back to article Zoom out for a view of malware, say boffins

One of the reasons malware gets past corporate defences is that a single HTTP request can look perfectly innocent. However, according to research to be presented at a security conference next week, those requests reveal themselves if the defender takes a “big picture” view. According to research to be presented at the Internet …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Nothing really new

This more ambitious approach, of looking for characteristic patterns in requests and data, has been used by top-end firewall manufacturers for at least 15 years and possibly longer. After all, it's the logical thing to do if you want to identify more attacks and thus have a chance of shutting them out, rather than having to clean up the damage afterwards.

However, like all "smart" software, I suspect it will turn out to have distinct limitations. The idea is somewhat similar, in the broadest terms, to that behind Web content filtering - and we know how well that works in practice. It always looks fairly straightforward, at first glance, to make software behave "intelligently" by making it carry out a set of rules. Trouble is, life tends to be a lot more complicated than any simple set of rules we can devise. There are exceptions, and the exceptions also have exceptions... and so on.

1
0
Bronze badge

Pretty much pointless

The malmongers will just adapt and enlarge their directory structures, add some JPG, PDF, etc. files to widen their range of filetypes and generally do whatever is necessary for business as usual.

0
0

nazca

http://en.wikipedia.org/wiki/Nazca_Lines

I see what they did there.

0
1
Anonymous Coward

Call me pedantic but...

... saying that it does not inspect content but takes MD5 hashes of the first few Ks is like saying that one does not watch adult movies but takes a look at the first five minutes... you know, just to see if they are one of these.

And by the way, doing this only makes malware writers to pad its malicious content with a few kilobytes of cat pictures at the beginning.

0
0
This topic is closed for new posts.

Forums