Researchers Use Machines To Analyze Malware
Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."
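To make the approach in the summary concrete, here is an added toy implementation of the same idea: model each sample as a sequence of OS-level events, turn the sequence into an event-frequency vector, cluster the vectors, and assign unseen traces to the nearest cluster. This is constructed example code, not the researchers' system or anything from the Lee and Mody paper. The event names, the three family names and their profile weights are made-up assumptions, the traces are generated rather than captured, and plain k-means with farthest-first seeding stands in for the adaptive clustering / self-organising map the article mentions.

```python
"""Toy behaviour-based malware clustering (constructed example, not the paper's code)."""
import random
from collections import Counter

# Event vocabulary: the kinds of OS-level actions the summary calls 'events'.
EVENTS = ["copy_file", "set_registry_key", "open_network_connection",
          "create_process", "delete_file", "write_autostart"]

# Constructed behaviour profiles for three hypothetical families; each number is the
# relative weight of the corresponding event in EVENTS for that family.
FAMILY_PROFILES = {
    "dropper": [5, 4, 1, 3, 1, 4],
    "botnet":  [1, 1, 8, 3, 0, 1],
    "wiper":   [1, 0, 0, 2, 9, 0],
}


def make_trace(family, length, rng):
    """Sample a constructed event sequence of the given length from a family profile."""
    return rng.choices(EVENTS, weights=FAMILY_PROFILES[family], k=length)


def featurize(trace):
    """Event-frequency vector: the fraction of the trace taken by each event type."""
    counts = Counter(trace)
    return [counts[e] / len(trace) for e in EVENTS]


def dist2(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, k, iters=50):
    """Plain k-means with farthest-first seeding; deterministic for a given input order.
    Stands in for the adaptive clustering algorithm described in the article."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(dist2(v, c) for c in centroids))
        centroids.append(far)
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for v in vectors:
            buckets[nearest(centroids, v)].append(v)
        new = [[sum(col) / len(b) for col in zip(*b)] if b else centroids[i]
               for i, b in enumerate(buckets)]
        if new == centroids:  # assignments stopped changing
            break
        centroids = new
    return centroids


def nearest(centroids, v):
    """Index of the centroid closest to v."""
    return min(range(len(centroids)), key=lambda i: dist2(v, centroids[i]))


def train(train_len=500, per_family=4, seed=1):
    """Cluster constructed training traces and name each cluster after the majority family."""
    rng = random.Random(seed)
    samples = [(fam, featurize(make_trace(fam, train_len, rng)))
               for fam in FAMILY_PROFILES for _ in range(per_family)]
    centroids = kmeans([v for _, v in samples], k=len(FAMILY_PROFILES))
    votes = [Counter() for _ in centroids]
    for fam, v in samples:
        votes[nearest(centroids, v)][fam] += 1
    labels = [c.most_common(1)[0][0] if c else None for c in votes]
    return centroids, labels


def classify(model, trace):
    """Assign an unseen trace to the family label of its nearest cluster."""
    centroids, labels = model
    return labels[nearest(centroids, featurize(trace))]


def accuracy(model, trace_len, per_family=20, seed=7):
    """Fraction of unseen constructed traces of a given length that get the right family."""
    rng = random.Random(seed)
    hits = total = 0
    for fam in FAMILY_PROFILES:
        for _ in range(per_family):
            hits += classify(model, make_trace(fam, trace_len, rng)) == fam
            total += 1
    return hits / total


if __name__ == "__main__":
    model = train()
    # Mirrors the article's observation: longer event traces classify more reliably.
    for n in (10, 100, 500, 1000):
        print(f"{n:5d} events per trace: accuracy {accuracy(model, n):.2f}")
```

The accuracy loop is there to reproduce the shape of the article's finding rather than its numbers: short traces give noisy frequency vectors that can land near the wrong centroid, while long traces converge on the family's profile. Anything real would need actual sandbox traces in place of the generator, and a richer feature than bag-of-events (for example event bigrams) to capture ordering, which this frequency vector throws away.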
The future is now (Score:5, Insightful)
Advantages? (Score:4, Insightful)
Re:Advantages? (Score:4, Insightful)
Re:One-sentence summary (Score:4, Insightful)
That's the most attractive option for the big malware prevention/removal companies, and is the most likely scenario in the near future.
The opportunity this type of forensic analysis creates though, is that it exposes and classifies the methods the malware uses to insinuate itself into the host operating system. That means OS vendors can analyse the failure points of their products and harden them against the malware. At the moment, the two key problems with malware removal are
If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place. It's also an example of why an OS vendor who also sells malware tools has such a dangerous conflict of interests.
Re:The future is now (Score:5, Insightful)
Because the owner of the IP is not always the originator of the malware, but a victimized third party? Ya think? Haven't you ever looked at your phishing spam URLs?
Only a seriously stupid criminal would illegally collect information at a machine that he owns himself.
That said, the prisons are not full of geniuses.
--
BMO
90% isn't good enough (Score:4, Insightful)
Wow (Score:2, Insightful)
I now present... the Polymorph (Score:5, Insightful)
Re:One-sentence summary (Score:3, Insightful)
The point is, however, that malware mostly (ab)uses perfectly legal system instructions.
Therefore, whatever it is that will be running in people's backgrounds, it will have to have a heuristic algorithm and monitor every single system activity.
To abuse the good old car analogy, it's as if more and more safety measures were introduced in cars instead of teaching people to drive safely.
Wait, where was I going with that one?
Anyway, I do not want (at the times when I'm using Windows) another program which will protect me some of the time and hog resources all of the time.
But to discuss one of your points:
Now, that I can't really agree with. People mostly do not write malware as a programming exercise or 'because they can'.
The romantic days of great hackers seem to be long past.
The reason people do write malware is, as the /. meme goes, 4) Profit!!!1one
You may make it more difficult, but as long as the motive is plain and simple profit, the motive will remain.