Defcon Speakers Team Up to Fight 'Queen Bots'

Imagine for a moment that our central defense against bank robbers was a technology that recognized criminals based largely upon their physical appearance. Now imagine that the bad guys had figured out a way to rapidly and automatically change not only their facial structure, but their height, weight, clothing and method of attack. The net result would be that those attacks would ultimately be more successful and profitable bank robberies, encouraging the bad guys to step up the frequency and brazenness of their attacks.

That is a rough analogy for describing the dirty little secret of the anti-virus industry today -- that the authors of computer worms and viruses designed to turn regular computers into spam-spewing and data-stealing zombies or "bots" are increasingly outpacing the security vendors, by automatically updating the genetic makeup of their creations before anti-virus companies have time to ship updates to their detection files. As a result, we have an industry whose business is predicated on 10 to 20 percent of its customers being successfully attacked before it can even begin to respond, according to some estimates.

In light of this trend, some security experts say it is high time for anti-virus companies to put aside their competitive interests and partner with the various public-sector malware collection and analysis projects. At the Defcon hacker conference in Las Vegas last week, Internet pioneer Paul Vixie and Georgia Institute of Technology bot researcher David Dagon presented blueprints for an industrywide, automated "malware repository" designed specifically to address the problem of self-updating bot programs, which they called "queen bots."

Queen bots, said Vixie, comprise about half of the known bot programs operating today. They are successful because they can regularly recode themselves on the fly using various "packers," custom programs that can shrink and change a targeted file's appearance. While most anti-virus products can detect malicious files altered by common packer programs, there is a slew of more advanced and stealthy packers emerging each week that present some tough challenges to the AV companies. On top of that, most of today's self-updating bot programs use multiple packers to further confuse anti-virus programs.

To help with that challenge, Vixie and Dagon have created a "malware repository" that automatically "unpacks" any submitted malware to determine whether the specimen is new or just an obfuscated clone of a known bot program. The process is repeated until the malware is completely unpacked. This allows fully automated analysis, because the system only needs to flag bot malware that includes new components, such as a different exploit or payload. Anonymous users can upload and view aggregate statistics about any samples they share, and users who identify themselves can download a detailed analysis of samples they submit. Users who have been vetted and authenticated can upload and download all malware samples and the results of any analysis.
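The triage loop described above, as an added illustration that is not the repository's own code: peel recognised packer layers off a submission until none remain, hash the innermost core, and flag only cores the collection has not seen. The two "packers" (zlib and base64 behind constructed marker prefixes) and the sample bytes are constructed for the example; real packers are far harder to recognise and reverse.

```python
"""Toy model of the repository's triage loop: strip packer layers until
none remain, then decide whether the unpacked core is already known.
Packers here are two constructed, trivially reversible encodings."""
import base64
import hashlib
import zlib

# Constructed packer layers, each recognised by a marker prefix.
PACKERS = {
    b"PK1:": lambda body: zlib.decompress(body),
    b"PK2:": lambda body: base64.b64decode(body),
}

def unpack_fully(sample: bytes, max_layers: int = 16):
    """Repeatedly strip recognised packer layers. Returns the innermost
    payload and the markers removed, outermost first. Stops at max_layers
    so a self-referencing or decoy blob cannot keep the analyser busy."""
    layers = []
    for _ in range(max_layers):
        for marker, unpack in PACKERS.items():
            if sample.startswith(marker):
                sample = unpack(sample[len(marker):])
                layers.append(marker.decode())
                break
        else:  # no packer matched: sample is fully unpacked
            return sample, layers
    raise ValueError("too many packer layers; possible decoy or loop")

def triage(sample: bytes, known_cores: dict):
    """Classify a submission against known unpacked cores.
    known_cores maps sha256(core) -> family name."""
    core, layers = unpack_fully(sample)
    digest = hashlib.sha256(core).hexdigest()
    family = known_cores.get(digest)
    verdict = "repacked clone of " + family if family else "NEW core, needs analyst"
    return {"core_sha256": digest, "layers": layers, "verdict": verdict}

# Constructed samples: a known core under two packer layers, and a new core.
KNOWN_CORE = b"bot-v1 core (constructed sample)"
KNOWN = {hashlib.sha256(KNOWN_CORE).hexdigest(): "queenbot-A"}
REPACKED = b"PK2:" + base64.b64encode(b"PK1:" + zlib.compress(KNOWN_CORE))
NOVEL = b"PK1:" + zlib.compress(b"bot-v2 core with new module (constructed)")

if __name__ == "__main__":
    for name, s in (("repacked", REPACKED), ("novel", NOVEL)):
        print(name, triage(s, KNOWN))
```

Only the second sample reaches an analyst; the first is recognised as a repacked clone even though its outer bytes share nothing with the known sample.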

The repository has already attracted tens of thousands of malware contributions from the guys at, and the malware collection folks at Nepenthes. Following Dagon's and Vixie's presentation, I spoke with Thorsten Holz, co-founder of the German Honeynet Project, who said he plans to submit some 30,000 malware samples.

Johannes Ullrich, chief research officer for the SANS Institute, said he is in the process of realigning SANS's malware team to regularly contribute to the archive.

"The most difficult part [of malware analysis] is the unpacking, and there are a dozen or so common ones, but then there are a lot of boutique packers that are only used by particular hacking crews," Ullrich said.

Still, the goal is to attract full participation by the anti-virus industry, not just open-source volunteer research groups. Dagon said to the extent that anti-virus companies do share real-time data from their collections with the larger Internet security community today, such sharing tends to take place in isolated, "hostage exchange" type situations, wherein a company will only share information if they can be assured of getting some privileged data from a competitor in return.

"If we really do have 20 percent infection rate [against new bot malware], I would say the anti-virus industry [is] failing to address the problem," Vixie said. "The interesting part of the problem will be compliance monitoring. We want to find the part of malware that is beneficial for competitors to share with each other ... but whenever you set up cooperative agreements, there is a fairly good chance that some [vendors] will share enough that you think they are sharing everything, when they really are keeping the goodies to themselves."

Vixie added that he is optimistic that at least one anti-virus company will soon agree to contribute any samples it receives on a regular and automated basis. "All it takes is one to act and gain an edge for the rest to adapt and level the playing field. [Anti-virus companies] have to understand that if they hoard [new malware samples], then they're going to be lonesome. The early indications are that the old ways will part pretty easily this time."

By Brian Krebs  |  August 9, 2006; 5:25 PM ET


My computer keeps getting disconnected from AOL like every 5 minutes. That's bad.

Posted by: Chris | August 9, 2006 11:56 PM | Report abuse

The most basic defense against viruses and malware: Never share your computer with anyone. That includes spouses or significant others. If you have kids, get them their own machine. Youngsters, especially, care little about security and will open any attachment or download without a shred of concern. Storing tax returns on the same machine that is used for gaming and Myspace is an invitation for identity theft.

Posted by: Ken L | August 10, 2006 11:41 AM | Report abuse

This is the wrong approach. We need tools that will rapidly fix known vulnerabilities -- something better than patching -- more than we need a complete database of ways to exploit it.

Posted by: SecurityWonk | August 10, 2006 12:29 PM | Report abuse

Seems like the Anti-virus industry has a strong conflict of interest, in that they make their money if and only if computers are pretty open to exploit. Solving the problem will put them out of business.

Open-source solutions seem more workable given that reality.

Posted by: Conflict of Interest | August 10, 2006 1:53 PM | Report abuse

Stop using Microsoft programs, which are inherently defective in order to sell updates of updates that are still defective.

Also, if you must use Microsoft programs, set up plug-in hard drives. One for the kids and one with your important data, like your tax returns, bill pay stuff, love letters, rowdy pix, etc., which is fully encrypted with 4000 bit code and a 20 chr key.

Posted by: Joe | August 11, 2006 1:36 PM | Report abuse

This has nothing to do with Microsoft products as such. The most used OS gets focused on. It is that simple. If MacOS would suddenly get 95% of the user base, we would start to see an increasing number of viruses, adware, spyware, worms and other kinds of malware for that platform. The same applies to other OSes. Don't blame Microsoft entirely.

Posted by: Gisli | August 18, 2006 4:36 PM | Report abuse

education, education, education...

Posted by: r33x | September 2, 2006 1:15 PM | Report abuse


Baby Shoes. You are showing your ignorance and are comparing apples to oranges. Microsoft has for years and years NOT separated the OS from the user. It shows up all over the place. For example, your better half Sally went and got an infection in her section of the registry. To make matters even worse, she used that hide my files to ostensibly prevent hackers from seeing your files while her better half (you) are surfing the net in what she considers a dangerous manner. Let's ignore for the moment that you really are surfing the Internet in an unsafe manner but you are the luckiest person on the planet. Since you can't see her files the hackers also shouldn't be able to see them. What she doesn't know is that a dozen or so miscreants (worms, trojans, spies, and viruses) are hiding in that hidden file space of hers. She also has a dozen or so other miscreants hiding in her section of the registry (which you also can't see).

You do a full system scan with the AntiVirus program. It detects nothing. See? Actually, all that means is that your AV cannot find the nasties that are probably there. So maybe you aren't so lucky after all. Nothing is said about the half dozen or so viruses and worms that are hiding in her protected file system area because you can't see inside that space. That is not the way to hide personal data. If you want to hide your personal data - encrypt it! After the AV scan you do a full system scan with Spybot Search & Destroy, Ad-Aware (I assume you are poor and can't buy a more powerful product), or your choice of Anti-Spyware (okay, so you are richer than most of us). Your Spyware scans do a lovely job of cleaning out the system of the things known to be bad except for her Current User area of the Registry and her files. They are her areas and you can't see into them. And even if she also does the same scans (she won't give you her login password - what is she hiding?) if the system save / restore is active you are hosed because a lot of those nasties may just got restored again when the system reboots and she logs in again. What a wonderful idea - let's restore the nasties.

Now, this is NOT the place to educate you completely about the Mac or other Unix-type machines, but here are the facts about them. [1] THERE IS NO REGISTRY. [2] There is no Active-X. [3] There is a SUPER user named root. This user is the only user that can see the entire file system of the machine, and more importantly modify or delete all of the files. Actually, on a Discretionary Access Control (DAC) enhanced Unix system even the root user acquires limitations. DACs are great for servers but are overkill for most home systems. Unless you have the DAC enhancement, only root can hide certain areas of the file systems from the prying eyes of all of the other users. Other users can hide their files from other normal users, but not from the root user. We will ignore for a moment attaching a portion of a hard drive on another computer to the computer you are using via something called NFS. I will say it is possible in that case for a normal user to see into that attached space, whereas the root user can't see it. So what? That file system is on the other machine. The Unix OS has put permissions on system files making them very difficult to be easily altered by a normal user. In fact, the Unix system files are practically impossible to be altered by a normal user unless there is some sort of security hole. A normal user can write files only in their little corner of the world (thankfully with blissfully short but meaningful home area names like /home/hhhobbit, making it a piece of cake to back your files up) and in a temporary scratch space called /tmp. [4] Because of all of these features I just mentioned, viruses and worms have a terribly difficult time doing anything with a Unix file system. The same goes for the file systems used by operating systems like OpenVMS (owned by Compaq now that they bought Digital Electronics Corporation - DEC), OS/400 (IBM), MVS (IBM), and MVS (IBM). I must add that these other operating systems are all different from Unix. They do share the feature of more highly protected file systems. Some of these other operating systems are much more secure than Unix systems are, but all of them are much more secure than MS Windows ever was.

Now if you do something stupid by logging on as this root user on a Unix type system and go out surfing the Internet then you are opening yourself up to be whacked. But unlike MS Windows you don't have to log in as the root user to do almost everything you need to do. That is because the demarcation between user and OS on Unix systems has been hammered out over 36 years now and is very well defined. No, I am not logged in as root right now.

This next declaration is not a smug statement. You will always be safer on these Unix type systems (pick your poison) than the current and previous versions of Microsoft Windows no matter how popular they become. It is akin to saying that WPA encryption is much stronger than WEP encryption for wireless networks. It is just the nature of the beast. I will refrain from any comments about Vista until it comes out. But the main problem I see with Microsoft is that they REFUSE to look at both the strengths and weaknesses of these other operating systems with an eye toward improving their own systems. Instead of spending their time bashing these other systems they should blow the cobwebs from their minds by looking at them. If they did that, they may be able to create a much more secure system. They also spend all their time doing what you are doing, which is saying that if these other systems like Mac OS-X, Linux, etc. became as popular as Microsoft Windows, the problem would be just as bad. Poppycock! Why Microsoft spends a lot of time bashing Linux baffles me. You can never say anything for sure, but I think I can safely say I don't see Linux as being a contender with Microsoft's products for the vast majority of desktops. If you come back to me in five years I probably will still be saying the same thing. Macs have a chance, and they are advertising heavily, but they cost a lot. Part of the reason Linux won't take off is the ignorance of people like you. The other part is not that Windows has X billion apps and Linux doesn't. It is that maybe the Linux systems don't have the apps you need or even a reasonable substitute. Google Earth will never be available for Linux. The same held for Macromedia's Shockwave Player. Now that Macromedia has been bought out by Adobe the latter one may change - I have the Adobe reader installed on Linux. But I know of oil exploration software that runs only on Sun Microsystems' Solaris (another very powerful Unix operating system). If you intend to run that software, then you are going to have a Sun running Solaris. The same holds for Google Earth - you will need to have a dual boot system where you can use MS Windows some of the time even if you normally use Linux. The new Macintoshes with Intel chips will also be able to run Microsoft Windows in addition to OS-X. Does that indicate how important Microsoft Windows is?

Microsoft needs to climb out of the thinking box they are in and look at things from other points of view. The best way to learn your own native language (human) is to learn another one. When you do that, the straitjacket will fall off and you will begin to see a way of making a file system where only one user can see everything and that user should not normally be you. The AV system is something I should be able to use, but it should autonomously handle updating and regular system scans only under the tutelage and guidance of a super user. And the count for Linux nasties is so low that the only AntiVirus products that are marketed for Linux don't scan for much Linux malware - they scan for Microsoft nasties! That is because they are servers doing mail duty, etc.

Posted by: hhhobbit | September 11, 2006 12:34 PM | Report abuse
