Skip to main content

Looking for malware in all the wrong places?

Anti-virus products scan for malware in two ways. They look for sequences of bits that are found in programs that are known to be bad (but which are not commonly found in good programs). And they run programs in sandboxes and look for known malicious actions. The first approach only catches known malware instances, while the second can also catch variants of these. Still, many malware agents slip through the cracks undetected... until the rules of the anti-virus programs are updated, that is. It is a constant battle between the attackers and the defenders.
Instead of looking for known patterns -- whether of instructions and data, or of actions -- wouldn't it be great if we could look for anything that is malicious? That may sound like a pipe dream.
Not to me.
Let me tell you why. But first, let's agree about some things.
1) There are absolutely only three things malware can do when you scan for it. One: be active in RAM, maybe trying to interfere with the detection algorithm. Two: not be active in RAM, but store itself in secondary storage. It cannot interfere with the detection algorithm then, quite obviously. And option number three: erase itself.
2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?
Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free. Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten. It could store those random bits somewhere else instead... like in secondary storage.
Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean. Or there could be malware in RAM, and the checksum will be wrong. The external verifier would notice and conclude that the device must be infected. Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies. That would result in the right checksum... but a delay. This delay would be detected by the external verifier, which would conclude that the device is infected.
Why a delay, you ask? Because secondary storage is slower than RAM. Especially if the order of the reads and writes are done in a manner that intentionally causes huge delays if diverted to flash, hard drives, etc.
All we need is the help of an external verifier that knows how much RAM a device we want to protect has, and how fast its processor is. And ways to avoid latency variance when we measure the time to compute the checksum.
This tells us a few interesting things. We can guarantee detection of malware. And that includes zero-day attacks and rootkits. We can even guarantee that we will detect malware that infected a device before we installed our detection program. Think about it. Or read more here and here.
Labels:

Comments

Post a Comment

Popular posts from this blog

Email On Deck: A disposable email address that works

Today, Team Inforpioneer brings an interesting Email service for our reader which will definitely help our readers to improve their internet security and will benefit in some other ways.  Here is a short description of this service.  EmailOnDeck.com is the premier site for all things relating to temporary, disposable and throwaway email addresses. We want to help you avoid SPAM, protect your online privacy, and stop you from having to give away your personal email address to every company and person on the internet who insists on you giving it to them. We work hard and will continue to work hard to give you a disposable email address that works with any site or app. We hope to help give you back the control of deciding who you want to give your personal info to. Temporary emails are perfect for any transaction where you want to improve your online privacy. Use them when you buy or sell Bitcoins or trade cryptocurrency, at exchanges, or locally. They can be used for QA tes...
1 comment
Read more

SEO Optimizing A Website For Improved Value

SEO or search engine optimization is something that every web owner and creator should be aware of. Even if a website owner hires an expert to carry out the online marketing, understanding the very basics and how it really can improve a websites performance and popularity is important. Simply put, optimizing a website is important and is built around keywords that are valuable to a website and to the products or services it is trying to provide. By focusing on main keywords or key phrases for a business, and expanding on them over time, can improve the amount of visitors a website receives, in turn increasing profits or simply improving its popularity if it is an information website. SEO is valuable, and means a way of making a site appear at a higher ranking in search engines such as Google, Yahoo, AOL etc. Using this important type of online marketing can reap great benefits. It takes time to learn and time to complete, and is a constant job to keep a website performing well above co...
Post a Comment
Read more

Dr. Elmi Zulkarnain Osman. The Award Winning Trainer With The Right Humour.

Dr. Elmi Zulkarnain Osman – an award-winning educator, a popular corporate trainer and a highly paid Malay English Language Coach started his career as a teacher in a government school in Singapore before becoming a lecturer in a government-based institute. Throughout his career with the Singapore Public Service, Dr. Elmi has already been acknowledged as an accomplished public speaker and a motivational speaker known for his high energy delivery and humorous approach. He is also well known in the grassroots circle as an experienced Chief Facilitator and an accomplished Forum Moderator. Upon completing his PhD in Educational Leadership with Trident University International in 2018, he and a few like-minded friends decided to set up Elemantra Training Consultancy. A consultancy that has been delivering their promise to deliver an “enriching experience every time”. As the CEO and Principal Trainer at Elemantra Consultancy, Dr. Elmi is very much known for his exceptional communication ...
2 comments
Read more