A Norwegian graduate student reckons his new antivirus program which can detect unknown viruses is thirty times faster than rival systems developed by the team at Massachusetts Institute of Technology. Tom Lysemose’s software can also effectively detect attacks by unknown computer viruses. The press release from the Research Council of Norway claims that no previous software can detect unknown viruses, but I’m pretty sure that’s not the case. The antivirus companies have been using heuristic algorithms to spot virus characteristics in suspect files for years, albeit with nowhere near 100% accuracy.
Nevertheless, Lysemose hopes to address the rather embarrassing situation in which many software vendors have found themselves – namely that common programming errors lead to so-called buffer overflow, which can be exploited transparently by a virus.
Lysemose points out that such programming mistakes are common for all programrs who write in C, one of the world’s most common programming languages. The web browser Internet Explorer, the VOIP telephony system Skype and the database software from Microsoft SQL Server are all affected, even antivirus software itself, such as that proferred by Symantec, is susceptible to this problem.
The effects can be devastating. In 2003, the Slammer virus took control of a huge number of database servers, spreading itself rapidly. The virus was not especially destructive, it spread so widely that it slowed down the entire Internet. Systems over the entire world were affected, and even some banks’ automated teller machines were shut down, says Lysemose.
To understand Lysemose’s software, one needs a quick introduction to how Buffer Overflow is a unfortunate programming error. Within a computer’s internal memory are a series of containers called buffers. When running a program that communicates over the Internet, such as a web browser, the technology functions so that the contents in the buffers of the network server are transferred to the buffers in the computer.
One example is when a password is entered on a web page. The password is stored in its own buffer on the local computer. Consider, for example, that this buffer could only have enough space for eight characters. If the programr forgets to check the buffer size, the buffer runs over if someone enters more than eight characters.
Unfortunately, not all programrs are aware of this. If those who write software have not included a routine that checks if enough room exists in the buffer, the areas that are physically next to the buffer will be overwritten. This is extremely regrettable. The computer gives no warning and continues to run as if nothing has happened.
Unfortunately, the overwritten areas can hold important instructions for the software that’s running, such as “Please provide an overview of all my documents”.
This is exactly the type of weakness that virus creators exploit. They can make a virus that sends a larger data packet than the computer’s buffer capacity. If the hacker discovers exactly where the most important instructions are located, the virus can be programd so that it overwrites these instructions with completely different commands, such as “Delete all of my documents now”. And then the user is out of luck.
Which is where Lysemose’s innovation comes in to its own. His system, ProMon, cannot prevent an unknown virus from attacking a buffer and the areas around it, but ProMon monitors programs to ensure that they do not do things that they are not programd to do. This means that ProMon will stop a program if it suddenly begins to do another thing.
This solution is a new way of thinking about virus prevention. ProMon works within a program, such as the web browser Internet Explorer, in order to monitor the interaction between the program’s modules. As long as the program performs legitimate transactions between its modules, ProMon does nothing. But if an illegal transaction occurs, ProMon decides a virus has attacked and promptly stops the program, Lysemose explains. As such, ProMon can monitor any program. The product will be introduced to the large anti-virus companies later this month.
In the meantime, check out the sciencebase spyware, trojans and worms page