Researchers Use Machines To Analyze Malware

Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."

The future is now

[Umbral Blot]

Obviously solutions like this will be the way of the future, combined with a finer grained permission system. I just hope you can manually exempt programs. For example bittorrent opens a lot of network connections, and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware. I am also curious if their system could defeat a rootkit, which will do its best to hide its activity and existence almost completely from the system.

Advantages?

[bsdluvr]

Does this new classification method really have any advantages for the average user? I'm sure most people just want to keep their systems malware-free, and could care less about the names of the individual threats.

Re:Advantages?

[Aneurysm]

If you can group malware threats together it may be easier/quicker to come up with methods to remove them. Common system actions probably means common steps to get rid of the malware. Also, having a database of actions that a piece of malware takes when infecting a system could help identify an infection sooner. If you had an anti-malware package running on your computer and intercepting reg key changes, directory creations etc. before they happened, it could step in to alert the user and eradicate the threat before it had even finished installing itself. Admittedly many people wouldn't want an anti-malware system constantly monitoring every API access, but if it was made transparent this is the sort of thing that would greatly benefit the less technically minded user.

Re:One-sentence summary

[ozmanjusri]

So, basically, we'll have another anti-virus-like program monitoring our systems.

That's the most attractive option for the big malware prevention/removal companies, and is the most likely scenario in the near future.

The opportunity this type of forensic analysis creates though, is that it exposes and classifies the methods the malware uses to insinuate itself into the host operating system. That means OS vendors can analyse the failure points of their products and harden them against the malware. At the moment, the two key problems with malware removal are

1. Recognising its presence
2. Removing the malware and returning the computer to a safe state

If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place.

It's also an example of why an OS vendor who also sells malware tools has such a dangerous conflict of interests.

Re:The future is now

[bmo]

"Why cant I just sue the owner of that IP?"

Because the owner of the IP is not always the originator of the malware, but a victimized third party? Ya think? Haven't you ever looked at your phishing spam URLs?

Only a seriously stupid criminal would illegally collect information at a machine that he owns himself.

That said, the prisons are not full of geniuses.

--
BMO

90% isn't good enough

[m874t232]

Attempts at classifying malware automatically have been around for a number of years. Trouble is: 90% isn't good enough--it's too many false alarms. You need something that works almost perfectly in order to deploy it on real machines.

Wow

[ms1234]

Maybe it could be trained to categorize my socks?

I now present... the Polymorph

[packetmon]

After reading 12 of the 17 page MS document I shake my head... Some malware do not run properly in VM. Some packers are known to detect VM environment and prevent the file from normal execution. What about smarter polymorphs which change and adapt not to mention their analysis', tests, etc., did not include a full scope of what malware targets: "Runtime environment simulation is still primitive. For example, we have not implemented Instant Messaging or P2P applications/servers." Couple this with: "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous." And lest I forget "This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. (source [securityfocus.com]). So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions. For any company to create a product whether its hardware or software based, they'd only be lying to a degree about their ability to detect complex threats no matter what engine their malware snoopers were using.

Re:One-sentence summary

[cp.tar]

The point is, however, that malware mostly (ab)uses perfectly legal system instructions.

Therefore, whatever it is that will be running in people's backgrounds, it will have to have a heuristic algorithm and monitor every single system activity.

To abuse the good old car analogy, it's as if more and more safety measures were introduced in cars instead of teaching people to drive safely.
Wait, where was I going with that one?

Anyway, I do not want (at the times when I'm using Windows) another program which will protect me some of the time and hog resources all of the time.

But to discuss one of your points:

If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place.

Now, that I can't really agree with.

People mostly do not write malware as a programming exercise or 'because they can'.
The romantic days of great hackers seem to be long past.
The reason people do write malware is, as /. meme goes, 4) Profit!!!1one
You may make it more difficult, but as long as the motive is plain and simple profit, the motive will remain.