Detecting Unknown Viruses

A Norwegian graduate student reckons his new antivirus program, which can detect unknown viruses, is thirty times faster than rival systems developed by the team at the Massachusetts Institute of Technology. Tom Lysemose’s software can also effectively detect attacks by unknown computer viruses. The press release from the Research Council of Norway claims that no previous software can detect unknown viruses, but I’m pretty sure that’s not the case. The antivirus companies have been using heuristic algorithms to spot virus characteristics in suspect files for years, albeit with nowhere near 100% accuracy.

Nevertheless, Lysemose hopes to address the rather embarrassing situation in which many software vendors have found themselves – namely that common programming errors lead to so-called buffer overflow, which can be exploited transparently by a virus.

Lysemose points out that such programming mistakes are common for all programmers who write in C, one of the world’s most common programming languages. The web browser Internet Explorer, the VOIP telephony system Skype and Microsoft’s SQL Server database software are all affected; even antivirus software itself, such as that proffered by Symantec, is susceptible to this problem.

The effects can be devastating. In 2003, the Slammer virus took control of a huge number of database servers, spreading itself rapidly. Although the virus was not especially destructive, it spread so widely that it slowed down the entire Internet. Systems over the entire world were affected, and even some banks’ automated teller machines were shut down, says Lysemose.

To understand Lysemose’s software, one needs a quick introduction to how a buffer overflow arises from an unfortunate programming error. Within a computer’s internal memory are a series of containers called buffers. When running a program that communicates over the Internet, such as a web browser, the contents of the network server’s buffers are transferred into buffers on the local computer.

One example is when a password is entered on a web page. The password is stored in its own buffer on the local computer. Consider, for example, that this buffer only has enough space for eight characters. If the programmer forgets to check the buffer size, the buffer overflows if someone enters more than eight characters.

Unfortunately, not all programmers are aware of this. If those who write software have not included a routine that checks whether enough room exists in the buffer, the areas that are physically next to the buffer will be overwritten. This is extremely regrettable. The computer gives no warning and continues to run as if nothing has happened.

Unfortunately, the overwritten areas can hold important instructions for the software that’s running, such as “Please provide an overview of all my documents”.

This is exactly the type of weakness that virus creators exploit. They can make a virus that sends a larger data packet than the computer’s buffer capacity. If the hacker discovers exactly where the most important instructions are located, the virus can be programmed so that it overwrites these instructions with completely different commands, such as “Delete all of my documents now”. And then the user is out of luck.
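The eight-character password buffer described above, written out in C as an added illustration (not code from the article, nor from ProMon): the unchecked copy is the mistake the article describes, and the checked version is the routine the programmer forgot to write. The struct, field names and sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical login form: a buffer with room for exactly eight characters
   (plus the terminating '\0'), as in the article's example. */
#define PASSWORD_LEN 8

struct login_form {
    char password[PASSWORD_LEN + 1]; /* the buffer the user's input lands in      */
    char note[16];                   /* "the area physically next to the buffer" */
};

/* The mistake the article describes: nothing checks whether the input fits.
   strcpy keeps writing past password[] into note[] (and beyond) whenever the
   input is longer than eight characters, and the program carries on silently.
   Shown as the 'before'; do not call it with untrusted input. */
void store_password_unchecked(struct login_form *f, const char *input)
{
    strcpy(f->password, input);      /* no bounds check: buffer overflow */
}

/* The fix: measure the input before copying and refuse anything that does
   not fit.  Returns 0 when stored, -1 when the input would have overrun
   the buffer (in which case nothing is written). */
int store_password_checked(struct login_form *f, const char *input)
{
    size_t n = strlen(input);
    if (n > PASSWORD_LEN)            /* more than eight characters: reject */
        return -1;
    memcpy(f->password, input, n + 1); /* n + 1 copies the terminator too */
    return 0;
}

int main(void)
{
    struct login_form f;
    memset(&f, 0, sizeof f);
    strcpy(f.note, "keep me");        /* constructed neighbouring data */

    printf("8-character input:  %s\n",
           store_password_checked(&f, "hunter2!") == 0 ? "stored" : "rejected");
    printf("9-character input:  %s\n",
           store_password_checked(&f, "hunter2!!") == 0 ? "stored" : "rejected");
    printf("neighbouring field: %s\n", f.note);
    return 0;
}
```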

Which is where Lysemose’s innovation comes into its own. His system, ProMon, cannot prevent an unknown virus from attacking a buffer and the areas around it, but ProMon monitors programs to ensure that they do not do things that they are not programmed to do. This means that ProMon will stop a program if it suddenly begins to do something else.

This solution is a new way of thinking about virus prevention. ProMon works within a program, such as the web browser Internet Explorer, in order to monitor the interaction between the program’s modules. As long as the program performs legitimate transactions between its modules, ProMon does nothing. But if an illegal transaction occurs, ProMon decides a virus has attacked and promptly stops the program, Lysemose explains. As such, ProMon can monitor any program. The product will be introduced to the large anti-virus companies later this month.

In the meantime, check out the sciencebase spyware, trojans and worms page

Regulatory Compliance

Did you know that all US firms have to keep all records, including e-mails and other electronic records for at least five years under the Sarbanes-Oxley Act of 2002? Moreover, if your company is in healthcare, then you also have to hang on to a variety of emails and documents, such as contracts, policy and procedure documents, patient communications, authorizations and consumer complaints for six years! You can find out more and how to manage your email and IM (instant messaging) files in this White Paper

Funnel Back Search Engine

A search engine spun out from the Australian research organisation CSIRO is already powering the Australian Government Information Management Office, Westpac Banking Corporation, the Australian Broadcasting Corporation, the University of Sydney, the National Research Council of Canada, the University of Staffordshire, and the Scottish Care Commission, and could soon offer users from multinationals down to SOHOs a way to search their websites, intranets, file-shares and databases that side-steps the security risks associated with other desktop search engine software that have recently come to light.

“Funnelback is a better search engine because of its superior ability to help users find the information they are looking for quickly and accurately,” says Dr Stephen Kirby, Chairman of Funnelback Pty Ltd. [That has to be one of the most trite press release statements ever, Ed.]

Nevertheless, the “new” search engine could improve the lot of scientists who only see so much spam and commercial garbage when searching with the more commonplace SEs.

According to the Funnelback development website, however, the SE “offers a better search experience based on its high-quality ranking algorithms.” These, it claims, take into account many factors when ranking a document. So far, nothing new: the likes of Google have been doing that for years.

Indeed, the Funnelback site spells out exactly what it uses to rank a webpage:

* The anchortext pointing to the page
* The number of incoming links from other pages and sites
* The length of the page address (URL) and the presence of query words in the URL
* The number of times your query words appear in the page and in the collection, and the length of the page

So, basically, it ranks pages in pretty much the same way as Google. Of course, we’re not going to be “Funnelbacking search results” like we “Google” them in our everyday searching. “We’re not tackling the global web search market dominated by Google, Yahoo and MSN,” Funnelback’s Francis Crimmins told us. He adds that “we have a strong story in the enterprise and hosted search space.” One additional interesting aspect of this SE is that Funnelback, as well as carrying out basic web ranking, supports a “free-text + metadata search”.

Novel Prize Controversy

Regular sciencebase visitors will be well aware of my interest in what keywords visitors use to either find the site or to search the site once they’re here. Four hits on the site this month were after “Novel Prize controversy, again and again”. I’m not sure what they hoped to find by adding that phrase “again and again”, but more to the point, I’m not aware of any Novel Prize. If they’re after the Nobel Prizes, then sciencebase offers a run down of those in Chemistry, Physics, and Medicine.

Think Geek

I found a great site for all those gadgets that will make you the envy of the lab! Check out ThinkGeek gifts for geeks for hi-tech lights and lasers, Swiss Army USB knives, PIX Sports LED pedometer and message display, PowerSquid outlet multipliers, USB lava lamps (don’t ask!), wifi digital hotspot spotter, atomic dog tags (for supercool mutts with a penchant for retro chic), LED candles, and best of all – green laser pointers (beats those old-fashioned red ones on the lecture circuit any day).

And, as it’s my birthday today, feel free to send me any gadgety gift you like!

EFF has Google over a Desktop

The Register reports today that the Electronic Frontier Foundation has issued a warning to potential users of Google Desktop (version 3) to configure it carefully.

The program’s “Search Across Computers” means some very private files, such as your web histories, documents, spreadsheets, presentations, PDF and text files in your “My Documents” folder could be held on Google’s servers for up to a month.

The idea is that you would log in to your Google space and be able to search your own files from another PC. You can exclude filetypes and folders, but the EFF has raised its proverbial eyebrows because the new version of Google Desktop could unleash a whole new set of security problems for non-technical users.

If you need more advice on computer security (and who doesn’t?), I can recommend The Hacker’s Nightmare, which I have mentioned several times in this blog.

Open Access Referees

The new journal Biology Direct hopes to revolutionise the peer review process by placing the burden of selecting “referees” for a paper on the shoulders of the authors themselves and removing the protection of referee anonymity that has been the mainstay of the scientific publication system for decades, if not centuries.

The journal suggests that such an approach to peer review will increase “both the responsibility and the reward of the referees…eliminating sources of abuse in the refereeing process” and presumably reducing the risk of fraudulent results entering the scientific literature.

It remains to be seen whether referees will voluntarily expose themselves to the criticism of their peers for those papers they review, whether that’s authors wishing they’d picked someone else when a paper is slated, or rivals suggesting that a referee is at fault when a paper receives a positive review.

Constraint Satisfaction Problem

Wikipedia is fab, isn’t it? But, every now and then it throws up information that really doesn’t help. I’m currently writing a feature for the journal Complexus, for which I’m an editorial board member, and the phrase Constraint satisfaction problem is key to understanding the research paper I’m writing about. So, thinking good-old Wiki could help out with a neat and crisp definition for our readers, I plugged in the phrase, like you do. Bingo! There she blows!

Trouble is, the definition appears to be entirely circular: a CSP being simply a problem the solution to which must satisfy certain constraints. That’s the equivalent of defining a long curvy yellow fruit as a “fruit that is yellow, curved, and long”, isn’t it?

So, if anyone has a neat and crisp definition of CSP they’d like to share, please let me know…

Now….where’s that banana?

Kama Sutra Worm Comes of Age Friday

If you’ve recently been a bit naughty and opened a file attached to an email with any of the following subject lines:

*Hot Movie*
Arab s*x DSC-00465.jpg
F*ckin Kama Sutra pics
Fw: S*X.mpg
Fwd: Crazy illegal S*x!
give me a kiss
Miss Lebanon 2006
Part 1 of 6 Video clipe
School girl fantasies gone bad
The Best Videoclip Ever

you may have infected your PC with a virus that will wipe data on the 3rd of the month. Today is a good time to ensure your AV software is up to speed and to get any confessions out of colleagues on your network. According to Sophos, the virus will destroy files with the following extensions:

DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP

and replace their contents with:

DATA Error [47 0F 94 93 F4 K5]

Not worth it for a little online titillation was it?

I Lurv Your Photo

You may not have been fooled by claims of love from anonymous email correspondents nor messages purportedly from Paypal urging you to check your security settings and sending you via their servers in Russia to verify your password, but would you be sucked in by this missive, which could appeal to anyone’s vanity, especially if they post a lot of photos on the web:

“Hello,

Your photograph has reached editing stage as part of an article we are publishing for our February edition of the Guardians business section. Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one.
We’ve attached the photo with the article here.

Kind regards,

William Morrison
Editor
www.Guardian.com”

This message (there are variations on the theme) came with a zip file attachment containing a rather malicious piece of software that goes by the name of Troj/Stinx-N. According to Sophos this worm “Turns off anti-virus applications, Allows others to access the computer, Downloads code from the internet, Reduces system security, Installs itself in the Registry”

The smoking gun, of course, is that line “If the picture is not to your liking then please send a preferred one.” Anyone in the trade would know immediately that this was not a message from any real editor. Editors very, very, very, very, very, very, rarely give photographers (or writers, come to that) the option of submitting a “preferred” piece after editorial attention has already been given to the original submission. It just doesn’t happen.

You have been warned!

The bottom line is: DON’T OPEN EMAIL ATTACHMENTS
(unless you’re absolutely certain they’re genuine and can verify their veracity)

Check out the sciencebase site for more on spyware, trojans and worms