|
|
|
Part II: Viruses and worms are likely to be with us for the foreseeable future - but how will the methods used to fight them develop? Although this approach works well for most viruses, worms and other malware, it does little for polymorphic and metamorphic viruses. These dynamically rewrite themselves every time they replicate, leaving as little as possible unchanged from copy to copy. All a scanner can hook onto is the small amount of code that doesn't change, and the trouble with looking for small chunks of code is that there's a high chance of false positives from legitimate messages. Also, it is impossible to add heuristics to scanners that check bitstreams in real time. In the end, there is no guaranteed way to distinguish malware from legitimate data -- to take an extreme example, a signature file distributed by an antivirus company to update its scanners will by definition contain all the hallmarks of the virus it is designed to detect. It's merely the context that makes it good, rather than bad, information. Trusted computing initiatives are ways to manage that context. By arranging the hardware and operating system of a computer so that only specifically authorised code can be run -- and by preventing the user from deciding what is authorised -- whole families of infection can be disarmed. Such schemes are still being developed for personal and enterprise computing, but are already in place for embedded systems such as Microsoft's Smartphone platform. Here, it is already possible to arrange things so that no application can be loaded onto a phone except with the express authorisation of the network operators. Although this has met with considerable user resistance -- one of the selling points of smartphones is their ability to run games and multimedia applications, where users prefer as much choice as possible -- the companies concerned are persisting. Microsoft's Next Generation Secure Computing Base (NGSCB, formerly known as Palladium) and Intel's LaGrande hardware specification are both being heavily promoted as increasing security against malware. This is as much for commercial reasons as to protect the user. As John Lockwood points out, techniques used to deflect viruses can also be used to deflect any form of unauthorised data -- and as digital rights management and other aggressive copyright protection schemes are adopted, the definition of unauthorised widens considerably to cover anything to which a user does not have the explicit rights. The future of antivirus software will most probably be a mixture of all the above techniques. PC hardware is becoming more robust and more flexible -- Intel's Vanderpool virtualisation will create multiple independent virtual processors, one of which could be given over to heuristic analysis of suspicious code away from live data -- and email server providers are already using anti-spam analysis ideas to check for viral behaviour. ISPs have learned that the first sign of a successful attack can be a sudden increase in network activity on an unusual port, and have established links to antivirus software company laboratories. There are even signs that the users themselves are learning not to run suspicious email attachments, but researchers privately admit that they expect true artificial intelligence to be developed before they can inculcate the real thing in their clients. Malware will never go away, because there is always a way to persuade legitimate software to behave in dangerous ways. The only truly safe software is that which cannot access or change anything of value, and that is truly useless. But with security finally registering as a top concern for hardware, software and network companies, the days when a twisted teenager can cripple the Internet with a few hundred bytes of Windows exploitation are numbered.
|
| |||||
|
|
