Assessing Internet Viruses Like Human Epidemics
underpar writes "This ComputerWorld.com article discusses the UCSD's $6.2 million attempt to study Internet viruses in a manner similar to the study of human epidemics. Stefan Savage, a computer science professor, is quoted in the article as saying, 'We'll be focused on what vectors are used, just like in assessing West Nile, to spread computer viruses and ultimately try to develop defenses to prevent them from spreading.'"
Hasn't this been done before? (Score:5, Insightful)
The problem with the metaphor... (Score:5, Funny)
I don't like likening malicious computer use to biology. If we call Sasser a "virus", then we would likewise have to call port-scanning a "forcible proctology exam".
You don't want to know what buffer-overflow exploits would be called...
Re:The problem with the metaphor... (Score:2)
I dunno what you were thinking, but it probably has something to do with dumping core...
Re:Hasn't this been done before? (Score:5, Interesting)
But i guess it was fun for someone to do...
Re:Hasn't this been done before? (Score:5, Interesting)
Re:Hasn't this been done before? (Score:2, Informative)
A simple example would be to change ports opened on infested machines to random numbers. They could also actually attach themselves to system libraries or applications (like they used to), rather than just saving themselves to the hard disk in several places as they do now.
However a more interesting example might be a virus which had lots of different modules, some performing similar functions and redundant (much like stretches of dormant D
Re:Hasn't this been done before? (Score:4, Insightful)
Just need a little bit of help from humans.
How many mutations of sasser have we seen?
Actually... I'd bet more viruses are mutations than originals.
Re:Hasn't this been done before? (Score:5, Interesting)
Primary sources... (Score:5, Informative)
Flipside (Score:3, Interesting)
In real life, the really nasty viruses are the ones that have a comparatively low lethality. This allows the infected hosts to continue spreading for a long time. And/or the (early) symptoms are pretty mild, so hosts will often ignore them.
Hmmm... sounds like most mail relay trojans. I know a few people who *continued* to use thus infected machines, because the inconvenience of cleaning it up is more work for them than havin
"Viruses" vs. "Parasites" (Score:5, Insightful)
A better analogy for computer viruses (and trojans and spyware and worms) is the "parasite", since this is a general form that is found at many, many levels: parasites in our blood, in our cells, in our societies, even in our genes. (The bulk of genetic material appears to consist of parasitic DNA).
Looking at computer malware as a disease misses the point. Actually, looking at human viruses as "diseases" also misses the point.
The thing about parasites is that they are inevitable but that there is an implicit balance between a parasite and its host population that generally ensures that the parasite adapts to becoming less harmful and eventually passive or even cooperative. (Which is why there are ten bacterial cells for every human cell in your body).
Parasites only get out of control when the host population has insufficient variation. It's not a troll to say that the Windows monoculture is the fundamental cause of the current plague of malware.
Variation is the basic solution to parasitic behaviour. Given that, parasites will move only slowly, will adapt to causing less harm (or they will kill their hosts and die as well), and will eventually form the basis for an immune system (fighting off other parasites).
It's inevitable that 60-70% of all software running on all computers will, eventually, be parasitic.
This topic was explored in some detail by HeironymousCoward on Slashdot, about a year ago. [slashdot.org]
Re:"Viruses" vs. "Parasites" (Score:3, Insightful)
It's inevitable that 60-70% of all software running on all computers will, eventually, be parasitic.
My first reaction is to violently disagree. It is quite possible to knock that number down, way way down. There are even some things we can do like recover back to a previous state. "I wish I hadn't done that. Wish granted."
However, the question is how uninfected is it worth taking the trouble to be. I'm afraid the answer is that it's a lot more trouble than it's worth.
The problem
Re:"Viruses" vs. "Parasites" (Score:2)
But what if the virus messes with that recovery system?
Re:"Viruses" vs. "Parasites" (Score:2)
Worse, what happens when the virus uses the recovery system?
You can have an effective recovery system, but it must be totally outside the control of the running system. Anything inside the running system is just another place that can have holes, very insidious holes.
The recovery system doesn't even need to be that good, but it does need to be independent.
Re:Hasn't this been done before? (Score:2, Interesting)
Vaccination strategies center on trying to lower R_0. I
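As an added illustration of the R_0 point in the comment above (and of the monoculture argument made earlier in the thread), here is a small deterministic SIR model written for this page, not taken from the thread or from the UCSD study: the patched fraction of hosts plays the role of vaccination, and the model assumes well-mixed hosts, a constant R_0 and a fixed infectious period.

```python
"""Deterministic SIR model of a worm outbreak across a population of hosts.

Constructed illustration: a fraction p of hosts is patched ("vaccinated")
before the outbreak and so never enters the susceptible pool. With R_0
secondary infections per infected host in a fully susceptible population,
the effective reproduction number is R_eff = R_0 * (1 - p), and the
outbreak cannot take off once R_eff < 1, i.e. once p > 1 - 1/R_0.
"""


def herd_threshold(r0: float) -> float:
    """Smallest patched fraction that forces R_eff = R_0 * (1 - p) below 1."""
    return max(0.0, 1.0 - 1.0 / r0)


def effective_r(r0: float, patched_fraction: float) -> float:
    """Reproduction number once only (1 - p) of the hosts are susceptible."""
    return r0 * (1.0 - patched_fraction)


def simulate_sir(r0, infectious_period, patched_fraction,
                 seed_fraction=1e-3, dt=0.05, horizon=400.0):
    """Integrate the SIR equations with a simple Euler scheme.

    s, i, r are fractions of the whole population (patched hosts are
    counted in none of them). Time is in the same unit as
    infectious_period; the unit itself does not affect the final size.
    Returns the final susceptible / infected / recovered fractions.
    """
    gamma = 1.0 / infectious_period      # recovery (clean-up) rate
    beta = r0 * gamma                    # contact rate, so R_0 = beta / gamma
    s = 1.0 - patched_fraction - seed_fraction
    i = seed_fraction
    r = 0.0
    for _ in range(int(horizon / dt)):
        new_infections = beta * s * i * dt
        new_recoveries = gamma * i * dt
        s -= new_infections
        i += new_infections - new_recoveries
        r += new_recoveries
    return {"susceptible": s, "infected": i, "recovered": r}


def attack_rate(r0, infectious_period, patched_fraction):
    """Fraction of all hosts that were infected at some point."""
    end = simulate_sir(r0, infectious_period, patched_fraction)
    return end["infected"] + end["recovered"]


if __name__ == "__main__":
    R0, PERIOD = 3.0, 5.0
    print(f"R_0 = {R0}: patching threshold p* = {herd_threshold(R0):.3f}")
    for p in (0.0, 0.3, 0.5, 0.6, 0.7, 0.8):
        print(f"patched {p:.0%}: R_eff = {effective_r(R0, p):.2f}, "
              f"final attack rate = {attack_rate(R0, PERIOD, p):.1%}")
```

With R_0 = 3 the threshold is two thirds of hosts patched; at 50% patched the outbreak still reaches roughly 29% of all hosts, at 70% it fizzles out at about 1%.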
Too easy (Score:5, Funny)
Ummm, don't use windows?
Sorry, had to say it.
Re:Too easy (Score:2)
So they're going to be spraying the net for butterflies?
Distinction... (Score:3, Interesting)
Humans can't.
Re:Distinction... (Score:4, Insightful)
Re:Distinction... (Score:2, Funny)
Re:Distinction... (Score:2)
Re:Distinction... (Score:2)
Take some healthy cells from the person. Nuke them with radiation until they're nearly dead (the theory being the illness dies faster than the person), then re-introduce the healthy cells you stored earlier. Essentially 'wipe and reinstall' of the immune system.
Why West Nile? (Score:5, Insightful)
Re:Why West Nile? (Score:5, Funny)
Thus explaining why people who use Linux and people who never get laid tend to be the same people.
Re:Why West Nile? (Score:1)
Re:Why West Nile? (Score:3, Funny)
Re:Why West Nile? (Score:1)
Did you mean ON one hand, or WITH one hand?
Re:Why West Nile? (Score:2, Interesting)
As a gay man I take offense.
Straight women, specifically minority women, have the highest infection rates of AIDS right now. Don't even think that because you're straight and don't take it in the ass that you're immune.
Re:Why West Nile? (Score:3, Insightful)
Re:Why West Nile? (Score:3, Insightful)
Excuse me, but grow the fuck up and get over you
Re:Why West Nile? (Score:3, Insightful)
No, I don't think it's your sexual affinity, I think that it's the fact that you are a total bigot. Parent post didn't even hint at gay, rather (s)he mentioned location and lifestyle, yet you're up in arms. Spend less time looking for ways to take offence to what people have to say.
You assume parent poster isn't gay, you assume that parent is male and that (s)he doesn't participate in anal sex. And you got all of that from a rather insightful post from the parent. Hope you m
Re:Why West Nile? (Score:2)
Why? You're either overly sensitive or reading something into the parent comment that was not there. There was nothing about WHO is at greater risk or WHY.
AIDS is, indeed, on the rise in minority women, especially in sub-Saharan Africa. The prevalent theory is that the culture in the region encourages multiple sexual partners within a small circle (see Why AIDS is worse in Africa [discover.com] for more on this).
And you've now offended me.
Re:Why West Nile? (Score:2)
What you're taking offense at exists only within your own mind. Try to engage in a bit of reading comprehension next time before jumping to unwarranted conclusions.
Max
Interesting Academic Exercise (Score:5, Interesting)
- Avoid IE for surfing
- Avoid OL/OE for eMail
- Firewall (in and out) all OSes with large numbers of exploitable bugs
- Automate patching
- Warn on anomalous behavior
- Have a virus scanner that is up to date
I don't even rely on the last one and I've been virus free for the past 9 years!
Re:Interesting Academic Exercise (Score:3, Insightful)
"I don't even rely on the last one and I've been virus free for the past 9 years!"
Ummm......... how would you know?
Re:Interesting Academic Exercise (Score:2)
No charge online virus scanner (Score:3, Informative)
how would you know [that you've been virus free without installing antivirus software]?
Periodically launching IE (after having firewalled it to connect only to microsoft.com and trendmicro.com) and going to Trend Micro's HouseCall [trendmicro.com] site will tell you whether you have a virus on your machine, and you don't even need to pay for virus definition updates. Run a HouseCall scan overnight once a week (put something in Scheduled Tasks to remind you), and you'll be able to tell Windows XP SP2's security wizard th
Re:Interesting Academic Exercise (Score:3, Funny)
Or so you think
Re:Interesting Academic Exercise (Score:1, Informative)
Re:Interesting Academic Exercise (Score:3, Funny)
Re:Interesting Academic Exercise (Score:1)
Re:Interesting Academic Exercise (Score:2, Informative)
Most of your list is good, but I take exception to this item:
For one, Outlook and Outlook Express are two separate, distinct applications. For another, Outlook itself has been pretty secure since service packs for Outlook 2000 (that's three versions ago, for those who are counting), which remove malicious attachments so you can't execute them. Outlook XP and Outlook 2003 do that out of the box.
However, I surf with IE, read mail with Outlook, don't automatically patch (Windows Up
Re:Interesting Academic Exercise (Score:2)
For one, Outlook and Outlook Express are two separate, distinct applications. For another, Outlook itself has been pretty secure since service packs for Outlook 2000 (that's three versions ago, for those who are counting), which remove malicious attachments so you can't execute them.
Which is great, until someone sends you a file that you actually want of a type Outlook thinks is unsafe, and won't let the receiver open it even though they know it is safe.
I'm a developer, sometimes I want to exchange ex
Re:Interesting Academic Exercise (Score:2, Interesting)
Re:Interesting Academic Exercise (Score:3, Informative)
I disagree with that one. I've found that there is nothing more annoying than having an application decide to launch itself while I'm working. All of a sudden, my word processor isn't listening for my typing (or it is doing so at an alarmingly slower rate), while I'm in the middle of a thought. Add in the fact that many updates on Windows require a restart, and you've got nothing but trouble on your hands. If you can set a schedule for a time you're never around (e.g. lunch break for o
Re:Interesting Academic Exercise (Score:5, Informative)
Um.... the actual basic defenses being preached go back much farther than you suspect. The Internet did not coincide with the development of the computer, or viruses.
Basic defenses are:
'Avoiding IE for surfing' should be "Don't use Microsoft Internet Explorer, full stop." Likewise, "Avoid OL/OE for eMail" should be "Don't use Microsoft Outlook or Outlook Express, full stop." Both of those fall under the category of "risky/stupid behavior". Just because your boss tells you that you have to use 'em doesn't make it any less risky.
Firewalls do two things -- one, they hide your network, so as to keep the black hats away from the data on your network, and two, they hide broken systems that are running insecure programs. This pretty much counts as controlling access to your machine.
I'm not a big fan of automated patching. Patching, yes, but if you automate it, you offer Yet Another Way for the black hats to sneak in to your system. A program that contacts another program to download programs that are replacing programs on that machine fails to (1) control access to your machine and (2) you're trusting "live data".
"Warn on anomalous behavior" sounds good (intrusion detection systems are sometimes based on this concept), but it doesn't really help too much in *preventing* viruses.
An up-to-date virus scanner is the belt you use in addition to suspenders; it's there to catch your goofs, where you're falling down on the job. As a mitigation strategy, it is good for your network... but it's already too late to get your system back into a pristine state. (Thus a good backup strategy is essential.)
In "the old days", you could bring a system back to a known-good state by powering it down, inserting known-clean read-only media, and booting it up again. (In hindsight, those floppy-based systems had a lot going for them. If you were careful, you could avoid exposing your system to viruses, even if you ran a known-infected program.)
It's a bit harder on modern operating systems. For one, there isn't a good way to run a program in isolation. If you're lucky enough to get a statically-linked program, a chroot jail is a simple place to start, but chroot jails aren't terribly secure, and there aren't a lot of statically-linked programs out there these days. Setting up a chroot jail can be prohibitively expensive (in terms of time or disk space).
User-mode Linux and virtual hardware (e.g. Virtual PC) are even more expensive in terms of disk space and set up costs.
Both chroot jails and user-space operating systems tend to keep a program from usefully interacting with other programs. If the output of one program is the input to another, and they're running in different jails/VMs, I need to start worrying about networking in order to facilitate communication. More complexity!
You can always partition your system so that /, /lib, and /usr are read-only, while /var, /tmp, and /home are noexec, but that's not often done, and more often than not, systems are shipping (or defaulting to) single-partition installs. (Madness, I say, madness!)
What would be nice is a system like chroot, but would make the entire system (to that process and sub-processes) read-only, aside from a list of directories, and no-exec, aside from a _different_ list of directories, and at no time would you have the same aspect of a filesystem both read-write and execut
A "meatspace" analogy... (Score:3, Interesting)
- avoid drugs and alcohol
- avoid saturated fats
- wear a condom if you screw around
- practise good hygiene (hint for some of the
- get that funny mole checked out if it gets bigger or suddenly loses or grows hair
- get your flu shot
BTW... if you don't rely on a virus scanner, how do y
Fixes (Score:5, Insightful)
We all know how smallpox spreads. We do not know how to cure it.
We know how viruses spread, but we only know how to remove it from a computer, not how to fix the problems of viruses.
This study will show us where to put better virus filters, which is useful, but it will not tell us how to stop the creation of viruses and malware, which is what we really need.
Re:Fixes (Score:2, Interesting)
Re:Fixes (Score:2)
Re:Fixes (Score:3, Interesting)
There was an example about all the big cat species around the world (except for 1) that all had a virus that appeared to be completely harmless to them. Also there was an example of what I vaguely remember as a cholera outbreak that the more it was attacked with drugs, the more virulent and damaging it became.
The poin
Re:Fixes (Score:3, Funny)
In computer terms, however, we pwnt teh shit out of smallpox.
Re:Fixes (Score:2)
Um
Re:Fixes (Score:2)
"Smallpox (thanks to vaccinations) no longer exists in the wild. I'm sure someone will be able to come up with an apt computing metaphor ..."
How about the Stoned virus [google.com.au] perhaps? I doubt there are any PCs out there still infected by that one.
Re:Fixes (Score:2)
Re:Fixes (Score:2)
STD's (Score:5, Funny)
Re:STD's (Score:1)
Virusen? That's just terrible.
Re:STD's (Score:5, Funny)
I dont know if its such a good analogy. (Score:5, Funny)
Apples to Oranges (Score:5, Funny)
Re:Apples to Oranges (Score:3, Interesting)
Re:Apples to Oranges (Score:1)
Obligatory Onion article... (Score:1)
http://members.aol.com/marinrobt/Gates_CE_Disaste
The difference is... (Score:3, Insightful)
Also, natural selection means that species will likely eventually gain a resistance to whatever virus is affecting them (granted, the virus will also adapt). Not so with computer users, unless ISPs decide to start shutting down access to infected boxen.
HouseCall (Score:1)
and their definitions are two years out of date because they don't want to pay for the subscription!
No excuse. The HouseCall tool by Trend Micro is available free of charge to all users of IE 6 for Windows, and it always uses Trend Micro's latest virus definitions. Sure, you don't get the "realtime" protection of, say, Norton, but if you don't open executable e-mail attachments, don't use Outlook, and don't use IE except on HouseCall and Windows Update, then "realtime" protection probably isn't worth the s
The best solution... (Score:4, Insightful)
Re:The best solution... (Score:1)
I have been receiving the same virus (Beagle variant) from the same IP and reporting same for months (including at least two phone calls to the abuse department), and it just keeps on coming.
Perhaps they see "virus" infection as some sort of social stigma and therefore hands-off in the name of political correctness.
Hello? Viruses????? Doorknob? (Score:3, Insightful)
Next story, please.
Hello??? (Score:3, Funny)
It better be a success, not an attempt!
Where have our values gone?
Linux tagline (Score:2, Interesting)
Every article seems to have his tagline attached. Looks like people can't seem to wait for Linux viruses!
Perhaps they wanna entice people into writing L.virus
Re:Linux tagline (Score:5, Insightful)
Most Linux distros rely on the same types of protection against illegitimate use as Windows. Just like in Windows, we have users and groups with read, write and execute permissions. It is therefore likely to have similar problems if somebody decides to write malware like viruses.
So far this has been fairly uncommon, perhaps because there are more constructive ways for hackers to make a difference in the open source world than in the land of Microsoft.
Furthermore, Linux has the advantage of having more skilled users than Windows. The average Linux user would be much harder to fool into opening e-mail attachments etc. than the average Windows user. But as the use of Linux becomes more widespread, we can assume that it will get into the hands of users just as badly educated as the average Windows user usually is. They will run their systems as root and do stupid things just like they do in Windows today. As a result we will see more problems on the Linux platform.
The fact is that if you avoid MS-Outlook, don't open attachments from unknown people, and make sure that you always have the latest security patches from Microsoft installed, the chance of getting hit in Windows is quite small. So far I have never had a Windows virus, and neither has my wife, and we have used Windows since the release of NT4.
Clearly both Linux and Windows need enhancements to protect them from clueless users. Microsoft will probably try to do this by shutting the user out of his computer and only allowing trusted software to run through the use of their TCPA system.
In Linux we have the SELinux stuff NSA put into the latest 2.6.x kernel series that provides mandatory security. It makes it possible, on an application basis, to control what files an application may read, write, execute or even see, regardless of which user runs the application, including root. In a similar way it is possible to control what capabilities an application has with regards to e.g. networking or memory.
In this kind of system anything that isn't explicitly allowed is forbidden, so if you have a good security policy a virus would be allowed to do very little harm and would have limited ability to spread.
E.g. you could configure your system to refuse to execute anything downloaded by Mozilla or your favorite e-mail client until you explicitly allow it from a password-protected user role. This would of course not prevent Mozilla from doing some harm if the virus was running within the Mozilla process, perhaps as a result of a buffer overflow security breach. But even here SELinux could help. If Mozilla could only see HTML files and was only allowed to alter them if you had the role of webmaster, the damage would be limited.
So, Linux already has the tools to be secure. The problem is that they are not widely used, and in the cases where they are, security policies are often too lenient. One reason for this might be that the tools for creating policies are too hard to use.
I'm happy to see that SELinux is enabled by default in the new Fedora Core 3 test release.
Re:Linux tagline (Score:2)
The computer-organism paradigm doesn't work (Score:5, Interesting)
Desktop computers, on the other hand, are not static systems at all. So there's no really good way for a system to differentiate what's not really supposed to be there from something that was deliberately put there by the user. As I said, this isn't a problem for a living organism because that's a closed system, and anything new that gets put into it, without suitable precautions taken beforehand, will be attacked by the body's defenses as a foreign invader. Such a mechanism implemented on a desktop computer would render the computer practically useless for anything that we take for granted that programmable computers do today.
Re:The computer-organism paradigm doesn't work (Score:5, Interesting)
That's not a good way to categorize things, given the number of malware and trojans "deliberately" installed by the user. Rather, we should identify the malware based on its behavior: Does it alter other executables not installed with it? Does it connect to one site repeatedly? Many sites rapidly? Does it attempt to access the address book? Mail itself out? Make multiple copies of itself in the Windows directory? Edit registry settings it doesn't create? Remove or replace other files that weren't installed with it? And so on...
Once we look at it that way, it's fairly simple to identify malware as it's operating, and once it's identified, the cleanup process can begin.
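As an added example, written for this page and not code from the thread, the questions in the comment above turned into per-process scoring over host telemetry. The event format, the install manifest, the weights and the thresholds are all assumptions made for the illustration; creating a new executable (compiler output) is deliberately not counted as altering a foreign one.

```python
"""Behaviour-based malware triage over constructed host telemetry.

Added example, not code from the thread: each heuristic is one of the
questions in the comment above, evaluated per process over a window of
recorded actions. Event format, manifest, weights and thresholds are assumed.
"""
from collections import Counter, defaultdict

# Files and registry keys each process created when it was installed
# (constructed; a real deployment would take this from package metadata).
INSTALL_MANIFEST = {
    "mailer.exe": {r"c:\program files\mailer\mailer.exe"},
    "gcc.exe": {r"c:\mingw\bin\gcc.exe", r"c:\mingw\bin\cc1.exe"},
    "editor.exe": {r"c:\program files\editor\editor.exe", r"hkcu\software\editor\recent"},
}

# Constructed events: (seconds, process, action, target).
SAMPLE_EVENTS = [
    (0, "gcc.exe", "create_file", r"C:\dev\hello.exe"),        # compiler output, benign
    (1, "editor.exe", "reg_set", r"HKCU\Software\Editor\Recent"),
    (2, "mailer.exe", "copy_self", r"C:\Windows\System32\svch0st.exe"),
    (3, "mailer.exe", "copy_self", r"C:\Windows\wininet32.exe"),
    (4, "mailer.exe", "read_file", r"C:\Users\alice\addressbook.wab"),
    (5, "mailer.exe", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
    (6, "mailer.exe", "modify_file", r"C:\Program Files\Editor\editor.exe"),
    (7, "mailer.exe", "send_mail", "attachment=mailer.exe"),
] + [(10 + i, "mailer.exe", "connect", f"mx{i}.example.net:25") for i in range(6)]

WEIGHTS = {
    "alters_foreign_executable": 3, "alters_foreign_file": 1, "edits_foreign_registry": 2,
    "copies_self_into_windows": 3, "reads_address_book": 2, "mails_itself": 3,
    "many_hosts_rapidly": 2, "repeated_connections": 1,
}


def many_hosts_rapidly(connects, window=60, distinct=5):
    """True if at least `distinct` different hosts were contacted within `window` seconds."""
    connects = sorted(connects)
    for idx, (t0, _) in enumerate(connects):
        hosts = {host for t, host in connects[idx:] if t - t0 <= window}
        if len(hosts) >= distinct:
            return True
    return False


def score_process(proc, events):
    """Return (score, sorted reasons) for one process's (time, action, target) events."""
    own = INSTALL_MANIFEST.get(proc, set())
    reasons, connects, self_copies = set(), [], 0
    for t, action, target in events:
        key = target.lower()
        if action in ("modify_file", "delete_file") and key not in own:
            reasons.add("alters_foreign_executable" if key.endswith((".exe", ".dll"))
                        else "alters_foreign_file")
        elif action == "reg_set" and key not in own:
            reasons.add("edits_foreign_registry")
        elif action == "copy_self" and key.startswith(r"c:\windows"):
            self_copies += 1
        elif action == "read_file" and key.endswith((".wab", ".pab")):
            reasons.add("reads_address_book")
        elif action == "send_mail" and f"attachment={proc}" in key:
            reasons.add("mails_itself")
        elif action == "connect":
            connects.append((t, key))
    if self_copies >= 2:
        reasons.add("copies_self_into_windows")
    if connects and Counter(h for _, h in connects).most_common(1)[0][1] >= 10:
        reasons.add("repeated_connections")
    if many_hosts_rapidly(connects):
        reasons.add("many_hosts_rapidly")
    return sum(WEIGHTS[r] for r in reasons), sorted(reasons)


def triage(events, threshold=5):
    """Group events per process and label each one benign or suspicious."""
    per_proc = defaultdict(list)
    for t, proc, action, target in events:
        per_proc[proc].append((t, action, target))
    report = {}
    for proc, evs in per_proc.items():
        score, reasons = score_process(proc, evs)
        report[proc] = {"score": score, "reasons": reasons,
                        "verdict": "suspicious" if score >= threshold else "benign"}
    return report


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_EVENTS).items():
        print(f"{proc:12} {info['verdict']:10} score={info['score']:2} {info['reasons']}")
```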
Careful (Score:1)
Rather, we should identify the malware based on its behavior: Does it alter other executables not installed with it?
Careful. Microsoft could use this as an excuse to prohibit competing compiler toolchains [mingw.org] from running on Windows.
Does it connect to one site repeatedly? Many sites rapidly?
Firewalls already detect this by hooking into the network stack, but correlating these with your other heuristics might provide a better idea.
Edit registry settings it doesn't create?
And watch it misclassify
Re:The computer-organism paradigm doesn't work (Score:2)
Read about some of the trusted computing technologies. That is almost exactly what they provide, down to the bit level in memory.
Re:The computer-organism paradigm doesn't work (Score:2)
At least for any reasonable OS. It seems that Windows only uses this method after an optional "secure" profile is applied, but still.
generalization (Score:1)
Conjecture on their conclusions (Score:3, Interesting)
1) Monoculture is bad in containing viral spread (good for other operating systems)
2) Since viruses cannot be totally eliminated, a virus resistant host is important (good for most other OSes)
3) Effective antivirus/vaccination efforts should be made (most open source OSes are intrinsically resistant to attack)
4) Public education to help prevent risky behaviors (open OS users are generally much more computer adept)
See a pattern here?
I'm involved, any questions? (Score:4, Informative)
If people have questions, feel free to ask.
OK, let's go with this (Score:5, Interesting)
If you extend this to interoperating computer systems, then ideally you want a variety of platforms (indeed, operating systems but also processor architectures and device types).
Internet Virus Hoaxes (Score:3, Informative)
computer viruses that are actually hoaxes. While savvy Internet users can usually immediately spot the hoaxes, many of our members can be both intimidated and frightened (not to mention the time and effort wasted when the messages are passed back and forth, to spread these 'alerts/hoaxes'). Running virus checking software can also be a very time-consuming endeavor (especially on a large Local Area Network), when you find that you have stopped everyone from working for several hours to check for a hoax, it can be really embarrassing.
My advice is to do a little checking on your own before you excitedly message all of your friends and associates, and possibly embarrass yourself by wasting a lot of their time. Here are some of the better sites that track both email and other computer viruses and virus hoaxes. I rely heavily on the U.S. Department of Energy Computer Incident Advisory Capability's (CIAC) Internet Virus Hoaxes page, but the others all have good and usually current information.
Between them, they describe more than a dozen hoaxes, from Good Times, to PENPAL GREETINGS, to Join the Crew. Background, including the actual "warning" message is provided. These sites provide a valuable service to the Internet community, especially for new users.
Two words (Score:5, Funny)
If only this applied to computers
Sounds familiar... (Score:2, Funny)
Write a virus that tracks it's spread... (Score:1, Interesting)
Re:Write a virus that tracks it's spread... (Score:2)
Social is Fractal (Score:1)
Looking at malware and similar internet problems through the perspective of biological controls may be helpful in other aspects too - spammers, for example, live in a remarkably similar ecological niche to human parasites such as head lice. Seeing how our current attempts to control those pa
Stupid (Score:2)
This is not biology. The severe, frequent virus outbreaks that have happened in recent times were entirely, realistically, preventable. You don't have to conduct a 6.2 million dollar study into "vectors" and whatnot.
How many more incidents does it take until some major corporations start suing Microsoft for the damages caused by their gross negligence?
Hate to say it... (Score:3, Insightful)
Then of course one could foresee a sort of arms race whereby virus authors write in the ability to stop another program from using the same exploit to gain entry to the machine and patch it. So basically it would be an early bird gets the worm sort of scenario where whoever infects the machine first wins.
Still I think it's better than leaving it up to a bunch of lazy computer users who make the rest of the world suffer because they are either too inept or too lazy to patch their machines.
Difference between computers and organisms: (Score:5, Interesting)
Maybe if viruses were to fry hardware, we could see some improvements.
Re:Difference between computers and organisms: (Score:2, Insightful)
Re:Difference between computers and organisms: (Score:2)
When more of these tasks cause real damage to the owner of the computer (like stealing his or her money, or legal consequences because a computer owner would be held responsible for relaying spam), there would be more research and anti-measures.
Right now they seem to be at
Re:Difference between computers and organisms: (Score:2)
Actually there have been cases where hardware has been fried from software, and as computers get more 'advanced' it isn't hard to imagine a virus disabling protections and running the CPUs at max on your G5 until they boil themselves. But that's beside the point.
Step into a corner of the box, and realize that while your computer ma
Everything-is-like-biology fallacy (Score:3)
if we're going to use analogy- then (Score:3, Funny)
Here are the vectors of computer viruses (Score:2)
Laziness = not patching your systems when you know you should.
Stupidity = being willfully ignorant - anyone who wants to be safe can easily find out how. But it seems that most people not only don't bother, they're proud to stay ignorant. That = stupidity.
Topological Differences (Score:2)
Heck for only 3 million dollars I will tell you.. (Score:2)
(And I bet I have just listed more than the 6.2 million dollar study).
I am really glad the government has decided this is worth 6.2 million dollars. Couldn't they have purchased a report from any *one* of the specialized companies that does this for a living? Cripes...
Re:Dr. Microsoft (Score:1, Offtopic)