Alternative medicine: Future virus fighting

Although viruses have been with us for 20 years and worms considerably longer, there has been remarkably little movement in the way they are written, detected and removed. In general, an unknown writer identifies a vulnerability in a common system, writes software to exploit it and releases it to his chums and the antivirus companies, sometimes into the wild. The virus is analysed, a unique pattern within it is identified and the antivirus companies release the update to their customers.

This works unless the malware -- a generic term for harmful software -- can propagate itself faster than the companies can respond. One approach to counter that is heuristic analysis, where software examines email attachments and incoming files and attempts to work out what they actually do. Typically, a heuristic detector would look for programs that attempt to access your address book, check for a particular date set in the future, overwriting system files and so on -- if a piece of software does enough things that the detector considers suspicious, it flags the file as suspicious and issues an alert. This process can spot unknown viruses -- it's been particularly successful in detecting email-borne worms -- but can also easily flag legitimate files as dangerous.

A more advanced form of heuristic scanning involves running the code, either in emulation or a virtual machine, and watching for dangerous activity. In theory, this will discover all malware: in practice, it can only find that which misbehaves early on. A virus that does nothing suspicious for a week after infection will only be revealed in this way after a week in quarantine has passed, and that's not an acceptable delay. Yet another approach is to monitor not the suspect code, but the entry points to the operating system: as software runs, the antivirus program constantly checks for dangerous activity.

Hardware scanning is an old idea that is constantly reinvented. One of the latest demonstrations comes from Washington University, where John Lockwood and his students have developed a device called the Field Programmable Port Extender (FPX) that can scan incoming bitstreams at up to 2.4 gigabits per second. This is fast enough for the device to be used much like a firewall, monitoring all traffic at the point it enters or leaves an organisation.

The hardware builds incoming packets into a message, analyses the protocol headers and compares the contents of the message against a database of known signatures -- all things that are normally done in software. At the heart of the FPX is a device called a field-programmable gate array (FPGA), a chip containing millions of logic gates that can be reconfigured through software. It's this that checks for known signatures by setting up circuits that respond to matches; by putting many of these in parallel, incoming traffic can be scanned as fast as it arrives. Automatic tools take virus signatures and convert them into circuit configuration data: the idea is that as soon as a threat is detected anywhere in the world, new configurations are generated.

Although this approach works well for most viruses, worms and other malware, it does little for polymorphic and metamorphic viruses. These dynamically rewrite themselves every time they replicate, leaving as little as possible unchanged from copy to copy. All a scanner can hook onto is the small amount of code that doesn't change, and the trouble with looking for small chunks of code is that there's a high chance of false positives from legitimate messages. Also, it is impossible to add heuristics to scanners that check bitstreams in real time.

In the end, there is no guaranteed way to distinguish malware from legitimate data -- to take an extreme example, a signature file distributed by an antivirus company to update its scanners will by definition contain all the hallmarks of the virus it is designed to detect. It's merely the context that makes it good, rather than bad, information.

Trusted computing initiatives are ways to manage that context. By arranging the hardware and operating system of a computer so that only specifically authorised code can be run -- and by preventing the user from deciding what is authorised -- whole families of infection can be disarmed. Such schemes are still being developed for personal and enterprise computing, but are already in place for embedded systems such as Microsoft's Smartphone platform. Here, it is already possible to arrange things so that no application can be loaded onto a phone except with the express authorisation of the network operators. Although this has met with considerable user resistance -- one of the selling points of smartphones is their ability to run games and multimedia applications, where users prefer as much choice as possible -- the companies concerned are persisting. Microsoft's Next Generation Secure Computing Base (NGSCB, formerly known as Palladium) and Intel's LaGrande hardware specification are both being heavily promoted as increasing security against malware.

This is as much for commercial reasons as to protect the user. As John Lockwood points out, techniques used to deflect viruses can also be used to deflect any form of unauthorised data -- and as digital rights management and other aggressive copyright protection schemes are adopted, the definition of unauthorised widens considerably to cover anything to which a user does not have the explicit rights.

The future of antivirus software will most probably be a mixture of all the above techniques. PC hardware is becoming more robust and more flexible -- Intel's Vanderpool virtualisation will create multiple independent virtual processors, one of which could be given over to heuristic analysis of suspicious code away from live data -- and email server providers are already using anti-spam analysis ideas to check for viral behaviour. ISPs have learned that the first sign of a successful attack can be a sudden increase in network activity on an unusual port, and have established links to antivirus software company laboratories. There are even signs that the users themselves are learning not to run suspicious email attachments, but researchers privately admit that they expect true artificial intelligence to be developed before they can inculcate the real thing in their clients.

Malware will never go away, because there is always a way to persuade legitimate software to behave in dangerous ways. The only truly safe software is that which cannot access or change anything of value, and that is truly useless. But with security finally registering as a top concern for hardware, software and network companies, the days when a twisted teenager can cripple the Internet with a few hundred bytes of Windows exploitation are numbered.