http://www.wired.com/news/technology/0,1282,48072,00.html

By Michelle Delio
2:00 a.m. Nov. 5, 2001 PST

Tools used to detect computer viruses and stop malicious hack attacks may not be as effective as they could be because they lack the human touch. Security experts contend that protecting computers from people-created plagues and problems requires technology based on human biology and behavior.

"Computers are the scapegoats of the modern age," said systems administrator David Young. "Computers never do bad things to people. But people often do really bad things to computers."

Help for those poor, beleaguered boxes is now available. Two new security programs use what science knows about humans' physical and psychological makeup to protect computers from people.

Harris' STAT Neutralizer stops humans from doing bad things to computers. A STAT-protected machine can't have its vital files deleted or altered, either purposely or by well-intentioned error. The computer simply won't allow it.

TASC's eDNA program identifies and stops malicious programs such as viruses in the same way that a human's DNA can be used to trace his or her genetic makeup back through the generations. eDNA does not rely on heuristic scanning as many antiviral programs do. Heuristic scanning looks for code patterns characteristic of known virus families in order to spot new or rewritten variants. eDNA digs deeper and ferrets out the old ancestral links, even if the program's code has been greatly altered.

"A person can be matched from his or her DNA no matter what makeup they are wearing or what body-altering surgery they have undergone," said David Sanders, head scientist at TASC. "Similarly, eDNA can identify version 3.2 of a virus or Trojan with a sample from version 1.0, just like a child can be identified and differentiated from all the other children in the neighborhood by a DNA sample from its father."
TASC's eDNA application was not originally designed to work against malicious code, but was intended to assist computer forensics examiners -- people who check computers to gather evidence used in legal investigations or criminal trials.

But as computer hard drives increase in size, forensics experts are faced with not only finding the proverbial needle in the haystack but also contending with a lot more hay. So Sanders' team set out to write a "data reduction" program that could quickly identify and remove "known" files -- typically system files and applications -- from the list of things that the examiner needed to look at.

Sanders' team used a two-step method to accurately ID all standard-issue files. Their program checked the file's size against the typical size of that application or file, and also used an MD5 hash, a technique that produces a digital fingerprint of a file or application.

Sounds foolproof, but as any programmer knows, two legitimate builds of the same program will produce entirely different MD5 fingerprints if their code differs by even a single byte, so a small programming change is enough to defeat a hash match. So Sanders and his team coded a program, now called eDNA, which examines and matches program code at a very primitive level. The idea was that once you had the basic "DNA" of a program, you should be able to identify all of its "parents" and "children."

"While we never really gave much thought to identifying malicious code during the eDNA project, after its completion we discovered that eDNA worked just as well against Trojans and viruses as it did any other code," Sanders said.

The team tested eDNA on the well-known Trojan "Back Orifice" (BO). After extracting BO's DNA, they turned eDNA loose. It easily found the "donor" program and also accurately recognized rewritten, altered versions of BO.

eDNA has also found previously unknown "parents" of malicious code.

"I remember one day we downloaded a Trojan known as Seek," said Joe Ailinger of TASC.
"After extracting its DNA, we ran eDNA to see if it could pick out Seek. To our horror, it not only picked out Seek but also identified two other programs, Girlfriend and Paradise, as being closely related despite there being no known link between them. We were sure eDNA was wrong. But upon further examination of these programs' code, we found that both Girlfriend and Paradise are derivatives of Seek. eDNA easily spotted the relationship."

After tests involving thousands of donor code files, eDNA has never falsely identified a code file as being related to the DNA donor nor has it missed matching a code file, according to Sanders.

"Putting on my scientific skeptic hat, I have to assume there is a false positive or missed match out there somewhere lurking in the darkness waiting to laugh at me, but I have yet to encounter it," Sanders said.

Currently, eDNA is being tested by several government agencies, but agency spokespeople said that beta testers would be unable to comment on specifics immediately.

"Anything that essentially gives investigators an infallible brain is useful," said an FBI agent who did not want to be identified. "We are quite aware that criminals and terrorists use malicious programs to gather intelligence and jam critical systems, and obviously we're familiar with DNA tracking -- eDNA extends that science to computers. It's a pretty neat idea."

Sanders also declined comment on what specific tests the government might be carrying out, although his experience is probably being put to good use. Sanders retired from the U.S. Army in 1997. He has over 16 years' experience as a Special Agent with Army Counterintelligence and has taught at the Army's Advanced Foreign Counterintelligence Training Course.

"I'd love to discuss specifics, but I really can't go there," Sanders said. "We are really sensitive about not making the bad guys smarter."
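The two-step known-file check described above (file size plus MD5 digest) and the reason it fails on a rebuilt binary, as an added Python example that is not TASC's eDNA code. The "known" file set, the candidate files and the one-byte edit are constructed for the demo. The byte n-gram similarity at the end is a generic, deliberately crude stand-in for "code-level" relatedness: the article does not say how eDNA actually matches code, so that measure is an assumption about the kind of comparison involved, not its method.

```python
"""Known-file reduction for forensic triage plus a crude relatedness score.
Added example, not TASC's eDNA. All sample files below are constructed."""
from __future__ import annotations

import hashlib

# Constructed stand-ins for "known" system files (name -> content).
KNOWN_FILES: dict[str, bytes] = {
    "libc.so.6": b"\x7fELF" + bytes(range(256)) * 4,
    "notepad.exe": b"MZ" + b"notepad-v1-original-build" * 8,
}


def fingerprint(data: bytes) -> tuple[int, str]:
    """The article's two-step ID: (size, MD5 hex digest).
    MD5 is kept to match the text; a modern hash set would use SHA-256."""
    return len(data), hashlib.md5(data).hexdigest()


KNOWN_SET = {fingerprint(d) for d in KNOWN_FILES.values()}


def reduce_candidates(candidates: dict[str, bytes]) -> dict[str, bytes]:
    """Drop every candidate whose (size, MD5) exactly matches a known file,
    leaving only what the examiner still has to look at."""
    return {name: d for name, d in candidates.items()
            if fingerprint(d) not in KNOWN_SET}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: 1.0 for identical content,
    still high after a small edit, near 0.0 for unrelated data.
    Assumption: a generic illustration of code-level matching, not eDNA's method."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not grams_a or not grams_b:
        return 0.0
    return len(grams_a & grams_b) / len(grams_a | grams_b)


def demo() -> dict:
    """Triage three constructed candidates from an imaginary disk image."""
    candidates = {
        # byte-for-byte copy of a known file: filtered out by the hash set
        "libc_copy": KNOWN_FILES["libc.so.6"],
        # same size as the known notepad, one byte changed: MD5 no longer matches
        "notepad_rebuilt": KNOWN_FILES["notepad.exe"].replace(b"v1", b"v2", 1),
        # unrelated content
        "suspicious.bin": b"\x00" * 64 + b"EVIL" * 8,
    }
    remaining = reduce_candidates(candidates)
    known_notepad = KNOWN_FILES["notepad.exe"]
    return {
        "remaining": sorted(remaining),
        "rebuilt_same_size": len(candidates["notepad_rebuilt"]) == len(known_notepad),
        "sim_rebuilt": ngram_similarity(candidates["notepad_rebuilt"], known_notepad),
        "sim_unrelated": ngram_similarity(candidates["suspicious.bin"], known_notepad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact copy of libc drops out of the work list, but the rebuilt notepad survives the filter even though its size is unchanged, because a single-byte edit changes the whole digest. The n-gram score still places it close to the known file, which is the gap the article says eDNA was written to close; a real tool would need a far more robust measure than byte n-grams, which a repacked or recompiled binary would defeat.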
Harris' STAT Neutralizer also defuses bad-guy or bad-code behavior, and even blocks good people or code that are innocently attempting to do bad things.

Neutralizer monitors everything that's going on in a system via electronic "agents." The agents allow "good" behavior, anything that a system should normally do, while blocking abnormal or "bad" behavior, such as sending e-mail to everyone in an e-mail program's address book, or making changes to the system software.

Since STAT Neutralizer blocks virus and Trojan activity rather than recognizing specific code, systems administrators don't have to take networks offline while they download, test, and install a new security patch.

Dr. Chris Feudo, the director of EDS's Global Information Assurance Group, a technical consulting firm, has tested STAT Neutralizer. Feudo said he is impressed with its ability to detect the computer viruses he set loose on the test system.

"STAT basically places a protective shell around the (operating system's) kernel," Feudo said. "It protects the kernel from being altered in any way by anyone who doesn't have explicit permission."

Some systems administrators were particularly interested in STAT Neutralizer's ability to protect computers from their users.

"Given a choice, I've learned that users will almost always choose entertainment over security. That's why e-mailed viruses promising glimpses of interesting material if you just 'click on the attachment' are so effective," said David Young, a systems administrator at a Manhattan publishing firm. "A product that protects the system from its users is a big step in the right direction."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Nov 06 2001 - 03:49:09 PST