)
          If operating under that assumption, you could learn just as much from those systems since you could extrapolate that the things found on those people's machines were things that probably weren't malware. So you'd essentially have 2 classes of users: - Those who opt in (easier to gather data on what's likely to not be malware) - Those who don't opt in (software not used by the opt-in users may be more likely to be malware)
        • Oh yes, the smug "users are dumb" argument.
          Since the same people typically have ADSL modems which are NOT infected with any sort of malware I think the argument is complete rubbish and we're suffering from a platform where "developers are dumb".
          Microsoft are waking up to it very slowly, but there are a vast number of third party applications developed by those still asleep at the wheel of the speeding malware trainwreck in progress. Just about any effort Microsoft make at improving security is rendered poi
    • Step 1: All your data are belong to us.
      Step 2: Profile users.
      Step 3: ???? (as in "won't tell", not "don't know".)
      Step 4: Profit!

      I know, it's a tired, old meme but I just couldn't help myself...
    • Re:Privacy (Score:4, Funny)

      by pseudorand (603231) on Wednesday September 30, 2009 @03:32PM (#29597763)

      > If antivirus protectors could collect data from machines and users... ...it would be malware.

      As is, antivirus simply eats up all your CPU and memory, so it's more like a DOS.

      • Re: (Score:3, Interesting)

        by sopssa (1498795) *

        I'm actually more surprised all the time how the antivirus vendors go more the way that scareware does. Good example is Symantec and their Norton product (I feel sorry for the guy..)

        I haven't had an antivirus product on my machine for years because I know how to use to the internet. But there was a case when I though I've made a mistake - so I got myself an antivirus scanner just to make sure.

        Unluckily for me, it happened to be Symantec's. For this day I've still tried to get it off my system, with no luck.

        • Re: (Score:3, Informative)

          by Orbijx (1208864) *

          Usually, the Norton Removal Tool [symantec.com] does the job in blowing Norton's software off the system.

          I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

          • by Xaedalus (1192463)
            Does McAfee have one?
            • Please answer this! I just had to try and uninstall a copy today, and it's a royal pain.
            • Re: (Score:3, Interesting)

              by Orbijx (1208864) *

              Why hell yes, they do.
              In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe [mcafee.com]).

              One run of this util la

          • by jimicus (737525)

            You know the biggest joke?

            Symantec have an enterprise version which they recommend to any organisation with more than 5 PCs.

            It is small, unobtrusive, easy to manage and doesn't gobble up CPU and RAM like it's going out of fashion. So they clearly have some perfectly competent developers on staff.

            Just a bit of a shame that none of these developers go anywhere near the Norton product.

        • Unluckily for me, it happened to be Symantec's. For this day I've still tried to get it off my system, with no luck. Every week it popups during night, scans all of my harddrives and tells me I have to buy their product to protect myself - just like every scareware product. And it only detected some *tracking cookies*.

          Yeah, that sounds exactly how it worked on my system up until the latest version. I was going to dump Symantec for something else (finally), but then heard they had made major improvements to

    • by Errtu76 (776778)

      Antivirus protectors. So this is malware then. It protects against an anti-virus application. Malware to fight malware. I like it!

    • Re:Privacy (Score:5, Informative)

      by Z34107 (925136) on Wednesday September 30, 2009 @03:50PM (#29597959)

      Well, yes and no; it depends on what kind of data.

      Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet [microsoft.com].

      It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to kill that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

      So, maybe be a bad idea, but not a new one - it's already being done.

    • Re: (Score:2, Interesting)

      by elFisico (877213)

      If antivirus protectors could collect data from machines and users

      This idea stopped being a good one here.

      not necessarily. privacy could be protected by pseudonymizing the data. the information is in the connections between the nodes, not in the names of the nodes.

      why pseudonym and not anonym? because you should tell the infected that they are infected. and yes, who should be trusted to manage the nyms? that's another point for long discussions...

    • by Carnildo (712617)

      If antivirus protectors could collect data from machines and users

      This idea stopped being a good one here.

      Think about a corporate environment where this level of information is readily available: if your automated system can spot a virus working its way through the PHBs, the system could block it before it gets to Accounting and starts interfering with people who actually do work.

    • I wonder... (Score:2, Insightful)

      Ok now I am almost positive I'm going to incite some flames with this comment, but I'm actually curious about the opinion here.

      If this same idea were to be proposed by an open-source anti-malware solution, would you still be so hesitant about it?

      How about if the proprietary companies were able to provide concrete evidence of the anonymity of your collected information?

      Again, I'm NOT trying to incite a flame war with this, but it just seems so often that people rally a (mostly deserved) hatred and distrust o

    • I wonder why they need all that information? Why don't they put software in all internet backbones worldwide that detects all virus traffic, and stop the virus there? You don't need user information or geographical information from people, the internet lines themselves are geographically known and shouldn't that be enough?
  • trojans (Score:5, Insightful)

    by Hatta (162192) * on Wednesday September 30, 2009 @03:19PM (#29597625) Journal

    Malware generally moves the same way any other software moves. The user downloads and installs it.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      They thought of that:

      Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake â" the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of

    • by tlhIngan (30335)

      Malware generally moves the same way any other software moves. The user downloads and installs it.

      Not only that, the user often willingly downloads it! It often doesn't come like the spyware of old, buried deep inside the ToS. Instead, the user willingly downloads the trojan and runs it.

      People complain that anti-virus programs continually complain that cracks are infected, but from what I've seen, the AV program is right. People release clean cracks, then more nefarious ones take that crack, and wrap it wit

  • by leehwtsohg (618675) on Wednesday September 30, 2009 @03:23PM (#29597665)

    "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
    Malware writers and credit card phishers would have an immensely easier time.

    It is quite mindboggling how bad this idea is. Cookies are not bad enough for you, eh?

    • Cookies are also hard to even browse without, most sites don't load if the cookie is rejected. After I read the EFF article about web privacy, http://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks [eff.org] I tried setting FF to ask me for cookies, it was such a hassle I had to just set it to delete them after I close out.
      • Cookies are also hard to even browse without, most sites don't load if the cookie is rejected.

        Don't know where you are browsing but I've been blocking the majority of cookies for years with little problem. Yes some sites need them, usually the ones you are trying to log into or buy something from. That only describes a small minority of sites - most don't actually need to set a cookie and if you block them you'll never notice the difference. If it is a site you trust and do business with regularly, cookies are fine. Otherwise either block them forever or only allow them for that session. Your we

        • > Don't know where you are browsing but I've been blocking the majority of
          > cookies for years with little problem.

          Same here.

    • by martas (1439879)
      the only difference is, the people collecting the data are the freaking security experts you decided to trust with your data's integrity and privacy. it's not that similar to uploading personal data to facebook, or using google docs to store your banking info. of course, security experts aren't infallible, but i'd readily trust them with ALL my data if they convince me that doing so will make their protection substantially better.
    • Come on! I RTFA and it only talked about different characteristics of different forms of "malware". It even ENDS with that crap.

      Can this be done?
      Of course, I shared the above with the assumption that this type of installation information can be harvested from millions of client machines, infected or not. I believe this is possible, and will share some thoughts here soon.

      Fuck you very much. This isn't "possible". This is "something I thought up between beers".

      AND that crap was spread over THREE PAGES.

      Here's

  • well... (Score:2, Funny)

    by eexaa (1252378)

    " And the moment malware gives up what allows us to detect it, it also stops being a threat."

    Sounds like we will get a computer filled with malware that is configured to wait until exact date/second and kill everything.

  • Impractical (Score:4, Insightful)

    by Null Nihils (965047) on Wednesday September 30, 2009 @03:31PM (#29597743) Journal

    This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).

    Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.

  • That's too much (Score:4, Insightful)

    by greymond (539980) on Wednesday September 30, 2009 @03:37PM (#29597815) Homepage Journal

    It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computers information, sensitive or not, to be handed over to McAffee or Symantech or whoever. Not me.

  • The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD [openbsd.org] volunteers have been doing that for many years.

    In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

    When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For examples, see the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com]. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

    Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.
    • by drsmithy (35869)

      The best way to stop malware is to audit code so that it doesn't have vulnerabilities.

      Most malware doesn't exploit software vulnerabilities, though, it exploits wetware ones.

  • People need to refocus malware views and start focusing on some of the largest scourges of the issue.
    • Visa
    • Mastercard
    • American Express

    People write malware because it is profitable to so. Regardless of how a machine has been owned, it typically boils down to one of two uses, a botnet or hijacking financial data. The easiest way to do this is get people to submit their own credit card details voluntarily through a webform. While the hosted pages are typically fake, the billing is almost always real, and th

    • Re: (Score:3, Funny)

      by MrEricSir (398214)

      Consumer protection laws? Hmmm, I don't think the bank lobbyists in DC are going to be in favor of that.

    • by jonbryce (703250)

      Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

      • by onyxruby (118189)
        They are excellent targets, and getting these companies to cooperate with international anti-fraud efforts would be a huge win. Without doubt they are the favored methods of 419 scammers and many other scammers for their ability to send money internationally. That being said, sending money through one of these services isn't nearly as convenient or automated as sending money through a credit card. Whilst you may see larger transactions through those services, they can't begin to compare to the sheer volume
    • by jonbryce (703250)

      Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

    • Enable companies to watch and report on the merchants accounts

      There are much simpler ways than "watching merchant accounts": banks and credit card companies simply need to use standard security procedures. For example, banks and credit card companies could have all large transactions confirmed by text message. Or they can use hardware tokens or smart cards.

      The biggest problem is that they can't be bothered as the fraud is profitable for them.

      Exactly. If banks and credit card companies wanted to eliminate

  • by jameskojiro (705701) on Wednesday September 30, 2009 @03:40PM (#29597847) Journal

    How about building a tool in windows that ensures all windows system files are Genuine and then shows what extra crap and drivers startup and lets you choose to either disable or enable them. How about a Registry locker that you lock down your registry while running said tool so you can see if the Malware is trying to re-install itself back onto your computer?

    • Re: (Score:3, Insightful)

      by Penguinisto (415985)

      The first part IIRC already exists somewhat (especially in Vista, which is why UAC was so damned annoying and usually gets shut off at first opportunity). If you were thinking of some other mechanism, I apologize (unless that mechanism involves some sort of local or remote database of 'approved' software to check against, which is a very bad idea).

      The second part would be cool, but the Windows Registry, being a constantly evolving thing (and of piss-poor design) has data written to it by the OS constantly d

  • I've used snort to do this passively in a couple of different shops. I don't know why client software is even necessary when I have traffic destinations in a pretty web gui via BASE.

  • Did anyone else read the headline and look for the picture to go with the lolcats caption?

  • I've noticed over the last few years a growing trend toward host-based detection systems, like the McAfee [mcafee.com] product line for example.The US government or at least the DoD [disa.mil] is really jumping on this band wagon.

    Any thoughts about this approach?
  • by Aryeh Goretsky (129230) on Wednesday September 30, 2009 @04:04PM (#29598105) Homepage
    Hello,

    What Dr. Jakobsson has described is a reputation system.

    At Virus Bulletin 2009 [virusbtn.com], Symantec gave a presentation on reputation systems: " Using the wisdom of crowds to address the malware long tail [virusbtn.com] ," which cited data from one that began development in 2006. While I do not claim to understand the system, in a nutshell, it seems to work by generating a hash for files after they are downloaded or when they are to be executed, and sends this to Symantec along with some metadata, such as source IP/host, filename, path specification on the local host, date and time stamp on the file and other useful information, which is sent to Symantec, initially to provide a quick lookup, but more information can be sent if additional analysis is required. Symantec's client software can then display a message saying "Program XYZ.EXE has been seen n time(s) over the course of n day(s)/week(s)/month(s)." along with some suggestions about how safe it is likely to be based on new/unique program files more likely to be untrusted (higher potential for malcode) and older, commonly program files having a higher degree of trust.

    One advantage of this approach is that it quickly allows malcious files encoded using server-side polymorphism to be quickly identified, as well as the sites hosting them. This negates the technique used by the bad guys to constantly modify code to in order to escape detection by anti-virus software.

    Regards,

    Aryeh Goretsky
    • For a year or more, all Symantec security products have included some form of heuristics/behavior/reputation-based detection. The technologies include Norton Insight [wikipedia.org], SONAR [wikipedia.org], and TruScan [symantec.com].

      The signature-based detection that has been used for so many years isn't very useful anymore. By the time something is confirmed to be in the wild, captured, analyzed, and defintions created for and tested, that particular strain has pretty much ran its course already.

  • by schwit1 (797399) on Wednesday September 30, 2009 @04:10PM (#29598167)
    I would love a build-in security component that white lists what is permitted to run.

    And include whether the component can run as limited or root permissions.

    • by tepples (727027)
      But who would maintain the whitelists? Either end users maintain it and they whitelist a trojan just to see the dancing bunnies [codinghorror.com], or a big company maintains it and all free software is banned like on the game consoles.
    • by dbIII (701233)
      Isn't that what Win7 applocker is supposed to do - an SElinux style whitelist?
  • ...I hear a leading question like that, I automatically fill in, "There's an app for that," in my mind. Damn your marketing to Hell, Apple.

  • So we let the malware freely send itself to hundreds of other computers, steal our sensitive information, and then decide that something is wrong and remove it? Besides that, a lot of malware get's installed by unexperienced users that wanted ringtones/wallpapers/porn/games/porn/porn. Move along, there is nothing to detect.
  • So Wrong (Score:3, Insightful)

    by ratboy666 (104074) <fred_weigel AT hotmail DOT com> on Wednesday September 30, 2009 @04:31PM (#29598475) Homepage Journal

    "The insight is: Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat."

    But of course, malware that doesn't actually DO anything isn't a threat. As an administrator, I am worried about the misuse of resources.

    Staging a DDOS attack from malware is a problem for me, because it uses my bandwidth inappropriately. Stealing credit card numbers because it is an inappropriate information leak. And so on.

    I actually DON'T CARE if someone clicks on the funny cursors package, in exchange for complete information on their browsing habits -- as long as inappropriate information is not leaked. If the user loses the contents of their savings account to a hacker with a trojan? My initial reaction is to laugh, and then feel pity. As long as its not a theft of resources I am controlling.

    Which boils down to: malware is defined by what it does. If propagation is an issue (usually network issues), it becomes my concern. Otherwise? I don't care. So, I use behaviour based approaches to malware control. If a new (to this system) piece of software doesn't have access to resources, it can't misuse them.

    Simple trojans, viruses and worms? Amusing, but not particularly on my radar. Specific attacks on security frameworks designed to contain software? Definitely, along with root kits.

    About the only reason I bother with "malware detection" is to keep Windows users happy(ier). They seem to think that this stuff is somehow important.

  • by Ungrounded Lightning (62228) on Wednesday September 30, 2009 @04:35PM (#29598517) Journal

    ... it depends detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.

    Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".

    Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?

  • by C0vardeAn0nim0 (232451) on Wednesday September 30, 2009 @06:42PM (#29599833) Journal

    try this on a solaris box:

    # find / -type f -perm -ugo-x -exec digest -va md5 {} \; > /executables_digest

    then every week, do:

    # find / -type f -perm -ugo-x -exec digest -va md5 {} \; > /tmp/weekly_digest
    # diff /executables_digest /tmp/weekly_digest

    pretty much what software like tripwire works.

    what those crooks on TFA want is collect a bunch of information about everybody's computers, then sell to the highest bidder.

    fuck them. not on my solaris boxes. not on my linux boxes.

  • " ...If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations ... The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'" ..."

    No, the Bottom LIne is this: for this to work, we'd hav

  • Cool, this system would also clean out all annoying facebook quizzes, those spread like a virus too!
  • "let's argue that there are secure ways antivirus protectors could learn about all installations of software -- good and bad -- that any of their end-users perform. Let's also assume that they could easily collect other data from these machines and users [itworld.com]: geographic location, social networking information, type of operating system, installed programs and configurations"

    What's going to protect us from defects in these security systems? Wouldn't giving these malware monitoring systems access to computer ne

"In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos

Working...