Zoom out for a view of malware, say boffins One of the reasons malware gets past corporate defences is that a single HTTP request can look perfectly innocent. However, according to research to be presented at a security conference next week, those requests reveal themselves if the defender takes a “big picture” view. According to research to be presented at the Internet …
This more ambitious approach, of looking for characteristic patterns in requests and data, has been used by top-end firewall manufacturers for at least 15 years and possibly longer. After all, it's the logical thing to do if you want to identify more attacks and thus have a chance of shutting them out, rather than having to clean up the damage afterwards.
However, like all "smart" software, I suspect it will turn out to have distinct limitations. The idea is somewhat similar, in the broadest terms, to that behind Web content filtering - and we know how well that works in practice. It always looks fairly straightforward, at first glance, to make software behave "intelligently" by making it carry out a set of rules. Trouble is, life tends to be a lot more complicated than any simple set of rules we can devise. There are exceptions, and the exceptions also have exceptions... and so on.
... saying that it does not inspect content but takes MD5 hashes of the first few Ks is like saying that one does not watch adult movies but takes a look at the first five minutes... you know, just to see if they are one of these.
And by the way, doing this only makes malware writers to pad its malicious content with a few kilobytes of cat pictures at the beginning.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
