Malware bites

Aug 15, 2013

Signature-based antivirus software running on your computer has one big weak point: if a new virus is released before the antivirus provider knows about it, or before the next scheduled signature update reaches your machine, your system can be infected. Such zero-day infections are common.

However, a key recent development in antivirus software is to incorporate built-in defences against viruses and other computer malware for which they have no prior knowledge. These defences usually respond to unusual activity that resembles the way viruses behave once they have infected a system. This so-called heuristic approach combined with regularly updated antivirus will usually protect you against known viruses and even zero-day viruses. However, in reality, there are inevitably some attacks that continue to slip through the safety net.

Writing in a forthcoming issue of the International Journal of Electronic Security and Digital Forensics, researchers at the Australian National University in Acton, ACT, and at the Northern Melbourne Institute of TAFE, jointly with the Victorian Institute of Technology in Melbourne, Victoria, have devised an approach to virus detection that acts as a third layer on top of signature scanning for known malware and heuristic scanning.

The new approach applies a data mining algorithm to identify malicious code on a system. The anomaly it detects is based predominantly on the rate at which various operating system functions are being "called", rather than on what the code looks like on disk. In the team's initial tests the method achieved an almost 100% detection rate with a false positive rate of 2.5% when spotting embedded malicious code that is still in "stealth mode", that is, present on the system but not yet activated for its particular malicious purpose. A 2.5% false positive rate means roughly one clean program in forty would be flagged, which is why such a layer is a supplement to, not a replacement for, the signature and heuristic layers beneath it.
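To make the idea concrete, here is an added example, not the authors' code, of classifying a process by the rate at which it calls operating-system functions. The monitored API names, the traces, their labels and the classifier itself (a nearest-centroid model over length-normalised call-rate vectors) are all constructed stand-ins for the paper's data set and its supervised learning algorithms; the only thing taken from the article is the feature: calls per second per OS function, rather than raw counts.

```python
"""Added example (not the paper's code): supervised classification of a process
trace from the rate at which it calls monitored OS functions.

API names, traces, labels and the classifier are constructed for illustration.
"""
import math
from collections import Counter

# Monitored OS functions (constructed list; a real monitor hooks many more).
API = ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateRemoteThread",
       "WriteProcessMemory", "VirtualAllocEx", "connect", "Sleep"]


def call_rates(trace, wall_seconds):
    """One feature per API: calls per second observed in the trace."""
    counts = Counter(trace)
    return [counts[a] / wall_seconds for a in API]


def unit(v):
    """Scale a vector to length 1 so a busy process cannot dominate a quiet one."""
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v] if n else v


def cosine(a, b):
    return sum(x * y for x, y in zip(unit(a), unit(b)))


def train(samples):
    """Nearest-centroid model: mean of the unit call-rate vectors per label."""
    model = {}
    for label in ("benign", "malicious"):
        vecs = [unit(call_rates(t, s)) for t, s, l in samples if l == label]
        model[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return model


def score(model, trace, wall_seconds):
    """Positive score: the trace sits closer to the malicious centroid."""
    v = call_rates(trace, wall_seconds)
    return cosine(v, model["malicious"]) - cosine(v, model["benign"])


def classify(model, trace, wall_seconds):
    return "malicious" if score(model, trace, wall_seconds) > 0 else "benign"


def evaluate(model, samples):
    """Return (detection rate, false positive rate) over labelled samples."""
    tp = fp = n_mal = n_ben = 0
    for trace, secs, label in samples:
        verdict = classify(model, trace, secs)
        if label == "malicious":
            n_mal += 1
            tp += verdict == "malicious"
        else:
            n_ben += 1
            fp += verdict == "malicious"
    return tp / n_mal, fp / n_ben


def make_trace(counts):
    """Expand {api: n} into a flat list of calls (constructed sample data)."""
    return [api for api, n in counts.items() for _ in range(n)]


# Constructed training traces: (calls, seconds observed, label).
TRAIN = [
    (make_trace({"CreateFileW": 40, "WriteFile": 300, "Sleep": 5}), 60, "benign"),
    (make_trace({"CreateFileW": 20, "WriteFile": 120, "RegSetValueExW": 2, "Sleep": 10}), 60, "benign"),
    (make_trace({"WriteFile": 50, "connect": 3, "Sleep": 20}), 60, "benign"),
    # process injector: allocate, write, start a thread in another process
    (make_trace({"VirtualAllocEx": 4, "WriteProcessMemory": 40, "CreateRemoteThread": 4, "connect": 2}), 10, "malicious"),
    # dormant implant: persistence writes plus a steady beacon, nothing else yet
    (make_trace({"RegSetValueExW": 30, "connect": 60, "Sleep": 60}), 60, "malicious"),
    (make_trace({"VirtualAllocEx": 10, "WriteProcessMemory": 100, "CreateRemoteThread": 10, "Sleep": 5}), 5, "malicious"),
]

# Constructed held-out traces used to measure detection and false positives.
TEST = [
    (make_trace({"CreateFileW": 30, "WriteFile": 200, "Sleep": 8}), 60, "benign"),
    (make_trace({"CreateFileW": 10, "WriteFile": 60, "connect": 30, "Sleep": 30}), 60, "benign"),
    (make_trace({"RegSetValueExW": 20, "connect": 40, "Sleep": 120}), 120, "malicious"),
    (make_trace({"VirtualAllocEx": 1, "WriteProcessMemory": 10, "CreateRemoteThread": 1, "Sleep": 2}), 2, "malicious"),
]

MODEL = train(TRAIN)

if __name__ == "__main__":
    for trace, secs, label in TEST:
        print(f"{label:>9} -> {classify(MODEL, trace, secs):>9}  score={score(MODEL, trace, secs):+.3f}")
    print("detection rate, false positive rate:", evaluate(MODEL, TEST))
```

Two points worth noticing. Using rates and unit vectors, rather than raw counts, is what lets a two-second injection burst and a two-minute dormant beacon be compared on the same footing; the third test trace, which only touches the registry and beacons, is classified as malicious purely because its call mix resembles the dormant implant in training, which is the "stealth mode" case the article describes. The perfect result on four hand-picked traces says nothing about real-world accuracy, and an attacker who can run the same model locally can tune call rates until a sample lands on the benign side of the boundary, which is the evasion concern raised in the comments below.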

"Securing computer systems against new diverse malware is becoming harder since it requires a continuing improvement in the detection engines," the team of Mamoun Alazab (ANU) and Sitalakshmi Venkatraman (NMIT) explain. "What is most important is to expand the knowledgebase for security research through anomaly detection by applying innovative pattern recognition techniques with appropriate machine learning algorithms to detect unknown malicious behaviour."


More information: Alazab, M. and Venkatraman, S. (2013). Detecting malicious behaviour using supervised learning algorithms of the function calls. International Journal of Electronic Security and Digital Forensics, 5(2), 90. DOI: 10.1504/IJESDF.2013.055047


User comments : 17


antialias_physorg
1 / 5 (2) Aug 15, 2013
Sounds good at first - but there is one fatal flaw with the idea:

Malware producers aren't stupid. They TEST their malware on computers where the latest versions of antivirus software are installed. There's no use fielding malware if you know it's not going to work. So they'll only release software when it's in a state which is currently not detectable.

(Actually this has given me an idea: if you want to identify a malware producer you'd probably be best off searching for someone who regularly pulls updates for ALL major antivirus suites on the market. No normal user would do that.)
MikeBowler
not rated yet Aug 15, 2013
(Actually this has given me an idea: if you want to identify a malware producer you'd probably be best off searching for someone who regularly pulls updates for ALL major antivirus suites on the market. No normal user would do that.)


If you did this you would be labeling lots of innocent computer users as producers of malicious programs/code.
antialias_physorg
2 / 5 (4) Aug 15, 2013
If you did this you would be labeling lots of innocent computer users as producers of malicious programs/code.

Don't confuse correlation with causation. If someone were suspected of being a malware producer one could use this as circumstantial evidence. One could NOT use this to ascertain that someone were a malware producer in the first place.
Newbeak
1 / 5 (1) Aug 15, 2013
I use a free sandboxing program called Sandboxie when surfing or trying out software. Keeps the baddies in a box till you delete it, and I haven't had malware problems in I don't know how long. Here's the website link: http://www.sandboxie.com/
Newbeak
1 / 5 (1) Aug 15, 2013
Oh, and I also run Avast! as well, which is handy to test downloaded programs I want to test-run.
antialias_physorg
not rated yet Aug 16, 2013
I use a free sandboxing program called Sandboxie

Don't trust too much in sandboxes. They can be circumvented.
A rootkit will make short work of them (and your antivirus software) to a degree that you won't even notice anything is wrong.

There are also several videos on YouTube that show you how easily you can bypass sandbox protection.
It's a neat idea - but not foolproof (and by now the bypass methods are, unfortunately, included as an almost de facto standard in most malware.)

I used to have sandboxie, too. Nowadays it just slows the machine down as all browsers (and all firewalls) have sandbox features. Using two sandboxes doesn't make the system more secure (if anything it makes it less secure)
Newbeak
1 / 5 (1) Aug 16, 2013
Interesting. I have posted a question about this on the Sandboxie website forum. Maybe Tzuk will answer it. I have been fortunate if what you are saying is true, and have managed to avoid rootkit infections so far. Do you have to download rootkits, or can you be infected just by visiting an infected website?
dtxx
1.7 / 5 (6) Aug 16, 2013
When you visit a purposefully malformed website it can very easily send malicious code to your operating system. It's called a drive-by download. Ad banners are one way this happens. Let's say I buy a banner on a non-malicious site, like this one. Typically the advertisers host the banners themselves, so that's a way I could get malicious code onto an otherwise harmless site.
Newbeak
1 / 5 (1) Aug 17, 2013
I am confused now, but then I know next to nothing about computer programming. I found an old exchange on the Sandboxie forum that suggests that Icesword is NOT able to execute if it has only been run in a sandboxed environment. If it has previously been opened outside the sandbox, it can launch successfully IN the sandbox: http://sandboxie....ghlight= (pay particular attention to the post dated Tue Nov 08, 2005 10:34 pm) See also: http://www.wilder...t=105850
In summary, if I ONLY surf WHILE SANDBOXED, in theory any malicious code cannot run outside my sandbox, unless I allow it to do so.
meBigGuy
1 / 5 (1) Aug 18, 2013
@antialias
I don't understand how you think that you can easily get rooted through a sandbox. I would think that only the virtual disk gets rooted. The sandbox doesn't have access to areas you haven't intentionally shared. I run VirtualBox Windows under Linux (not for security). Explain to me how the Windows malware executable roots my Linux machine. Now, if someone exploits a bug in the sandbox, of course they can do bad stuff. Or if the main OS has already been rooted, that's a completely different scenario.

Anyway, anything that provides more information for early detection is OK by me. Nothing is perfect, but more detections is better.
dtxx
1 / 5 (4) Aug 18, 2013
The underlying operating system is still vulnerable because there will always be flaws in the code used to create the sandbox. Take Chrome's sandbox for example. Google has plenty of resources to spend on developing secure code (way more than boxie), but every time they hold a contest with a cash prize for someone to break out of the sandbox with malicious code, they always do.

As for running a Linux VM sandboxed on Windows, sure it's a good idea, but far from foolproof. Once the sandbox is broken the malware can connect back to its command and control server and download exploits for whatever OS is running underneath.

Every new security advance is tirelessly attacked, and the prize for a criminal with a zero day exploit can be lots of cash. Take ASLR - address space layout randomization. Most malware involves writing bad stuff to RAM, and ASLR randomizes how RAM is written to. It was supposed to be a panacea against certain types of attacks, but it was quickly defeated.
Newbeak
3 / 5 (2) Aug 18, 2013
Well, I guess I am lucky. I haven't had any problems in 6 years using Sandboxie, so I must be doing something right!
dtxx
1 / 5 (5) Aug 18, 2013
Well, I guess I am lucky. I haven't had any problems in 6 years using Sandboxie, so I must be doing something right!


Hey, good for you. Way to go. But how do you really know you haven't acquired stealth malware?

Sandboxie bulletproof? Nope. An example for you, the cross-platform vulnerability CVE-2012-0217 affects your sandbox.

Good luck out there ;)
dtxx
1 / 5 (5) Aug 18, 2013
Well, I guess I am lucky. I haven't had any problems in 6 years using Sandboxie, so I must be doing something right!


Are you shilling as well?
meBigGuy
1 / 5 (1) Aug 19, 2013
A number of things are in your favor if you sandbox, especially if the underlying OS is different from what's running in the sandbox. To think or say otherwise is ridiculous. Playing word games.

No system is 100% safe, or even close. Read the test data at AV-Comparatives. AV Software can't even protect you against what is already known. Run in a sandbox and you isolate the infection, most of the time.

There simply are not as many sandbox breaking malware programs. You need to exploit the sandboxed OS to get to the sandbox, and then the sandbox, and then the underlying OS.
There are simply not enough targets to make that a mainstream/widespread problem.

My question for dtxx would be how many infections he got in the sandboxed OS. If he didn't get any, then it did him no good.
antialias_physorg
not rated yet Aug 19, 2013
Here's a video
http://www.youtub...sLM6E6wo
(No sound, but it's pretty easy to follow what he's doing.)

1) He's installing several types of rootkits/malware (a rootkit, a backdoor, and 3 types of trojans)
2) Checking whether antivirus software finds them (nope)
3) Watching via Comodo (a good firewall) process monitor what happens:
The rootkit/malware disables all Sandboxie processes (although you may notice that it's still displayed as active in the taskbar)
Any process started has direct access to the computer (even though it is displayed as nominally sandboxed)

Game over.

That said: sandboxes aren't a BAD idea. It's good that your browser has one. But I wouldn't trust in them too much.
Newbeak
1 / 5 (1) Aug 19, 2013
I again refer back to the Sandboxie forum I posted a link to earlier. If you look at the last post, it does suggest Sandboxie will prevent rootkits from running in the sandbox, but you have to be very careful how you proceed: http://sandboxie....ghlight=