
Auto-Detecting Malware? It's Possible

timothy posted about 5 years ago | from the would-love-to-see-the-install-prompt-for-this dept.

Security 178

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"


178 comments


Privacy (5, Insightful)

sopssa (1498795) | about 5 years ago | (#29597621)

If antivirus protectors could collect data from machines and users

This idea stopped being a good one here.

Re:Privacy (4, Insightful)

gnick (1211984) | about 5 years ago | (#29597693)

I see no reason why individuals volunteering information about their machines or habits should be any kind of privacy breech. Just leave it off by default and, should you choose, don't click the box.

Re:Privacy (-1, Troll)

Mr. Firewall (578517) | about 5 years ago | (#29598093)

I don't see how ANYTHING could be any kind of privacy breech. What the hell does "privacy hind end" mean, anyway?

Note that we're talking about Privacy's breech, not yours... had you said "breech privacy", it would at least make sense, but I still don't see how information about your computer has anything to do with the privacy of your buttocks...

Re:Privacy (1, Insightful)

Anonymous Coward | about 5 years ago | (#29598381)

Dear gods some people love typos. Enjoy:
Your welcome.

Re:Privacy (2, Insightful)

DigitAl56K (805623) | about 5 years ago | (#29598539)

Some thoughts:

A) This isn't a new idea and I'm pretty sure that some AV packages already automatically submit questionable files for analysis, all it takes on top of that is for a vendor to track trends. I've had anti-virus software ask me to opt-in to such schemes before.
B) Self-encrypting viruses that choose to infect non-common running process images (i.e. avoid Windows system files) might have different signatures everywhere and still require manual analysis.
C) Once a virus is running on a host surely it can circumvent reporting agents, or even intercept them and report clean results, delaying or preventing this type of detection?

Re:Privacy (1)

clang_jangle (975789) | about 5 years ago | (#29597725)

Step 1: All your data are belong to us.
Step 2: Profile users.
Step 3: ???? (as in "won't tell", not "don't know".)
Step 4: Profit!

I know, it's a tired, old meme but I just couldn't help myself...

Re:Privacy (3, Funny)

pseudorand (603231) | about 5 years ago | (#29597763)

> If antivirus protectors could collect data from machines and users...

...it would be malware.

As is, antivirus simply eats up all your CPU and memory, so it's more like a DOS.

Re:Privacy (1, Insightful)

Anonymous Coward | about 5 years ago | (#29597885)

As is, antivirus simply eats up all your CPU and memory

It doesn't though, does it? Stop talking shit.

Re:Privacy (2, Interesting)

sopssa (1498795) | about 5 years ago | (#29597923)

I'm actually more surprised all the time how the antivirus vendors go more the way that scareware does. A good example is Symantec and their Norton product (I feel sorry for the guy..)

I haven't had an antivirus product on my machine for years because I know how to use the internet. But there was a case when I thought I'd made a mistake, so I got myself an antivirus scanner just to make sure.

Unluckily for me, it happened to be Symantec's. To this day I'm still trying to get it off my system, with no luck. Every week it pops up during the night, scans all of my hard drives and tells me I have to buy their product to protect myself, just like every scareware product. And it only detected some *tracking cookies*.

With all their publicity stunts, bloatware and other shit it's getting on everyone's nerves. Everyone here on Slashdot knows what they think of Symantec. This is more or less the same issue.

At least there are still good vendors like ESET with Nod32 and Kaspersky around. I won't touch Symantec even with a stick again.

Re:Privacy (3, Informative)

Orbijx (1208864) | about 5 years ago | (#29597973)

Usually, the Norton Removal Tool [symantec.com] does the job in blowing Norton's software off the system.

I've had to be able to get enough people there in my line of work that I know the way there. Grab it, and let it wipe that damn thing out.

Re:Privacy (1)

Xaedalus (1192463) | about 5 years ago | (#29598659)

Does McAfee have one?

Re:Privacy (1)

jimbolauski (882977) | about 5 years ago | (#29597827)

Just think of it this way: you give them your bank ID and password and they keep you safe. Where do I sign up?

Re:Privacy (2, Insightful)

Ethanol-fueled (1125189) | about 5 years ago | (#29598037)

Exactly. This already came up here fairly recently.

First, the service better be free. No way in hell I'm going to pay an AV vendor to do their job for them. Second, what if malware lifts credit cards and passwords from my computer? Will enough info be relayed to the good guys before my identity is stolen? Third, malware authors will become savvy, cat-and-mouse game, etc.

It wouldn't hurt for apps to compress and encrypt (0)

Anonymous Coward | about 5 years ago | (#29597831)

Popup: This application is attempting to open this user's profile, grant temporary polycrpt word or deny SENSITIVE INDIVIDUAL INFORMATION?

Session;
[x] DENY, forever
[ ] DENY, for now
[ ] Allow, ___ hours
[ ] Allow, then re-encrypt
[!] epic fail, ignore, retry, abort, Bitchslap CowboyNeal

Re:It wouldn't hurt for apps to compress and encry (1)

bakawolf (1362361) | about 5 years ago | (#29598065)

profile? POLYCRPT??? oh god! I have no idea what these mean..better say no.... wait, it didn't run...better say yes....every time I ever see this again.

Re:Privacy (1)

Errtu76 (776778) | about 5 years ago | (#29597849)

Antivirus protectors. So this is malware then. It protects against an anti-virus application. Malware to fight malware. I like it!

Re:Privacy (1, Insightful)

Anonymous Coward | about 5 years ago | (#29597895)

Indeed. Why worry about malware collecting your private information when you can have the guys supposedly protecting you collect it for them? Businesses (and government) have a TERRIBLE reputation for safeguarding info. I would expect that a year after such things became commonplace we'll start reading stories about how anti-virus company X lost critical information from a few million people due to an employee leaving a laptop conveniently unguarded, unlocked, with no encryption on the files, in a deserted parking lot at 2am one rainy night inside a waterproof garbage bag.

While I have your attention, I sell tinfoil hats!

Re:Privacy (4, Informative)

Z34107 (925136) | about 5 years ago | (#29597959)

Well, yes and no; it depends on what kind of data.

Windows Defender, which is on pretty much every XP and Vista box, already does this. Out of the box, it will submit information on startup programs, malware detected and removed, and which services and startup programs you have disabled, to the aptly named Microsoft SpyNet [microsoft.com] .

It's not quite as scary as it sounds; if you're using Windows Defender to decide whether or not to stop that fishy-looking SynTpEnh.exe process from starting, you can see that 99% of SpyNet members leave it enabled because it makes your laptop's touchpad work. </contrivedexample>

So, maybe a bad idea, but not a new one - it's already being done.

Re:Privacy (2, Interesting)

elFisico (877213) | about 5 years ago | (#29598353)

If antivirus protectors could collect data from machines and users

This idea stopped being a good one here.

Not necessarily. Privacy could be protected by pseudonymizing the data. The information is in the connections between the nodes, not in the names of the nodes.

Why pseudonym and not anonym? Because you should tell the infected that they are infected. And yes, who should be trusted to manage the nyms? That's another point for long discussions...
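The post above argues that the spread graph, not the host names, carries the signal, and that pseudonyms (rather than full anonymity) are needed so an infected host can still be told. The following is an added example, not code from the thread or from any AV vendor, showing one way to do that: host identifiers in client reports are replaced with keyed HMAC pseudonyms before analysis, graph measures are computed on the pseudonymized edges only, and a lookup table held by an assumed trusted notifying party maps a pseudonym back to a host. The report format, host names, artifact names and the key are all constructed for the demo.

```python
"""Pseudonymized spread graph (added example; not from the thread or any vendor).

Clients report "artifact A arrived on host X from host Y" (constructed data). Host
identifiers are replaced by keyed pseudonyms before analysis, so the analyst only sees
the edges between nodes. The secret key and the pseudonym-to-host table are assumed
to stay with a trusted notifying party, which is what lets an infected host be told.
"""
import hashlib
import hmac
from collections import Counter

# Constructed reports: (source_host, destination_host, artifact)
REPORTS = [
    ("alice-laptop", "bob-pc", "sample.exe"),
    ("alice-laptop", "carol-desk", "sample.exe"),
    ("alice-laptop", "dave-nb", "sample.exe"),
    ("bob-pc", "erin-pc", "sample.exe"),
    ("carol-desk", "frank-pc", "photo-viewer.msi"),
]


class Pseudonymizer:
    """Keyed pseudonyms: HMAC-SHA256 of the identifier, truncated to 64 bits."""

    def __init__(self, key):
        self._key = key
        self._lookup = {}  # pseudonym -> real identifier; held only by the trusted party

    def nym(self, identifier):
        tag = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = identifier
        return tag

    def resolve(self, pseudonym):
        """Reverse lookup so the infected host can be notified."""
        return self._lookup[pseudonym]


def pseudonymize_reports(reports, pz):
    """Replace host names in every edge; artifacts stay visible to the analyst."""
    return [(pz.nym(src), pz.nym(dst), artifact) for src, dst, artifact in reports]


def spread_size(edges, artifact):
    """Distinct hosts an artifact has touched (identical on raw or pseudonymized edges)."""
    hosts = set()
    for src, dst, art in edges:
        if art == artifact:
            hosts.update((src, dst))
    return len(hosts)


def top_spreader(edges, artifact):
    """Node with the largest fan-out for an artifact: the one worth notifying first."""
    fan_out = Counter(src for src, _, art in edges if art == artifact)
    return fan_out.most_common(1)[0][0]


if __name__ == "__main__":
    pz = Pseudonymizer(b"constructed-demo-key")  # constructed key; a real one stays secret
    edges = pseudonymize_reports(REPORTS, pz)
    print("analyst view:", edges[0])
    print("hosts touched by sample.exe:", spread_size(edges, "sample.exe"))
    print("notify:", pz.resolve(top_spreader(edges, "sample.exe")))
```

Two design points follow from the poster's own questions. A plain unkeyed hash would not do: anyone who can guess a hostname could hash it and confirm which node it is, whereas with a secret key the pseudonyms are only linkable by the key holder. And the reverse table is exactly the "who manages the nyms" problem: whoever holds it can de-pseudonymize everything, so it concentrates rather than removes trust.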

trojans (4, Insightful)

Hatta (162192) | about 5 years ago | (#29597625)

Malware generally moves the same way any other software moves. The user downloads and installs it.

Re:trojans (3, Informative)

Anonymous Coward | about 5 years ago | (#29597653)

They thought of that:

Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake: the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of the day (as does most legitimate software).
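The quoted passage describes a heuristic but no code. Here is an added example, not from the article or the thread, that runs it over constructed first-seen reports: each report carries a UTC timestamp and the reporting host's UTC offset, the reports are mapped back to local hours, and two measures are computed, the share of reports in an assumed waking window and a chi-square statistic against a flat 24-hour profile. The waking window, the classification threshold and both sample sets are assumptions made for the demo.

```python
"""Time-of-day spread heuristic (added example, not from the article or the thread).

Each first-seen report is a constructed tuple (utc_iso_timestamp, utc_offset_hours)
as a client would submit it. The heuristic converts reports to the host's local hour
and asks whether installs are spread around the clock (consistent with automated
exploitation of a machine vulnerability) or concentrated in waking hours (consistent
with a user approving the install). Both cut-offs below are assumptions for the demo.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

OFFSETS = [-8, -5, 0, 1, 8]  # constructed: clients spread over several time zones


def make_event(local_hour, offset):
    """Build a report from a local wall-clock hour (constructed data)."""
    tz = timezone(timedelta(hours=offset))
    local = datetime(2009, 9, 30, local_hour, 15, tzinfo=tz)
    return (local.astimezone(timezone.utc).isoformat(), offset)


# Constructed samples: one artifact seen every hour of the day, one only in waking hours.
WORM_LIKE = [make_event(i % 24, OFFSETS[i % 5]) for i in range(48)]
TROJAN_LIKE = [make_event(9 + i % 14, OFFSETS[i % 5]) for i in range(48)]


def local_hours(events):
    """Map each report back to the reporting host's local hour."""
    hours = []
    for ts, offset in events:
        utc = datetime.fromisoformat(ts)
        hours.append(utc.astimezone(timezone(timedelta(hours=offset))).hour)
    return hours


def waking_fraction(hours, start=8, end=23):
    """Share of reports whose local hour falls in [start, end); assumed waking window."""
    return sum(1 for h in hours if start <= h < end) / len(hours)


def chi_square_uniform(hours):
    """Chi-square statistic against a flat 24-hour profile (0.0 = perfectly even)."""
    counts = Counter(hours)
    expected = len(hours) / 24
    return sum((counts.get(h, 0) - expected) ** 2 / expected for h in range(24))


def classify(events, threshold=0.85):
    """Label an artifact's spread pattern; the threshold is an assumed demo value."""
    wf = waking_fraction(local_hours(events))
    return "human-dependent" if wf >= threshold else "time-independent"


if __name__ == "__main__":
    for name, ev in (("worm-like", WORM_LIKE), ("trojan-like", TROJAN_LIKE)):
        hrs = local_hours(ev)
        print(f"{name}: waking={waking_fraction(hrs):.2f} "
              f"chi2={chi_square_uniform(hrs):.1f} -> {classify(ev)}")
```

Two caveats the rest of the thread raises apply directly: the heuristic only separates "spreads by itself" from "needs a human", so a legitimate installer and a user-installed Trojan look the same to it, and it trusts the timestamp and offset the client reports, which a compromised host is free to falsify.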

Re:trojans (1)

Hatta (162192) | about 5 years ago | (#29597675)

That doesn't say anything about how they are going to distinguish manually installed malware from manually installed apps.

an amazingly bad idea (4, Insightful)

leehwtsohg (618675) | about 5 years ago | (#29597665)

"If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations"
Malware writers and credit card phishers would have an immensely easier time.

It is quite mind-boggling how bad this idea is. Cookies are not bad enough for you, eh?

Re:an amazingly bad idea (1)

Killer Orca (1373645) | about 5 years ago | (#29597779)

Cookies are also hard to even browse without, most sites don't load if the cookie is rejected. After I read the EFF article about web privacy, http://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks [eff.org] I tried setting FF to ask me about cookies; it was such a hassle that I had to just set it to delete them after I close out.

Re:an amazingly bad idea (1)

Anonymous Coward | about 5 years ago | (#29598257)

I tend to like chocolate chip cookies best. And of those the Tollhouse recipe is the "best of the best"; however, Oreos were good in their day.

Now, however, Nabisco and all (or at least most) of the cookie manufacturers use cheaper, inferior ingredients which have lessened the flavor of ALL cookies.

Most sites do not actually need cookies (1, Interesting)

sjbe (173966) | about 5 years ago | (#29598575)

Cookies are also hard to even browse without, most sites don't load if the cookie is rejected.

Don't know where you are browsing but I've been blocking the majority of cookies for years with little problem. Yes some sites need them, usually the ones you are trying to log into or buy something from. That only describes a small minority of sites - most don't actually need to set a cookie and if you block them you'll never notice the difference. If it is a site you trust and do business with regularly, cookies are fine. Otherwise either block them forever or only allow them for that session. Your web experience will be no worse for the lack of cookies.

Re:an amazingly bad idea (1)

martas (1439879) | about 5 years ago | (#29597789)

The only difference is, the people collecting the data are the freaking security experts you decided to trust with your data's integrity and privacy. It's not that similar to uploading personal data to Facebook, or using Google Docs to store your banking info. Of course, security experts aren't infallible, but I'd readily trust them with ALL my data if they convince me that doing so will make their protection substantially better.

And amazingly badly written. (1)

khasim (1285) | about 5 years ago | (#29598559)

Come on! I RTFA and it only talked about different characteristics of different forms of "malware". It even ENDS with that crap.

Can this be done?
Of course, I shared the above with the assumption that this type of installation information can be harvested from millions of client machines, infected or not. I believe this is possible, and will share some thoughts here soon.

Fuck you very much. This isn't "possible". This is "something I thought up between beers".

AND that crap was spread over THREE PAGES.

Here's the biggest flaw, once a machine is cracked, you simply cannot rely upon it to report correctly. It's been CRACKED!

well... (2, Funny)

eexaa (1252378) | about 5 years ago | (#29597677)

" And the moment malware gives up what allows us to detect it, it also stops being a threat."

Sounds like we will get a computer filled with malware that is configured to wait until exact date/second and kill everything.

Great idea, this is how it would work... (0)

Anonymous Coward | about 5 years ago | (#29597697)

This sounds like the type of service your government would like to implement. They could use the local law enforcement agencies as field support technicians. Of course you'd have to leave a copy of your keys and alarm codes on file so they can respond as soon as they detect some malware.

Or just switch to linux! (0, Redundant)

oo_HAWK_oo (1619801) | about 5 years ago | (#29597703)

Problem solved!!

Re:Or just switch to linux! (1)

XPeter (1429763) | about 5 years ago | (#29597799)

I really hate when people say "Oh, just go to Linux and no more viruses"

Windows is leaps and bounds more secure than any distro of Linux, and will be for quite a while. The reason Windows is so exploited is that it is on 90%+ of the machines in the world, which makes it the prime target. If Linux had 90% of the desktop, I'm sure you wouldn't be saying "Switch to Linux"

Re:Or just switch to linux! (1)

bastardadmin (660086) | about 5 years ago | (#29598355)

Windows is leaps and bounds more secure than any distro of linux, and will be for quite a while.

Citation, please?


The reason Windows is so exploited is that it is on 90%+ of the machines in the world, which makes it the prime target. If Linux had 90% of the desktop, I'm sure you wouldn't be saying "Switch to Linux"

Very true.

Re:Or just switch to linux! (0)

Anonymous Coward | about 5 years ago | (#29598497)

Actually, Linux is really good with Viruses, at least on servers:

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability.

[http://en.wikipedia.org/wiki/Computer_virus]

It is, however, no better against trojans than Windows, since trojans attack the user to infect the computer, which is much easier than attacking the computer to do the same.

Re:Or just switch to linux! (1, Insightful)

Issildur03 (1173487) | about 5 years ago | (#29597845)

'Cause that would really solve everything. If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?

(Or is linux just not popular enough among the computer-illiterate to be a good target for attacks?)

Re:Or just switch to linux! (1, Insightful)

Anonymous Coward | about 5 years ago | (#29598041)

'Cause that would really solve everything. If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?

Of course not. But Linux is written by users who don't want to be exploited (be they individuals or corporate users). The developers of Linux have a direct motivation to adapt Linux to deal with any new security threats. If trojans become a problem for Linux users, SELinux type solutions or default VM sandboxes or something else will become the norm and applications will be adapted to work well with it.

The core security problem with Windows isn't that it has large market share or inferior technologies. It is that it has so much market share and lock-in that the developers of Windows don't lose significant money even when malware is a large problem for many users. As a result the developer (MS) is not directly motivated to solve the problem. They benefit more financially by expanding into a new market leveraging their existing monopolies or even by introducing features that work to the detriment of their users (like DRM).

The interesting thing about Linux is that the license is designed to avoid any one player from being able to control it, so even if Linux had the same market share next year as Windows does today, developers would still be motivated to solve any new security problems.

Re:Or just switch to linux! (1)

Mr. Firewall (578517) | about 5 years ago | (#29598315)

If everyone switches to linux, the malware writers will just give up and not exploit security holes in linux, right?

Actually, yes, pretty much. A properly configured 'nix machine is much more difficult to exploit than a 'doze box. If everyone switched to Linux, you'd easily wipe out at least 80% of the malware writers, and probably closer to 98%.

Have you ever bothered to keep up on the security reports? Every month, Microsoft typically "patches" half a dozen "critical" (i.e., remote execution of arbitrary code) vulnerabilities, while the worst 'nix problem is typically something that can only be exploited while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

Re:Or just switch to linux! (1)

thewils (463314) | about 5 years ago | (#29598447)

while the worst 'nix problem is typically something that can only be exploited while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

Damn, I wondered what that guy was doing in our server room! Brb...

Shoot that f*cker on sight! (1)

Xaedalus (1192463) | about 5 years ago | (#29598737)

while the attacker is standing on his head, drinking a glass of water, and whistling "Yankee Doodle".

Anyone who can successfully code a virus for Linux while doing everything you just specified above is a walking holy terror and needs to be shot on sight before he (or she) decides the world is boring and it needs to be more "interesting".

Re:Or just switch to linux! (1, Insightful)

CannonballHead (842625) | about 5 years ago | (#29597877)

You actually think that nobody would start making malware/adware for Linux? Not all adware/malware is installed without knowledge of the user... downloading a smiley pack that has malware in it seems to still be fairly common. I see no reason why someone wouldn't do the same for Linux. It would just have ".rpm" instead of ".exe"

Sure, it probably wouldn't be in one of the good repositories, but since when has availability from reputable sources stopped people from downloading/installing software?

Re:Or just switch to linux! (0)

Anonymous Coward | about 5 years ago | (#29598277)

No, it will be a bunch of .c and .h files and they'll get the user to compile them.

Re:Or just switch to linux! (1, Insightful)

Anonymous Coward | about 5 years ago | (#29598035)

Problem solved!!

Solved? Are you telling me that users can't install software in Linux?

Re:Or just switch to linux! (0)

Anonymous Coward | about 5 years ago | (#29598109)

Windows for Workgroups 3.11 is more stable than any GNU Linux.

Re:Or just switch to linux! (1)

jbezorg (1263978) | about 5 years ago | (#29598149)

You know... the SANS Internet Storm Center was created in 2001 following the release of the Li0n worm. It exploited a BIND vulnerability on Linux systems and installed a rootkit on those boxes....

Hubris, it's not just for Mac owners.

Re:Or just switch to linux! (1)

smoker2 (750216) | about 5 years ago | (#29598709)

It also exploited Microsoft systems, and a warning was issued less than 14 hours after it was first spotted. Mitigating the attack was fairly straightforward, and fixes were quickly available and easy to apply. There are Windows worms, trojans and viruses still going around that are years old. But you drag up a situation that was resolved nearly a decade ago.

I have a better idea (0, Flamebait)

Mr. Firewall (578517) | about 5 years ago | (#29597741)

Let's NOT ignore the fact that malware basically only infects Windows, and instead look at how we can kick Windows systems off of the Internet. That is much easier to do. And the moment malware formats the hard drive of a Windows system and installs 'nix in its place, it also stops being a threat

Okay to say, "There, fixed that"?

Re:I have a better idea (0)

MarkvW (1037596) | about 5 years ago | (#29597965)

Nonsense. Malware writers will then target Linux. If you think Linux is inherently more secure than Windows, you're absolutely nuts. Windows computers are where the people are, and more importantly--are where the money is. If Linux becomes the place where the people and money are, Linux will have its own legion of malware writers . . . and obnoxious antivirus software manufacturers.

Re:I have a better idea (0)

Anonymous Coward | about 5 years ago | (#29598151)

Nonsense. Malware writers will then target Linux. If you think Linux is inherently more secure than Windows, you're absolutely nuts.

Linux is inherently more secure because of the development process, and I don't mean open source versus closed. I mean MS writes whatever code makes them the most money. When users get infected by malware, MS rarely loses any money on the deal because MS has overwhelming influence in the desktop OS market and has most customers very heavily locked in.

Linux, on the other hand, is developed by the users, be they corporations that use Linux in an appliance they build or hobbyists who code and run Linux at home. Both of these groups are always strongly motivated to solve any security issues, whereas MS is sometimes moderately motivated to make security not quite so bad that people put up with all the inconveniences involved in running an alternative OS.

If Linux becomes the place where the people and money are, Linux will have its own legion of malware writers . . . and obnoxious antivirus software manufacturers.

Yes it will. Unlike Windows, however, it will effectively adapt to defeat the vast majority of those malware writers such that it is not a major problem for most users. Further, because of the licensing, it is unlikely even overwhelming market share would undermine this motivation, since no one company is likely to ever monopolize Linux development and distribution.

Re:I have a better idea (2, Informative)

thewils (463314) | about 5 years ago | (#29598179)

I'll just point out here that Linux users generally do not run as Admin-God on their machines, so while they could still bork their own user account it becomes that much more difficult to compromise the entire machine.

Re:I have a better idea (1)

CannonballHead (842625) | about 5 years ago | (#29598645)

But it requires root access to install updates (keep your system updated!) and software typically, does it not? Which means the normal user will be in the habit of typing in the root password, just like Windows users are accustomed to clicking "Yes, allow" and/or typing the Administrator password.

No, Linux users don't generally run as root on their machines, but I type the root password into Ubuntu installations very frequently.

There is little difference. One clicks "Yes" to allow something to happen, the other types in the root password. When installing malware - on purpose, because it's a smilie pack that I want to use!! it's so cute! brb! lol! - I doubt most "normal" Linux users would think twice about typing in their root password.

Re:I have a better idea (1)

zonky (1153039) | about 5 years ago | (#29598793)

No, it just depends on whether there is also an exploit (perhaps a totally separate one) at that point in time that allows privilege elevation.

Distros do tend to patch pretty fast, but there is at the moment a clear day or two gap between some apps like Firefox releasing and the distros having patched versions.

The real problem remains between the chair and the keyboard.... The operating system can't prevent a total retard clicking yes to everything, or typing in their password because something looks cool....

Whoosh! (1)

Mr. Firewall (578517) | about 5 years ago | (#29598359)

Lighten up, it was a JOKE!

Re:I have a better idea (3, Interesting)

Ungrounded Lightning (62228) | about 5 years ago | (#29598401)

If you think Linux is inherently more secure than Windows, you're absolutely nuts.

Linux is more secure against malware than Windows in the same way that a solid storm window with a few pinhole air leaks at the edge of the frame is more secure against poison gas than a window screen.

This is a "feature" of the way Windows and its application suite are designed.

Now that elaborate malware constructs have been designed and debugged for decades on the Windows Swiss Cheese platforms, and a multibillion dollar malware industry built upon them, if Windows should ever be displaced as the dominant platform by Linux you can expect the payloads to be ported. Then ANY successful Linux exploit the authors can find will give them a new "infection head" and an opportunity to pull the same stunts on Linux, despite the far smaller number of vulnerabilities.

So Windows' security issues (and the failure of the company and users to adequately address them) have made things bad, not just for Windows users, but for everybody. The plague has been bred to enormous strength and virulence in other species and now poses a general threat - much like H1N1 in birds and pigs now poses a threat to humans. Thanks, Microsoft.

Meanwhile, with Windows still the big target, avoiding it in favor of the harder-to-crack, quicker-to-fix, less-profit-for-bad-guys-meanwhile Linux platform remains a benefit for those who use it.

And if it ever DOES become a big enough target to go after, we can hope that the lower number of vulnerabilities, the more rapid fix cycle, the model of "fix the holes" in preference to "identify and intercept the latest mutant strains", and the far more varied population of installations might keep the problems far smaller than they are with Windows.

Mac: It's where the money is. (2, Interesting)

Gary W. Longsine (124661) | about 5 years ago | (#29598471)

Hell, Steve Ballmer keeps repeating over and over how much more expensive the Mac is. If that's true, then people with Macs have more money. Where's the shitstorm of malware trying to steal identities from all those Mac users with hefty bank accounts?

Impractical (3, Insightful)

Null Nihils (965047) | about 5 years ago | (#29597743)

This idea is impractical in so many ways. Leaving aside the privacy issues raised by the prerequisite of collecting the kinds of information the author mentions, he makes far too many assumptions (and of course, does not back them up with any hard facts).

Even if his assumptions are partially correct, he fails to factor in how real security software interacts with real users. Modern viruses are very fluid things, and thus modern virus detection is non-deterministic (and so is this author's system as far as I can tell). So in order to catch all viruses a certain level of false positives will inevitably arise. And it doesn't take many false positives before the user starts to ignore the warnings.

What does it do.. (1)

Lewis Daggart (539805) | about 5 years ago | (#29597791)

...when all it can detect is itself?

That's too much (3, Insightful)

greymond (539980) | about 5 years ago | (#29597815)

It's like saying, if everyone knew what everyone was doing and thinking at any given moment we'd never have any type of crime. However, who wants to be monitored 24/7 and in their head? Likewise, who wants all of their computer's information, sensitive or not, to be handed over to McAfee or Symantec or whoever. Not me.

Re:That's too much (1)

Capt.DrumkenBum (1173011) | about 5 years ago | (#29598387)

You sound like someone with something to hide...

Is that a black helicopter behind you?

Malware vulnerability is profitable for Microsoft. (5, Interesting)

Futurepower(R) (558542) | about 5 years ago | (#29597823)

The best way to stop malware is to audit code so that it doesn't have vulnerabilities. The OpenBSD [openbsd.org] volunteers have been doing that for many years.

In my opinion, and the opinion of many others, the vulnerability of Microsoft products to malware is a result of Microsoft managers not allowing Microsoft programmers to finish their jobs.

When people have problems with their computer, they often buy a new computer. Then Microsoft sells another copy of Windows, which, of course, still has huge security risks. For an example, see the New York Times article Corrupted PC's Find New Home in the Dumpster [nytimes.com] . Vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.

Solving the problems with malware will not be fully successful if Microsoft managers do not want it to be successful. Vulnerabilities are profitable when a company has a virtual monopoly.

Re:Malware vulnerability is profitable for Microso (0, Flamebait)

Dog-Cow (21281) | about 5 years ago | (#29598085)

That won't stop malware. You are truly an idiot.

If OSX, Linux, & BSD can do it, Microsoft can (2, Informative)

Futurepower(R) (558542) | about 5 years ago | (#29598265)

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

Those operating systems have fewer vulnerabilities because they were designed to be secure.

Re:If OSX, Linux, & BSD can do it, Microsoft c (1)

bastardadmin (660086) | about 5 years ago | (#29598423)

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

Those operating systems have fewer vulnerabilities because they were designed to be secure.

Apple has a horrible record for patching OSX.
Linux and *BSD have plenty of advisories and vulnerabilities.
No, they were NOT designed to be secure. There are specialised variants, such as OpenBSD and SELinux that can make that, but the vast majority of *nix operating systems can not.
If you want security by design look at the mainframe or iSeries.

Re:If OSX, Linux, & BSD can do it, Microsoft c (1)

Dann25 (210278) | about 5 years ago | (#29598453)

Is their software malware-free or has it just not been targeted yet?

Re:If OSX, Linux, & BSD can do it, Microsoft c (0)

Anonymous Coward | about 5 years ago | (#29598527)

They have fewer vulnerabilities because there are fewer people poking holes in them.

Re:If OSX, Linux, & BSD can do it, Microsoft c (2, Interesting)

Penguinisto (415985) | about 5 years ago | (#29598589)

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also.

Depends on how stable the codebase is, how much backwards-compatibility is needed, how much of a kludge the component code bits in question were in the first place, how modular the overall design is/was, etc.

Sure - Microsoft can do it, but judging from complaints by former Microsofties, and the leaked code from way back in Windows 2000 as a design guide of sorts? Well, on the same note I can, with the same probabilities, dig out Mount Everest and relocate it by using nothing more than a pick axe with a busted handle.

 

Those operating systems have fewer vulnerabilities because they were designed to be secure.

More importantly, they were designed to be modular in nature. This means that you can rip out and re-write parts of, say, the kernel, without worrying as much about borking the whole thing by doing so*, or inducing even worse problems elsewhere in it.

*assuming you don't do anything outright stupid, of course...

Re:If OSX, Linux, & BSD can do it, Microsoft c (2, Interesting)

Ronald Dumsfeld (723277) | about 5 years ago | (#29598719)

IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also. Those operating systems have fewer vulnerabilities because they were designed to be secure.

Microsoft have made secure software in the past. I recall them touting one of the earlier stable NT releases passing some DoD standard or other for security.

What the morons from marketing did not tell you, was that the DoD had some qualifications attached to an NT system meeting their standard - the key one being: Not connected to the Internet.

I still wonder if the No Such Agency [nsa.gov] still has thousands of VMS systems. I've not used VMS (or, as it became, OpenVMS) in the last five years. I know many Unix fans really hated it, but the entire development of the OS was done using good, tested Software Engineering principles. It was fun when everyone was screaming about the world ending because of the Y2K problem. Alas, I can't find the great response from one of the engineers, basically saying that Y2K was not an issue due to the internal date format, and Y10K would only be a problem for displaying the dates.

Re:Malware vulnerability is profitable for Microso (0)

Anonymous Coward | about 5 years ago | (#29598775)

Why, because if we fix all software vulnerabilities that will solve all our problems? Ever heard of a trojan horse? The software might not be vulnerable, but that doesn't mean the user isn't.

The reason we see fewer malware outbreaks on other platforms is a COMBINATION of effects, not just software security. The user bases are different and have different habits. The installed base is much smaller than the Windows installed base, making it a less attractive target. And yes, maybe the code is more secure, but that's not the whole story by a long shot.

The only way you can ELIMINATE malware is to get rid of human gullibility. Good luck with that.

Refocus malware views (1)

onyxruby (118189) | about 5 years ago | (#29597829)

People need to refocus malware views and start focusing on some of the largest scourges of the issue.
  • Visa
  • Mastercard
  • American Express

People write malware because it is profitable to do so. Regardless of how a machine has been owned, it typically boils down to one of two uses, a botnet or hijacking financial data. The easiest way to do this is to get people to submit their own credit card details voluntarily through a webform. While the hosted pages are typically fake, the billing is almost always real, and this should be the target.

Enable companies to watch and report on the merchant accounts where malware authors get their money from. Somehow get the big credit card companies to become proactive about shutting them down without a several month investigation. I've done credit fraud in a former career, it's remarkably easy to detect and find. All of this could be fairly easily detected by the credit card companies if they could be bothered.

The biggest problem is that they can't be bothered as the fraud is profitable for them. Even in the event of a chargeback they can still make money, and the administrative costs they incur are nothing compared to the profit they receive. Cut off the source of funding for malware authors quickly instead of slowly and the profit motive for writing malware will take a hit.

Re:Refocus malware views (2, Funny)

MrEricSir (398214) | about 5 years ago | (#29597945)

Consumer protection laws? Hmmm, I don't think the bank lobbyists in DC are going to be in favor of that.

Re:Refocus malware views (1)

jonbryce (703250) | about 5 years ago | (#29597999)

Moneygram and Western Union are probably better targets. That is the final link in the chain between the victim and the scammer, and is the reason why the "follow the money" approach doesn't work.

Re:Refocus malware views (1)

onyxruby (118189) | about 5 years ago | (#29598513)

They are excellent targets, and getting these companies to cooperate with international anti-fraud efforts would be a huge win. Without doubt they are the favored methods of 419 scammers and many other scammers for their ability to send money internationally. That being said, sending money through one of these services isn't nearly as convenient or automated as sending money through a credit card. Whilst you may see larger transactions through those services, they can't begin to compare to the sheer volume of traffic of the credit card companies.

there are simpler ways (1)

jipn4 (1367823) | about 5 years ago | (#29598155)

Enable companies to watch and report on the merchants accounts

There are much simpler ways than "watching merchant accounts": banks and credit card companies simply need to use standard security procedures. For example, banks and credit card companies could have all large transactions confirmed by text message. Or they can use hardware tokens or smart cards.

The biggest problem is that they can't be bothered as the fraud is profitable for them.

Exactly. If banks and credit card companies wanted to eliminate most fraud, they could do so easily.

The way to fix this is to penalize banks for fraud, for the trouble they are causing to their customers.

Re:Refocus malware views (1)

sulliwan (810585) | about 5 years ago | (#29598455)

Credit card details are actually surprisingly cheap on the black market. Credit card companies are doing a pretty good job at fraud detection and transaction authentication considering how insecure the cards by themselves are. Both your identity information and your World of Warcraft account are probably worth more than your credit card details.

How about a ROLL Back to Install Tool? (2, Insightful)

jameskojiro (705701) | about 5 years ago | (#29597847)

How about building a tool into Windows that ensures all Windows system files are genuine and then shows what extra crap and drivers start up and lets you choose to either disable or enable them? How about a Registry locker that locks down your registry while running said tool so you can see if the malware is trying to re-install itself back onto your computer?

Re:How about a ROLL Back to Install Tool? (2, Insightful)

Penguinisto (415985) | about 5 years ago | (#29598681)

The first part IIRC already exists somewhat (especially in Vista, which is why UAC was so damned annoying and usually gets shut off at first opportunity). If you were thinking of some other mechanism, I apologize (unless that mechanism involves some sort of local or remote database of 'approved' software to check against, which is a very bad idea).

The second part would be cool, but the Windows Registry, being a constantly evolving thing (and of piss-poor design), has data written to it by the OS constantly during runtime. All the malware has to do (and usually does once infection hits) is mimic the perms of the system itself and happily write to whatever parts of the registry it wants, discrete user-locks be damned. The only thing a user-lock would accomplish is to prevent you, the user, from removing the malware-written registry bits.

Snort? Anyone? Anyone? Snort? (1)

mpapet (761907) | about 5 years ago | (#29597887)

I've used snort to do this passively in a couple of different shops. I don't know why client software is even necessary when I have traffic destinations in a pretty web gui via BASE.

Re:Snort? Anyone? Anyone? Snort? (0)

Anonymous Coward | about 5 years ago | (#29598131)

Hell, throw nTop on a machine and it'll give you that along with bandwidth info, etc.. It's a lot easier to get up and running than your Snort/BASE combo.

LOL cats (1)

ArhcAngel (247594) | about 5 years ago | (#29597921)

Did anyone else read the headline and look for the picture to go with the lolcats caption?

Re:LOL cats (0)

Anonymous Coward | about 5 years ago | (#29598357)

I was thinking of the "Centipedes in my vagina? It's more likely than you think." one, personally.

Re:LOL cats (1)

bastardadmin (660086) | about 5 years ago | (#29598433)

No, but I should have.

So... (0)

Anonymous Coward | about 5 years ago | (#29597939)

So you install a malware to remove malware?

Re:So... (1)

ciderVisor (1318765) | about 5 years ago | (#29598839)

Sup Dawg ?! I heard you like bein' clean so I put a malware in yo malware so you could disinfect while you disinfect.

Host-Based Detection (1)

Ponga (934481) | about 5 years ago | (#29598079)

I've noticed over the last few years a growing trend toward host-based detection systems, like the McAfee [mcafee.com] product line for example. The US government, or at least the DoD [disa.mil], is really jumping on this bandwagon.

Any thoughts about this approach?

Best way to remove malware and keep it off (0)

Anonymous Coward | about 5 years ago | (#29598091)

There already is a method [ubuntu.com] to keep malware from attacking a system.

Already being tested by Symantec (2, Insightful)

Aryeh Goretsky (129230) | about 5 years ago | (#29598105)

Hello,

What Dr. Jakobsson has described is a reputation system.

At Virus Bulletin 2009 [virusbtn.com], Symantec gave a presentation on reputation systems: "Using the wisdom of crowds to address the malware long tail [virusbtn.com]," which cited data from one that began development in 2006. While I do not claim to understand the system, in a nutshell, it seems to work by generating a hash for files after they are downloaded or when they are to be executed, and sending this to Symantec along with some metadata, such as source IP/host, filename, path specification on the local host, date and time stamp on the file and other useful information, initially to provide a quick lookup; more information can be sent if additional analysis is required. Symantec's client software can then display a message saying "Program XYZ.EXE has been seen n time(s) over the course of n day(s)/week(s)/month(s)," along with some suggestions about how safe it is likely to be, based on new/unique program files being more likely to be untrusted (higher potential for malcode) and older, common program files having a higher degree of trust.

One advantage of this approach is that it quickly allows malicious files encoded using server-side polymorphism to be identified, as well as the sites hosting them. This negates the technique used by the bad guys of constantly modifying code in order to escape detection by anti-virus software.

Regards,

Aryeh Goretsky
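The prevalence-and-age scoring described in the comment above, as an added example that is not Symantec's code or the Virus Bulletin paper's: the client sends only a hash plus metadata, the backend tracks how many hosts have reported each hash, when it was first seen, and which download source served it, and the verdict comes from those counts rather than from the file's contents. The thresholds (100 hosts, 7 days, 90% unique hashes per source), the host names, URLs and sample bytes are all assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


class ReputationService:
    """Backend side of a prevalence/age reputation system.

    Clients report (hash, reporting host, download source, timestamp) for each
    new executable; the service never looks at the bytes, only at how they spread.
    All thresholds below are assumptions for this example."""

    def __init__(self):
        self.first_seen = {}                       # sha256 -> datetime of first report
        self.hosts = defaultdict(set)              # sha256 -> hosts that reported it
        self.hashes_by_source = defaultdict(set)   # download URL -> distinct sha256s served

    def report(self, content: bytes, host: str, source: str, when: datetime) -> str:
        digest = hashlib.sha256(content).hexdigest()
        self.first_seen.setdefault(digest, when)
        self.hosts[digest].add(host)
        self.hashes_by_source[source].add(digest)
        return digest

    def file_verdict(self, digest: str, when: datetime) -> str:
        """Old and widespread -> trusted; brand new and rare -> suspicious; else unproven."""
        if digest not in self.first_seen:
            return "unknown"
        age = when - self.first_seen[digest]
        prevalence = len(self.hosts[digest])
        if prevalence >= 100 and age >= timedelta(days=7):
            return "trusted"
        if prevalence <= 2 and age < timedelta(days=1):
            return "suspicious"
        return "unproven"

    def source_verdict(self, source: str) -> str:
        """A URL that hands almost every client a different binary is behaving like a
        server-side polymorphism kit, regardless of what any single sample contains."""
        digests = self.hashes_by_source.get(source, set())
        downloads = sum(len(self.hosts[d]) for d in digests)
        if downloads >= 20 and len(digests) / downloads > 0.9:
            return "polymorphic-distributor"
        return "ok"


def scenario() -> dict:
    """Constructed traffic: one popular installer and one server-side-polymorphic dropper."""
    svc = ReputationService()
    t0 = datetime(2009, 9, 1)

    installer = b"MZ\x90\x00 vendor setup v2.1"          # constructed sample bytes
    for i in range(200):
        svc.report(installer, f"host{i}", "https://vendor.example/setup.exe",
                   t0 + timedelta(hours=i))

    # Every download of the dropper is re-packed per request; simulated here by
    # appending a per-request nonce so that each victim receives a unique hash.
    dropper = b"MZ\x90\x00 ringtone dropper"
    for i in range(50):
        svc.report(dropper + i.to_bytes(4, "big"), f"victim{i}",
                   "http://free-ringtones.example/get.exe",
                   t0 + timedelta(days=30, minutes=i))

    now = t0 + timedelta(days=30, hours=1)
    return {
        "installer": svc.file_verdict(hashlib.sha256(installer).hexdigest(), now),
        "dropper_sample": svc.file_verdict(
            hashlib.sha256(dropper + (7).to_bytes(4, "big")).hexdigest(), now),
        "vendor_site": svc.source_verdict("https://vendor.example/setup.exe"),
        "ringtone_site": svc.source_verdict("http://free-ringtones.example/get.exe"),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:15s} {verdict}")
```

The per-file verdict alone cannot tell a freshly re-packed dropper from a legitimate tool released an hour ago; both are "seen once, today", which is why a deployed system shows the user the prevalence count rather than blocking outright. The per-source check is the part that actually defeats server-side polymorphism: fifty unique hashes from fifty downloads of one URL is a distribution pattern no vendor's installer produces.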

Misleading (0)

pecila (1647383) | about 5 years ago | (#29598125)

Malware exists ONLY on certain operating systems, interestingly all of them published by ONE company (not going to name it here, but here are a few hints: based in Redmond, name starts with Latin word for something very small). Well, the sad truth is that for those machines that do run operating system made by that company - malware is the reality and will be there to stay, no matter how much privacy of users is compromised by anti-malware companies. For others, malware is just a part of scary stories.

Re:Misleading (0)

Anonymous Coward | about 5 years ago | (#29598525)

You, sir, are an idiot. ;)

Rootkits are called rootkits because they originally surfaced on systems with a user named "root".

Malicious software is distributed for all operating systems. It usually requires idiot users (most of whom are on Windows boxes), but there are exploits for every kernel version if you care to look.

Thank you and good night.

Re:Misleading (1)

Ivan Stepaniuk (1569563) | about 5 years ago | (#29598625)

The 'micro' prefix comes from the greek mikrós, not latin, and it just means small, not 'very small'. Besides that, I agree, malware is here to stay, and it is also a huge business.

Where the Windows White List? (2, Interesting)

schwit1 (797399) | about 5 years ago | (#29598167)

I would love a built-in security component that white lists what is permitted to run.

And include whether the component can run as limited or root permissions.

best av ever (0)

Anonymous Coward | about 5 years ago | (#29598191)

Guys... www.prevx.com is the best protection out there. It works Borg style! Really.. check it out. Doesn't slow your computer, light footprint, doesn't take much memory, fastest learning scan, doesn't require any other scan as long as it is there to check on new apps. It's your computer bodyguard. I have been sold on them since I discovered Prevx. My computer has been virus-free for 4 years now..

Complete drivel (0)

Anonymous Coward | about 5 years ago | (#29598239)

This author should be ashamed of bringing this theoretical academic drivel to the public (even if it is posted on ITWorld.com). It is possible to detect anything if you know what you're looking for. Sure, 10 years ago a virus looked through some people's address books in order to spread, and now it's common sense to look for this functionality. How about some hard facts on how to do this, rather than just "we could do this. It is possible!".

Every time... (1)

Ihmhi (1206036) | about 5 years ago | (#29598249)

...I hear a leading question like that, I automatically fill in, "There's an app for that," in my mind. Damn your marketing to Hell, Apple.

Their own staff.... (1)

DrRiAdGeOrN (1411971) | about 5 years ago | (#29598343)

They should collect their staff's user data; given the example of the NSF yesterday, and how big Symantec is, they should be able to cover almost everything, I would say. Let their employees be the guinea pigs for this....

Wisdom follows, pay attention! (0)

Anonymous Coward | about 5 years ago | (#29598375)

> Auto-Detecting Malware? It's Possible

A basic law of computing says it is impossible to write a program, which could inspect any possible program and say with 100% accuracy how long it will take to execute that program. This is a mathematically proven theorem.

To automatically detect any possible malware with 100% accuracy and zero false positives is a task identically equal to the above condition, which is plain impossible to achieve.

The human, the well-trained and talented antivirus analyst, will never be out of the loop, QED.

Great idea, 'Let's ignore what it does' (2, Interesting)

Ivan Stepaniuk (1569563) | about 5 years ago | (#29598437)

So we let the malware freely send itself to hundreds of other computers, steal our sensitive information, and then decide that something is wrong and remove it? Besides that, a lot of malware gets installed by inexperienced users that wanted ringtones/wallpapers/porn/games/porn/porn. Move along, there is nothing to detect.

So Wrong (2, Insightful)

ratboy666 (104074) | about 5 years ago | (#29598475)

"The insight is: Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat."

But of course, malware that doesn't actually DO anything isn't a threat. As an administrator, I am worried about the misuse of resources.

Staging a DDOS attack from malware is a problem for me, because it uses my bandwidth inappropriately. Stealing credit card numbers because it is an inappropriate information leak. And so on.

I actually DON'T CARE if someone clicks on the funny cursors package, in exchange for complete information on their browsing habits -- as long as inappropriate information is not leaked. If the user loses the contents of their savings account to a hacker with a trojan? My initial reaction is to laugh, and then feel pity. As long as it's not a theft of resources I am controlling.

Which boils down to: malware is defined by what it does. If propagation is an issue (usually network issues), it becomes my concern. Otherwise? I don't care. So, I use behaviour based approaches to malware control. If a new (to this system) piece of software doesn't have access to resources, it can't misuse them.

Simple trojans, viruses and worms? Amusing, but not particularly on my radar. Specific attacks on security frameworks designed to contain software? Definitely, along with root kits.

About the only reason I bother with "malware detection" is to keep Windows users happy(ier). They seem to think that this stuff is somehow important.

ok noobs (1)

CHRONOSS2008 (1226498) | about 5 years ago | (#29598483)

here's how life goes they make say this wonderful tool that does this.
HACKER then creates tool to infect it unawares to you and the maker.

repeat this in your head.

It's impossible (0)

Anonymous Coward | about 5 years ago | (#29598503)

It's impossible to determine whether or not a piece of code contains a virus. Mathematically.
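The impossibility that this comment and the "Wisdom follows" comment above appeal to is usually shown not through running-time prediction but through Fred Cohen's diagonal construction: hand any proposed perfect detector a program that asks the detector about its own source and then does the opposite. The sketch below is an added example, not code from the article or from either commenter; the "payload" is just a returned action list, the three detectors are stand-ins for any total source-to-verdict function, and the path in the signature is a constructed string.

```python
from typing import Callable, List

# A detector maps a program's source text to True ("malicious") or False ("clean").
Detector = Callable[[str], bool]

# Source of the adversarial program. When run it is handed the detector under test
# and its own source, asks the detector for a verdict on itself, and then behaves
# opposite to that verdict. The payload is only a returned action list, so nothing
# harmful happens when it executes.
CONTRARY_SOURCE = '''
def run(detector, own_source):
    if detector(own_source):
        return []                          # judged malicious -> behaves harmlessly
    return ["unlink", "/etc/passwd"]       # judged clean -> carries out the payload
'''


def execute(source: str, detector: Detector) -> List[str]:
    """Run a program's source in a fresh namespace and return the actions it took.

    exec() of arbitrary source is exactly what a real analysis sandbox must not do
    on the host; it is acceptable here only because CONTRARY_SOURCE is a constant
    defined in this file."""
    namespace: dict = {}
    exec(source, namespace)
    return namespace["run"](detector, source)


def is_harmful(actions: List[str]) -> bool:
    return len(actions) > 0


def detector_is_wrong(detector: Detector) -> bool:
    """True when the detector's verdict on CONTRARY_SOURCE contradicts what the
    program actually does when run under that same detector."""
    verdict = detector(CONTRARY_SOURCE)
    behaviour = is_harmful(execute(CONTRARY_SOURCE, detector))
    return verdict != behaviour


# Three candidate "perfect" detectors: a signature scanner, one that flags
# everything, and one that trusts everything. Each is wrong on CONTRARY_SOURCE,
# and the same construction defeats any other total function from source to verdict.
def signature_detector(source: str) -> bool:
    return "/etc/passwd" in source


def paranoid_detector(source: str) -> bool:
    return True


def permissive_detector(source: str) -> bool:
    return False


if __name__ == "__main__":
    for d in (signature_detector, paranoid_detector, permissive_detector):
        print(f"{d.__name__:20s} wrong on the contrary program: {detector_is_wrong(d)}")
```

The result rules out a detector that is exact on every program; it says nothing about detectors that tolerate some false positives and false negatives, which is the only kind that actually ships and the kind the prevalence-based approach in the article is. A useful way to read the three cases: the signature scanner is defeated by a file that carries the signature but never triggers, the paranoid one by a benign file it blocks, and the permissive one by the payload it waves through.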

And like all active-response systems ... (4, Insightful)

Ungrounded Lightning (62228) | about 5 years ago | (#29598517)

... it depends on detection of a significant number of machines being compromised to produce the detection event and response. Meanwhile a significant number of machines have been compromised. The horses are out of those barns by the time the doors are closed.

Rinse and repeat, with a fresh variant of the malware, until "all your horse are belong to us".

Meanwhile, all they're doing is detecting a pattern of distribution of a pattern of data, without any way to differentiate whether the data itself is malware. Surprise: This same pattern occurs with news and with ideas. Do we really want a surveillance system to treat the spread of, say, stories of government corruption, as a malware infection?
