Forgot your password?
typodupeerror
Security Australia Software IT

Scanner Identifies Malware Strains, Could Be Future of AV 70

Posted by timothy
from the like-with-like dept.
An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up a certain point, but the polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."
This discussion has been archived. No new comments can be posted.

Scanner Identifies Malware Strains, Could Be Future of AV

Comments Filter:
  • So even good snippets of code, combined, will form malware.
    • I think Java proved that. It seems to have had a bad run recently.
    • by physicsphairy (720718) on Saturday May 25, 2013 @04:18AM (#43820035) Homepage

      You misconstrue the nature of the battle. It is not against malware, anymore than a modern war is againsts guns and bullets. It is against the malware authors. Yes, some variant of "malware" can always be imagined to succeed against any software-level security. But the vast majority of that hypothetical malware is completely irrelevant because no one is ever going to write it. What is missing from consideration is the time and money invested into making the malware work, to how long it is effective, and what the financial payoff will be. The more you increase the burden and reduce the payoff, the more you have shifted the balance toward the good guys. More flexible malware identification mechanisms are big wins not because they are undefeatable but because they make the bad guys work harder. And, as a matter of fact, if you can generalize malicious code based on a few samples, you can effectively have the bad guys working against each other. (Virus 1, using exploit, is successful, second guy notes virus 1's success, analyzes it, produces virus 2 using same exploit, virus 3 also uses same exploit; based on comparison of three viruses, database is able to identify common exploit and innoculate against all subsequent programs which would otherwise rely on said exploit.)

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Except the analogy is crap. If you have found an exploit, that means that the software it is attacking is faulty. The proper solution to that is to fix the broken software, not to add more complexity in the form of AV software that itself is likely to contain additional vulnerabilities. That is particularly true given that there is this apparently little-known result from theoretical computer science called the halting problem that implies that equivalence of programs cannot be decided in the general case -

        • Re: (Score:2, Funny)

          by Anonymous Coward

          I don't know why this post would receive a -1. I agree with the poster here.

          A: What this researcher is doing is nothing new. He's, once again, taking something old and presenting it as new. AV software has long had methods of detecting similar threats based on a few samples of previously known threats and the algorithms and methods they used are no different than what this person proposes.

          B: The best solution to a vulnerability is to patch the vulnerability in the software.

          C: People can try to find all sor

        • by Lotana (842533)

          If you have found an exploit, that means that the software it is attacking is faulty.

          In reality is it impossible to have perfect non-trivial application. Software's first and foremost purpose is to carry out the task it was designed for. Second priority is to have it made as quickly and as cheaply as possible. To achieve that, quality must be sacrificed.

          It is prohibitively expensive to keep patching software every singly time something is discovered. Not to mention that a lot of software is legacy that is no longer under active maintenance.Even if you had all the money and time, it is still

          • by Fnord666 (889225)

            Second priority is to have it made as quickly and as cheaply as possible. To achieve that, quality must be sacrificed.

            Good, fast, cheap. Pick any two.

  • It would be interesting to see a Phylogenetic tree of malware built using this software.
  • by trifish (826353)

    Heuristics doesn't work? Huh? It's actually exactly the kind of analysis that this security researcher seems to be presenting.

    (I only read TF ./ summary though, so correct me if I'm wrong.)

    • Re:Eh? (Score:5, Informative)

      by hvm2hvm (1208954) on Saturday May 25, 2013 @03:19AM (#43819867) Homepage
      Not really, heuristic analysis means looking for specific patterns in code or other data. Things like the program setting himself to start at bootup while deleting itself from the initial run location and so on.

      What this guys does is divide the code in small pieces and comparing those. The thing is I know for a fact that AVs today already do that so unless he has some really smart way of analyzing those "structures" his research is too late.

      Disclaimer: I used to work at an AV company and actually I used to work on the part of the product that does exactly what this guys does.
    • by PNutts (199112)

      (I only read TF ./ summary though, so correct me if I'm wrong.)

      This is /. You were correct to read only the summary and comment.

  • the real test (Score:2, Insightful)

    by Anonymous Coward

    is to determine how many false positives this thing detects

    • by kasperd (592156)

      false positives

      That is so true. It takes less than one minute to write a scanner, which never produces a false negative. But of course in that case it would produce false positives all the time.

  • Meanwhile, the bad guys will keep tweaking their malware until none of the big players detect it, and then will release it. Just like always.
    • by Joce640k (829181)

      This. As soon as any AV product starts to actually work, the writers will change the virus until it doesn't.

      AV products are 99% snake oil.

      • by Lotana (842533)

        I see. If you believe that AV products are useless, what would be your suggestion of a solution to preventing and detecting malware?

        • by jamesh (87723)

          I see. If you believe that AV products are useless, what would be your suggestion of a solution to preventing and detecting malware?

          No you're not getting it. Currently, any decent malware released right now will not be detected by AV products. AV vendors will get hold of a copy of the malware, tweak their dictionaries, and a subsequent update will detect the malware. Running AV products is a good idea because they will detect malware not too long after the malware is released, but TFA changes nothing about this.

        • by Joce640k (829181)

          I see. If you believe that AV products are useless, what would be your suggestion of a solution to preventing and detecting malware?

          AV products work fine against last month's virus?

          This weeks virus? The only solution is to drop a bomb on Microsoft and start over.

          eg. I used to think mp3 files couldn't contain a virus - they're just data files, right? Bugs in the player aside, they can't execute code.

          Wrong. Microsoft added a VBScript extension to them.

          Also ... make "safe" mode, well, safe! ie. Make it not execute any old program that happens to have added a registry entry for itself. Safe mode should only execute fully signed code.

          Also .

    • by eulernet (1132389)

      No need to tweak anything.
      Just change the compiler and the optimization's level, and the malware will be undetectable.

  • by Antiocheian (859870) on Saturday May 25, 2013 @03:58AM (#43819973) Journal

    Tested the Gmer rootkit detector, AV doesn't report it as malicious but heuristics does. And also,

    The following cluster is related to your sample. The similarities between your submission and samples in our database are shown below. If one of the listed variants in the cluster is malicious, then it is likely that your submission is malicious also.

    Cluster [W32] [Trojan]

    Similarity Filename Hash AV Results
    0.734592 aedbfccbfbbddcbebbcbcadf ed839568ee1c2906ea0b42612d04f6bd BC.W32.Xpaj
    0.718620 deafabbcffdbdcefecffeea 151d4e03f8ffc6adc50facc2e561dab7 BC.W32.Xpaj
    0.714916 bcdadffaecdeaefbdbcaccdfed f74f33bcdcff1e97048f2576abb03467 Win.Trojan.Agent-39884

    How "likely" ?

  • by Karmashock (2415832) on Saturday May 25, 2013 @05:57AM (#43820269)

    The future is and always has been and always will be white lists.

    Nearly all anti virus software works on the premise of the blacklist. That is there is a list of hundreds of thousands of malware and virus code snippets and if the AV sees some it flags it.

    The white list works in the opposite direction. All VALID code gets approved. If it isn't on the list then it gets flagged.

    Some people will say "but what about my indy software that isn't on the global white lists!? Well, for one thing we'll assume that the process of getting your code on the white list is no big deal. Under that system it is in everyone's interest to get as much approved code on the white lists as possible so as to make the black listing system which is terrible that much less attractive. That said, you can always approve the code yourself. Tell your home AV system that you vouch for that program and move on.

    Uninformed users would be encouraged not to EVER do that since they don't know enough to really have a valid opinion. But power users, programmers, and IT experts obviously should be able to tell without a scan.

    White lists. Its how the iPhone is effectively protected. Want people to download your product? iTunes has to approve of it. Doubtless itunes gets scammed occasionally but its nothing compared to what would happen if the average user was installing just "anything" on the machine.

    White lists are how AV should work. Top to bottom. Forget blacklists. They're bad.

    • iPhone is just a smart phone. This is about real computers that are supposed to be free to do much more than a handheld device. Try to do the same on personal computer and it's not personal anymore, its just a smart terminal connected to a central iTunes mainframe.

      Furthermore, an exploit on a standard whitelisted application such as a web browser or an office suite would expose the system to unrestricted access. A better solution is to monitor running code and prevent it from doing something it wasn't suppo

      • 1. The iphone thing was just an example of a default white list system. It is a computer. I can literally run windows XP on an android and the iphone is easily as powerful. So its as much a computer as anything.

        2. I was not suggesting it be done the same way as the itunes system. I hate itunes too. The point was to control application access through a white list system.

        3. Browsers and office suites can do the same thing with the white listing. Certain websites with certain bits of java code would be allowed

        • 1. Yes, an iPhone can be hacked to become a computer, but the default configuration to which your original posting was referring to, is not a personal computer but much closer to a smart terminal since it can't function properly (and by functioning properly I naturally have to include running code) without receiving the approval of a central computer. The point of my counterargument is that while Apple's whitelisting system is working fine on the iPhone, the uses of the iPhone are not as broad as the uses o

          • I wish to point out that whitelisting may work for some users who use a limited number of applications

            BasilBrush and other iOS advocates would point out that the commercially relevant majority of users do in fact "use a limited number of applications". Because nobody [slashdot.org] needs an app to do any of these tasks [pineight.com]. "Ha ha ha, boom boom."

            • BasilBrush (and the ibubble in general) is not commercially relevant to computer security either, so we don't really have to care about him, do we ?

          • 1. I'm not going to argue with you about operating systems.

            2. As to there already being whitelisting programs, I don't disagree. But that doesn't actually change my point. Furthermore, most of the major AV companies are moving away from blacklisting because they agree with me and my point. Everyone from Symantec to AVG is moving to blacklisting. Some failures in the technology are nothing to the failures in blacklisting which has failed far more often and far more spectacularly. The only advantage to blackl

    • by Lotana (842533)

      Uninformed users would be encouraged not to EVER do that since they don't know enough to really have a valid opinion.

      The user will do anything and everything to get what they want. They will accept any kind of warnings you through at them, no matter how scary language you use. If you completely take away their ability to control this (ie. Walled garden like Apple), you end up with much more restricted experience.

      There is a cute term for this situation: Dancing Pigs [wikipedia.org]. It is a very well known problem.

      • by t4ng* (1092951)

        The user will do anything and everything to get what they want. They will accept any kind of warnings you through at them, no matter how scary language you use. If you completely take away their ability to control this (ie. Walled garden like Apple), you end up with much more restricted experience.

        There is a cute term for this situation: Dancing Pigs [wikipedia.org].

        Simple solution: Rewrite all security warnings to reward the user with lolcats if they pick the secure option.

      • Easy solution. Warn them with a cartoon.

        How do you think we tell people that something is poison?

        http://tabzified.files.wordpress.com/2010/10/poison_sign.gif?w=520&h=539 [wordpress.com]

        Just throw a cartoon at them. If you make the list of whitelisted applications expansive enough then its unlikely that people will see it very often.

        We could even crowdsource the white lists. Work out something so if enough people with the right level of trust click YES to something it gets added to the global lists.

    • by Anonymous Coward

      Well, for one thing we'll assume that the process of getting your code on the white list is no big deal.

      Ah, an excellent solution! The biggest problem in the proposed system, just assumed away.

    • I think sandboxing is also a key tool. Not sure if a file contains malware? Run it on a sandboxed VM and monitor what it does. Look for files it drops, registry changes made, IP addresses it tries to connect to, etc. Hence the rise of companies like FireEye, who provide this sort of service. Other anti-malware vendors are also adding this functionality - I know of at least three big players heading down this path.
      • I think going full VM is over kill. Just wrap it in a plastic bag. Give it the impression of interacting with a lot of things but don't actually let it effect anything that can compromise the system.

  • Companies that make antivirus software pay seed money for some to make malware, viruses etc.
  • I've been looking for someone to mention the Cyber Genome research project that DARPA sponsored a while ago...but nobody has. The goal was to do exactly this.

    Yes, some people have pointed out a theoretical situation where malware is built entirely of non-malicious code which is shared by non-malicious binaries. But the reality is that this is not what 99% (or more) of malware looks like. Most malware is based on other malware, and you can readily track the genealogy of the code. Additionally, malware de

  • Quick run it on a Windows install disk!
  • "Security researcher Silvio Cesare .. created Simseer, a free online service that performs automated analysis on submitted malware samples"

    `Simseer Search is a service to cluster malware families. PE32 Executable [slashdot.org]:'

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson

Working...