Auto-Detecting Malware? It's Possible

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

Privacy

[sopssa]

If antivirus protectors could collect data from machines and users

This idea stopped being a good one here.

Re:Privacy

[gnick]

I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breech. Just leave it off by default and, should you choose, don't click the box.

Re:

[DigitAl56K]

Some thoughts:

A) This isn't a new idea and I'm pretty sure that some AV packages already automatically submit questionable files for analysis, all it takes on top of that is for a vendor to track trends. I've had anti-virus software ask me to opt-in to such schemes before.
B) Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.
C) Once a virus is running on a host surely i

Re:

[Mostly a lurker]

Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.

Hmmm... This is somewhat similar to an issue mentioned in the article: polymorphic viruses. It raises an interesting question. Do existing AV products try to detect such behavior in newly executed code? I am really not sure how tricky the algorithms would be to detect code that is trying to encrypt itself or modify

Re:

[DigitAl56K]

However, most regular software (funnily enough excepting security software trying to avoid detection by malware!) does not need to do this, so such code should probably be blocked and reported by default.

Lots of software does, though. Usually it's due to executable packers/code-obfuscators/anti-reversing runtime protection.

Re:

[gillbates]

About a decade ago, my college installed an "advanced" AV program which blocked the behavior you described. They had to uninstall it almost immediately.

Problem was, the college taught computer science classes, and one of the very first things a compiler does is write a zero-length executable file. Then, it proceeds to modify the code in said executable file. And then the AV suite blocks the compiler, thinking it's a virus.

AV heuristics is an idea at least a decade old. It never really caught on - e

Re:Privacy

[Mr. Freeman]

THe people likely to be volunteering their data are probably people informed about what's going on. Which are the people not likely to be infected, because they don't click on every "FREE PORN" ad they see.

Re:

[TimTucker]

If operating under that assumption, you could learn just as much from those systems since you could extrapolate that the things found on those people's machines were things that probably weren't malware. So you'd essentially have 2 classes of users: - Those who opt in (easier to gather data on what's likely to not be malware) - Those who don't opt in (software not used by the opt-in users may be more likely to be malware)

Pointing the finger the wrong way

[dbIII]

Oh yes, the smug "users are dumb" argument.
Since the same people typically have ADSL modems which are NOT infected with any sort of malware I think the argument is complete rubbish and we're suffering from a platform where "developers are dumb".
Microsoft are waking up to it very slowly, but there are a vast number of third party applications developed by those still asleep at the wheel of the speeding malware trainwreck in progress. Just about any effort Microsoft make at improving security is rendered poi

Salutations

[conureman]

My preference is a hearty "Greetings!". I got it from Bob Ames. However, sometimes I still say "Howdy!", as I learned from Roy Rogers.

Re:

[clang_jangle]

Step 1: All your data are belong to us.
Step 2: Profile users.
Step 3: ???? (as in "won't tell", not "don't know".)
Step 4: Profit!

I know, it's a tired, old meme but I just couldn't help myself...

Re:Privacy

[pseudorand]

> If antivirus protectors could collect data from machines and users... ...it would be malware.

As is, antivirus simply eats up all your CPU and memory, so it's more like a DOS.

Re:

[sopssa]

I'm actually more surprised all the time how the antivirus vendors go more the way that scareware does. Good example is Symantec and their Norton product (I feel sorry for the guy..)

I haven't had an antivirus product on my machine for years because I know how to use to the internet. But there was a case when I though I've made a mistake - so I got myself an antivirus scanner just to make sure.

Unluckily for me, it happened to be Symantec's. For this day I've still tried to get it off my system, with no luck.

Re:

[Orbijx]

Usually, the Norton Removal Tool [symantec.com] does the job in blowing Norton's software off the system.

I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

Re:

[Xaedalus]

Does McAfee have one?

Re:

[blackraven14250]

Please answer this! I just had to try and uninstall a copy today, and it's a royal pain.

Re:

[Orbijx]

Why hell yes, they do.
In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe [mcafee.com]).

One run of this util la

Re:

[jimicus]

You know the biggest joke?

Symantec have an enterprise version which they recommend to any organisation with more than 5 PCs.

It is small, unobtrusive, easy to manage and doesn't gobble up CPU and RAM like it's going out of fashion. So they clearly have some perfectly competent developers on staff.

Just a bit of a shame that none of these developers go anywhere near the Norton product.

Obviously you didn't try the 2009 version

[Crazy Taco]

Unluckily for me, it happened to be Symantec's. For this day I've still tried to get it off my system, with no luck. Every week it popups during night, scans all of my harddrives and tells me I have to buy their product to protect myself - just like every scareware product. And it only detected some *tracking cookies*.

Yeah, that sounds exactly how it worked on my system up until the latest version. I was going to dump Symantec for something else (finally), but then heard they had made major improvements to

Re:

[Errtu76]

Antivirus protectors. So this is malware then. It protects against an anti-virus application. Malware to fight malware. I like it!

Re:Privacy

[Z34107]

Well, yes and no; it depends on what kind of data.

Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet [microsoft.com].

It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to kill that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

So, maybe be a bad idea, but not a new one - it's already being done.

Re:

[elFisico]

If antivirus protectors could collect data from machines and users

This idea stopped being a good one here.

not necessarily. privacy could be protected by pseudonymizing the data. the information is in the connections between the nodes, not in the names of the nodes.

why pseudonym and not anonym? because you should tell the infected that they are infected. and yes, who should be trusted to manage the nyms? that's another point for long discussions...

Re:

[Carnildo]

If antivirus protectors could collect data from machines and users

This idea stopped being a good one here.

Think about a corporate environment where this level of information is readily available: if your automated system can spot a virus working its way through the PHBs, the system could block it before it gets to Accounting and starts interfering with people who actually do work.

I wonder...

[Dudeman_Jones]

Ok now I am almost positive I'm going to incite some flames with this comment, but I'm actually curious about the opinion here.

If this same idea were to be proposed by an open-source anti-malware solution, would you still be so hesitant about it?

How about if the proprietary companies were able to provide concrete evidence of the anonymity of your collected information?

Again, I'm NOT trying to incite a flame war with this, but it just seems so often that people rally a (mostly deserved) hatred and distrust o

Re:

[Lord Lode]

I wonder why they need all that information? Why don't they put software in all internet backbones worldwide that detects all virus traffic, and stop the virus there? You don't need user information or geographical information from people, the internet lines themselves are geographically known and shouldn't that be enough?

Re:

[Ethanol-fueled]

Exactly. This already came up here fairly recently.

First, the service better be free. No way in hell I'm going to pay an AV vendor to do their job for them. Second, what if malware lifts credit cards and passwords are from my computer? Will enough info be relayed to the good guys before my identity is stolen? Third, malware authors will become savvy, cat-and-mouse game, etc.

trojans

[Hatta]

Malware generally moves the same way any other software moves. The user downloads and installs it.

Re:

[Anonymous Coward]

They thought of that:

Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake â" the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of

Re:

[Hatta]

That doesn't say anything about how they are going to distinguish manually installed malware from manually installed apps.

Re:

[blackraven14250]

...or malware that comes bundled with manually installed apps.

Re:

[tlhIngan]

Malware generally moves the same way any other software moves. The user downloads and installs it.

Not only that, the user often willingly downloads it! It often doesn't come like the spyware of old, buried deep inside the ToS. Instead, the user willingly downloads the trojan and runs it.

People complain that anti-virus programs continually complain that cracks are infected, but from what I've seen, the AV program is right. People release clean cracks, then more nefarious ones take that crack, and wrap it wit

an amazingly bad idea

[leehwtsohg]

"If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
Malware writers and credit card phishers would have an immensely easier time.

It is quite mindboggling how bad this idea is. Cookies are not bad enough for you, eh?

Re:

[Killer Orca]

Cookies are also hard to even browse without, most sites don't load if the cookie is rejected. After I read the EFF article about web privacy, http://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks [eff.org] I tried setting FF to ask me for cookies, it was such a hassle I had to just set it to delete them after I close out.

Most sites do not actually need cookies

[sjbe]

Cookies are also hard to even browse without, most sites don't load if the cookie is rejected.

Don't know where you are browsing but I've been blocking the majority of cookies for years with little problem. Yes some sites need them, usually the ones you are trying to log into or buy something from. That only describes a small minority of sites - most don't actually need to set a cookie and if you block them you'll never notice the difference. If it is a site you trust and do business with regularly, cookies are fine. Otherwise either block them forever or only allow them for that session. Your we

Re:

[John Hasler]

> Don't know where you are browsing but I've been blocking the majority of
> cookies for years with little problem.

Same here.

Re:

[martas]

the only difference is, the people collecting the data are the freaking security experts you decided to trust with your data's integrity and privacy. it's not that similar to uploading personal data to facebook, or using google docs to store your banking info. of course, security experts aren't infallible, but i'd readily trust them with ALL my data if they convince me that doing so will make their protection substantially better.

And amazingly badly written.

[khasim]

Come on! I RTFA and it only talked about different characteristics of different forms of "malware". It even ENDS with that crap.

Can this be done?
Of course, I shared the above with the assumption that this type of installation information can be harvested from millions of client machines, infected or not. I believe this is possible, and will share some thoughts here soon.

Fuck you very much. This isn't "possible". This is "something I thought up between beers".

AND that crap was spread over THREE PAGES.

Here's

well...

[eexaa]

" And the moment malware gives up what allows us to detect it, it also stops being a threat."

Sounds like we will get a computer filled with malware that is configured to wait until exact date/second and kill everything.

Impractical

[Null Nihils]

This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).

Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.

That's too much

[greymond]

It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computers information, sensitive or not, to be handed over to McAffee or Symantech or whoever. Not me.

Re:

[Capt.DrumkenBum]

You sound like someone with something to hide...

Is that a black helicopter behind you?

Re:

[greymond]

OMG How did you now!!1! ;)

Malware vulnerability is profitable for Microsoft.

[Futurepower(R)]

The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD [openbsd.org] volunteers have been doing that for many years.

In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For examples, see the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com]. Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.

Re:

[drsmithy]

The best way to stop malware is to audit code so that it doesn't have vulnerabilities.

Most malware doesn't exploit software vulnerabilities, though, it exploits wetware ones.

If OSX, Linux, & BSD can do it, Microsoft can

[Futurepower(R)]

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

Those operating systems have fewer vulnerabilities because they were designed to be secure.

Re:

[bastardadmin]

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

Those operating systems have fewer vulnerabilities because they were designed to be secure.

Apple has a horrible record for patching OSX.
Linux and *BSD have plenty of advisories and vulnerabilities.
No, they were NOT designed to be secure. There are specialised variants, such as OpenBSD and SELinux that can make that, but the vast majority of *nix operating systems can not.
If you want security by design look at the mainframe or iSeries.

Re:

[Penguinisto]

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

Depends on how stable the codebase is, how much backwards-compatibility is needed, how much of a kludge the component code bits in question were in the first place, how modular the overall design is/was, etc.

Sure - Microsoft can do it, but judging from complaints by former Microsofties, and the leaked code from way back in Windows 2000 as a design guide of sorts? Well, on the same note I can, with the same probabilities, dig out Mount Everest and relocate it by using nothing more than a pick axe with a bust

Re:

[Spit]

Backwards compatibility is a non-free software issue. If you have source, you can make it work on your upgraded platform or migrate to an entirely new architecture.

Re:

[Ronald Dumsfeld]

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also. Those operating systems have fewer vulnerabilities because they were designed to be secure.

Microsoft have made secure software in the past. I recall them touting one of the earlier stable NT releases passing some DoD standard or other for security.

What the morons from marketing did not tell you, was that the DoD had some qualifications attached to an NT system meeting their standard - the key one being: Not connected to the Internet.

I still wonder if the No Such Agency [nsa.gov] still has thousands of VMS systems. I've not used VMS (or, as it became, OpenVMS) in the last five years. I know many Unix

Re:

[drsmithy]

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

When OSX, Linux and BSD have the same user demographic, the comparison can be validly made.

Those operating systems have fewer vulnerabilities because they were designed to be secure.

Perhaps you can elaborate on the relevant "design" aspects you're referring to here.

Leaks and emails reveal Microsoft release policies

[Futurepower(R)]

The vulnerabilities are apparently the result of Microsoft release policies:

It was widely reported that Windows 2000 was released with 63,000 known defects [cnn.com].

It was widely reported that Windows XP was released with more than 100,000 known defects [lowendmac.com]. (I don't have time to find a better link.) Microsoft reported that Windows XP Service Pack 2 fixed several hundred bugs, several of them very serious.

Windows Vista was released against the wishes of some Microsoft managers, who said it was not ready for release. There was a court case [channelregister.co.uk] that revealed emails saying that. (Again, I don't have time to find a better link.)

Re:

[drsmithy]

The vulnerabilities are apparently the result of Microsoft release policies:

It's kind of cute you think their release policies are meaningfully different to anyone else's.

You do realise a "defect" in the context of those numbers could be as trivial as a typo in a helpfile, right ?

It is necessary to explain Windows' sloppiness.

[Futurepower(R)]

Windows Vista was released before it was ready. Even Microsoft middle managers complained about that. Customers rejected Vista; here is one of the hundreds of articles about that: Corporate America's rejection of Vista: Many companies delay or denounce Microsoft's flagship product [msn.com].

One magazine collected 210,000 signatures against adoption of Windows Vista and for keeping Windows XP: The campaign to save Windows XP [infoworld.com].

The fact is that we are not seeing the kind of weaknesses in Linux, OS X, or BSD that ar

Re:

[drsmithy]

Windows Vista was released before it was ready.

Congratulations. One example. Every vendor that I'm aware of has (at least) one.

Customers rejected Vista; here is one of the hundreds of articles about that: Corporate America's rejection of Vista: Many companies delay or denounce Microsoft's flagship product.

Except there was nothing particularly unusual in the actual reception for Vista (the media circus and FUD surrounding it is another matter). Essentially the same thing happened with Windows 2000 an

Refocus malware views

[onyxruby]

People need to refocus malware views and start focusing on some of the largest scourges of the issue.

• Visa
• Mastercard
• American Express

People write malware because it is profitable to so. Regardless of how a machine has been owned, it typically boils down to one of two uses, a botnet or hijacking financial data. The easiest way to do this is get people to submit their own credit card details voluntarily through a webform. While the hosted pages are typically fake, the billing is almost always real, and th

Re:

[MrEricSir]

Consumer protection laws? Hmmm, I don't think the bank lobbyists in DC are going to be in favor of that.

Re:

[jonbryce]

Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

Re:

[onyxruby]

They are excellent targets, and getting these companies to cooperate with international anti-fraud efforts would be a huge win. Without doubt they are the favored methods of 419 scammers and many other scammers for their ability to send money internationally. That being said, sending money through one of these services isn't nearly as convenient or automated as sending money through a credit card. Whilst you may see larger transactions through those services, they can't begin to compare to the sheer volume

Re:

[jonbryce]

Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

there are simpler ways

[jipn4]

Enable companies to watch and report on the merchants accounts

There are much simpler ways than "watching merchant accounts": banks and credit card companies simply need to use standard security procedures. For example, banks and credit card companies could have all large transactions confirmed by text message. Or they can use hardware tokens or smart cards.

The biggest problem is that they can't be bothered as the fraud is profitable for them.

Exactly. If banks and credit card companies wanted to eliminate

How about a ROLL Back to Install Tool?

[jameskojiro]

How about building a tool in windows that ensures all windows system files are Genuine and then shows what extra crap and drivers startup and lets you choose to either disable or enable them. How about a Registry locker that you lock down your registry while running said tool so you can see if the Malware is trying to re-install itself back onto your computer?

Re:

[Penguinisto]

The first part IIRC already exists somewhat (especially in Vista, which is why UAC was so damned annoying and usually gets shut off at first opportunity). If you were thinking of some other mechanism, I apologize (unless that mechanism involves some sort of local or remote database of 'approved' software to check against, which is a very bad idea).

The second part would be cool, but the Windows Registry, being a constantly evolving thing (and of piss-poor design) has data written to it by the OS constantly d

Snort? Anyone? Anyone? Snort?

[mpapet]

I've used snort to do this passively in a couple of different shops. I don't know why client software is even necessary when I have traffic destinations in a pretty web gui via BASE.

LOL cats

[ArhcAngel]

Did anyone else read the headline and look for the picture to go with the lolcats caption?

Re:

[bastardadmin]

No, but I should have.

Host-Based Detection

[Ponga]

I've noticed over the last few years a growing trend toward host-based detection systems, like the McAfee [mcafee.com] product line for example.The US government or at least the DoD [disa.mil] is really jumping on this band wagon.

Any thoughts about this approach?

Already being tested by Symantec

[Aryeh Goretsky]

Hello,

What Dr. Jakobsson has described is a reputation system.

At Virus Bulletin 2009 [virusbtn.com], Symantec gave a presentation on reputation systems: " Using the wisdom of crowds to address the malware long tail [virusbtn.com] ," which cited data from one that began development in 2006. While I do not claim to understand the system, in a nutshell, it seems to work by generating a hash for files after they are downloaded or when they are to be executed, and sends this to Symantec along with some metadata, such as source IP/host, filename, path specification on the local host, date and time stamp on the file and other useful information, which is sent to Symantec, initially to provide a quick lookup, but more information can be sent if additional analysis is required. Symantec's client software can then display a message saying "Program XYZ.EXE has been seen n time(s) over the course of n day(s)/week(s)/month(s)." along with some suggestions about how safe it is likely to be based on new/unique program files more likely to be untrusted (higher potential for malcode) and older, commonly program files having a higher degree of trust.

One advantage of this approach is that it quickly allows malcious files encoded using server-side polymorphism to be quickly identified, as well as the sites hosting them. This negates the technique used by the bad guys to constantly modify code to in order to escape detection by anti-virus software.

Regards,

Aryeh Goretsky

Not just tested, its in their modern products

[juventasone]

For a year or more, all Symantec security products have included some form of heuristics/behavior/reputation-based detection. The technologies include Norton Insight [wikipedia.org], SONAR [wikipedia.org], and TruScan [symantec.com].

The signature-based detection that has been used for so many years isn't very useful anymore. By the time something is confirmed to be in the wild, captured, analyzed, and defintions created for and tested, that particular strain has pretty much ran its course already.

Where the Windows White List?

[schwit1]

I would love a build-in security component that white lists what is permitted to run.

And include whether the component can run as limited or root permissions.

Re:

[tepples]

But who would maintain the whitelists? Either end users maintain it and they whitelist a trojan just to see the dancing bunnies [codinghorror.com], or a big company maintains it and all free software is banned like on the game consoles.

Re:

[dbIII]

Isn't that what Win7 applocker is supposed to do - an SElinux style whitelist?

Re:

[the_one(2)]

as does windows

Every time...

[Ihmhi]

...I hear a leading question like that, I automatically fill in, "There's an app for that," in my mind. Damn your marketing to Hell, Apple.

Great idea, 'Lets ignore what it does'

[Ivan Stepaniuk]

So we let the malware freely send itself to hundreds of other computers, steal our sensitive information, and then decide that something is wrong and remove it? Besides that, a lot of malware get's installed by unexperienced users that wanted ringtones/wallpapers/porn/games/porn/porn. Move along, there is nothing to detect.

So Wrong

[ratboy666]

"The insight is: Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat."

But of course, malware that doesn't actually DO anything isn't a threat. As an administrator, I am worried about the misuse of resources.

Staging a DDOS attack from malware is a problem for me, because it uses my bandwidth inappropriately. Stealing credit card numbers because it is an inappropriate information leak. And so on.

I actually DON'T CARE if someone clicks on the funny cursors package, in exchange for complete information on their browsing habits -- as long as inappropriate information is not leaked. If the user loses the contents of their savings account to a hacker with a trojan? My initial reaction is to laugh, and then feel pity. As long as its not a theft of resources I am controlling.

Which boils down to: malware is defined by what it does. If propagation is an issue (usually network issues), it becomes my concern. Otherwise? I don't care. So, I use behaviour based approaches to malware control. If a new (to this system) piece of software doesn't have access to resources, it can't misuse them.

Simple trojans, viruses and worms? Amusing, but not particularly on my radar. Specific attacks on security frameworks designed to contain software? Definitely, along with root kits.

About the only reason I bother with "malware detection" is to keep Windows users happy(ier). They seem to think that this stuff is somehow important.

And like all active-response systems ...

[Ungrounded Lightning]

... it depends detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.

Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".

Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?

what a bunch of crooks...

[C0vardeAn0nim0]

try this on a solaris box:

# find / -type f -perm -ugo-x -exec digest -va md5 {} \; > /executables_digest

then every week, do:

# find / -type f -perm -ugo-x -exec digest -va md5 {} \; > /tmp/weekly_digest
# diff /executables_digest /tmp/weekly_digest

pretty much what software like tripwire works.

what those crooks on TFA want is collect a bunch of information about everybody's computers, then sell to the highest bidder.

fuck them. not on my solaris boxes. not on my linux boxes.

What about the other "bottom line"?

[gordguide]

" ...If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations ... The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'" ..."

No, the Bottom LIne is this: for this to work, we'd hav

Facebook quizzes

[Lord Lode]

Cool, this system would also clean out all annoying facebook quizzes, those spread like a virus too!

protection from anti-malware malware

[viralMeme]

"let's argue that there are secure ways antivirus protectors could learn about all installations of software -- good and bad -- that any of their end-users perform. Let's also assume that they could easily collect other data from these machines and users [itworld.com]: geographic location, social networking information, type of operating system, installed programs and configurations"

What's going to protect us from defects in these security systems? Wouldn't giving these malware monitoring systems access to computer ne

Re:

[CannonballHead]

You actually think that nobody would start making malware/adware for Linux? Not all adware/malware is installed without knowledge of the user... downloading a smiley pack that has malware in it seems to still be fairly common. I see no reason why someone wouldn't do the same for Linux. It would just have ".rpm" instead of ".exe"

Sure, it wouldn't probably be in one of the good repositories, but since when has availability-from-reputable-sources that stopped people from downloading/installing software?

Re:

[jbezorg]

You know... the SANS Internet Storm Center was created in 2001 following the release of the Li0n worm. It exploited a BIND vulnerability on Linux systems and installed a rootkit on those boxes....

Hubris, it's not just for Mac owners.

Re:

[smoker2]

It also exploited microsoft systems, and a warning was issued less than 14 hours after it was first spotted. Mitigating the attack was fairly straightforward, and fixes were quickly available and easy to apply. There are windows worms, trojans and viruses still going around that are years old. But you drag up a situation that was resolved nearly a decade ago.

Re:

[jbezorg]

But you drag up a situation that was resolved nearly a decade ago.

Linux Kernel 2.6 Local Root Exploit [slashdot.org] - February 10 2008
New Linux Flaw Enables Null Pointer Exploits [threatpost.com] - July 17, 2009

Better?

My point was that the ISC was created in response to a virus that had an impact on Linux. More to the point, that "Linux" ( much like "Mac" ) does not mean "invulnerable". Any competent system admin will tell you that.

fixes were quickly available and easy to apply

This has less to do with existence of exploits and more to do with competency doesn't it? Tell you what, if you can tell my mother-in-law how to apply this decade old fi

Re:

[bastardadmin]

Windows is leaps and bounds more secure than any distro of linux, and will be for quite a while.

Citation, please?

 

The reason windows is so exploited, is because it is on 90%+ of the machines in the world which make it the prime target. If Linux had 90% of the desktop, I'm sure you wouldn't be saying "Switch to Linux"

Very true.

Re:

[thewils]

while the worst 'nix problem is typically something that can only be exploited while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

Damn, I wondered what that guy was doing in our server room! Brb...

Shoot that f*cker on sight!

[Xaedalus]

while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

Anyone who can successfully code a virus for Linux while doing everything you just specified above is a walking holy terror and needs to be shot on sight before he (or she) decides the world is boring and it needs to be more "interesting".

Re:

[Omestes]

A properly configured 'nix machine is much more difficult to exploit than a 'doze box.

Here is the problem. A properly configured Windows box is pretty damn hard to exploit. I haven't had a virus in my recent memory, and most other malware infections are wholly the users fault (i.e. no amount of OS level security will protect them). Granted, in my near 30 years of computers, I've had 2 Windows viruses, 0 Linux viruses, and 0 OS X/Mac Viruses, and 0 C64/Amiga/DOS/BSD ones as well. Well, really one Window

Re:

[thewils]

I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

Re:

[CannonballHead]

But it requires root access to install updates (keep your system updated!) and software typically, does it not? Which means the normal user will be in the habit of typing in the root password, just like Windows users are accustomed to clicking "Yes, allow" and/or typing the Administrator password.

No, Linux users don't generally run as root on their machines, but I type the root password into Ubuntu installations very frequently.

There is little difference. One clicks "Yes" to allow something to happen, the

Re:

[thewils]

But it requires root access to install updates (keep your system updated!) and software typically, does it not?

Actually, no. I run Fedora Core 11 at home and it doesn't require a password to apply updates. I can't remember the last time I had to enter root password.

Re:

[zonky]

No, it just depends if there is also an exploit (perhaps a totally seperate one) at that point in time that allows privilege elevation.

Distro's do tend to patch pretty fast, but there is at the moment, a clear day or two gap over some apps like Firefox releasing, and the distro's having patch versions.

The real problem remains between the chair and the keyboard.... The operating system can't prevent a total retard clicking yes to everything, or typing in their password because something looks cool....

Re:

[drsmithy]

I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

I'll just point out there that since the vast majority of machines aren't professionally-run multiuser servers, and very little malware really needs elevated privileges, that distinction is basically irrelevant in the real world.

Re:

[DavidTC]

It's irrelevant until you need to fix the problem.

Windows malware, all too often, totally breaks the system, somehow managing to escape from the user account.

I have no idea how this happens, but it does. The entire system gets broken. Antivirus gets broken quickly before definition updates come in. People have system-wide IE problems, and their hosts file is rewritten, and there's a damn ring-zero network driver running.

Linux, however, has actual account separation. Yes, malware could get in, and horribl

Re:

[drsmithy]

It's irrelevant until you need to fix the problem.

Not really. Once a system has been infected with malware, it should be nuked (unless you have some method of independently verifying everything on it).

Windows malware, all too often, totally breaks the system, somehow managing to escape from the user account.

Typically because the user allows it to ("Click Continue to see porn ? Sure I will."). Less frequently, by actually exploiting some privilege escalation bug.

Linux, however, has actual account s

Re:I have a better idea

[Ungrounded Lightning]

If you think Linux is inherently more secure than Windows, you're absolutely nuts.

Linux is more secure against malware than Windows in the same way that a solid storm window with a few pinhole air leaks at the edge of the frame is more secure against poison gas than a window screen.

This is a "feature" of the way Windows and its application suite are designed.

Now that elaborate malware constructs have been designed and debugged for decades on the Windows Swiss Cheese platforms, and a multibillion dollar malware industry built upon them, if Windows should ever be displaced as the dominant platform by Linux you can expect the payloads to be ported. Then ANY successful Linux exploit the authors can find will give them a new "infection head" and an opportunity to pull the same stunts on Linux, despite the far smaller number of vulnerabilities.

So Windows' security issues (and the failure of the company and users to adequately address them) have made things bad, not just for Windows users, but for everybody. The plague has been bred to enormous strength and virulence in other species and now poses a general threat - much like H1N1 in birds and pigs now poses a threat to humans. Thanks, Microsoft.

Meanwhile, with Windows still the big target, avoiding it in favor of the harder-to-crack, quicker-to-fix, less-profit-for-bad-guys-meanwhile Linux platform remains a benefit for those who use it.

And if it ever DOES become a big enough target to go after, we can hope that the lower number of vulnerabilities, more rapid fix cycle, the model of "fix the holes" in preference to "identify and intercept the latest mutant strains", and the far more varied population of instalations, might keep the problems far smaller than it is with Windows.

Mac: It's where the money is.

[Gary W. Longsine]

Hell, Steve Ballmer keeps repeating over and over how much more expensive the Mac is. If that's true, then people with Macs have more money. Where's the shitstorm of malware trying to steal identities from all those Mac users with hefty bank accounts?

Re:

[pclminion]

The installed base is smaller. Therefore the return-on-investment must be lower for a certain development effort (even taking into account your postulate that Mac users are "richer", which I don't buy without seeing some numbers). Remember, malware authors don't do their work for free. A larger user base means proportionally larger returns for the person who contracted the malware development.

Re:Mac: It's where the money is. No longer.

[milosoftware]

Mac users have no money because they spent it already.

Re:

[ciderVisor]

Sup Dawg ?! I heard you like bein' clean so I put a malware in yo malware so you could disinfect while you disinfect.