New R2D2 Technique Protects Files Against Wiper Malware, Secure Delete Apps (bleepingcomputer.com) 43
An anonymous reader writes: Purdue University scientists have developed a data protection technique called Reactive Redundancy for Data Destruction (R2D2) that can safeguard data sitting inside a virtual machine from modern data-wiping malware and even some secure file deletion methods. The technique was developed to protect enterprise systems, which are often running inside VMs.
Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, but it was able to prevent data deletion attempted with legitimate "secure delete" applications. When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VM creates a temporary checkpoint that a human operator can use as a system restore point.
Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, but it was able to prevent data deletion attempted with legitimate "secure delete" applications. When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VM creates a temporary checkpoint that a human operator can use as a system restore point.
Re: (Score:2)
Hey, it was tested in a Windows 7 VM, so it ought to work everywhere!
Right?
Hello City of Atlanta? Oh, the city's on hold? Oh. Gosh.
The only problem with this technique... (Score:5, Funny)
God no (Score:2)
Re: (Score:2)
Spin up the CPU for total encryption malware? An app can detect that change while not having to know anything about the malware.
Trying to copy any file deep into the OS so malware can stay active all the time. An app can detect that change.
Try installing totally new malware all over the OS and an app can detect that change without having to know about the new malware.
Purdue University scientists waste time and money (Score:2, Insightful)
I have an even better method for protecting files against deletion. One that is proven and robust. It's called a "backup".
It is not expensive to take snapshots. (Score:1)
You can take them all day, and do incremetal backups that way too.
E.g. on Linux, you could create a snapshot before and after every sudo. Or on certain program launches/exits in general. And on certain file system accesses. (Linux jas built-in APIs for that too nowadays.) Plus hourly ones.
I wonder why file systems don't have built-in version control anyway.
Getting sued by Disney 3.. 2.. 1.. (Score:3)
Re: (Score:2)
"You don't need to see our license agreement."
Re: (Score:2)
Cat and mouse game. (Score:3)
If this is widely deployed the malware writers will just change tactics. Instead of destroying data completely, they will simply begin alter files to the point where they are no longer useful. The more intelligent and insidious malware writers will gradually introduce more and more errors into databases that make it into backups. Eventually it will be discovered but if an unknown percentage of your database and it's backups contain incorrect information then you are going to have a bad time.
Bad name choice (Score:3)
These are not the files you're looking for. *waves hand*
(I leave it up to someone else to come up with a good backronym.)
Safeguarding Data (Score:2)
... can safeguard data sitting inside a virtual machine
You know what else can safeguard data sitting inside a virtual machine?
Backups. Snapshots. Checkpoints.
It's just snapshot automation (Score:1)
They built a component to automatically take a snapshot when it detects I/O patterns that resemble a wipe, to try to reduce the window of time between last snapshot and wrecked data. That's it. It's a supplement to scheduled snapshots, backups and so forth.
Unfortunately (Score:5, Funny)
Unfortunately, this new technique is still vulnerable to Cryptographic Core Computing Processing Overload.
Calling it R2D2 (Score:3)
Is it called R2D2 because the normal case of secure delete the system admins say "What the bleep-bloop have you bleepy-blarp done? You stupid bloopy-blip!!" ?
Apps? (Score:1)
>R2D2 supports 13 known "secure delete" methods that apps and malware are known to use
thank god I only use programs.