September 29, 2009, 9:50 PM — It's nearly impossible for anti-virus protectors to keep up with the pace of malware – producing descriptions of what that malware looks or acts like – around the clock, especially with forty thousand new and unique malware instances every day. And things are only getting worse.
Despite the fact that malware wants to hide itself, let's argue that there are secure ways antivirus protectors could learn about all installations of software -- good and bad -- that any of their end-users perform. Let's also assume that they could easily collect other data from these machines and users: geographic location, social networking information, type of operating system, installed programs and configurations.
If they could collect this information, it would enable them to quickly identify new malware strains without even looking at the code.
How is this possible?
We'll argue that if you know the circumstances of software installations and executions, then you can often tell what kind of software it is without even looking at the code. This information can auto-inform antivirus protectors. It can be used to provide immediate advice to a client machine, which turns to the "centralized [malware] nervous system" to ask whether a particular piece of code is safe to install or not. Let me provide a few examples of how this could work.
Geographic location. Consider a sequence of installations of some unknown program, performed over a short period of time within a small geographic area. Malware installation patterns, seen as a function of time, typically do not have a strong geographic component. But wait! Some malware does -- for example, malware that spreads over Bluetooth or Wi-Fi channels, infecting machines close to them. Of course, if everybody in a large local company patched some software at once this would also show up as geographically correlated installations. But the same patch is likely to also be installed in many other places at the same time, and will not spread like rings on water.
Social graph. Now imagine a graph representing all the computers in the world, where two nodes are connected to each other if and only if the owners of the corresponding two machines know each other -- or, more practically, if one of them lists the other in his address book. In plotting installations of new software, does it seem to spread along the vertices (the connections between the nodes) of the graph? Several infamous types of malware (like the Melissa virus) did just that, since they spread using the address books of infected machines. We don't need to know what the software looks like or what it does to determine if it is good or bad -- we only need to look at the pattern of installations.
However, a legitimate application -- advertised on a social network and shared between friends -- will also spread along social connections. But consider the speed at which the Melissa virus spread: a moment after a machine was infected, 50 emails were sent out to people in the address list. No matter how much users love the app their friends told them about, everyone is not likely to act that fast. And while malware writers can artificially slow down their spreads to avoid automated detection, that action helps antivirus companies distribute patches in a timely manner.
Time. Automated patching occurs around the clock, and worms infect no matter what time of day. But a Trojan, for example, depends on its victim being awake – the user has to approve its installation. Roughly speaking, if the malware takes advantage of a machine vulnerability, it often will spread independently of the local time of the day (to the extent that people leave their machines on, of course), whereas malware that relies on human vulnerabilities will depend on the time of the day (as does most legitimate software).
Behavior. Malware typically behaves in a very static manner – either it uses the address book, or it does not; either it spreads over Bluetooth, or it does not; and so on. But legitimate software is different. Think of a game: a small number of enthusiasts play it, and tell their friends about it. Then, a local newspaper picks up a story about the game, and lots of people in the city where the newspaper is published – whether they know each other or not – start playing it. Some of them are in the same neighborhood, others are miles away from the closest person who also installed the game. The patterns change for many kinds of legitimate software, but not for typical malware.
Yield. This is the term used to measure the chances that a machine that could become infected actually does become infected. Or, for legitimate software, the chances that a person who is given the opportunity to install the software decides to do so.
