Thursday, November 19, 2009

Watch out, roundworms: UV phasers are set to stun

On the day a new computer virus hits the internet there is little that antivirus software can do to stop it until security firms get round to writing and distributing a signature that recognises and removes it. Now engineers Simon Wiseman and Richard Oak at the defence technology company Qinetiq's security lab in Malvern, Worcestershire, UK, have come up with an answer to the problem.


Their idea, which they are patenting, is to intercept every file that could possibly hide a virus and add a string of computer code to it that will disable any virus it contains. Their system chiefly targets emailed attachments and adds the extra code to them as they pass through a mailserver. A key feature of the scheme is that no knowledge of the virus itself is needed, so it can deal with new, unrecognised "zero day" viruses as well as older ones.
Many mailservers already block attachments that will run as executable programs - such as PC files with a .exe suffix - in case they are viruses. But virus writers have tricks up their sleeve to get round this. For example, they can give an executable the guise of an innocent Microsoft Word (.doc) or Adobe Acrobat (.pdf) file, and then fool unsuspecting users into turning it back into an executable program file that will run on their computer.
Qinetiq aims to prevent this by inserting a line of machine code - the raw code that microprocessor chips understand - into the header area of incoming files. This is the part of the file that holds the formatting data that defines such aspects as a document's layout and fonts.
If the file is simply opened by another program, the code is ignored. But if someone attempts to run it as a program in its own right, Qinetiq's code will run first - and stop the rest of the program in its tracks, either by exiting or by sending it into an infinite loop.
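The article does not say how the inserted code is wired into a file. The most concrete reading, for an attachment that really is a Windows executable whatever its extension claims, is the one worked through below: identify the file by its headers rather than its name, find where its entry point lives on disk, and overwrite those bytes with a stub that returns to the loader before any of the original program runs. This is an added example written for this page, not Qinetiq's patented code; the minimal PE it builds is constructed for the demonstration, and the `filter_attachment` policy function is a stand-in for whatever a real mail gateway would call.

```python
"""Added example: neutralise an attachment that is really a Windows PE, whatever
its extension says, by overwriting its entry point with a stub that returns to
the loader. Constructed for this page; not Qinetiq's code."""
import struct

PE_SIGNATURE = b"PE\0\0"
# x86 stub: xor eax, eax ; ret.  Returning from the entry point hands control
# back to the loader's thread-start thunk, which exits the thread (and with it
# the process, for the main thread).  `EB FE` (jmp $) would spin forever instead,
# the other behaviour the article mentions.
EXIT_STUB = b"\x31\xc0\xc3"


def is_pe(data: bytes) -> bool:
    """Identify a PE by its headers rather than by the filename suffix."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def entry_point_offset(data: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at +16 in both PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    for i in range(num_sections):
        sec = opt + opt_size + 40 * i
        vaddr, raw_size, raw_ptr = struct.unpack_from("<III", data, sec + 12)
        if vaddr <= entry_rva < vaddr + raw_size:
            return raw_ptr + (entry_rva - vaddr)
    raise ValueError("entry point lies outside every section")


def neutralise(data: bytes) -> bytes:
    """Return a copy whose entry point now runs EXIT_STUB before anything else."""
    off = entry_point_offset(data)
    patched = bytearray(data)
    patched[off:off + len(EXIT_STUB)] = EXIT_STUB
    return bytes(patched)


def filter_attachment(filename: str, data: bytes) -> tuple:
    """Hypothetical gateway policy: the content is sniffed, the extension is ignored."""
    if is_pe(data):
        return "neutralised", neutralise(data)
    return "passed", data


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with one .text section; entry RVA 0x1000 -> file offset 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000).ljust(0xE0, b"\0")
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)
    section = section.ljust(40, b"\0")
    headers = (dos + PE_SIGNATURE + coff + opt + section).ljust(0x200, b"\0")
    payload = b"\x90\x90\x90\xc3".ljust(0x200, b"\0")              # stand-in "malicious" code
    return headers + payload


if __name__ == "__main__":
    sample = build_sample_pe()
    action, out = filter_attachment("invoice.doc", sample)      # wrong extension on purpose
    print(action, out[0x200:0x203].hex())
```

Two caveats a practitioner would add. First, this only covers files that are already executables; it says nothing about scripts, macros or exploits carried inside genuine documents, which is where the article's "insert code into the header of a .doc" idea becomes hard to make precise. Second, Windows runs TLS callbacks before AddressOfEntryPoint, so a program that puts its real work in a TLS callback runs before the stub ever executes; a gateway relying on entry-point patching has to handle that directory as well.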
"This is not based on virus signature detection, so it is not something malware writers can imagine their way around," Wiseman says. Qinetiq, which has just acquired the military networking firm Boldon James, plans to exploit the trick in future secure mailservers.
"It sounds like it might have some promise," says Ross Anderson, professor of security engineering at the University of Cambridge. But he adds: "I'm not sure that injecting raw machine code into attachments will be a panacea."
Anderson doubts the wisdom of patenting the scheme, however. "Now that Qinetiq have patented this idea nobody will use it, even if it works. Patents are seen as damage: people route around them."
Issue 2735 of New Scientist magazine
