Worms Security

Assessing Internet Viruses Like Human Epidemics

underpar writes "This ComputerWorld.com article discusses UCSD's $6.2 million attempt to study Internet viruses in a manner similar to the study of human epidemics. Stefan Savage, a computer science professor, is quoted in the article as saying, 'We'll be focused on what vectors are used, just like in assessing West Nile, to spread computer viruses and ultimately try to develop defenses to prevent them from spreading.'"
  • by wikdwarlock ( 570969 ) on Thursday September 23, 2004 @10:55PM (#10336879) Homepage
    This hardly seems like a novel idea. Isn't the whole calling a computer virus a "virus" supposed to help us understand it in a biological/human way?
    • by halivar ( 535827 ) <bfelger&gmail,com> on Thursday September 23, 2004 @11:00PM (#10336907)
      This hardly seems like a novel idea. Isn't the whole calling a computer virus a "virus" supposed to help us understand it in a biological/human way?

      I don't like likening malicious computer use to biology. If we call Sasser a "virus", then we would likewise have to call port-scanning a "forcible proctology exam".

      You don't want to know what buffer-overflow exploits would be called...
    • by hashish ( 62254 ) on Thursday September 23, 2004 @11:03PM (#10336938)
      Yeah, and this does miss some points. Viruses in humans can mutate and attach themselves to other viruses. Until a computer virus does this they eventually die out when the PC gets patched.

      But i guess it was fun for someone to do...
    • by Mshift2x ( 686015 ) on Thursday September 23, 2004 @11:22PM (#10337039)
      Yes. This has been done before. We've done this in our calculus class. We've used a program to map the 'lifecycle' of a virus. First numerous vulnerable PCs, the way in which they spread to each other, new vulnerable computers being connected to the internet, patching of the computers. It was all pretty cool stuff.
    • Primary sources... (Score:5, Informative)

      by StefanSavage ( 454543 ) on Friday September 24, 2004 @12:02AM (#10337276)
      FWIW, readers should always understand that when they read a news story they are getting a reporter's interpretation of an interview that itself attempts to simplify a larger story. Inevitably, this means that technical details don't survive the translation. To wit, on the second page of the proposal we write: While it is tempting to repurpose the epidemiological models of infectious disease in humans [29], Internet pathogens are in fact quite different--they are authored by intelligent adversaries. Consequently, traditional stochastic analyses are highly fragile tools for predicting the dynamics or limitations of future outbreaks. For those actually interested in what our center is planning to do, I've made the proposal [ucsd.edu] and the summary [ucsd.edu] available. It also gives some insight into what an NSF grant proposal looks like for those who are curious. - Stefan
    • Flipside (Score:3, Interesting)

      by xixax ( 44677 )
      I am somewhat surprised that virus writers do not use virus ecology/biology more.

      In real Life, the really nasty viruses are the ones that have a comparatively low lethality. This allows the infected hosts to continue spreading for a long time. And/Or the (early) symptoms are pretty mild, so hosts will often ignore them.

      Hmmm... sounds like most mail relay trojans. I know a few people who *continued* to use thus infected machines, because the inconvenience of cleaning it up is more work for them than havin
    • by ites ( 600337 ) on Friday September 24, 2004 @01:08AM (#10337586) Journal
      The problem with the terminology (and attempts to use it as a model) is that it implies that human diseases and computer viruses are somehow based on the same mechanisms and can be fought in similar ways. This is obviously untrue. Human and computer viruses may spread in similar patterns, but that's not related to how they work, rather the way they are transmitted. A forest fire also spreads by contact.

      A better analogy for computer viruses (and trojans and spyware and worms) is the "parasite", since this is a general form that is found at many, many levels: parasites in our blood, in our cells, in our societies, even in our genes. (The bulk of genetic material appears to consist of parasitic DNA).

      Looking at computer malware as a disease misses the point. Actually, looking at human viruses as "diseases" also misses the point.

      The thing about parasites is that they are inevitable but that there is an implicit balance between a parasite and its host population that generally ensures that the parasite adapts to becoming less harmful and eventually passive or even cooperative. (Which is why there are ten bacterial cells for every human cell in your body).

      Parasites only get out of control when the host population has insufficient variation. It's not a troll to say that the Windows monoculture is the fundamental cause of the current plague of malware.

      Variation is the basic solution to parasitic behaviour. Given that, parasites will move only slowly, will adapt to causing less harm (or they will kill their hosts and die as well), and will eventually form the basis for an immune system (fighting off other parasites).

      It's inevitable that 60-70% of all software running on all computers will, eventually, be parasitic.

      This topic was explored in some detail by HeironymousCoward on Slashdot, about a year ago. [slashdot.org]
      • Hmmm, very interesting.
        It's inevitable that 60-70% of all software running on all computers will, eventually, be parasitic.

        My first reaction is to violently disagree. It is quite possible to knock that number down, way way down. There are even some things we can do like recover back to a previous state. "I wish I hadn't done that. Wish granted."

        However, the question is how uninfected is it worth taking the trouble to be. I'm afraid the answer is that it's a lot more trouble than it's worth.

        The problem
        • There are even some things we can do like recover back to a previous state. "I wish I hadn't done that. Wish granted."

          But what if the virus messes with that recovery system?

          • But what if the virus messes with that recovery system?

            Worse, What happens when the virus uses the recovery system.

            You can have an effective recovery system, but it must be totally outside the control of the running system. Anything inside the running system is just another place that can have holes, very insidious holes.

            The recovery system doesn't even need to be that good, but it does need to be independent.
    • by Anonymous Coward
      It has. It is actually a pretty interesting problem. There are a number of things that make studying computer viruses different from biological viruses. One area of interest is incorporating the network topology into the model. Computer networks tend to be 'scale-free', the internet certainly is. Most epidemiological models (SIS, SIR etc) assume completely mixed populations. When you put them on a different network topology you can get different results.

      Vaccination strategies center on trying to lower R_0. I
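The two comments above (the calculus-class "lifecycle" simulation and the SIS/SIR, R_0 and topology remarks) describe exactly the kind of model a practitioner would build. The following is an added example written for this page, not code from any poster or from the UCSD project. Part 1 is the textbook well-mixed SIR model with its R_0 and herd-immunity (patching) threshold; Part 2 runs the same per-contact dynamics on two constructed graphs with equal mean degree, a heavy-tailed preferential-attachment graph standing in for a "scale-free" network and a random graph standing in for the mixed-population assumption, and compares hub-targeted against random patching. Graph sizes, rates and the seed host are assumptions chosen for the demonstration.

```python
"""Epidemic models applied to worm propagation (added example, not from the thread)."""
import random

# ---------- Part 1: well-mixed SIR, as in human epidemiology ----------

def basic_reproduction_number(beta, gamma):
    """R_0 = beta/gamma: secondary infections from one infected host in an otherwise
    susceptible, fully mixed population. R_0 > 1 means the outbreak can grow."""
    return beta / gamma

def herd_immunity_threshold(r0):
    """Fraction p that must be immune (patched) so that R_0 * (1 - p) < 1."""
    return max(0.0, 1.0 - 1.0 / r0)

def simulate_sir(n, i0, beta, gamma, patched_fraction=0.0, dt=0.01, t_max=200.0):
    """Euler integration of dS/dt=-beta*S*I/N, dI/dt=beta*S*I/N-gamma*I, dR/dt=gamma*I.
    Hosts patched before the outbreak start in R. Returns (S, I, R) at t_max."""
    r = patched_fraction * n
    i = float(i0)
    s = n - i - r
    for _ in range(int(t_max / dt)):
        new_infections = beta * s * i / n * dt
        new_recoveries = gamma * i * dt
        s -= new_infections
        i += new_infections - new_recoveries
        r += new_recoveries
    return s, i, r

# ---------- Part 2: stochastic SIR on an explicit contact graph ----------

def barabasi_albert_graph(n, m, rng):
    """Preferential attachment: a few very high-degree hubs (heavy-tailed degrees),
    a constructed stand-in for a 'scale-free' topology. Returns adjacency sets."""
    adj = {v: set() for v in range(n)}
    targets, degree_weighted = list(range(m)), []
    for v in range(m, n):
        for t in targets:
            adj[v].add(t)
            adj[t].add(v)
        degree_weighted.extend(targets)
        degree_weighted.extend([v] * m)
        chosen = set()
        while len(chosen) < m:            # m distinct targets, chosen ~ degree
            chosen.add(rng.choice(degree_weighted))
        targets = list(chosen)
    return adj

def erdos_renyi_graph(n, mean_degree, rng):
    """Random graph with the same mean degree but a narrow degree distribution:
    the closest graph analogue of the 'completely mixed' assumption."""
    p = mean_degree / (n - 1)
    adj = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v)
                adj[v].add(u)
    return adj

def simulate_network_sir(adj, seeds, tau, gamma, rng, patched=frozenset(), max_steps=10000):
    """Discrete-time SIR: each infected host infects each susceptible neighbour with
    probability tau per step and recovers with probability gamma per step. Patched
    hosts neither catch nor relay the worm. Returns the set of hosts ever infected."""
    infected = {s for s in seeds if s not in patched}
    ever = set(infected)
    for _ in range(max_steps):
        if not infected:
            break
        newly = set()
        for u in infected:
            for v in adj[u]:
                if v not in ever and v not in patched and rng.random() < tau:
                    newly.add(v)
        recovered = {u for u in infected if rng.random() < gamma}
        infected = (infected - recovered) | newly
        ever |= newly
    return ever

def patch_hubs(adj, fraction, exclude=()):
    """Targeted vaccination: patch the highest-degree hosts first."""
    candidates = [v for v in sorted(adj) if v not in exclude]
    candidates.sort(key=lambda v: len(adj[v]), reverse=True)
    return frozenset(candidates[:int(len(adj) * fraction)])

def patch_random(adj, fraction, rng, exclude=()):
    """Untargeted vaccination: patch a uniformly random subset of hosts."""
    candidates = [v for v in sorted(adj) if v not in exclude]
    return frozenset(rng.sample(candidates, int(len(adj) * fraction)))

def compare_topologies(n=2000, tau=0.05, gamma=0.2, seed=1):
    """Same per-contact transmissibility on two graphs of mean degree 4, then
    hub-targeted vs. random patching of 10% of hosts on the heavy-tailed graph.
    The seed host is the last-added node (degree m, never a hub) and is never patched."""
    rng = random.Random(seed)
    scale_free = barabasi_albert_graph(n, 2, rng)
    homogeneous = erdos_renyi_graph(n, 4.0, rng)
    seeds = [n - 1]
    return {
        "scale_free": len(simulate_network_sir(scale_free, seeds, tau, gamma, rng)),
        "homogeneous": len(simulate_network_sir(homogeneous, seeds, tau, gamma, rng)),
        "scale_free_patch_hubs": len(simulate_network_sir(
            scale_free, seeds, tau, gamma, rng, patch_hubs(scale_free, 0.10, seeds))),
        "scale_free_patch_random": len(simulate_network_sir(
            scale_free, seeds, tau, gamma, rng, patch_random(scale_free, 0.10, rng, seeds))),
    }

if __name__ == "__main__":
    r0 = basic_reproduction_number(0.3, 0.1)
    print(f"R_0 = {r0:.1f}; patch at least {herd_immunity_threshold(r0):.0%} of hosts")
    _, _, r = simulate_sir(10000, 10, 0.3, 0.1)
    print(f"well-mixed, unpatched: {r / 10000:.1%} of hosts eventually infected")
    print(compare_topologies())
```

The well-mixed model gives the familiar result (R_0 = 3 means roughly 94% of hosts are eventually infected, and patching two thirds of them beforehand chokes the outbreak off). The network half is where the comment's point shows up: because the outcome is stochastic the numbers vary with the seed, but the heavy-tailed graph sustains outbreaks at a transmissibility that fizzles on the homogeneous graph, and patching the hubs first removes far more of the spread than patching the same number of random hosts.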
  • Too easy (Score:5, Funny)

    by MuckSavage ( 658302 ) on Thursday September 23, 2004 @10:55PM (#10336881)
    "...just like in assessing West Nile, to spread computer viruses and ultimately try to develop defenses to prevent them from spreading.'"

    Ummm, don't use windows?

    Sorry, had to say it.
    • "We'll be focused on what vectors are used, just like in assessing West Nile, to spread computer viruses and ultimately try to develop defenses to prevent them from spreading.'"

      So they're going to be spraying the net for butterflies?
  • Distinction... (Score:3, Interesting)

    by z3021017 ( 806883 ) on Thursday September 23, 2004 @10:57PM (#10336890)
    Computers can have their data wiped for a new, clean beginning.

    Humans can't.

  • Why West Nile? (Score:5, Insightful)

    by Curunir_wolf ( 588405 ) * on Thursday September 23, 2004 @10:57PM (#10336891) Homepage Journal
    Why not study it like they do the AIDS virus? That is, it's obvious that certain behavior will greatly increase the risk of infection, and some, based on location and lifestyle (OS) have very little chance of infection at all.
    • by Anonymous Coward on Thursday September 23, 2004 @11:05PM (#10336945)
      some, based on location and lifestyle (OS) have very little chance of infection at all.

      Thus explaining why people who use Linux and people who never get laid tend to be the same people.
    • Certain behaviors? Like reading /.? You can count the number of /.'ers who've contracted aids from sex on 1 hand, probably less...like half a hand...and that's probably still a high estimate.
    • Re:Why West Nile? (Score:2, Interesting)

      by xombo ( 628858 )
      +4 interesting?!?!!
      As a gay man I take offense.
      Straight women, specifically minority women, have the highest infection rates of AIDS right now. Don't even think that because you're straight and don't take it in the ass that you're immune.
      • Re:Why West Nile? (Score:3, Insightful)

        by Anonymous Coward
        That is not how this comment was meant, I think. Regardless of sexual preference, an example of a high-risk lifestyle would be having promiscuous unprotected sex. A low risk lifestyle would be to be involved in a long-term monogamous relationship.
      • Re:Why West Nile? (Score:3, Insightful)

        by PitaBred ( 632671 )
        I know that this is terribly offtopic, but this is EXACTLY what pisses me off about "minorities." You assume that someone is insulting you because they use the term "lifestyle." Lifestyle can be having promiscuous sex, going to clubs, sitting at home and masturbating, and of a LARGE number of things. Yet you think someone means you, and you're being discriminated against, thus giving you the right to... something. Reparations, additional rights, whatever.
        Excuse me, but grow the fuck up and get over you
      • Re:Why West Nile? (Score:3, Insightful)

        by Mordaximus ( 566304 )
        As a gay man I take offense.

        No, I don't think it's your sexual affinity, I think that it's the fact that you are a total bigot. Parent post didn't even hint at gay, rather (s)he mentioned location and lifestyle, yet you're up in arms. Spend less time looking for ways to take offence to what people have to say.

        You assume parent poster isn't gay, you assume that parent is male and that (s)he doesn't participate in anal sex. And you got all of that from a rather insightful post from the parent. Hope you m

      • As a gay man I take offense.

        Why? You're either overly sensitive or reading something into the parent comment that was not there. There was nothing about WHO is at greater risk or WHY.

        AIDS is, indeed, on the rise in minority women, especially in sub-Saharan Africa. The prevalent theory is that the culture in the region encourages multiple sexual partners within a small circle (see Why AIDS is worse in Africa [discover.com] for more on this).

        And you've now offended me.

      • He didn't say a single thing about gays. He was talking about the sort of lifestyle that increases the rate of infection, e.g., unprotected sex with strangers.

        What you're taking offense at exists only within your own mind. Try to engage in a bit of reading comprehension next time before jumping to unwarranted conclusions.

        Max
  • by tony3w ( 559959 ) * on Thursday September 23, 2004 @10:57PM (#10336895) Homepage
    This is an interesting academic exercise, but the basic defenses that have been preached for years work just fine:

    - Avoid IE for surfing
    - Avoid OL/OE for eMail
    - Firewall (in and out) all OSes with large numbers of exploitable bugs
    - Automate patching
    - Warn on Anomalous behavior
    - Have a virus scanner that is up to date

    I don't even rely on the last one and I've been virus free for the past 9 years!
    • by Anonymous Coward
      " - Have a virus scanner that is up to date

      I don't even rely on the last one and I've been virus free for the past 9 years!"


      Ummm......... how would you know?
      • 99% of viruses drop themselves in the Windows registry run keys. If these are clean, I really doubt you've got a virus. Oh, and linux not having a registry helps too :).
      • how would you know [that you've been virus free without installing antivirus software]?

        Periodically launching IE (after having firewalled it to connect only to microsoft.com and trendmicro.com) and going to Trend Micro's HouseCall [trendmicro.com] site will tell you whether you have a virus on your machine, and you don't even need to pay for virus definition updates. Run a HouseCall scan overnight once a week (put something in Scheduled Tasks to remind you), and you'll be able to tell Windows XP SP2's security wizard th

    • I don't even rely on the last one and I've been virus free for the past 9 years!

      Or so you think
      • by Anonymous Coward
        How is this insightful? I do an occasional online scan and I haven't had a virus turn up in years.
        • It's insightful cause the mods are idiots? It was an attempt at Funny. I've given up on trying to get modded appropriately. If I get a mod whether it be -1 Flame-bait or whatever I'm happy cause it means at least SOMEONE read my post.
    • Agreed, however, I can add a bullet point. - Avoid Microsoft. I've been virus free forever!
    • Most of your list is good, but I take exception to this item:

      Avoid OL/OE for eMail

      For one, Outlook and Outlook Express are two separate, distinct applications. For another, Outlook itself has been pretty secure since service packs for Outlook 2000 (that's three versions ago, for those who are counting), which remove malicious attachments so you can't execute them. Outlook XP and Outlook 2003 do that out of the box.

      However, I surf with IE, read mail with Outlook, don't automatically patch (Windows Up

      • For one, Outlook and Outlook Express are two separate, distinct applications. For another, Outlook itself has been pretty secure since service packs for Outlook 2000 (that's three versions ago, for those who are counting), which remove malicious attachments so you can't execute them.

        Which is great, until someone sends you a file that you actually want of a type Outlook thinks is unsafe, and won't let the receiver open it even though they know it is safe.

        I'm a developer, sometimes I want to exchange ex

      • I actually used to use Outlook as my preferred mail client. Then they 'updated' it and prevented my mail-viewing template from working properly. I basically created a filter that (before any non-text email was rendered) removed a list of about 15 strings that had potential for being harmful (ActiveX, XSL, CSS, JS, images, etc.) The geniuses that updated OL in OfficeXP SP2 changed the behavior of OL to actually pre-render the HTML content before it hit my filter. So the images were downloading, CSS would
    • "- Automate patching"

      I disagree with that one. I've found that there is nothing more annoying than having an application decide to launch itself while I'm working. All of a sudden, my word processor isn't listening for my typing (or it is doing so at an alarmingly slower rate), while I'm in the middle of a thought. Add in the fact that many updates on Windows require a restart, and you've got nothing but trouble on your hands. If you can set a schedule for a time you're never around (e.g. lunch break for o
    • by SJS ( 1851 ) on Friday September 24, 2004 @12:39AM (#10337478) Homepage Journal

      This is an interesting academic exercise, but the basic defenses that have been preached for years work just fine:

      Um.... the actual basic defenses being preached go back much farther than you suspect. The Internet did not coincide with the development of the computer, or viruses.

      Basic defenses are:

      • Don't trust live data
      • Don't let random programs run on your machine if there's any data accessible -- i.e. control access to your machine
      • Don't engage in risky/stupid behavior -- practice safe computing
      • Long-term backups are important

      'Avoiding IE for surfing' should be "Don't use Microsoft Internet Explorer, full stop." Likewise, "Avoid OL/OE for eMail" should be "Don't use Microsoft Outlook or Outlook Express, full stop." Both of those fall under the category of "risky/stupid behavior". Just because your boss tells you that you have to use 'em doesn't make it any less risky.

      Firewalls do two things -- one, they hide your network, so as to keep the black hats away from the data on your network, and two, they hide broken systems that are running insecure programs. This pretty much counts as controlling access to your machine.

      I'm not a big fan of automated patching. Patching, yes, but if you automate it, you offer Yet Another Way for the black hats to sneak in to your system. A program that contacts another program to download programs that are replacing programs on that machine fails to (1) control access to your machine and (2) you're trusting "live data".

      "Warn on Anomalous behavior" sounds good (intrusion detection systems are sometimes based on this concept), but it doesn't really help too much in *preventing* viruses.

      An up-to-date virus scanner is the belt you use in addition to suspenders; it's there to catch your goofs, where you're falling down on the job. As a mitigation strategy, it is good for your network... but it's already too late to get your system back into a pristine state. (Thus a good backup strategy is essential.)

      In "the old days", you could bring a system back to a known-good state by powering it down, inserting known-clean read-only media, and booting it up again. (In hindsight, those floppy-based systems had a lot going for them. If you were careful, you could avoid exposing your system to viruses, even if you ran a known-infected program.)

      It's a bit harder on modern operating systems. For one, there isn't a good way to run a program in isolation. If you're lucky enough to get a statically-linked program, a chroot jail is a simple place to start, but chroot jails aren't terribly secure, and there's not a lot of statically-linked programs out there these days. Setting up a chroot jail can be prohibitively expensive (in terms of time or disk space).

      User-mode Linux and virtual hardware (e.g. Virtual PC) are even more expensive in terms of disk space and set up costs.

      Both chroot jails and user-space operating systems tend to keep a program from usefully interacting with other programs. If the output of one program is the input to another, and they're running in different jails/VMs, I need to start worrying about networking in order to facilitate communication. More complexity!

      You can always partition your system so that /, /lib, and /usr are read-only, while /var, /tmp, and /home are noexec, but that's not often done, and more often than not, systems are shipping (or defaulting to) single-partition installs. (Madness, I say, madness!)

      What would be nice is a system like chroot, but would make the entire system (to that process and sub-processes) read-only, aside from a list of directories, and no-exec, aside from a _different_ list of directories, and at no time would you have the same aspect of a filesystem both read-write and execut
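The post above argues that no filesystem should be both read-write and executable (/, /lib and /usr read-only; /var, /tmp and /home noexec) and notes that single-partition installs break that rule by default. As an added example, not code from the poster, here is a small audit that parses a table in /proc/mounts format and reports every real filesystem that can be written to and executed from, suggesting the option the post would add. The input is a constructed sample, including a mount point with an octal-escaped space, which is how the kernel encodes it; the list of pseudo-filesystems to skip is an assumption.

```python
"""Audit a /proc/mounts table for filesystems that are both writable and executable.
Added example with constructed input; not from the Slashdot post."""
from dataclasses import dataclass

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# The kernel octal-escapes spaces in paths (\040), so a correct parser must decode them.
SAMPLE_MOUNTS = r"""
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 ro,relatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /home ext3 rw,relatime 0 0
/dev/sdb1 /mnt/usb\040drive vfat rw,noexec,nosuid 0 0
proc /proc proc rw 0 0
"""

# Assumed set of kernel pseudo-filesystems that carry no user-placed files.
PSEUDO_FS = {"proc", "sysfs", "devpts", "securityfs", "cgroup", "cgroup2", "debugfs"}
READ_ONLY_TREES = {"/", "/usr", "/lib"}      # the post's read-only set
NOEXEC_TREES = {"/var", "/tmp", "/home"}     # the post's noexec set

@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset

def unescape(field):
    """Decode the \\NNN octal escapes /proc/mounts uses (\\040 space, \\011 tab, ...)."""
    out, i = [], 0
    while i < len(field):
        code = field[i + 1:i + 4]
        if field[i] == "\\" and len(code) == 3 and all(c in "01234567" for c in code):
            out.append(chr(int(code, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)

def parse_mounts(text):
    """Parse /proc/mounts text into Mount records; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        # Options are split on commas, so tokens such as "errors=remount-ro"
        # never match the bare "ro" flag by accident.
        mounts.append(Mount(unescape(device), unescape(mountpoint), fstype,
                            frozenset(options.split(","))))
    return mounts

def is_writable(mount):
    return "ro" not in mount.options

def is_executable(mount):
    return "noexec" not in mount.options

def suggest_fix(mountpoint):
    """Which of the post's two remedies applies to this tree."""
    if mountpoint in NOEXEC_TREES:
        return "add noexec"
    if mountpoint in READ_ONLY_TREES:
        return "add ro"
    return "add ro or noexec"

def audit_mounts(mounts):
    """(mountpoint, suggestion) for every real filesystem that is both writable and
    executable. A single-partition install shows up here as '/'."""
    return [(m.mountpoint, suggest_fix(m.mountpoint)) for m in mounts
            if m.fstype not in PSEUDO_FS and is_writable(m) and is_executable(m)]

if __name__ == "__main__":
    for mountpoint, fix in audit_mounts(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{mountpoint}: writable and executable -> {fix}")
```

On a live system the same function can be fed the contents of /proc/mounts. The sample flags / (the post's case for a read-only root) and /home (writable but lacking noexec), and passes /usr, /tmp and the escaped USB mount.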

    • ...for the parent post's suggestions, point-for-point:

      - avoid drugs and alcohol
      - avoid saturated fats
      - wear a condom if you screw around
      - practise good hygiene (hint for some of the /.ers out there---that means bathing/showering, shaving/haircut and brushing teeth) and exercise regularly (i.e. stand up and move around--outside of the basement when you can)
      - get that funny mole checked out if it gets bigger or suddenly loses or grows hair
      - get your flu shot

      BTW...if you don't rely on a virus scanner, how do y
  • Fixes (Score:5, Insightful)

    by Zevets ( 728720 ) on Thursday September 23, 2004 @10:57PM (#10336896) Journal
    While this study will explain how viruses spread, will it really tell us how to cure viruses?

    We all know how smallpox spreads. We do not know how to cure it.

    We know how viruses spread, but we only know how to remove it from a computer, not how to fix the problems of viruses.

    This study will show us where to put better virus filters, which is useful, but it will not tell us how to stop the creation of viruses and malware, which is what we really need.

    • Re:Fixes (Score:2, Interesting)

      by wikdwarlock ( 570969 )
      IANACSM (I am NOT a CS major) but I would think that "stop[ping] the creation of viruses and malware" is impossible for any application short of Hello World! Viruses and malware have found a niche online, just like virii and bacteria in RL. I would assume the best hope, as with the wetware versions, is peaceful, mostly unobtrusive cohabitation, not eradication.
      • You used viruses and virii in the same post. My head asplode.
      • Re:Fixes (Score:3, Interesting)

        by halowolf ( 692775 )
        This reminds me of a documentary I saw about various RL viruses and such that could be made completely harmless, as long as we stopped attacking them with drugs and different treatments.

        There was an example about all the big cat species around the world (except for 1) that all had a virus that appeared to be completely harmless to them. Also there was an example of what I vaguely remember as a cholera outbreak that the more it was attacked with drugs the more virulent and damaging it became.

        The poin

    • Re:Fixes (Score:3, Funny)

      by hunterx11 ( 778171 )
      We all know how smallpox spreads. We do not know how to cure it.

      In computer terms, however, we pwnt teh shit out of smallpox.

    • > We all know how smallpox spreads. We do not know how to cure it.

      Um ... we did cure it, in a sense. Smallpox (thanks to vaccinations) no longer exists in the wild. I'm sure someone will be able to come up with an apt computing metaphor ...

      • "Smallpox (thanks to vaccinations) no longer exists in the wild. I'm sure someone will be able to come up with an apt computing metaphor ..."

        How about the Stoned virus [google.com.au] perhaps? I doubt there are any PC's out there still infected by that one.

        • Are there any PCs still out there even capable of catching the Stoned virus? From memory, it could only spread on 360k floppies.
        • I must admit, I was thinking of (but too lazy to come up with myself) something involving Microsoft more directly, but that's actually pretty good.

  • STD's (Score:5, Funny)

    by Fred Foobar ( 756957 ) on Thursday September 23, 2004 @10:58PM (#10336901)
    Computer virusen are actually like STD's. Windows has sex like crazy without any protection, and of course Linux doesn't have sex at all, just like its users. :)
    • Computer virusen are actually like STD's.

      Virusen? That's just terrible.
  • by nmoog ( 701216 ) on Thursday September 23, 2004 @11:01PM (#10336916) Homepage Journal
    It will amount to the equivalent of "the virus seems to be spreading because mankind has taken to licking diseased rats. Also, the new trend of sneezing directly into each others' mouths also appears to account for some of the outbreak..."
  • by Katz_is_a_moron ( 197780 ) on Thursday September 23, 2004 @11:02PM (#10336922)
    If humans were susceptible to as many viruses as Windows, we would all be dead.
  • by Tyrdium ( 670229 ) on Thursday September 23, 2004 @11:02PM (#10336931) Homepage
    ... most organisms don't want to get viruses. From what I've seen from doing tech work, the average user doesn't care about viruses. Hell, half of the time, they don't even know what they are, and their definitions are two years out of date because they don't want to pay for the subscription! And I won't even mention the lack of Windows updates and the horrid use of IE... [/rant]

    Also, natural selection means that species will likely eventually gain a resistance to whatever virus is affecting them (granted, the virus will also adapt). Not so with computer users, unless ISPs decide to start shutting down access to infected boxen.

    • and their definitions are two years out of date because they don't want to pay for the subscription!

      No excuse. The HouseCall tool by Trend Micro is available free of charge to all users of IE 6 for Windows, and it always uses Trend Micro's latest virus definitions. Sure you don't get the "realtime" protection of say Norton, but if you don't open executable e-mail attachments, don't use Outlook, and don't use IE except on HouseCall and Windows Update, then "realtime" protection probably isn't worth the s

  • by bizpile ( 758055 ) * on Thursday September 23, 2004 @11:03PM (#10336936) Homepage
    The best solution, in my humble opinion, is quarantine. Get the infected user off the Internet. My ISP does it and hopefully many others do too.
    • Unfortunately, it ain't gonna happen anytime soon. Many (most?) ISP admins/abuse departments are either too clueless or too overworked to bother with infected clients.

      I have been receiving the same virus (Beagle variant) from the same IP and reporting same for months (including at least two phone calls to the abuse department), and it just keeps on coming.

      Perhaps they see "virus" infection as some sort of social stigma and therefore hands-off in the name of political correctness.
  • by Mulletproof ( 513805 ) on Thursday September 23, 2004 @11:04PM (#10336940) Homepage Journal
    Um, the epidemic thing ain't an original thought, let alone new news. In fact, I seem to remember an article that said it was good that the internet has all these pesky bugs here and there. Like the human body, countermeasures will be enacted to not simply limit the current infection, but help future minor and potential major outbreaks as well. The tactics of the small cases help devise strategies to deal with larger cases and so forth. I mean, naming the damn thing a virus oughta lead you straight to this line of logic that is now amazingly being considered breaking news here...

    Next story, please.

  • Hello??? (Score:3, Funny)

    by fred911 ( 83970 ) on Thursday September 23, 2004 @11:05PM (#10336946) Journal
    $6.2 million ?????? $6.2 million ??????

    It better be a success not an attempt!

    Where have our values gone?
  • Linux tagline (Score:2, Interesting)

    by microsopht ( 811294 )
    Computer security analysts have also warned that more viruses in the future will be written to attack systems that run on the Linux operating system and hand-held devices like cell phones.

    Every article seems to have this tagline attached. Looks like people can't seem to wait for Linux Viruses!

    Perhaps they wanna entice people into writing L.virus

    • Re:Linux tagline (Score:5, Insightful)

      by unoengborg ( 209251 ) on Friday September 24, 2004 @01:08AM (#10337585) Homepage
      Well, if the security of the average Linux distro will not get better this is an accident just waiting to happen.

      Most Linux distros rely on the same types of protection against illegitimate use as windows. Just like in windows we have users and groups with read, write and execute permissions. It is therefore likely to have similar problems if somebody decides to write malware like viruses.

      So far this has been fairly uncommon, perhaps because there are more constructive ways for hackers to make a difference in the open source world than in the land of Microsoft.

      Furthermore, Linux has the advantage of having more skilled users than windows. The average Linux user would be much harder to fool into opening e-mail attachments etc. than the average Windows user. But as the use of Linux becomes more widespread we can assume that it will get into the hands of users just as badly educated as the average windows user usually is. They will run their systems as root and do stupid things just like they do in windows today. As a result we will see more problems on the Linux platform.

      The fact is that if you avoid MS-Outlook, don't open attachments from unknown people, and make sure that you always have the latest security patches from Microsoft installed, the chance of getting hit in windows is quite small. So far I have never had a windows virus, neither has my wife, and we have used windows since the release of NT4.

      Clearly both Linux and Windows need enhancements to protect them from clueless users. Microsoft will probably try to do this by shutting the user out of his computer and only allowing trusted software to run through the use of their TCPA system.

      In Linux we have the SELinux stuff NSA put into the latest 2.6.x kernel series that provides mandatory security. It makes it possible to control, on a per-application basis, what files an application may read, write, execute or even see, regardless of what user runs the application, including root. In a similar way it is possible to control what capabilities an application has with regard to e.g. networking or memory.

      In this kind of system anything that isn't explicitly allowed is forbidden so if you have a good security policy a virus would be allowed to do very little harm and have limited ability to spread.

      E.g. you could configure your system to refuse to execute anything downloaded by mozilla or your favorite e-mail client until you explicitly allow it from a password protected user role. This would of course not prevent mozilla from doing some harm if the virus was running within the mozilla process, perhaps as a result of a buffer overflow security breach. But even here SELinux could help. If mozilla could only see html files and was only allowed to alter them if you had the role of webmaster, the damage would be limited.

      So, Linux already has the tools to be secure. The problem is that they are not widely used, and in the cases they are, security policies are often too lenient. One reason for this might be that the tools for creating policies are too hard to use.
      I'm happy to see that SELinux is enabled by default in the new Fedora Core 3 test release.

    • I've noticed the same thing, but on a historical basis, too. For years, the "Anti-virus" people have predicted plagues of unix or linux viruses or worms. They've never happened, short of one or two outbreaks of Tom Duff's sh-script virus that someone types in and tries out. Worms (proper worms, ones that don't require clicking on a link in Outlook) seem to have worked the same way: they appeared on Unix (1988 Morris Worm), had a brief renaissance in 2000-2001, and now worms only seem to plague Windows.
  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Thursday September 23, 2004 @11:12PM (#10336995) Journal
    Because living organisms are more or less static, and if it weren't for evolution, would be completely unchanging. Living organisms can defend against viruses reasonably well because they know what they are and can therefore easily recognize anything that doesn't match that, and just go berserk on it.

    Desktop computers, on the other hand, are not static systems at all. So there's no really good way for a system to differentiate what's not really supposed to be there from something that was deliberately put there by the user. As I said, this isn't a problem for a living organism because that's a closed system, and anything new that gets put into it, without suitable precautions taken beforehand, will be attacked by the body's defenses as a foreign invader. Such a mechanism implemented on a desktop computer would render the computer practically useless for anything that we take for granted that programmable computers do today.

    • by Qzukk ( 229616 ) on Thursday September 23, 2004 @11:28PM (#10337076) Journal
      So there's no really good way for a system to differentiate what's not really supposed to be there from something that was deliberately put there by the user.

      That's not a good way to categorize things, given the number of malware and trojans "deliberately" installed by the user. Rather, we should identify the malware based on its behavior: Does it alter other executables not installed with it? Does it connect to one site repeatedly? Many sites rapidly? Does it attempt to access the address book? Mail itself out? Make multiple copies of itself in the windows directory? Edit registry settings it doesn't create? Remove or replace other files that weren't installed with it? And so on...

      Once we look at it that way, it's fairly simple to identify malware as it's operating, and once it's identified, the cleanup process can begin.
      • Rather, we should identify the malware based on its behavior: Does it alter other executables not installed with it?

        Careful. Microsoft could use this as an excuse to prohibit competing compiler toolchains [mingw.org] from running on Windows.

        Does it connect to one site repeatedly? Many sites rapidly?

        Firewalls already detect this by hooking into the network stack, but correlating these with your other heuristics might provide a better idea.

        Edit registry settings it doesn't create?

        And watch it misclassify
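As an added example (not code from this thread), a toy scorer that runs the behavioural heuristics listed above over a constructed process-event log and keeps a per-heuristic breakdown, so the compiler false positive raised in the reply stays visible instead of being hidden in a single verdict. The log format, process names, paths and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample log, "<ts> <pid> <process> <event> <target>" (not real data).
SAMPLE_LOG = """\
1 100 cc1.exe write_exe C:\\build\\hello.exe
3 200 dropper.exe write_exe C:\\Program Files\\Viewer\\viewer.exe
4 200 dropper.exe copy_self C:\\Windows\\svchost32.exe
5 200 dropper.exe reg_write HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
6 200 dropper.exe connect 10.0.0.5
6 200 dropper.exe connect 10.0.0.6
7 200 dropper.exe connect 10.0.0.7
7 200 dropper.exe read_addressbook C:\\Users\\alice\\contacts.wab
8 200 dropper.exe send_mail attach=dropper.exe
9 300 outlook.exe reg_create HKCU\\Software\\Outlook\\Profile
9 300 outlook.exe reg_write HKCU\\Software\\Outlook\\Profile
"""

def parse(log):
    for line in log.strip().splitlines():  # target may contain spaces
        ts, _pid, proc, event, target = line.split(" ", 4)
        yield int(ts), proc, event, target

def score_processes(log, window=2, burst=3):
    """Map each process to the set of behavioural heuristics it triggered."""
    events = defaultdict(list)
    for ts, proc, event, target in parse(log):
        events[proc].append((ts, event, target))
    hits = {}
    for proc, evs in events.items():
        own_keys = {t for _, e, t in evs if e == "reg_create"}
        flags = set()
        conns = sorted((ts, t) for ts, e, t in evs if e == "connect")
        for i, (ts, _) in enumerate(conns):  # distinct hosts in a sliding window
            if len({h for t2, h in conns[i:] if t2 - ts <= window}) >= burst:
                flags.add("rapid_many_hosts")
        for _, e, t in evs:
            if e == "write_exe":  # also fires for a compiler writing build output
                flags.add("alters_executables")
            elif e == "copy_self" and t.lower().startswith("c:\\windows"):
                flags.add("copies_self_to_windows")
            elif e == "reg_write" and t not in own_keys:
                flags.add("edits_foreign_registry")
            elif e == "read_addressbook":
                flags.add("reads_address_book")
            elif e == "send_mail" and proc.lower() in t.lower():
                flags.add("mails_itself")
        hits[proc] = flags
    return hits

def verdict(flags, threshold=3):
    return "suspicious" if len(flags) >= threshold else "benign"
```

Correlating several heuristics is what keeps the compiler (one hit) and the mail client (its own registry key) out of the suspicious bucket while the dropper trips all six.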

    • Desktop computers, on the other hand, are not static systems at all. So there's no really good way for a system to differentiate what's not really supposed to be there from something that was deliberately put there by the user.

      Read about some of the trusted computing technologies. That is almost exactly what they provide, down to the bit level in memory.
  • I dislike generalization like this. It is neither correct nor incorrect, but somewhere in between. In generalizing you can predict or explain some aspects of the object in question, yet the little details that are just as important slip through the cracks of the generalization and mess up the whole model you built. Sure you can describe computer viruses with biological terms and arguments; however, you will never be 100% correct.
  • by Large Bogon Collider ( 815523 ) on Thursday September 23, 2004 @11:16PM (#10337011)
    If their conclusions about computer viruses vs biological viruses are similar then my guesses as to the outcome are:

    1) Monoculture is bad in containing viral spread (good for other operating systems)

    2) Since viruses cannot be totally eliminated, a virus resistant host is important (good for most other OSes)

    3) Effective antivirus/vaccination efforts should be made (most open source OSes are intrinsically resistant to attack)

    4) Public education to help prevent risky behaviors (open OS users are generally much more computer adept)

    See a pattern here?

  • by nweaver ( 113078 ) on Thursday September 23, 2004 @11:19PM (#10337027) Homepage
    I'm involved in the center, at ICSI in Berkeley.

    If people have questions, feel free to ask.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Thursday September 23, 2004 @11:20PM (#10337032)
    In a biological system (an ecosystem) you want a large diversity of species participating in the system, so that environmental fluctuations and pathogens don't wipe out large parts of the ecosystem all at once.

    If you extend this to interoperating computer systems, then ideally you want a variety of platforms (indeed, operating systems but also processor architectures and device types).
  • by monsterhead78 ( 815842 ) on Thursday September 23, 2004 @11:24PM (#10337054) Homepage
    Periodically I get frantic messages from members and friends with "important messages" about new email and
    computer viruses that are actually hoaxes. While savvy Internet users can usually immediately spot the hoaxes,
    many of our members can be both intimidated and frightened (not to mention the time and effort wasted when the
    messages are passed back and forth, to spread these 'alerts/hoaxes'). Running virus checking software can also be
    a very time-consuming endeavor (especially on a large Local Area Network), when you find that you have
    stopped everyone from working for several hours to check for a hoax, it can be really embarrassing.

    My advice is to do a little checking on your own before you excitedly message all of your friends and associates,
    and possibly embarrass yourself by wasting a lot of their time. Here are some of the better sites that track both
    email and other computer viruses and virus hoaxes. I rely heavily on the U.S. Department of Energy Computer
    Incident Advisory Capability's (CIAC) Internet Virus Hoaxes page, but the others all have good and usually
    current information.

    Between them, they describe more than a dozen hoaxes, from Good Times, to PENPAL GREETINGS, to Join
    the Crew. Background, including the actual "warning" message is provided. These sites provide a valuable service
    to the Internet community, especially for new users.
  • Two words (Score:5, Funny)

    by unixbum ( 720776 ) on Thursday September 23, 2004 @11:36PM (#10337120)
    Natural Selection.

    If only this applied to computers :)
  • "...and we shall call it Skynet."
  • Have the virus record timestamps, hops, path, etc. Then have the virus relay the data to a central server and delete itself. That should garnish a LOT of information.
  • A lot of human social structures tend to mimic nature, partly because we often consciously imitate successful natural activities and partly because some structures are inherently efficient and will arise spontaneously.

    Looking at malware and similar internet problems through the perspective of biological controls may be helpful in other aspects too - spammers, for example, live in a remarkably similar ecological niche to human parasites such as head lice. Seeing how our current attempts to control those pa

  • This is not biology. The severe, frequent virus outbreaks that have happened in recent times were entirely, realistically, preventable. You don't have to conduct a 6.2 million dollar study into "vectors" and whatnot.

    How many more incidents does it take until some major corporations start suing Microsoft for the damages caused by their gross negligence?
  • Hate to say it... (Score:3, Insightful)

    by MortisUmbra ( 569191 ) on Friday September 24, 2004 @12:51AM (#10337521)
    But I honestly think the only way we are ever going to alleviate this problem is by writing, as some others have done recently, "virii" to exploit these known holes and patch the machines they exploit.

    Then of course one could foresee a sort of arms race whereby virus authors write in the ability to stop another program from using the same exploit to gain entry to the machine and patch it. So basically it would be an early bird gets the worm sort of scenario where whomever infects the machine first wins.

    Still I think it's better than leaving it up to a bunch of lazy computer users who make the rest of the world suffer because they are either too inept or too lazy to patch their machines.
  • by cr0z01d ( 670262 ) on Friday September 24, 2004 @12:57AM (#10337544)
    Organisms can die from diseases. A virus won't destroy a computer, the worst case scenario is a wipe and fresh install. This means that Microsoft can make their software bug-ridden.

    Maybe if viruses were to fry hardware, we could see some improvements.
    • The recent viruses (including worms and trojans) on the computing world are more like "smart" parasites than killers. They don't go as far as some biological viruses (though the ones that overuse your bandwidth are getting quite close).
    • Virus writers have a different goal than destroying the computer. Their intention is to make the computer accessible to its writer, so that it can be used to perform other tasks like hacking, spamming, capturing account data, etc.

      When more of these tasks cause real damage to the owner of the computer (like stealing his or her money, or legal consequences because a computer owner would be held responsible for relaying spam), there would be more research and anti-measures.

      Right now they seem to be at
    • Organisms can die from diseases. A virus won't destroy a computer, the worst case scenario is a wipe and fresh install. This means that Microsoft can make their software bug-ridden.

      Actually there have been cases where hardware has been fried by software; as computers get more 'advanced' it isn't hard to imagine a virus disabling protections and running the CPUs at max on your G5 until they boil themselves. But that's beside the point.

      Step into a corner of the box, and realize that while your computer ma
  • by Pan T. Hose ( 707794 ) on Friday September 24, 2004 @06:29AM (#10338452) Homepage Journal
    Comparing every aspect of computing and networking to biology is no less fallacious than trying to understand how a car works by looking at it as if it were a biological organism. Real life has evolved randomly together with virii and parasites, but all of the software, including any kind of malware, was intelligently designed. The most common misconception resulting from such reasoning is that computer malware will always be relatively harmless because killing the victim is not smart from any parasite's point of view. Wrong. A deadly worm quickly spreading and erasing all of the data an hour later would not survive as long as Code Red, but it doesn't have to survive in the first place if that is not important for its creator. Survival is not important because software doesn't have to live long enough to evolve. It is designed and created manually and then released. It can be written for months or years and then live only a few hours if that is the purpose of writing it. I think that assessing the spreading patterns of Internet malware like those of human epidemics might be very interesting, but there is a hidden fallacious reasoning that comparing the virii themselves to human diseases will somehow help in fighting them, which leads to concentrating on spectacular effects instead of the boring causes of the problem. The problems are buffer overflows, which can be completely eliminated, running code from untrusted sources, etc. It has nothing to do with literally anything known in the real world any more than proving a theorem does. Another thing is comparing the Internet to a population and fighting malware in the context of epidemics. This is foolish. In reality, there is a user with a computer and her data. She can lose her data or some of her secrets may become public, and in that case she won't say "that's OK because this epidemic disease is contained and the population of computer users will survive" because if she loses her work she doesn't care about other computers. When she gets broken into she shouldn't think "I am sure my system will keep working because killing it would be disadvantageous from the evolutionary standpoint for the software" because the ultimate reason for the attack is not just existence itself. The reason may be getting the user's credit card number or performing a DDoS attack. The reason may be causing panic by deleting everything. The reason may be anything. And the problem is not millions of years of evolution side by side with parasites but using "gets" instead of "fgets." It's not that we don't know how the malware works or that we cannot write secure code. Look at KeyKOS or EROS. Look at OpenBSD. Look at Debian. Do we have any "epidemics" there to contain and to fight? No. Such studies are interesting, but only because observing symptoms and effects is interesting. If we really want to stop malware we should start from reading the source code of EROS [eros-os.org] instead of analysing global patterns in problems with Windows. Please read this paper from 1979: GNOSIS: A Prototype Operating System for the 1990s [upenn.edu]. The problem is that it is 2004 and still the most popular operating system completely ignores the solutions from the 1970s.
  • by way2trivial ( 601132 ) on Friday September 24, 2004 @08:25AM (#10338826) Homepage Journal
    we're comparing human virus and computer virus, and that makes Microsoft the mucus membranes... right?
  • Laziness and stupidity.

    Laziness = not patching your systems when you know you should.

    Stupidity = being willfully ignorant - anyone who wants to be safe can easily find out how. But it seems that most people not only don't bother, they're proud to stay ignorant. That = stupidity.
  • One major difference between human and computer viruses is topological. Because diseases spread by contact, connectivity regulates the pattern of transmission. For people, connectivity is largely 2-D -- the flu spreads through neighborhoods and cities before moving across countries and the globe. (Exceptions do come from air travel, and intracity connectivity is somewhat greater than 2-D). Human connectivity is also very sparse. A given person can only reach a minute fraction of the population in a d
  • Viruses come from email, web surfing, program files, image files, music files, floppy disks, cd's, dvd's, thumb drives, network attached storage, routers, hijacked ip streams...

    (And I bet I have just listed more than the 6.2 million dollar study).

    I am really glad the government has decided this is worth 6.2 million dollars. Couldn't they have purchased a report from any *one* of the specialized companies that does this for a living? Cripes...
