
Making malware unprofitable: economics key to slowing hackers down

Two researchers take a look at blocking malware at the network level, and come …

On Friday, Stevens University hosted a Security and Privacy Day, organized in conjunction with Columbia University and IBM Research. Two of the speakers—one each from Stevens and Columbia—spoke in detail about the issues facing those who are trying to defend against malware. The take-home was pretty grim; it's simply easier for malware authors to mount an attack than it is to defend against one. But some degree of defense is possible, and that may be enough to secure at least some networks.

Stevens

Sven Dietrich of Stevens discussed the prospects for detecting the activity of botnets and tracing them back to their source. Early versions of networked malware followed a design similar to client-server, with standard point-to-point TCP connections back to a central controller. These were relatively simple to defend against. "That was easy, thinking back now," Dietrich reminisced, "although at the time, it didn't seem easy."

Malware writers' first adaptation was to use IRC communications to control the botnets, so that the network traffic looked legitimate and the controlling computers could hide behind the IRC servers. Since then, communications have moved off TCP entirely and into acknowledgment-free protocols such as UDP, and the content is often encrypted. Botnets now communicate on a peer-to-peer basis, either using common methods (Storm uses the eDonkey UDP protocol) or with custom code (as is the case with SpamThru).

Professor Dietrich thinks that these developments have made traditional anti-malware tactics largely ineffective. It's no longer realistic to expect to be able to identify controllers of botnets so that new instructions can be blocked or traced back to a source. The use of encryption to deliver payloads and instructions also makes it much harder to determine what a given botnet is up to.

Columbia

The encryption issue was the main focus of a talk by Salvatore Stolfo of Columbia University. Stolfo's focus is content-based anomaly detection; in practice, this means protecting computers by recognizing network traffic that could pose a threat before it reaches the computer, even in cases where the code doesn't match any existing malware signatures. Stolfo described a system, called Anagram, that generates a hash of a portion of the incoming traffic and checks it against known safe and malware signatures. Anything that's unknown gets sent to a "shadow server" where it is observed while running in a sandbox to evaluate its safety.

To work without an excessive number of false positives, however, this system requires that the malware hashes occupy a finite amount of space. This is where Stolfo's bad news comes in: malware writers are now compressing their payloads, and there are an immense number of ways to express a specialized decompression algorithm in about 30 bytes. Using a genetic (evolutionary) algorithm, he and his coworkers could easily produce millions of decompressors that showed no detectable pattern. He also described how some malware inserted safe-looking content (such as images) into the payload so that the typical hash generated by scanning them would indicate that they're safe.
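As an added example (not the Anagram code and not anything shown in the talks), the toy scorer below learns the byte n-grams of some constructed benign HTTP traffic, scores a payload by the fraction of n-grams it has never seen, and then shows the dilution the article describes when benign-looking bytes surround the suspect content; the sliding-window variant at the end is an added mitigation, not something the article attributes to Stolfo.

```python
# Toy content-based anomaly scorer in the spirit of n-gram detection.
# All training and test data below is constructed for this example.

def ngrams(data: bytes, n: int):
    """Yield every overlapping n-byte slice of data."""
    return (data[i:i + n] for i in range(len(data) - n + 1))

def train(samples, n: int = 3) -> set:
    """Collect the set of n-grams observed in known-good traffic."""
    known = set()
    for sample in samples:
        known.update(ngrams(sample, n))
    return known

def score(payload: bytes, known: set, n: int = 3) -> float:
    """Fraction of the payload's n-grams that never appeared in benign training data."""
    grams = list(ngrams(payload, n))
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in known)
    return unseen / len(grams)

def windowed_score(payload: bytes, known: set, n: int = 3, window: int = 32) -> float:
    """Worst (highest) score over sliding windows, so benign padding cannot
    average a short anomalous region away. Added mitigation, not from the talk."""
    if len(payload) <= window:
        return score(payload, known, n)
    return max(score(payload[i:i + window], known, n)
               for i in range(len(payload) - window + 1))

# Constructed benign training traffic: plain ASCII HTTP requests.
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pw=x",
]
KNOWN = train(BENIGN)

# Constructed stand-in for a compact binary stub: 64 high bytes never seen in training.
SUSPECT = bytes(range(0x80, 0xA0)) * 2

# The same 64 bytes buried inside a large amount of benign-looking content.
PADDED = BENIGN[0] * 10 + SUSPECT + BENIGN[1] * 10

if __name__ == "__main__":
    print("benign      :", score(BENIGN[0], KNOWN))          # 0.0
    print("suspect     :", score(SUSPECT, KNOWN))            # 1.0
    print("padded whole:", round(score(PADDED, KNOWN), 3))   # small: diluted
    print("padded max  :", windowed_score(PADDED, KNOWN))    # 1.0: still flagged
```

The whole-payload score of the padded message drops to a few percent, which is exactly the evasion the article warns about, while the windowed score still reaches 1.0 because some 32-byte window falls entirely inside the suspect region.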

Neither Dietrich nor Stolfo offered any suggestions on how to ensure security from the computer science perspective, but both suggested that cultural aspects of the current malware scene were key to future security. Dietrich pointed out that our success against earlier malware came in part because the hackers, both black- and white-hat, were willing to talk with computer scientists. Now, most malware is the product of organized crime networks, primarily based overseas. They're not talking to us and, unless we make some effort to understand their culture, Dietrich suggests that we're going to have a hard time combating them.

Stolfo thinks that we know enough about the culture to know one thing: it's all about the money. Even if we can't produce effective network security, we can at least make it more difficult and therefore expensive to attack a network by adopting some of the hackers' own techniques. He favors randomizing the use of a number of techniques for filtering content, so that individual malware vectors will sporadically stop working. By changing the challenge involved in compromising systems, the whole malware economy is changed. Stolfo also took a positively Darwinian view of how much change was needed, suggesting that security only had to be good enough to make someone else's system look like a more economical target.

Overall, the talks were pretty depressing, given that the operating systems and software we rely on will probably never be truly secure. The process of blocking malware that takes advantage of this insecurity appears to be entering the realm where true security has become one of those problems that requires massive amounts of computing power and an inordinate amount of time.
