Information Security News mailing list archives

Ferreting Out Virus 'DNA'


From: InfoSec News <isn () c4i org>
Date: Tue, 6 Nov 2001 04:01:34 -0600 (CST)

http://www.wired.com/news/technology/0,1282,48072,00.html

By Michelle Delio 
2:00 a.m. Nov. 5, 2001 PST 

Tools used to detect computer viruses and stop malicious hack attacks
may not be as effective as they could be because they lack the human
touch.

Security experts contend that protecting computers from people-created
plagues and problems requires technology based on human biology and
behavior.

"Computers are the scapegoats of the modern age," said systems
administrator David Young. "Computers never do bad things to people.
But people often do really bad things to computers."

Help for those poor, beleaguered boxes is now available. Two new
security programs use what science knows about humans' physical and
psychological makeup to protect computers from people.

Harris' STAT Neutralizer stops humans from doing bad things to
computers. A STAT-protected machine can't have its vital files deleted
or altered, either purposely or by well-intentioned error. The
computer simply won't allow it.

TASC's eDNA program identifies and stops malicious programs such as
viruses in the same way that a human's DNA can be used to identify his
or her centuries-old genetic makeup.

EDNA does not rely on heuristic scanning as many antiviral programs
do. Heuristic scanning looks for specific patterns of code associated
with known viruses in order to spot new or rewritten viruses. EDNA digs
deeper and ferrets out the old ancestral links, even if the program's
code has been greatly altered.

"A person can be matched from his or her DNA no matter what makeup
they are wearing or what body altering surgery they have undergone,"
said David Sanders, head scientist at TASC. "Similarly, eDNA can
identify version 3.2 of a virus or Trojan with a sample from version
1.0, just like a child can be identified and differentiated from all
the other children in the neighborhood by a DNA sample from its
father."

TASC's eDNA application was not originally designed to work against
malicious code, but was intended to assist computer forensics
examiners -- people who check computers to gather evidence used in
legal investigations or criminal trials.

But as computer hard drives increase in size, forensics experts are
faced with not only finding the proverbial needle in the haystack but
also contending with a lot more hay. So Sanders' team set out to write
a "data reduction" program that could quickly identify and remove
"known" files -- typically system files and applications -- from the
list of things that the examiner needed to look at.

Sanders' team used a two-step method to accurately ID all
standard-issue files. Their program checked the file's size against
the typical size of that application or file, and also used "MD5
hash," a technology that produces a digital fingerprint of a file or
application.

Sounds foolproof, but as any programmer knows, two legitimate copies
of a program may produce slightly different MD5 hash fingerprints from
their code files, due to small programming changes.
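As an added illustration of the two-step known-file filter described above (this is not TASC's code; the "files" are constructed byte strings standing in for real binaries), the following indexes known files by (size, MD5 digest), drops exact matches from the examination list, and shows why a legitimate copy with one small change slips through:

```python
import hashlib

# Constructed stand-ins for "known" system files and applications
# (not real binaries); keyed by filename, value is the file content.
KNOWN_FILES = {
    "notepad.exe": b"MZ\x90\x00 constructed notepad build 5.0 \x00\x00",
    "kernel32.dll": b"MZ\x90\x00 constructed kernel32 build 5.0 \x00\x00",
}

# Constructed examination set: an exact copy of a known file, a copy
# with one byte changed (same size), and a file never seen before.
CANDIDATES = {
    "notepad.exe": KNOWN_FILES["notepad.exe"],
    "notepad_patched.exe": KNOWN_FILES["notepad.exe"].replace(b"5.0", b"5.1"),
    "mystery.bin": b"constructed unknown payload",
}


def fingerprint(data: bytes):
    """Two-step identity used for data reduction: file size plus MD5 digest."""
    return (len(data), hashlib.md5(data).hexdigest())


def build_known_set(known_files):
    """Index every known file by its (size, MD5) pair."""
    return {fingerprint(data) for data in known_files.values()}


def reduce_examination_list(candidates, known):
    """Return only the candidate names whose (size, MD5) is not a known file."""
    return [name for name, data in candidates.items()
            if fingerprint(data) not in known]


def same_size_different_hash(a: bytes, b: bytes) -> bool:
    """True when two files have equal size but different MD5 digests: the
    case that defeats exact-fingerprint matching (a copy with a tiny change)."""
    fa, fb = fingerprint(a), fingerprint(b)
    return fa[0] == fb[0] and fa[1] != fb[1]


if __name__ == "__main__":
    known = build_known_set(KNOWN_FILES)
    # The exact copy is filtered out; the patched copy and the unknown
    # file remain on the examiner's list.
    print("still to examine:", reduce_examination_list(CANDIDATES, known))
```

The patched copy survives the filter even though it differs by a single byte, which is the gap the article says motivated a looser, lineage-based match.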

So Sanders and his team coded a program, now called eDNA, which
examines and matches program code at a very primitive level. The idea
was that once you had the basic "DNA" of a program, you should be able
to identify all of its "parents" and "children."

"While we never really gave much thought to identifying malicious code
during the eDNA project, after its completion we discovered that eDNA
worked just as well against Trojans and viruses as it did any other code,"
Sanders said.

The team tested eDNA on the well-known Trojan "Back Orifice" (BO).
After extracting BO's DNA, they turned eDNA loose. It easily found the
"donor" program and also accurately recognized rewritten, altered
versions of BO.

EDNA has also found previously unknown "parents" of malicious code.

"I remember one day we downloaded a Trojan known as Seek," said Joe
Ailinger of TASC. "After extracting its DNA, we ran eDNA to see if it
could pick out Seek. To our horror, it not only picked out Seek but
also identified two other programs, Girlfriend and Paradise, as being
closely related despite there being no known link between them. We
were sure eDNA was wrong. But upon further examination of these
programs' code, we found that both Girlfriend and Paradise are
derivatives of Seek. EDNA easily spotted the relationship."

After tests involving thousands of donor code files, eDNA has never
falsely identified a code file as being related to the DNA donor nor
has it missed matching a code file, according to Sanders.

"Putting on my scientific skeptic hat, I have to assume there is a
false positive or missed match out there somewhere lurking in the
darkness waiting to laugh at me, but I have yet to encounter it,"
Sanders said.

Currently, eDNA is being tested by several government agencies, but
agency spokespeople said that beta testers would be unable to comment
on specifics immediately.

"Anything that essentially gives investigators an infallible brain is
useful," said an FBI agent who did not want to be identified. "We are
quite aware that criminals and terrorists use malicious programs to
gather intelligence and jam critical systems, and obviously we're
familiar with DNA tracking -- eDNA extends that science to computers.
It's a pretty neat idea."

Sanders also declined comment on what specific tests the government
might be carrying out, although his experience is probably being put
to good use. Sanders retired from the U.S. Army in 1997. He has over
16 years experience as a Special Agent with Army Counterintelligence
and has taught at the Army's Advanced Foreign Counterintelligence
Training Course.

"I'd love to discuss specifics, but I really can't go there," Sanders
said. "We are really sensitive about not making the bad guys smarter."

Harris' STAT Neutralizer also defuses bad guy or bad code behavior,
and even blocks good people or code that are innocently attempting to
do bad things.

Neutralizer monitors everything that's going on in a system via
electronic "agents." The agents allow "good" behavior, anything that a
system should normally do, while blocking abnormal or "bad" behavior,
such as sending e-mail to everyone in an e-mail program's address
book, or making changes to the system software.

Since STAT Neutralizer blocks virus and Trojan activity, systems
administrators don't have to take networks offline while they
download, test, and install a new security patch.

Dr. Chris Feudo, the director of EDS's Global Information Assurance
Group, a technical consulting firm, has tested STAT Neutralizer. Feudo
said he is impressed with its ability to detect the computer viruses
he set loose on the test system.

"STAT basically places a protective shell around the (operating
system's) kernel," Feudo said. "It protects the kernel from being
altered in any way by anyone who doesn't have explicit permission."

Some systems administrators were particularly interested in STAT
Neutralizer's ability to protect computers from their users.

"Given a choice, I've learned that users will almost always choose
entertainment over security. That's why e-mailed viruses promising
glimpses of interesting material if you just 'click on the attachment'
are so effective," said David Young, a systems administrator of a
Manhattan publishing firm. "A product that protects the system from
its users is a big step in the right direction."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.