Alternative medicine: Future virus fighting

Although viruses have been with us for 20 years and worms considerably longer, there has been remarkably little movement in the way they are written, detected and removed. In general, an unknown writer identifies a vulnerability in a common system, writes software to exploit it and releases it to his chums and the antivirus companies, sometimes into the wild. The virus is analysed, a unique pattern within it is identified and the antivirus companies release the update to their customers.

This works unless the malware -- a generic term for harmful software -- can propagate itself faster than the companies can respond. One approach to counter that is heuristic analysis, where software examines email attachments and incoming files and attempts to work out what they actually do. Typically, a heuristic detector would look for programs that attempt to access your address book, check for a particular date set in the future, overwriting system files and so on -- if a piece of software does enough things that the detector considers suspicious, it flags the file as suspicious and issues an alert. This process can spot unknown viruses -- it's been particularly successful in detecting email-borne worms -- but can also easily flag legitimate files as dangerous.

A more advanced form of heuristic scanning involves running the code, either in emulation or a virtual machine, and watching for dangerous activity. In theory, this will discover all malware: in practice, it can only find that which misbehaves early on. A virus that does nothing suspicious for a week after infection will only be revealed in this way after a week in quarantine has passed, and that's not an acceptable delay. Yet another approach is to monitor not the suspect code, but the entry points to the operating system: as software runs, the antivirus program constantly checks for dangerous activity.

Hardware scanning is an old idea that is constantly reinvented. One of the latest demonstrations comes from Washington University, where John Lockwood and his students have developed a device called the Field Programmable Port Extender (FPX) that can scan incoming bitstreams at up to 2.4 gigabits per second. This is fast enough for the device to be used much like a firewall, monitoring all traffic at the point it enters or leaves an organisation.

The hardware builds incoming packets into a message, analyses the protocol headers and compares the contents of the message against a database of known signatures -- all things that are normally done in software. At the heart of the FPX is a device called a field-programmable gate array (FPGA), a chip containing millions of logic gates that can be reconfigured through software. It's this that checks for known signatures by setting up circuits that respond to matches; by putting many of these in parallel, incoming traffic can be scanned as fast as it arrives. Automatic tools take virus signatures and convert them into circuit configuration data: the idea is that as soon as a threat is detected anywhere in the world, new configurations are generated.

Next page