Security Australia Software IT

Scanner Identifies Malware Strains, Could Be Future of AV

An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia, a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."
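To make the idea in the summary concrete, here is an added example (written for this page; it is not Simseer's code and does not reproduce Cesare's actual structural features). It uses a deliberately simple stand-in for "structure": each sample is split into basic blocks, every instruction is reduced to a coarse opcode class with its operands discarded, and a sample becomes the set of its block skeletons. Two samples are scored with Jaccard similarity on those sets, and the scores drive average-linkage clustering that is rendered as a Newick tree. The four listings, the opcode-class table and the junk-instruction set are all constructed for the illustration.

```python
import re
from itertools import combinations

# Constructed pseudo-disassembly for four samples (toy listings, not real malware):
#   A  : base routine
#   A2 : A with registers renamed, immediates changed and junk NOPs inserted
#   A3 : A with a countdown loop spliced in after the call
#   B  : an unrelated byte-copy routine
SAMPLES = {
    "A":  "push ebp; mov ebp, esp; sub esp, 0x40; mov eax, [ebp+8]; cmp eax, 0; je L1; "
          "call 0x401000; jmp L2; L1: xor eax, eax; L2: mov esp, ebp; pop ebp; ret",
    "A2": "push ebp; mov ebp, esp; nop; sub esp, 0x80; mov ecx, [ebp+8]; nop; cmp ecx, 0; "
          "je L1; call 0x402200; jmp L2; L1: xor ecx, ecx; L2: mov esp, ebp; pop ebp; ret",
    "A3": "push ebp; mov ebp, esp; sub esp, 0x40; mov eax, [ebp+8]; cmp eax, 0; je L1; "
          "call 0x401000; mov ecx, 4; L3: dec ecx; jnz L3; jmp L2; L1: xor eax, eax; "
          "L2: mov esp, ebp; pop ebp; ret",
    "B":  "mov edi, [esp+4]; L1: lodsb; test al, al; jz L2; stosb; jmp L1; L2: ret",
}

# Illustrative mnemonic -> coarse class table (an assumption of this example).
# Operands are never inspected, so register renaming and constant changes
# leave the skeleton untouched.
CLASSES = {
    "push": "stack", "pop": "stack",
    "mov": "mov", "lea": "mov", "xchg": "mov",
    "add": "alu", "sub": "alu", "xor": "alu", "and": "alu", "or": "alu",
    "inc": "alu", "dec": "alu", "shl": "alu", "shr": "alu",
    "cmp": "cmp", "test": "cmp",
    "call": "call", "jmp": "jmp", "ret": "ret",
}
JUNK = {"nop"}  # padding a polymorphic engine sprinkles in; dropped before scoring
INSN_RE = re.compile(r"^\s*(?:(\w+):)?\s*(\w+)")   # optional "label:" then mnemonic


def opcode_class(mnemonic):
    m = mnemonic.lower()
    if m in CLASSES:
        return CLASSES[m]
    if m.startswith("j"):   # any remaining jXX is treated as a conditional jump
        return "jcc"
    return m                # rare instruction: its own class


def block_skeletons(listing):
    """Split a listing into basic blocks and return the set of operand-free
    opcode-class tuples, one per block. Instructions are separated by ';'
    or newlines; a 'label:' prefix starts a new block."""
    blocks, current = [], []
    for insn in re.split(r"[;\n]", listing):
        m = INSN_RE.match(insn)
        if not m:
            continue
        label, mnemonic = m.group(1), m.group(2)
        if label and current:             # jump target: close the open block
            blocks.append(tuple(current))
            current = []
        if mnemonic.lower() in JUNK:
            continue
        cls = opcode_class(mnemonic)
        current.append(cls)
        if cls in ("jmp", "jcc", "ret"):  # control transfer: block ends here
            blocks.append(tuple(current))
            current = []
    if current:
        blocks.append(tuple(current))
    return frozenset(blocks)


def similarity(a, b):
    """Jaccard similarity of two skeleton sets: 1.0 identical, 0.0 disjoint."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def pairwise_scores(samples):
    feats = {n: block_skeletons(s) for n, s in samples.items()}
    return {(x, y): similarity(feats[x], feats[y]) for x, y in combinations(samples, 2)}


def evolutionary_tree(samples):
    """Average-linkage agglomerative clustering over the similarity scores,
    rendered as a Newick string: the most similar samples nest deepest."""
    feats = {n: block_skeletons(s) for n, s in samples.items()}
    clusters = [(n, [n]) for n in samples]           # (newick label, member names)
    while len(clusters) > 1:
        best, pair = -1.0, None
        for i, j in combinations(range(len(clusters)), 2):
            mi, mj = clusters[i][1], clusters[j][1]
            avg = sum(similarity(feats[x], feats[y]) for x in mi for y in mj) / (len(mi) * len(mj))
            if avg > best:
                best, pair = avg, (i, j)
        i, j = pair
        clusters[i] = ("(%s,%s)" % (clusters[i][0], clusters[j][0]), clusters[i][1] + clusters[j][1])
        del clusters[j]
    return clusters[0][0] + ";"


if __name__ == "__main__":
    for (x, y), s in pairwise_scores(SAMPLES).items():
        print("%-2s vs %-2s  %.3f" % (x, y, s))
    print(evolutionary_tree(SAMPLES))
```

Running it scores A against its register-renamed, NOP-padded twin A2 at 1.0, against the loop-extended A3 at 3/7, and against the unrelated B at 0.0, and the tree comes out as (((A,A2),A3),B); the two variants sit together, the heavier rewrite joins next, and the unrelated routine last. Two caveats a practitioner would want: first, the normalisation here only survives the cheap mutations (renaming, constant changes, junk insertion); a polymorphic engine that reorders blocks or substitutes equivalent instruction sequences changes the skeletons and would need a richer structural feature than bare block tuples. Second, the (mov, stack, ret) epilogue block is exactly the kind of compiler boilerplate that unrelated programs share, so on a real corpus such common blocks should be down-weighted or the scorer will report similarity between benign programs, which is the false-positive concern raised in the comments.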
  • the real test (Score:2, Insightful)

    by Anonymous Coward on Saturday May 25, 2013 @03:30AM (#43819901)

    is to determine how many false positives this thing detects

  • by physicsphairy ( 720718 ) on Saturday May 25, 2013 @04:18AM (#43820035)

    You misconstrue the nature of the battle. It is not against malware, any more than a modern war is against guns and bullets. It is against the malware authors. Yes, some variant of "malware" can always be imagined to succeed against any software-level security. But the vast majority of that hypothetical malware is completely irrelevant because no one is ever going to write it. What is missing from consideration is the time and money invested into making the malware work, how long it is effective, and what the financial payoff will be. The more you increase the burden and reduce the payoff, the more you have shifted the balance toward the good guys. More flexible malware identification mechanisms are big wins not because they are undefeatable but because they make the bad guys work harder. And, as a matter of fact, if you can generalize malicious code based on a few samples, you can effectively have the bad guys working against each other. (Virus 1, using an exploit, is successful; a second guy notes virus 1's success, analyzes it, and produces virus 2 using the same exploit; virus 3 also uses the same exploit; based on a comparison of the three viruses, the database is able to identify the common exploit and inoculate against all subsequent programs which would otherwise rely on said exploit.)
