Scanner Identifies Malware Strains, Could Be Future of AV
An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia, a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."
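An added illustration of the idea in the summary, not Simseer's own code or Cesare's published algorithm: toy instruction listings (constructed here, not real malware) are normalised to mnemonic plus operand shape, instruction n-grams serve as the small structures that survive register renaming, changed constants and nop padding, Jaccard overlap gives the similarity score, and single-linkage merging produces the tree. The sample names and listings are assumptions made for the example.

```python
import re
from itertools import combinations
# Constructed toy listings, not real malware: fam_b is fam_a with registers and
# constants changed; fam_c adds an instruction and a nop; "other" is unrelated.
SAMPLES = {
    "fam_a": "push ebp; mov ebp, esp; sub esp, 0x40; call 0x401000; test eax, eax; jz 0x401050; mov eax, [ebp-4]; ret",
    "fam_b": "push ebp; mov ebp, esp; sub esp, 0x80; call 0x402000; test ecx, ecx; jz 0x402050; mov ecx, [ebp-8]; ret",
    "fam_c": "push ebp; mov ebp, esp; sub esp, 0x40; nop; xor edx, edx; call 0x401000; test eax, eax; jz 0x401050; mov eax, [ebp-4]; ret",
    "other": "xor eax, eax; inc eax; cmp eax, 10; jl 0x403000; lea esi, [edi+4]; rep movsb; leave; ret",
}
MEM = re.compile(r"\[[^\]]*\]")
REG = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p)\b")
IMM = re.compile(r"\b0x[0-9a-f]+\b|\b\d+\b")

def normalise(listing):
    """Mnemonic plus operand shape (R/M/I): register renaming, changed constants
    and nop padding then leave the instruction stream unchanged."""
    ops = []
    for ins in (i.strip() for i in listing.split(";")):
        if not ins or ins == "nop":
            continue
        mnem, _, rest = ins.partition(" ")
        shape = IMM.sub("I", REG.sub("R", MEM.sub("M", rest)))
        ops.append((mnem + " " + shape.replace(" ", "")).strip())
    return ops

def features(listing, n=2):
    """The small structures: n-grams over the normalised instruction stream."""
    ops = normalise(listing)
    return {tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)}

def jaccard(fa, fb):
    return len(fa & fb) / len(fa | fb) if (fa or fb) else 1.0

def similarity(listing_a, listing_b):
    return jaccard(features(listing_a), features(listing_b))

def cluster_tree(samples):
    """Single-linkage agglomerative clustering; the merge history is the tree:
    one (members, linkage similarity) entry per merge, closest pair first."""
    feats = {name: features(lst) for name, lst in samples.items()}
    clusters, merges = [frozenset([n]) for n in samples], []
    while len(clusters) > 1:
        (a, b), score = max(
            ((p, max(jaccard(feats[x], feats[y]) for x in p[0] for y in p[1]))
             for p in combinations(clusters, 2)), key=lambda t: t[1])
        clusters = [c for c in clusters if c not in (a, b)] + [a | b]
        merges.append((a | b, round(score, 3)))
    return merges
```

With these samples fam_a and fam_b score 1.0 despite different registers and constants, fam_c joins them at 0.667, and the unrelated routine attaches last at 0.0.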
Re:you cannot identify bad intention (Score:2, Funny)
I don't know why this post would receive a -1. I agree with the poster here.
A: What this researcher is doing is nothing new. He's, once again, taking something old and presenting it as new. AV software has long had methods of detecting similar threats based on a few samples of previously known threats and the algorithms and methods they used are no different than what this person proposes.
B: The best solution to a vulnerability is to patch the vulnerability in the software.
C: People can try to find all sorts of ways to disable the anti-virus. The AV may detect one method, after which someone may find another.
If the AV has to detect a broader range of problems it will either take longer or lead to more false positives (or both). Fixing the vulnerabilities and ensuring an operating system that's much less susceptible to intrusion (without compromising usability) and allowing the AV to only detect the problems that are more difficult to otherwise fix is a better solution than letting the AV do what the operating system should already be doing.
Operating systems have been getting better though. Operating system files are generally digitally signed and my operating system will not allow me to delete or modify operating system files within Windows which, if implemented correctly, can make it more difficult for a virus to embed itself into the operating system.
The biggest problem, really, is user error, and that's something that can be difficult to correct.