Researchers Use Machines To Analyze Malware
Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."
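As an added example (not code from the article or from the paper it describes), here is the pipeline the summary sketches in miniature: each sample is modelled as a trace of OS-level events, reduced to an event-frequency vector, clustered with a SOM-style adaptive rule, and unseen traces are assigned to the nearest labelled cluster. The event names, the three family profiles and the traces are constructed for the demo; accuracy() lets you compare short traces against long ones, as the paper did with 100 versus 500 or 1,000 events.

```python
import math, random
from collections import Counter
EVENTS = ["copy_data", "set_registry_key", "open_network_connection", "create_file", "read_file", "delete_file"]
# Constructed (hypothetical) family profiles: probability of each event type per recorded action.
FAMILIES = {
    "downloader":         [0.15, 0.10, 0.45, 0.10, 0.10, 0.10],
    "registry_persister": [0.15, 0.45, 0.10, 0.10, 0.10, 0.10],
    "file_infector":      [0.45, 0.10, 0.10, 0.15, 0.10, 0.10],
}

def sample_trace(family, n_events, rng):
    """Constructed sandbox trace: n_events OS-level actions drawn from the family's profile."""
    return rng.choices(EVENTS, weights=FAMILIES[family], k=n_events)

def featurize(trace):
    """Behaviour vector: fraction of the trace spent on each event type."""
    counts = Counter(trace)
    return [counts[e] / len(trace) for e in EVENTS]

def nearest(centroids, v):
    return min(range(len(centroids)), key=lambda i: math.dist(centroids[i], v))

def train_clusters(vectors, k, rounds=20):
    """SOM-style adaptive clustering: farthest-first seeds, then each vector pulls its winner toward it."""
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        centroids.append(list(max(vectors, key=lambda v: min(math.dist(v, c) for c in centroids))))
    for r in range(rounds):
        lr = 0.5 * (1 - r / rounds)  # decaying learning rate
        for v in vectors:
            w = nearest(centroids, v)
            centroids[w] = [c + lr * (x - c) for c, x in zip(centroids[w], v)]
    return centroids

def label_clusters(centroids, train):
    """Name each cluster after the majority family among the training vectors it wins."""
    votes = [Counter() for _ in centroids]
    for v, fam in train:
        votes[nearest(centroids, v)][fam] += 1
    return [c.most_common(1)[0][0] if c else None for c in votes]

def accuracy(n_events, k=3, per_family=30, seed=7):
    """Train on traces of n_events actions and score unseen traces of the same length."""
    rng = random.Random(seed)
    train = [(featurize(sample_trace(f, n_events, rng)), f) for f in FAMILIES for _ in range(per_family)]
    test = [(featurize(sample_trace(f, n_events, rng)), f) for f in FAMILIES for _ in range(per_family)]
    rng.shuffle(train)  # online updates should not see one family at a time
    centroids = train_clusters([v for v, _ in train], k)
    names = label_clusters(centroids, train)
    return sum(names[nearest(centroids, v)] == f for v, f in test) / len(test)
```

Comparing accuracy(10) with accuracy(1000) reproduces the trend the article reports: the longer the event trace, the less the frequency vector is dominated by sampling noise and the more reliably it lands in the right cluster.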
The future is now (Score:5, Insightful)
Re:The future is now (Score:5, Insightful)
Because the owner of the IP is not always the originator of the malware, but a victimized third party? Ya think? Haven't you ever looked at your phishing spam URLs?
Only a seriously stupid criminal would illegally collect information at a machine that he owns himself.
That said, the prisons are not full of geniuses.
--
BMO
Re:The future is now (Score:3, Funny)
"Pandavirus/2006Tokyo is in Domain Malware, Kingdom Microsoft, Phylum Spyus Maximus, Class Claria, Order Adicus Wearicus, Family Panda."
Re:The future is now (Score:2)
Mechanical? Why mechanical? I thought we had left the Babbage era approach behind when they invented the transistor.
What's wrong with electricity?
Re:The future is now (Score:2)
"Attention! Program X requires blah bla blah. To do that blah blah blah. Do you really want to blah blah blah?"
*90% of users click yes* There, malware exempted. Those people who get malware[1] in the first place won't be helped by this at all.
[1] The open-this-attachment-to-get-owned type, not the Windows-is-a-piece-of-shit-automatically-owned type.
The past is our future. (Score:3, Interesting)
Back in the days when Macs had viruses (yes, they do exist or existed), I was using a program called Gatekeeper [utexas.edu]. Instead of knowing about certain viruses, it monitored system activity and alerted you when virus-type activity was happening. You, the user, would either deny or grant the action.
So given my experience with GateKeeper, the ideas of this malware detection seem obvious. Why did it take this long to apply these ideas to Windows malware? Is the problem commercial anti-virus software? They prefer you to k
Re:The future is now (Score:2)
For example, BitTorrent opens a lot of network connections and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware.
The RIAA and MPAA would agree with that conclusion.
Advantages? (Score:4, Insightful)
Re:Advantages? (Score:4, Insightful)
One-sentence summary (Score:2)
So, basically, we'll have another anti-virus-like program monitoring our systems.
Yay for the multi-core CPUs!
Re:One-sentence summary (Score:4, Insightful)
That's the most attractive option for the big malware prevention/removal companies, and is the most likely scenario in the near future.
The opportunity this type of forensic analysis creates though, is that it exposes and classifies the methods the malware uses to insinuate itself into the host operating system. That means OS vendors can analyse the failure points of their products and harden them against the malware. At the moment, the two key problems with malware removal are
If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place. It's also an example of why an OS vendor who also sells malware tools has such a dangerous conflict of interests.
Re:One-sentence summary (Score:3, Insightful)
The point is, however, that malware mostly (ab)uses perfectly legal system instructions.
Therefore, whatever it is that will be running in people's backgrounds, it will have to have a heuristic algorithm and monitor every single system activity.
To abuse the good old car analogy, it's as if more and more safety measures were introduced in cars instead of teaching people to drive safely.
Wait, where was I going with that one?
Anyway, I do not want (at the times when I'm using Windows) another program which w
Re:One-sentence summary (Score:2)
Yes, that IS the point. And what that means is that by analysing which of those system instructions are being abused and how, you can redesign the system to resist the attacks better. In Windows, for example, the \HKLM\...\Run: registry entries, WINDOWS\Prefetch, etc. are the most common points for malware to hook into to ensure they are loaded at startup. Make it easier to protect and clean those areas and you'll elimin
Re:One-sentence summary (Score:2)
Not exactly.
As in medicine, a bit of prevention is worth more than a... megabyte of repair.
If OS vendors make their products more difficult to infect, now there we may see some improvement... for users, it seems, are not getting educated any better.
Re:One-sentence summary (Score:4, Interesting)
Since multicore systems are starting to take off, perhaps there should be a method for applications to flag themselves as 'supporting', and then have a separate lower-power core dedicated to 'supporting' applications such as AV, system monitors, etc.?
Re:One-sentence summary (Score:1)
Re:One-sentence summary (Score:2)
Re:One-sentence summary (Score:2)
Re:Advantages? (Score:1)
The thing is that the perception of human researchers is always skewed by assumptions and the human tendency to generalize any problem based on incomplete data. (Useful in survival-of-the-fittest scenarios, but potentially counterproductive when doing research.)
Machines deal with facts, period.
They may expose things we previously ignored or crammed into categories that don't really fit the bill.
(Of course, if the data fed to the machine is presented in a form which has already bee
Re:Advantages? (Score:2)
After all, most malware are exploits meant to make money off people's computers, either through ad revenues, bulk mail sending, or formation of a 'botnet' which can be used for a whole slew of possibilities. A few pieces of malware try to steal data so that you can become a 'victim' of internet crime, which is why cer
Re:Advantages? (Score:2)
It's usually a state of not having enough resources to feed, clothe and house yourself (and your family if you have one). Now if you know a way for a person to think themselves out of that, you'll be the most revered man on the planet when you share it with the rest of us.
Re:Advantages? (Score:2)
Poverty is a state o
Re:Advantages? (Score:3, Interesting)
Any mechanized approach to classifying malware is a good thing. I've heard anecdotally that the process of getting a program declared as a virus or malware is (or has been) as follows at major security firms:
Better classification means better naming (Score:5, Funny)
Re:Better classification means better naming (Score:1)
Re:Better classification means better naming (Score:1)
Bugged? (Score:2, Funny)
Hmm... (Score:3, Funny)
as opposed to punch cards?
90% isn't good enough (Score:4, Insightful)
Wow (Score:2, Insightful)
Re:Wow (Score:1)
what is that new malware subset? (Score:3, Funny)
automated systems determined that the new worm, W32.setup/install.exe is the most prevalent ever, due to the success of its social-engineering attack vector.
"us" ???? (Score:4, Funny)
Re:my 5 *cent* (Score:2)
Of course, I'm wondering if this is a pre-pay system or if they'll just deduct it monthly from my bank account, but either way it doesn't matter to me since I trust these guys (hey, they are in the anti-spyware biz; it's unlikely the company will fleece me just for step 3). This will go nicely with my new MS security subscrip [slashdot.org]
I now present... the Polymorph (Score:5, Insightful)
Curious...Curious... (Score:1)
You can already buy a product that does this (Score:4, Informative)
Computer security is not easy.... (Score:2)
Steampunk Anti-Virus (Score:1, Funny)
Do you mean it is steam or internal combustion powered? Based on a huge Babbage differential engine, programmed with cards in Lady Ada language? It must be since it is mechanical! The MODUS, a stack of most advanced cards for automated malware analysis is the subject of an international conspiracy. And the London smog gets denser every day.