One of the reasons malware gets past corporate defences is that a single HTTP request can look perfectly innocent. However, according to research to be presented at a security conference next week, those requests reveal themselves if the defender takes a “big picture” view. According to research to be presented at the Internet …
Nothing really new
This more ambitious approach, of looking for characteristic patterns in requests and data, has been used by top-end firewall manufacturers for at least 15 years and possibly longer. After all, it's the logical thing to do if you want to identify more attacks and thus have a chance of shutting them out, rather than having to clean up the damage afterwards.
However, like all "smart" software, I suspect it will turn out to have distinct limitations. The idea is somewhat similar, in the broadest terms, to that behind Web content filtering - and we know how well that works in practice. It always looks fairly straightforward, at first glance, to make software behave "intelligently" by making it carry out a set of rules. Trouble is, life tends to be a lot more complicated than any simple set of rules we can devise. There are exceptions, and the exceptions also have exceptions... and so on.
Pretty much pointless
The malmongers will just adapt and enlarge their directory structures, add some JPG, PDF, etc. files to widen their range of filetypes and generally do whatever is necessary for business as usual.
I see what they did there.
Call me pedantic but...
... saying that it does not inspect content but takes MD5 hashes of the first few Ks is like saying that one does not watch adult movies but takes a look at the first five minutes... you know, just to see if they are one of these.
And by the way, doing this only makes malware writers pad their malicious content with a few kilobytes of cat pictures at the beginning.