
A New Approach to Mutating Malware

Zonk posted more than 7 years ago | from the bigger-hammers dept.

Security 80

mandelbr0t writes "CBC is reporting that researchers at Penn State University have discovered a new method of fighting malware that better responds to mutations. From the article: 'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.' This is a change from previous methods, which compared suspected viruses against known signatures. Mutations in malware took advantage of the time-delay between the initial infection and the time taken by the anti-virus system to update its known signatures. This new system claims to be able to recognize new infections nearly instantly, and to cancel the quarantine in case of false alarm."


80 comments

a high rate of homogeneous connection requests (4, Funny)

HTH NE1 (675604) | more than 7 years ago | (#17956076)

The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.
Great, so I happen to spend a whole day on the computer doing nothing but playing one first-person shooter and I'll get cut off from the net? Did this idea come from Korea?

Re:a high rate of homogeneous connection requests (3, Interesting)

dgatwood (11270) | more than 7 years ago | (#17956116)

I suspect that every mailing list server would be a false positive, too.

Re:a high rate of homogeneous connection requests (1, Informative)

Anonymous Coward | more than 7 years ago | (#17960292)

Don't forget, this comes from the University that only allows 1.5 GB of TCPIP upload/download a week per student.

Go over that, and your connection is terminated for the year!

Check out the Bandwidth policy at www.rescom.psu.edu (not sure if accessible off campus)

Re:a high rate of homogeneous connection requests (1)

Nasarius (593729) | more than 7 years ago | (#17956120)

If your game is rapidly generating hundreds of connection requests, something is very wrong.

Re:a high rate of homogeneous connection requests (1)

cheater512 (783349) | more than 7 years ago | (#17957822)

This doesn't work against malware running on dialup computers then.

Re:a high rate of homogeneous connection requests (1)

Maian (887886) | more than 7 years ago | (#17961040)

Correct me if I'm wrong, but you can still generate hundreds of connection requests on dialup - most will just timeout.

Re:a high rate of homogeneous connection requests (3, Insightful)

HTH NE1 (675604) | more than 7 years ago | (#17956236)

OK, now I've read the article. Doesn't help much:

Pen Liu, the lead researcher on the project and director of the university's Cyber Security Lab, estimates that under the new system, only a few dozen packets could be sent before an attack is halted. In comparison, the Slammer worm sent about 4,000 packets a second.
Great, how many packets per second are sent for streaming video? Downloading a Usenet posting?

Oh, they're probably talking about end-user computers emitting too many similar packets quickly. There goes the idea of me running my own server; I will no longer be an equal on the net and will always have to pay someone else to host my content. This will also curb actions like sharing files, posting binaries to Usenet, streaming video out of my SlingBox, or other high-outgoing-bandwidth tasks.

But because high packet rates aren't always triggered by worms, the new technology can also determine whether a suspected host is actually infected and release clean systems.
I doubt this will be the same "fractions of a second" that it takes to block. I suspect it's more like human intervention on the order of days or weeks.

Re:a high rate of homogeneous connection requests (3, Insightful)

Wesley Felter (138342) | more than 7 years ago | (#17956502)

This isn't hard to understand; a worm sends thousands of packets per second, each to a different IP address and most legitimate applications don't.

Re:a high rate of homogeneous connection requests (1)

zcat_NZ (267672) | more than 7 years ago | (#17957168)

Say goodbye to bittorrent and emule though...

Re:a high rate of homogeneous connection requests (1)

Wesley Felter (138342) | more than 7 years ago | (#17957216)

In my experience Azureus (and presumably other BT clients) will only open about 10 new connections per second, which should be much less than the threshold for a worm detector.

Re:a high rate of homogeneous connection requests (1)

HiggsBison (678319) | more than 7 years ago | (#17957286)

In my experience Azureus (and presumably other BT clients) will only open about 10 new connections per second, which should be much less than the threshold for a worm detector.

...and then the newer stealth worms will moderate to only about 10 new connections per second, and sneak in under the radar.

Re:a high rate of homogeneous connection requests (0)

Anonymous Coward | more than 7 years ago | (#17957700)

...and then they spread less rapidly and tie up fewer network resources.

Re:a high rate of homogeneous connection requests (1)

zCyl (14362) | more than 7 years ago | (#17959948)

...and then the newer stealth worms will moderate to only about 10 new connections per second
...Good.

Re:a high rate of homogeneous connection requests (1)

LarsG (31008) | more than 7 years ago | (#17962666)

You do know that XPSP2 limits the number of concurrent half-open connections to 10? A worm would have to patch tcpip.sys to go above that.

Re:a high rate of homogeneous connection requests (3, Insightful)

abigor (540274) | more than 7 years ago | (#17957766)

You know, somehow it strikes me that they thought of these dead-simple, everyday use cases.

Also, you need to learn the difference between "connecting" and "sending". If you're interested, you should pick up one of the classic Stevens books on tcp/ip. That should clear things up for you.

Re:a high rate of homogeneous connection requests (3, Insightful)

vux984 (928602) | more than 7 years ago | (#17961018)

Great, how many packets per second is sent for streaming video? Downloading a Usenet posting?

Unless you download each packet from a different server I can't see how that would possibly be relevant.

Oh, they're probably talking about end-user computers emitting too many similar packets quickly.

No they're talking about a computer emitting too many CONNECTION REQUESTS to too many different computers. If you read the article you'd probably have a better idea of what was going on. ;)

Two types of applications that could in theory trigger a quarantine would be a mass-mailout, where you are directly delivering mail to thousands of recipient mail exchangers (instead of relaying through your ISP), or running a web-crawling robot of some sort that was traversing thousands of websites.

Typical use, from playing games, to browsing, to sending email, to streaming video... even p2p software wouldn't even register as a potential threat nevermind trigger quarantine. Nor would running a busy web server, as in that case all the connection requests are inbound, not outbound.

Re:a high rate of homogeneous connection requests (1)

boone (3018) | more than 7 years ago | (#17956626)

so I happen to spend a whole day on the computer doing nothing but playing one first-person shooter and I'll get cut off from the net?
No, you don't get a whole day, just a few seconds. It had already determined you were going to lose anyway.

There are products out there that already do this, trending with seasonality and anomalous behavior; I don't know why anyone would call this new. Oh, wait, this is /. q1labs.com has a great product for this; it found a compromised host doing call-home to a p2p control network without any signatures, and that was rather new behavior at the time.

Re:a high rate of homogeneous connection requests (0)

Anonymous Coward | more than 7 years ago | (#17956940)

You would just have that game whitelisted. Duh.

And around we go (0)

Anonymous Coward | more than 7 years ago | (#17956090)

Behaviour blocking.

Everything old is new again!

Re:And around we go (1)

acidrain (35064) | more than 7 years ago | (#17956390)

Everything old is new again!

Like mutating the connection requests just enough to evade blocking? Because that would be a "new" trick they were not already doing... Patentable perhaps, but not something that would require more than a few seconds thought.

This technique could be considered something to slow worm propagation, but no more.

What happens when... (2, Interesting)

LiquidCoooled (634315) | more than 7 years ago | (#17956094)

What happens when I buy a new game and it connects to the other players in a tight mesh.
It might send out a storm of packets to each of the possibly hundreds of other servers.

Will it be blocked, if so who do you see to get it unblocked, what happens if my ISP are running this software?

From TFA ... (1)

khasim (1285) | more than 7 years ago | (#17956200)

"But because high packet rates aren't always triggered by worms, the new technology can also determine whether a suspected host is actually infected and release clean systems.

PWC can quickly unblock mistakenly blocked hosts," said Liu, an associate professor of information sciences and technology at Penn State.

It appears to be magic.

I can see isolating a box when its connection pattern changes. But I don't see any way to identify whether it has been infected without a person looking at it or comparing it to existing signature files.

Deterministic flaws and P2P networks. (3, Interesting)

Short Circuit (52384) | more than 7 years ago | (#17956112)

This will (mostly) work on worms which attack flaws which behave in a nondeterministic fashion; A worm isn't guaranteed an infection by only one connection attempt. I don't think it would work for flaws that require only one connection to infect, though.

That could be improved by setting up a pool of computers which combine their connection details, but that poses privacy concerns, along with the possibility of misidentifying a host. If someone running a cjb.net server gets assigned a new IP address, and someone keeps attempting to connect to the old IP (Say, via a badly-configured DNS cache like they have at my college), that whole pool of computers would block the client, possibly harming his participation in P2P networks.

cause and effect (2)

User 956 (568564) | more than 7 years ago | (#17956198)

'The new system identifies a host computer with a high rate of homogeneous connection requests, and blocks the offending computer so no worm-infected packets of data can be sent from it.'

So they're focusing on a symptom. But it sounds like this could be used to block other "homogeneous" traffic, like Bittorrent, no?

RTFAKW (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17956386)

read the fucking article, karma whore

flush out your headgear, new guy

if I'm going to get my balls blown off for a word, my word is poontang

How does it work? (4, Informative)

Aryeh Goretsky (129230) | more than 7 years ago | (#17956380)

Hello,

There's not really a lot of information about how Proactive Worm Containment (PWC) works in the article. A quick bit of searching found the Penn State University Cyber Security Lab's home page here [psu.edu] and Professor Peng Liu's home page here [psu.edu] along with the university's press release here [psu.edu] , but I did not see any actual articles on PWC.

A more detailed description would be most welcome, since the press release makes it sound like this is an automated response to quarantining a host which is performing a DDoS, and it is not clear how PWC would differentiate between that and just a very busy server.

Regards,

Aryeh Goretsky

Re:How does it work? (3, Informative)

nuckfuts (690967) | more than 7 years ago | (#17959894)

It's trivial to differentiate between outbound and inbound TCP connections. (The first packet has the SYN flag set to begin a three-way handshake.) A busy server would have a lot of connections coming TO it. A bot would have a lot of connections coming FROM it. In the case of other protocols the SRC and DST information in the packets should suffice to determine direction.
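An added illustration of the two points made in this comment and in vux984's reply above (count only the packets that initiate a connection, and look at how many distinct peers one host initiates to). This is example code written for this thread, not the Penn State PWC implementation; the packet-record format, the thresholds and the sample traffic are all assumptions constructed here.

```python
"""Added example: classify hosts by who initiates TCP connections and to how many peers.

Illustration code for this thread, not the Penn State PWC implementation.
The record format, thresholds and sample traffic are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp in seconds, source IP, destination IP, TCP flags)
Record = Tuple[float, str, str, str]


def sample_traffic() -> List[Record]:
    """Constructed traffic: a busy web server, a BitTorrent-like client and a scanning worm."""
    pkts: List[Record] = []
    # 10.0.0.5 is a web server: 3000 clients open a connection TO it within one second.
    # The server only ever answers with SYN-ACKs, so it never initiates anything.
    for i in range(3000):
        client = f"198.51.100.{i % 250 + 1}"
        t = i / 3000.0
        pkts.append((t, client, "10.0.0.5", "S"))
        pkts.append((t + 0.0001, "10.0.0.5", client, "SA"))
    # 10.0.0.7 is a BitTorrent-like client: about 10 new peers per second for 5 seconds.
    for sec in range(5):
        for j in range(10):
            pkts.append((sec + j / 10.0, "10.0.0.7", f"203.0.113.{sec * 10 + j + 1}", "S"))
    # 10.0.0.9 is worm-like: 4000 SYNs in one second, each to a different host.
    for i in range(4000):
        pkts.append((i / 4000.0, "10.0.0.9", f"192.0.{i // 254}.{i % 254 + 1}", "S"))
    return pkts


def initiations_per_window(pkts: List[Record], window: float = 1.0
                           ) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Map (source, window index) -> (outbound SYN count, distinct destinations).

    Only a bare SYN is a connection initiation; SYN-ACK, ACK and data packets
    flow in both directions and say nothing about who started the connection.
    """
    syn_count: Dict[Tuple[str, int], int] = defaultdict(int)
    dest_sets: Dict[Tuple[str, int], set] = defaultdict(set)
    for ts, src, dst, flags in pkts:
        if flags != "S":
            continue
        key = (src, int(ts // window))
        syn_count[key] += 1
        dest_sets[key].add(dst)
    return {k: (syn_count[k], len(dest_sets[k])) for k in syn_count}


def flag_hosts(pkts: List[Record], max_syn_rate: int = 100, max_fanout: int = 50,
               window: float = 1.0) -> Dict[str, str]:
    """Return {source IP: reason} for hosts that both initiate too many connections
    and spread them over too many distinct peers within one window.

    Requiring both is a design choice: a client hammering one server (a reconnect
    loop, a stuck mail client) has a high rate but a fan-out of one, which is not
    what a scanning worm looks like.
    """
    flagged: Dict[str, str] = {}
    for (src, w), (n_syn, n_dst) in initiations_per_window(pkts, window).items():
        if n_syn > max_syn_rate and n_dst > max_fanout and src not in flagged:
            flagged[src] = f"{n_syn} outbound SYNs to {n_dst} distinct hosts in second {w}"
    return flagged


if __name__ == "__main__":
    for host, why in flag_hosts(sample_traffic()).items():
        print(f"quarantine {host}: {why}")
```

Run as-is it reports only 10.0.0.9; the web server never appears because it sends no bare SYNs, and the BitTorrent-like client stays an order of magnitude under both thresholds.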

Huh? (2, Funny)

EvanED (569694) | more than 7 years ago | (#17956414)

I wish the article didn't pretty much suck...

This [psu.edu] is the webpage for the Cyber Security Lab. I don't see anything about this on there, but a Google search for Proactive Worm Containment brings up this presentation [psu.edu] .

Yeah. (1)

jd (1658) | more than 7 years ago | (#17957446)

When I saw the title "A New Approach to Mutating Malware", I was looking forward to an excellent piece on how to develop polymorphic destructive code, or maybe a way to infect viruses with Polonium-210. But all I got was some cheesy article on how to use a network intrusion detector to shut down malware. Boooring.

Safemaker, Safebreaker (2, Insightful)

sehlat (180760) | more than 7 years ago | (#17956420)

OK. This will work for a while. However, sooner or later, two things will happen:

1. The Malware Boys (TMB) will change the software to spit out connection attempts more slowly so that it falls below the threshold

and

2. Since TMB seem to be increasingly financed by organized crime, they'll duplicate the technique in their own labs and build worms that work around it, just the way they've gotten a lot of crud by Bayesian Filters and anti-virus software.

Summary: no magic bullet

Re:Safemaker, Safebreaker (2, Insightful)

EvanED (569694) | more than 7 years ago | (#17956540)

Is there ever a magic bullet though?

What fix has there ever been that would totally stop a class of attacks in their tracks? The only one I can come up with is typesafe languages.

Re:Safemaker, Safebreaker (3, Insightful)

hedwards (940851) | more than 7 years ago | (#17957030)

Yes, but forcing them to slow down makes an outbreak easier to contain.

One of the bigger problems has been the speed of infection. Forcing a worm or virus to slow down significantly increases the amount of time that researchers have to identify it and release an update.

Re:Safemaker, Safebreaker (1)

jotok (728554) | more than 7 years ago | (#17958214)

Alas, no. Very, very few members of TMB understand the kind of mathematical traffic analysis that can be used to detect them. As a security professional, I encourage their ignorance (and yours).

Re:Safemaker, Safebreaker (1)

sehlat (180760) | more than 7 years ago | (#17958444)

It doesn't take a lot of them, just the needs of the few, or the one. As with, say, Poincare's Conjecture, where genius can go, lesser minds can follow. Admittedly TMB are a small, secretive bunch (for very good reason), but there are large incentives to being able to tap into other people's computers and networks, and while it's not like anybody's going to be publishing papers on the topic in "Journal of the ACM," word will get around.

The only thing one can say about ANYTHING in this world is "for a time."

Re:Safemaker, Safebreaker (1)

jotok (728554) | more than 7 years ago | (#17958690)

This is surely correct. At the same time, there are radical differences in the way people with an engineering mentality (programmers, for instance) and people with a synthetic (as opposed to analytical) mentality think about problems. Check out wikipedia articles on top-down and bottom-up analysis, or study the differences in the philosophies of physics and biology (the structure-function paradox). I think it's less an issue of "genius" versus "lesser" minds so much as a gap in understanding, or the ability to understand, certain ways of seeing reality.

Or, the short version, programmers are generally really shitty at modeling real-world phenomena. They all think they're great at it, which is partly why they're so bad. There is almost nothing you can do to convince them otherwise, but again, when they're coding the worm du jour, a security engineer is really glad that they don't understand or care to understand the techniques used to dig them out of the traffic--they're too busy telling everyone it can't be done.

Re:Safemaker, Safebreaker (0)

Anonymous Coward | more than 7 years ago | (#17959512)

I'll stick to one of the many Windows personal firewalls because of your stated reasons and a few other ones as well. PFs can block all packets from any application that were not previously given access. Maybe some people find it a problem to have to authorize an app to use the network but in reality, once you have the PF running a few days, you should not see many apps at all that you need to give permission for.
As a side note, I have IE as my default web browser and have it set to ask when it needs internet access. I only use FF but if IE or any rogue application that tries to use IE or its rendering engine tries to access the internet, I will be prompted. If I did not directly or indirectly initiate the request for IE to do something, I know something fishy is going on. Yes, not every PF is equal or perfect but I'm sure this "new" method described in the story has its share of issues as well.

high rate of homogeneous connection requests (5, Funny)

Anonymous Coward | more than 7 years ago | (#17956488)

I don't see what anyone's sexuality or promiscuity should matter. Live and let live.

Re:high rate of homogeneous connection requests (4, Funny)

Dirtside (91468) | more than 7 years ago | (#17957986)

Maybe it's a "Don't ACK, don't tell" policy.

Re:high rate of homogeneous connection requests (0)

Anonymous Coward | more than 7 years ago | (#17963308)

Assuming this thing really works, it's probably more of a "don't SYN, don't ACK" policy

And where's the new bit? (2, Informative)

Rich (9681) | more than 7 years ago | (#17956526)

I read the article, and I'm still wondering what the 'new' part is. The text doesn't mention anything that hasn't been around for ages, is this a bad article or bad research?

Re:And where's the new bit? (1)

Rich (9681) | more than 7 years ago | (#17956588)

I'll just add that if the system really works as described then making a certain percentage of crap connections (10%?) would completely defeat it.

Not a new idea....but still a good one (5, Informative)

Arrogant-Bastard (141720) | more than 7 years ago | (#17956556)

This idea was discussed in considerable depth on various anti-spam lists several years ago. Nearly all hosts on the Internet talk to one mail server: the one designated for mail submission from the network they're on. (s/one/few/ for networks large enough to have multiple SMTP gateways.)

Such systems, if observed suddenly making connections on port 25 to hundreds (or more) other mail servers, are almost certainly spewing spam. This is particularly true if those connections meet certain criteria (e.g. traffic sent before waiting for SMTP greeting from remote side, or failure to send QUIT before closing connection). Slapping a port 25 block on such systems at least partially quarantines the problem, buying time for more thorough investigation.

The same could be said of systems observed making hundreds of SSH connections (to one destination or many), etc. The basic concept is to figure out what "normal" looks like -- which, granted, may vary with what uses a system normally has -- and then do something when things don't look normal. "something" could be "log it" or "issue an alert" or "rate-limit connections" or "rate-limit traffic" or "block" or some combination; the trick is to select an appropriate response that does something useful while not making the mechanism so twitchy that it trips when it shouldn't.

Re:Not a new idea....but still a good one (3, Informative)

jofny (540291) | more than 7 years ago | (#17956718)

That doesn't work for most machines you'll find on the internet. Network data simply doesn't contain enough information to consistently build a flexible, accurate profile of normal usage. You're either going to miss a significant amount of stuff you'd like to catch, or catch so much legit traffic that it's unusable. You might find the right middle ground between them, but it'll be infrequent and coincidental.

Re:Not a new idea....but still a good one (1)

Arrogant-Bastard (141720) | more than 7 years ago | (#17962130)

While I'll grant that your point is true for *some* systems, it's not true for most. If you watch network traffic with tools such as ntop or etherape for a while (especially the latter thanks to the way that it facilitates visualization), and then focus on particular systems, what you'll likely find is that traffic patterns are surprisingly predictable.

Consider, for example, a client system (OS doesn't matter) sitting on a corporate network. It probably uses DHCP at boot and periodically thereafter -- so we should expect to see light, sporadic DHCP traffic and we should expect to see that traffic confined to the LAN. It probably uses local DNS servers (and has been told about them via DHCP) so we should expect to see a relatively low-level stream of DNS queries and we should expect to see all of them directed at those local servers. We should expect to see HTTP requests going out -- but none coming in. We should expect to see SMTP traffic going out, but only to local SMTP servers and none coming in.

And so on. Now -- as someone pointed out in a followup -- a good way to make *sure* that this is what we see is to put in place a solid firewall and configure it properly -- starting with bidirectional "deny all" and then opening up only the ports/protocols necessary. (And then we can also use that firewall to observe exceptions to the "normal" traffic that I started to laundry-list above.)

This gets slightly more complicated for servers, especially multi-purpose ones, but it's still a tractable problem. For example, an inbound SMTP gateway should not be sending out HTTP requests; and a dedicated web server shouldn't be making outbound SMTP connections (except perhaps to a local SMTP server for mail traffic generated on the web server).

The Bad Guys can evade some of this by severely rate-limiting traffic. But while that makes detection more difficult, it does at least mean that their attempt at evasion slows down their own attacks. And that malware which just blunders around is more likely to be spotted, which helps a little bit.

So it's not "a fix" or anything like that; it's just another approach, to be combined with firewalls/self-scanning/etc.

Re:Not a new idea....but still a good one (1)

jofny (540291) | more than 7 years ago | (#17968688)

Having spent time using the data from thousands of systems in multiple large networks (some of them multicontinent) trying to work out threshold rules for classifying anomalous traffic (to guide both human and machine analysis for data reduction and highlighting purposes), I can say that my experience (yours might vary) is that what you say is true in aggregate on average, but is not reliable enough on a machine by machine basis across all machines for every distinct machine. It DOES work sometimes. But not all the time, and you can't predict when it won't work. That very much limits its usefulness as a solution.

Said another way: yeah... I've done a ton of visualization work and you're right - the patterns are exceedingly recognizable to the human eye. That doesn't mean it translates to something easily predictable in a numeric fashion. Those patterns have lots of exceptions and the thresholds of normalcy vary significantly by themselves from machine to machine and environment to environment. For example, you say

relatively low-level stream of DNS queries

That's true... but "relatively" is a very difficult word to translate consistently to numbers.

Re:Not a new idea....but still a good one (1)

jofny (540291) | more than 7 years ago | (#17968718)

Forgot to add something important: Part of the measurement problem is the tokenization of network "sentences". When you're measuring your traffic - how big are your buckets? What constitutes the start and end of a bucket? How many buckets do you have? Which relationships between which types of traffic are important? Do you measure distribution of DNS traffic against HTTP? All TCP? Why? etc. etc.

These questions just go on and on when you really start getting down to implementing "the patterns of machine network traffic all look similar, so we can look for behavior that falls out of that".

Re: Something else that would stop a lot of crap (1)

transporter_ii (986545) | more than 7 years ago | (#17957386)

A large amount of malware configures itself so that it starts up each time you reboot. If something just popped up and said program x wants to start each time you boot your computer, do you want to allow this, yes/no, a ton of crap could be stopped right there. I know that is similar to a firewall asking if it is ok for an application to access the internet, but I haven't ever seen anything that monitors programs that start on boot up.

On my list of windows annoyances is that there are too many ways for a program to load itself at boot time, several of them pretty hard to understand for people who aren't too computer savvy.

I have started putting the Startup Control Panel, by Mike Lin, on a lot of people's computers and it really makes it easier for them to control this crap. Plus, from time to time, someone actually gets a clue that huge amounts of stuff running in the background slows your computer down.

Transporter_ii

So wouldn't it be easier... (1)

raehl (609729) | more than 7 years ago | (#17959264)

This idea was discussed in considerable depth on various
anti-spam lists several years ago. Nearly all hosts on the
Internet talk to one mail server: the one designated for
mail submission from the network they're on. (s/one/few/
for networks large enough to have multiple SMTP gateways.)


Or you could just block all connections on port 25 to all servers other than the designated SMTP server for all computers on the network (unless, maybe, the owner of that computer asked nicely.)

Maybe I missed something: Whats new here? (2, Interesting)

jofny (540291) | more than 7 years ago | (#17956622)

The ability to block things by number/frequency/type/foo of connection attempts is pretty old... it's just not particularly useful in cases as open-ended as this (trying to block worm activity based on no other information than connection behavior). It seems someone here is, as usual, reporting on the rediscovery of the wheel. (Not to mention the fact that the fast moving DoS worm is out of fashion right now. The heat is too much for people looking for kicks and people looking to make money from it have better tools.)

Helloo.... (2, Informative)

idontgno (624372) | more than 7 years ago | (#17956634)

connectionless packet services? [wikipedia.org]

Or have we forgotten about SQL Slammer [nai.com] , which used a UDP vector?

Unless, with appropriate hand-waving, we are no longer talking about connections patterns and switching the discussion to packet-destination patterns. Which opens up other UDP-based legitimate applications to pre-emptive blockage. Imagine your lag rage when your antivirus whacks your MMO session.

Re:Helloo.... (1)

tepples (727027) | more than 7 years ago | (#17959220)

Imagine your lag rage when your antivirus whacks your MMO session.

Unless you, the administrator of the PC, have digitally signed the MMO's EXE to your antivirus program.

Quick best solution (1)

bendodge (998616) | more than 7 years ago | (#17956696)

A really simple solution to most virus problems is a good firewall. This project seems to be not much more than a glorified firewall with heuristics.

A firewall won't protect you much from the initial infection, but it will stop you from spreading the malware or becoming a spam-bot. A smart firewall could also accurately warn the user of suspicious activity, as evil connections are a much more reliable symptom to check than signatures.

A good idea, though not a 100% new one. (1)

mlts (1038732) | more than 7 years ago | (#17956856)

I'm not sure if this is a totally new idea or not, but any help with this is a positive thing. Watching a machine and trying to find signs of malware behavior isn't new. NAV and other programs already have heuristics built in.

What is needed is more of a "block all, allow only what is needed" policy rather than "permit all, find bad things, block them" which is a never-ending cycle. For example, unless an ISP's customer specifically requests it (and signs that he/she is fully responsible for any damage), a number of outgoing ports should be blocked by default (with obvious notice to the user on signup and in the ISP's help pages. For example, outgoing SMTP should be blocked, and the ISP will unblock it on user request as well as offer a mail server for authorized relaying.)

Maybe one idea is for programs (doesn't matter what OS) to have a manifest (which after installation is stored somewhere protected by the OS) of what ports the program will be using for incoming/outgoing connections. Program uses a port different from what is listed in its manifest, the connection either is blocked, or the user is prompted to manually add an ACL entry allowing it. If a program is updated to use more ports, the manifest can be changed (although an administrative user will need to allow the request.)

Re:A good idea, though not a 100% new one. (1)

element-o.p. (939033) | more than 7 years ago | (#17958400)

...what ports the program will be using for incoming/outgoing connections. Program uses a port different from what is listed in its manifest, the connection either is blocked, or the user is prompted to manually add an ACL entry allowing it...

Incoming, yes. Outgoing, no.

The reason why is that most software uses a range of ports for outgoing connections. For example, take an HTTP session. A web server typically listens on port 80 for HTTP requests. But, your web client (Mozilla, IE, Opera, etc.) can use *any* of the high-numbered/non-reserved ports for the outgoing web traffic. Furthermore, even your web server will spawn a new child process listening on a new port after negotiating the initial connection. Take a look at what's happening on my PC right now:

$ netstat -ep | egrep -i "(mozilla|firefox|80|http)"
<...snip...>
tcp 0 0 myhost:44595 mu-in-f104.google.:http ESTABLISHED mwallette 71522 10128/firefox-bin
tcp 0 0 myhost:44596 mu-in-f104.google.:http ESTABLISHED mwallette 71523 10128/firefox-bin
<...snip...>


Firefox is using ports 44595 and 44596 for outbound connections, but is talking to google on port 80 (http). This is so that your web browser can talk to multiple hosts. Each outgoing connection requires a unique socket, and each socket is a unique combination of IP address and port. Unless you have a unique combination of your IP address and port for each connection, you can't have a tab open to Google, another tab open to /. and another tab open to...well, I don't want to know what else you are browsing :) It gets even harder to filter applications based on IP Address/Port when you try to introduce a router doing Port Address Translation, since now there are multiple internal hosts with the source IP address/Port getting rewritten by the PAT router.

Re:A good idea, though not a 100% new one. (1)

mlts (1038732) | more than 7 years ago | (#17963828)

I stand corrected, and you are 100% right. A program that is connecting to another host can have pretty much what it wants as an outgoing port on its local box (for example, Firefox is outgoing on port 4480), what matters is what port the outgoing program is connecting to on the remote box. I should have clarified that.
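The manifest idea in this subthread, with element-o.p.'s correction applied (an outbound socket is matched on the port it connects to on the remote host, a listening socket on its local port, and the ephemeral local port of an outbound socket is ignored), worked through as an added Python example. This is not code from the thread; the netstat lines, program names, inode values and manifest entries are constructed samples laid out in the column order of `netstat -tep`.

```python
"""Checking live sockets against a per-program port manifest.

Added example, not code from the thread. The netstat lines, program names and
manifest entries below are constructed samples. The point it demonstrates: an
outbound connection's *local* port is ephemeral and carries no policy meaning,
so a manifest must be matched on the *remote* port for outbound sockets and on
the *local* port only for listening sockets.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the column layout of `netstat -tep` (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 myhost:44595 mu-in-f104.google.:http ESTABLISHED mwallette 71522 10128/firefox-bin
tcp 0 0 myhost:44596 mu-in-f104.google.:http ESTABLISHED mwallette 71523 10128/firefox-bin
tcp 0 0 myhost:51000 203.0.113.7:6667 ESTABLISHED mwallette 71600 10128/firefox-bin
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN root 1200 2200/httpd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN root 1201 2200/httpd
"""

# netstat prints well-known service names unless run with -n; map the ones we expect.
SERVICE_PORTS = {"http": 80, "https": 443}

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)"
    r"\s+(?P<user>\S+)\s+\d+\s+(?P<pid>\d+|-)/(?P<prog>\S+)$"
)


@dataclass(frozen=True)
class Socket:
    prog: str
    local_port: int
    remote_port: Optional[int]   # None for a listening socket (foreign port "*")
    state: str


def port_of(endpoint: str) -> Optional[int]:
    """'host:port' -> numeric port; rpartition keeps IPv6 literals intact."""
    _, _, port = endpoint.rpartition(":")
    if port == "*":
        return None
    return int(port) if port.isdigit() else SERVICE_PORTS[port]


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # header lines, '<...snip...>', other protocols
            continue
        sockets.append(Socket(m["prog"], port_of(m["local"]),
                              port_of(m["remote"]), m["state"]))
    return sockets


# Constructed manifest: what each program declared at install time.
MANIFEST: Dict[str, Dict[str, Set[int]]] = {
    "firefox-bin": {"outbound": {80, 443}, "listen": set()},
    "httpd":       {"outbound": set(),     "listen": {80}},
}


def check_manifest(sockets, manifest) -> List[Tuple[str, str]]:
    """Every socket the manifest does not permit, as (program, reason)."""
    violations = []
    for s in sockets:
        rules = manifest.get(s.prog)
        if rules is None:
            violations.append((s.prog, "no manifest entry"))
        elif s.state == "LISTEN":
            if s.local_port not in rules["listen"]:
                violations.append((s.prog, f"listens on {s.local_port}"))
        elif s.remote_port not in rules["outbound"]:
            violations.append((s.prog, f"connects to remote port {s.remote_port}"))
    return violations


def local_ports_used(sockets, prog) -> Set[int]:
    """Local ports of a program's outbound sockets: all different, none policy-relevant."""
    return {s.local_port for s in sockets if s.prog == prog and s.state != "LISTEN"}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("firefox local ports:", sorted(local_ports_used(socks, "firefox-bin")))
    for prog, why in check_manifest(socks, MANIFEST):
        print(f"VIOLATION {prog}: {why}")
```

On the constructed sample the browser's three outbound sockets use three different local ports but only two remote ports; the manifest flags the connection to remote port 6667 and the extra listener on 8443, and says nothing about 44595 or 44596. Behind a PAT router the same check has to run on the host itself, since the router sees rewritten source addresses and ports.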

Not new, sorry (0)

Anonymous Coward | more than 7 years ago | (#17956904)

"This paper gives an overview of Virus Throttling, a new technique to limit the damage caused by fast spreading computer worms and viruses. Rather than preventing a machine becoming infected, the technique prevents the virus propagating further from the infected machine. This addresses the two main ways that viruses cause damage: the spread of the virus will be slowed (less machines infected) and the traffic created by the virus will be reduced (less likely to overload network infrastructure)."

http://www.hpl.hp.com/techreports/2003/HPL-2003-69.html

Trivial to defeat this approach (1)

Xeger (20906) | more than 7 years ago | (#17957418)

Malware authors will just throttle the rate at which their software sends spam (or exploit payloads or whatever dirty work it happens to be doing).

Deploying this kind of detection will mitigate the spam problem somewhat by slowing down the propagation of spam -- but this isn't a silver bullet to stop malware.

New idea? (1)

Kazrath (822492) | more than 7 years ago | (#17957716)

This sounds more like a mutated form of spam greylisting than a completely new method of detection. And this packet watching by itself is going to have a very high false positive rate unless they are truly doing it in the method of spam greylisting which learns who is "okay" to receive packets from.

Now I suppose if this was designed to prevent an infected computer from sending packets out... wait, that's a firewall's job. I guess I don't understand the usefulness of this new feature unless it is designed to hinder users even further. AV software and their current methods are used because of the very low false positive rates. Most of the heuristic technologies by default are set at minimal settings because of the high false positive rates in these types of technologies.
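The Virus Throttling report cited in the "Not new, sorry" comment and the greylisting-style learning Kazrath asks for, combined in one added Python example that is neither code from the thread nor from HP's report. It is a simplified rendering of the working-set/delay-queue idea: connections to a small set of recently contacted destinations pass at once, each connection to a new destination waits in a queue that drains at a fixed rate, a queue longer than a threshold quarantines the host, and the quarantine is cancelled once the backlog drains (the "false alarm" case from the summary). Peers on an allowlist, the greylist-learned "okay" set, bypass the queue. Host names, timings and thresholds are constructed assumptions.

```python
"""Per-host throttle on connections to new destinations, with quarantine.

Added example, not code from the thread or from HP's report; a simplified
rendering of the working-set/delay-queue idea in one class. Host names,
timings and thresholds are constructed assumptions.
"""
from collections import OrderedDict, deque
from typing import Deque, Iterable, List, Tuple


class VirusThrottle:
    def __init__(self, working_set: int = 4, rate_per_sec: float = 1.0,
                 quarantine_len: int = 10, allowlist: Iterable[str] = ()):
        self.working_set = working_set
        self.interval = 1.0 / rate_per_sec   # seconds between releases of new peers
        self.quarantine_len = quarantine_len
        self.allow = set(allowlist)          # greylist-style "known good" peers
        self.recent: "OrderedDict[str, None]" = OrderedDict()  # LRU of destinations
        self.queue: Deque[str] = deque()     # new destinations waiting for release
        self.last_release = 0.0
        self.quarantined = False
        self.log: List[Tuple[float, str, str]] = []   # (time, dst, decision) audit trail

    def _remember(self, dst: str) -> None:
        self.recent.pop(dst, None)
        self.recent[dst] = None
        while len(self.recent) > self.working_set:
            self.recent.popitem(last=False)

    def _release(self, now: float) -> None:
        """Let one queued destination through per interval; lift quarantine once drained."""
        while self.queue and now - self.last_release >= self.interval:
            self.last_release += self.interval
            dst = self.queue.popleft()
            self._remember(dst)
            self.log.append((now, dst, "released"))
        if not self.queue:
            self.last_release = now      # no credit accumulates while idle
            self.quarantined = False     # backlog gone: cancel the quarantine

    def request(self, now: float, dst: str) -> str:
        """The host asks to connect to dst at time now. Returns pass/delayed/blocked."""
        self._release(now)
        if self.quarantined:
            decision = "blocked"
        elif dst in self.allow:
            decision = "pass"
        elif dst in self.recent:
            self._remember(dst)          # refresh LRU position
            decision = "pass"
        else:
            self.queue.append(dst)
            decision = "delayed"
            if len(self.queue) > self.quarantine_len:
                self.quarantined = True  # far more new peers than the rate allows
        self.log.append((now, dst, decision))
        return decision


def run(requests: Iterable[Tuple[float, str]], **kw) -> Tuple[VirusThrottle, List[str]]:
    """Feed (time, destination) pairs through a fresh throttle; return it and the decisions."""
    th = VirusThrottle(**kw)
    return th, [th.request(t, d) for t, d in requests]


# Constructed traffic patterns (not real captures).
BROWSER = [(float(t), "abc"[t % 3]) for t in range(12)]        # three sites, revisited
WORM = [(i / 100, f"10.0.0.{i}") for i in range(30)]             # 30 new hosts in 0.3 s
TRUSTED = [f"peer-{i}" for i in range(30)]                       # a learned set of peers
SWARM = [(i / 100, TRUSTED[i]) for i in range(30)]               # same burst, known peers

if __name__ == "__main__":
    for name, traffic, kw in [("browser", BROWSER, {}), ("worm", WORM, {}),
                              ("swarm", SWARM, {}), ("swarm+allowlist", SWARM, {"allowlist": TRUSTED})]:
        th, decisions = run(traffic, **kw)
        print(name, {d: decisions.count(d) for d in ("pass", "delayed", "blocked")},
              "quarantined:", th.quarantined)
```

The four runs show the trade-off the thread argues about: the browser pays a one-second delay for each of its three sites and is never bothered again; the scanning burst is quarantined after the eleventh new destination and the rest of it is dropped; a client talking to thirty distinct peers at once (molo's bittorrent case) is quarantined exactly like the worm unless those peers are in the allowlist, in which case every request passes. A worm that keeps below the release rate, as Xeger predicts, is only slowed to that rate and never quarantined; the throttle buys time, not a verdict.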

Bittorrent? (1)

molo (94384) | more than 7 years ago | (#17958604)

Hundreds of connections to many clients on the same set of ports? Sounds like someone is running a bittorrent client. They would have to only do this on a certain set of ports or something. Would block too much legitimate traffic otherwise.

-molo

Simple fix (2, Funny)

Quiet_Desperation (858215) | more than 7 years ago | (#17958826)

Hunt down the authors and cut their balls off. Publicly. People underestimate the visual deterrent power of a Bowie knife taken to some testicles.

Seriously, we need to start SOLVING problems in this world, and you don't solve problems without leaving at least a few asses in a well kicked state.

Sorry, but welcome to the human race.

mod 0p (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17958920)

Dim. If *BSD is

New? (1)

drolli (522659) | more than 7 years ago | (#17959270)

Excuse me, that is a "generic paper for gaining Attention" case.

Ingredients:

1) Old Method (heuristic approach, has been around since the 1980s and never worked)

2) Well known Countermeasure (Block outgoing ports)

3) Implication that false positives are not so bad as false negatives (cite from the link: "...cancel the quarantine in the event of a false alarm.", without a specification how to do that.)

4) A Newspaper reporter who obviously does not know anything about security

A Remark: Implementing this Method enables an escalation of some minor problem (e.g. when an attack target can be forced to make connections to other hosts) to a DOS.

Brillant! (0)

Schraegstrichpunkt (931443) | more than 7 years ago | (#17961194)

Cool! It's not every day that you get to witness the creation of a new DoS attack vector.

This technology will be toast as soon as somebody defaces Yahoo or some other popular home page---by adding a dozen or so IFRAMES to random http://hostport/ URLs---thus causing anyone "protected" by this system to drop off the Internet.

Re:Brillant! (0)

Anonymous Coward | more than 7 years ago | (#17963212)

Why do I never have mod points when I need them?? Mod this guy up!

Good IPS already use similar technology (0)

Anonymous Coward | more than 7 years ago | (#17962070)

You can check Radware and their IPS called DefensePro. You will see that they use what they call Behavioral DoS protection. So this is not really a new thing in the world of combating malware.

ping (1, Funny)

Anonymous Coward | more than 7 years ago | (#17962836)

so what if i DoS 127.0.0.1?

Simpler (1)

The Cisco Kid (31490) | more than 7 years ago | (#17965254)

Just evaluate the TCP packet signatures and identify MS platforms, and deny all traffic from it. Malware would stop dead in its tracks.