The Death of the Virus

Yet again, New Scientist shows us the way to put ourselves out of business. (Yippee, retirement at last!)

Years ago on alt.comp.virus, someone came up with an astonishing solution to the virus problem. Since all virus detection is signature-based (ahem! really?), why not generate all the possible malware signatures proactively, so that viruses would be detected before they’re written? I did try to explain the difficulties of that approach at the time, but I was handicapped by gales of helpless laughter that seriously impaired my typing.

Now those tremendously clever chaps at Qinetiq have invented a whole new wheel. They’re in the process of patenting a process that will “intercept every file that could possibly hide a virus” (cool: they could call it something like, oh I don’t know, generic filtering…) and “add a string of computer code to it” (another cool idea: perhaps they could call it “immunization”). Not just any computer code, but (gasp) machine code (please stop tittering at the back there) which will be inserted into the file headers to stop it executing, in the event of its turning out to be a program. If it isn’t a program, apparently the code will have no effect (I’m sure we can assume that no application worth having will be confused by having alien code inserted into data file headers…) If it is a program, it will either be stopped in its tracks or sent into an infinite loop. Would that be an infinite binary loop, then? I guess they’re borrowing some code from Good Times.
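An added example (not part of the original post, and not Qinetiq's code) that tests the "no effect on data files" claim. It assumes a two-byte x86 jump-to-self as the inserted stub and uses a constructed PNG and ZIP: a strict PNG reader rejects the modified file, while Python's zipfile still reads the archive because ZIP is located from the end of the file.

```python
import io
import struct
import zipfile
import zlib

# Assumption: a 2-byte x86 "jump to self" stands in for the inserted machine
# code; the article does not say which bytes the patented process would use.
STUB = b"\xEB\xFE"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(kind, data):
    # PNG chunk layout: length, type, data, CRC32 over type+data.
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))

def make_png():
    # Constructed sample: a valid 1x1 greyscale PNG.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

def make_zip():
    # Constructed sample: a ZIP archive with one small text member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "hello")
    return buf.getvalue()

def png_ok(blob):
    # Strict reader: signature at offset 0, then CRC-checked chunks up to IEND.
    if not blob.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        end = pos + 12 + struct.unpack(">I", blob[pos:pos + 4])[0]
        if end > len(blob) or zlib.crc32(blob[pos + 4:end - 4]) != struct.unpack(">I", blob[end - 4:end])[0]:
            return False
        if blob[pos + 4:pos + 8] == b"IEND":
            return True
        pos = end
    return False

def zip_ok(blob):
    # ZIP readers find the central directory from the END of the file.
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read("note.txt") == b"hello"
    except zipfile.BadZipFile:
        return False

def survey():
    # For each format: (parses before stub, parses after stub is prepended).
    samples = {"png": (make_png(), png_ok), "zip": (make_zip(), zip_ok)}
    return {name: (ok(blob), ok(STUB + blob)) for name, (blob, ok) in samples.items()}
```

Calling `survey()` shows that the outcome depends entirely on the file format, so "no effect" cannot be assumed for data files in general.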

Apparently this countermeasure will be introduced onto mailservers, on account of all those pesky attachments. Presumably, once this is implemented as an actual product, they’ll resume work on eliminating the millennium bug before they start on Trojans.

Originally, I was planning to insert a few satirical comments here. But somehow it seems like redundant effort.

Tip of the hat to @DaleInnis for drawing my attention to this gem.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/


6 Responses to “The Death of the Virus”

  1. Nicola Cowie says:

    Ah! more TOAST!

  2. Dirk says:

    One presumes this will work on my ARM based mail server, oh and I *still* have some AIX boxes running exim as well.

  3. Hello,

    I guess INT 03h is the new MZ.

    Regards,

    Aryeh Goretsky

  4. [...] was rather scathing recently in a blog for AVIEN (the Anti-Virus Information Exchange Network) about a New Scientist report that described [...]

  5. [...] John Leyden cited my previous blog on the topic here referring to my job at ESET, I thought it best to continue the discussion there. [...]

  6. [...] in New Scientist, are laughable.  I was going to viciously mock them but it turns out David Harley beat me to it.  He added less sarcastic commentary [...]
