
Scanner Identifies Malware Strains, Could Be Future of AV

An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia, a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."

  • by Antiocheian ( 859870 ) on Saturday May 25, 2013 @03:58AM (#43819973) Journal

    Tested the Gmer rootkit detector, AV doesn't report it as malicious but heuristics does. And also,

    The following cluster is related to your sample. The similarities between your submission and samples in our database are shown below. If one of the listed variants in the cluster is malicious, then it is likely that your submission is malicious also.

    Cluster [W32] [Trojan]

    Similarity  Filename                    Hash                              AV Results
    0.734592    aedbfccbfbbddcbebbcbcadf    ed839568ee1c2906ea0b42612d04f6bd  BC.W32.Xpaj
    0.718620    deafabbcffdbdcefecffeea     151d4e03f8ffc6adc50facc2e561dab7  BC.W32.Xpaj
    0.714916    bcdadffaecdeaefbdbcaccdfed  f74f33bcdcff1e97048f2576abb03467  Win.Trojan.Agent-39884

    How "likely"?
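One way to read a cluster report like the one quoted in the comment above, as an added example that is not the Simseer service's own code: it parses the table into rows and keeps the structural similarity score apart from the AV evidence on the neighbours, so the "how likely" question is answered from both. The 0.7 threshold and the trailing undetected row are assumptions made for the example.

```python
import re

# Constructed sample: the cluster report quoted in the comment above, plus one
# constructed neighbour with no AV result (assumed to show as an empty last column).
CLUSTER_REPORT = """\
Cluster [W32] [Trojan]

Similarity Filename Hash AV Results
0.734592 aedbfccbfbbddcbebbcbcadf ed839568ee1c2906ea0b42612d04f6bd BC.W32.Xpaj
0.718620 deafabbcffdbdcefecffeea 151d4e03f8ffc6adc50facc2e561dab7 BC.W32.Xpaj
0.714916 bcdadffaecdeaefbdbcaccdfed f74f33bcdcff1e97048f2576abb03467 Win.Trojan.Agent-39884
0.310000 constructedbenign 00112233445566778899aabbccddeeff
"""

# One data row: similarity, filename, 32-hex-digit hash, optional AV label.
ROW_RE = re.compile(r"^(\d\.\d+)\s+(\S+)\s+([0-9a-fA-F]{32})\s*(.*)$")


def parse_cluster(report: str) -> list[dict]:
    """Parse one cluster table into rows; header and blank lines are skipped."""
    rows = []
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sim, name, digest, label = m.groups()
        rows.append({"similarity": float(sim), "filename": name,
                     "hash": digest.lower(), "av_label": label.strip() or None})
    return rows


def triage(rows: list[dict], threshold: float = 0.7) -> dict:
    """Separate the two pieces of evidence behind 'likely malicious':
    how close the nearest neighbours are (structural similarity, not a
    probability) and whether those close neighbours carry AV detections.
    The 0.7 threshold is an assumed local policy, not a Simseer value."""
    close = [r for r in rows if r["similarity"] >= threshold]
    detected = [r for r in close if r["av_label"]]
    if not close:
        verdict = "no-close-neighbours"
    elif len(detected) == len(close):
        verdict = "likely-malicious"
    elif detected:
        verdict = "mixed-neighbours"
    else:
        verdict = "close-but-undetected"
    return {"verdict": verdict, "close": len(close), "detected": len(detected),
            "max_similarity": max((r["similarity"] for r in rows), default=0.0),
            "labels": sorted({r["av_label"] for r in detected})}
```

Lowering the threshold pulls the undetected neighbour into the close set and the verdict changes to mixed, which is the kind of sensitivity a triage analyst wants visible rather than folded into one word.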

  • by Anonymous Coward on Saturday May 25, 2013 @04:49AM (#43820105)

    Except the analogy is crap. If you have found an exploit, that means that the software it is attacking is faulty. The proper solution to that is to fix the broken software, not to add more complexity in the form of AV software that itself is likely to contain additional vulnerabilities. That is particularly true given that there is this apparently little-known result from theoretical computer science called the halting problem that implies that equivalence of programs cannot be decided in the general case - whereas known vulnerabilities in software can actually be fixed, and fixed in a way that is 100% reliable.

  • by Karmashock ( 2415832 ) on Saturday May 25, 2013 @05:57AM (#43820269)

    The future is and always has been and always will be white lists.

    Nearly all antivirus software works on the premise of the blacklist. That is, there is a list of hundreds of thousands of malware and virus code snippets, and if the AV sees one it flags it.

    The white list works in the opposite direction. All VALID code gets approved. If it isn't on the list then it gets flagged.

    Some people will say "but what about my indy software that isn't on the global white lists!?" Well, for one thing we'll assume that the process of getting your code on the white list is no big deal. Under that system it is in everyone's interest to get as much approved code on the white lists as possible so as to make the black listing system, which is terrible, that much less attractive. That said, you can always approve the code yourself. Tell your home AV system that you vouch for that program and move on.

    Uninformed users would be encouraged not to EVER do that since they don't know enough to really have a valid opinion. But power users, programmers, and IT experts obviously should be able to tell without a scan.

    White lists. It's how the iPhone is effectively protected. Want people to download your product? iTunes has to approve of it. Doubtless iTunes gets scammed occasionally, but it's nothing compared to what would happen if the average user was installing just "anything" on the machine.

    White lists are how AV should work. Top to bottom. Forget blacklists. They're bad.
