In an earlier post we talked about how malware is built to morph or change to avoid detection. This time we’ll look at what security firms are doing about it.
The short answer is heuristics or self-educating computer programs.
Heuristic programs essentially profile a computer system and flag programs or operations that look like a virus. Over time, the software learns how the user uses her system, what kinds of programs are allowed, and, of the flagged operations, which ones are actual threats. It’s an automated way for a computer to track its own “behavior.” It builds a profile of itself.
To see how complicated this is, download Microsoft Sysinternals. This developer tool displays every program and library running on a Windows system. What you’ll see is somewhat shocking. Even with all your programs closed—such as Word, Chrome, email client—there are still 40 or 50 programs running in the background. These programs—which are attached to dozens of libraries—keep Windows afloat. Different processes call up the most popular libraries, which create a flow of information that lets your mouse scroll and keyboard click.
This sounds good, and it often works well too. But the drain on system resources—system power—is very real. A more powerful computer isn’t always the answer, either. A user with the latest system out there is likely running resource-intensive programs that compete with the heuristic scan. The more you do, the more you have to scan. It’s a vicious cycle.
So what’s the takeaway? It’s simple: Code-morphing is powerful enough to defeat many software protection tools. It takes time for bad software to be detected. It’s good to know what these programs do, but they’re too impractical for most users.
Our computer systems are never really secure, so it’s good to think of security as a process rather than a product. It’s a journey with a steep learning curve. That could be a hard message to hear, but it’s an important one. Only then can you begin the hard work of profiling your own computer behavior in your brain, not the computer’s brain.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
Leave a Reply