[ISN] Ferreting Out Virus 'DNA'

From: InfoSec News (isnat_private)
Date: Tue Nov 06 2001 - 02:01:34 PST


    http://www.wired.com/news/technology/0,1282,48072,00.html
    
    By Michelle Delio 
    2:00 a.m. Nov. 5, 2001 PST 
    
    Tools used to detect computer viruses and stop malicious hack attacks
    may not be as effective as they could be because they lack the human
    touch.
    
    Security experts contend that protecting computers from people-created
    plagues and problems requires technology based on human biology and
    behavior.
    
    "Computers are the scapegoats of the modern age," said systems
    administrator David Young. "Computers never do bad things to people.
    But people often do really bad things to computers."
    
    Help for those poor, beleaguered boxes is now available. Two new
    security programs use what science knows about humans' physical and
    psychological makeup to protect computers from people.
    
    Harris' STAT Neutralizer stops humans from doing bad things to
    computers. A STAT-protected machine can't have its vital files deleted
    or altered, either purposely or by well-intentioned error. The
    computer simply won't allow it.
    
    TASC's eDNA program identifies and stops malicious programs such as
    viruses in the same way that a human's DNA can be used to identify his
    or her centuries-old genetic makeup.
    
    EDNA does not rely on heuristic scanning as many antivirus programs
    do. Heuristic scanning looks for specific patterns of code associated
    with known viruses in order to spot new or rewritten viruses. EDNA digs
    deeper and ferrets out the old ancestral links, even if the program's
    code has been greatly altered.
    
    "A person can be matched from his or her DNA no matter what makeup
    they are wearing or what body altering surgery they have undergone,"
    said David Sanders, head scientist at TASC. "Similarly, eDNA can
    identify version 3.2 of a virus or Trojan with a sample from version
    1.0, just like a child can be identified and differentiated from all
    the other children in the neighborhood by a DNA sample from its
    father."
    
    TASC's eDNA application was not originally designed to work against
    malicious code, but was intended to assist computer forensics
    examiners -- people who check computers to gather evidence used in
    legal investigations or criminal trials.
    
    But as computer hard drives increase in size, forensics experts are
    faced with not only finding the proverbial needle in the haystack but
    also contending with a lot more hay. So Sanders' team set out to write
    a "data reduction" program that could quickly identify and remove
    "known" files -- typically system files and applications -- from the
    list of things that the examiner needed to look at.
    
    Sanders' team used a two-step method to accurately ID all
    standard-issue files. Their program checked the file's size against
    the typical size of that application or file, and also used "MD5
    hash," a technology that produces a digital fingerprint of a file or
    application.
    
    Sounds foolproof, but as any programmer knows, two legitimate copies
    of a program may produce different MD5 fingerprints from their code
    files because of small programming changes: even a one-byte difference
    yields an entirely different hash.
    
    So Sanders and his team coded a program, now called eDNA, which
    examines and matches program code at a very primitive level. The idea
    was that once you had the basic "DNA" of a program, you should be able
    to identify all of its "parents" and "children."
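The two-step size-plus-MD5 check described above, beside a byte n-gram similarity measure that survives a small patch, as an added example (not TASC's code; the article does not describe eDNA's actual matching, so the Jaccard-over-n-grams measure here is an assumed, illustrative substitute, and the sample "files" are constructed byte strings):

```python
"""Known-file reduction by (size, MD5) and a crude 'code DNA' similarity check."""
import hashlib

# Constructed stand-in for a "standard-issue" file: a header plus repeated text.
BASE = b"MZ\x90\x00" + b"push ebp; mov ebp, esp; call open_socket; call send_keys; ret" * 4

# Known-good set keyed the way the article describes: file size, then MD5 hash.
KNOWN_FILES = {(len(BASE), hashlib.md5(BASE).hexdigest()): "base_v1.0"}

def is_known(data: bytes) -> bool:
    """True only if both size and MD5 match a catalogued file (exact match)."""
    return (len(data), hashlib.md5(data).hexdigest()) in KNOWN_FILES

def ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping byte n-grams: an illustrative 'DNA' of the program bytes."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets; 1.0 means identical sets."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)

def related(candidate: bytes, donor: bytes, threshold: float = 0.6) -> bool:
    """Assumed threshold: call the candidate a 'child' of the donor above it."""
    return similarity(candidate, donor) >= threshold

# Constructed "version 1.1": one patched identifier, same size as the original.
PATCHED = BASE.replace(b"send_keys", b"send_kays", 1)
# Constructed unrelated file of the same size, so the size check alone cannot tell.
UNRELATED = bytes((i * 7 + 3) % 256 for i in range(len(BASE)))

if __name__ == "__main__":
    # Exact hashing flags the patched copy as unknown; the n-gram measure still
    # links it to its donor while scoring the unrelated file at zero.
    print(is_known(BASE), is_known(PATCHED))
    print(round(similarity(PATCHED, BASE), 2), round(similarity(UNRELATED, BASE), 2))
```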
    
    "While we never really gave much thought to identifying malicious code
    during the eDNA project, after its completion we discovered that eDNA
    worked just as well against Trojans and viruses as it did any other
    code," Sanders said.
    
    The team tested eDNA on the well-known Trojan "Back Orifice" (BO).
    After extracting BO's DNA, they turned eDNA loose. It easily found the
    "donor" program and also accurately recognized rewritten, altered
    versions of BO.
    
    EDNA has also found previously unknown "parents" of malicious code.
    
    "I remember one day we downloaded a Trojan known as Seek," said Joe
    Ailinger of TASC. "After extracting its DNA, we ran eDNA to see if it
    could pick out Seek. To our horror, it not only picked out Seek but
    also identified two other programs, Girlfriend and Paradise, as being
    closely related despite there being no known link between them. We
    were sure eDNA was wrong. But upon further examination of these
    programs' code, we found that both Girlfriend and Paradise are
    derivatives of Seek. EDNA easily spotted the relationship."
    
    After tests involving thousands of donor code files, eDNA has never
    falsely identified a code file as being related to the DNA donor nor
    has it missed matching a code file, according to Sanders.
    
    "Putting on my scientific skeptic hat, I have to assume there is a
    false positive or missed match out there somewhere lurking in the
    darkness waiting to laugh at me, but I have yet to encounter it,"
    Sanders said.
    
    Currently, eDNA is being tested by several government agencies, but
    agency spokespeople said that beta testers would be unable to comment
    on specifics immediately.
    
    "Anything that essentially gives investigators an infallible brain is
    useful," said an FBI agent who did not want to be identified. "We are
    quite aware that criminals and terrorists use malicious programs to
    gather intelligence and jam critical systems, and obviously we're
    familiar with DNA tracking -- eDNA extends that science to computers.
    It's a pretty neat idea."
    
    Sanders also declined comment on what specific tests the government
    might be carrying out, although his experience is probably being put
    to good use. Sanders retired from the U.S. Army in 1997. He has over
    16 years' experience as a Special Agent with Army Counterintelligence
    and has taught at the Army's Advanced Foreign Counterintelligence
    Training Course.
    
    "I'd love to discuss specifics, but I really can't go there," Sanders
    said. "We are really sensitive about not making the bad guys smarter."
    
    Harris' STAT Neutralizer also defuses bad-guy or bad-code behavior,
    and even blocks good people or code that are innocently attempting to
    do bad things.
    
    Neutralizer monitors everything that's going on in a system via
    electronic "agents." The agents allow "good" behavior, anything that a
    system should normally do, while blocking abnormal or "bad" behavior,
    such as sending e-mail to everyone in an e-mail program's address
    book, or making changes to the system software.
    
    Since STAT Neutralizer blocks virus and Trojan activity, systems
    administrators don't have to take networks offline while they
    download, test, and install a new security patch.
    
    Dr. Chris Feudo, the director of EDS's Global Information Assurance
    Group, a technical consulting firm, has tested STAT Neutralizer. Feudo
    said he is impressed with its ability to detect the computer viruses
    he set loose on the test system.
    
    "STAT basically places a protective shell around the (operating
    system's) kernel," Feudo said. "It protects the kernel from being
    altered in any way by anyone who doesn't have explicit permission."
    
    Some systems administrators were particularly interested in STAT
    Neutralizer's ability to protect computers from their users.
    
    "Given a choice, I've learned that users will almost always choose
    entertainment over security. That's why e-mailed viruses promising
    glimpses of interesting material if you just 'click on the attachment'
    are so effective," said David Young, a systems administrator of a
    Manhattan publishing firm. "A product that protects the system from
    its users is a big step in the right direction."
    
    ISN is currently hosted by Attrition.org



    This archive was generated by hypermail 2b30 : Tue Nov 06 2001 - 03:49:09 PST