How malware vaccines could stop ransomware's rampage

What's better, prevention or cure? For a long time the global cybersecurity industry has operated by reacting to attacks and computer viruses. But given that ransomware has continued to escalate, more proactive action is needed. Malware vaccines were a hot topic of discussion at the recent ONE Conference in The Hague, where …

  1. Anonymous Coward

    How ransomware gets into a Windows machine :o

    > Typically, when ransomware gets into a Windows machine ..

    Because windows can't tell the difference between OPEN or RUN!

    > Malware vaccines were a hot topic of discussion ..

    No, malware vaccines can't stop ransomware. Because it's made of the same stuff as the underlying platform. A fundamentally defective consumer product. They need to bin it and start all over from scratch.

    1. doublelayer Silver badge

      Re: How ransomware gets into a Windows machine :o

      "Because windows can't tell the difference between OPEN or RUN!"

      How does that work? Because Windows does seem to understand that executables can be risky and warns when running new ones. The problem comes when you run executables you shouldn't or you have a vulnerability allowing someone else to. I'm not sure what problem you're alleging, but from the words you're using, you're not alleging it very clearly. Maybe that's because you don't actually have one you can refer to clearly?

      1. stiine Silver badge

        Re: How ransomware gets into a Windows machine :o

        Only if it's configured to do so.

        1. doublelayer Silver badge

          Re: How ransomware gets into a Windows machine :o

          No, by default, and only some of it can be turned off, and doing that much is complicated. You require one click through to run something signed, two to run something unsigned for the first time. But since that might not have been their complaint, maybe it's not necessary to belabor this point if they can explain what their objection is.

  2. DJV Silver badge

    "Security pros explore whether infection-spoofing code can immunize Windows systems against attack"

    Nope, it's Windows. Insecure by design!

    1. pc-fluesterer.info

      Full ACK!

      Micro$oft is a US firm and as such is subject to government gag orders (NSL). It not only exhibits poor design but deliberate backdoors* as well, just like any other proprietary product (need I name network appliances?).

      FOSS rulez!

      *) Preview pane of Outlook anyone?

  3. m4r35n357 Silver badge

    How many "vaccines" are we talking about?

    Shirley there is a point where the complexity, disk usage or admin load (or any number of other factors) becomes overwhelming?

    Who will be trusted to provide this service?

    This does not sound remotely like a serious proposition to me.

  4. gnwiii

    Cooperation and the security industry

    “ As a result of this almost incidental research, which is not part of any commercial solutions Recorded Future is working on, the Massachusetts-headquartered firm is now keen to explore creating an open source community where researchers trade information to help create and deliver malware vaccines to combat families of ransomware.”

    Cooperative game theory attempts to understand when coalitions can form in terms of economic benefits. If an open source community made significant progress combatting malware, less money would flow to the industry and security researchers would lose their jobs. Real progress would require external support, e.g., government, so it is more likely to occur in authoritarian regimes than under current populist governments that are cutting existing support for security efforts.

    1. doublelayer Silver badge

      Re: Cooperation and the security industry

      That's a lot of assumptions. There are a lot of open source communities that achieved something even when it meant that companies that used to charge for that got less money, sometimes so significantly that they went out of business. Depending on what it is, it can be so much more efficient that it still moves faster or so helpful across sectors that companies end up teaming up, often when it would be harder for them not to than to suffer the indignity of having to give something to a competitor. Authoritarian countries have, surprisingly enough, not been dramatically helpful in this. They tend not to be dramatically helpful in much of anything. Government support would certainly help, but you will have a hard time proving either that the project won't succeed if they don't get it or that authoritarian countries will help over populist ones* or democratic ones, which you didn't bother to list even though they do exist.

      * For example, the US is populist and has been cutting things. It still funds the CVE database, though who knows whether it will still do so next year. The EU funds a database, a lot more now than they used to. China funds a vuln database. Which one is the odd one out? China's, because it's the one that keeps people from getting all the details but sends all of them to the Chinese government privately first. The history isn't going in your suggested direction.

    2. pc-fluesterer.info

      Re: Cooperation and the security industry

      "If an open source community made significant progress combatting malware" -- it has already!

      There is Linux (and xBSD for that), LibreOffice and so forth.

      Linux is many orders of magnitude more resilient against cyber crime than Windows.

  5. Joe Dietz

    I run a ransomware research system. We make no effort at all to cloak that we are running samples in a virtual machine. For certain _some_ do refuse to run when they detect the virtual machine... But we get healthy malicious activity from at least 30% of them. This is mostly payload execution, so in the real world the bits you want to hide from anti-virus and avoid analysis have already come and done their thing. So, while running vmware tools does prevent some infections... it's not a sure thing. It's cheap insurance though, so why not?

    1. Anonymous Coward

      Are they checking for registered VMware MAC addresses, or the existence of up-to-date VMware tools? If it's the former... well, that's a simple fix.

  6. Roland6 Silver badge

    does the author actually know how a vaccine works?

    For several decades the established AV vendors have been distributing “signatures”.

    When a user downloads a file, accesses a webpage or plugs in a storage drive, the AV will scan for signatures; if one is found, the relevant download will be blocked, the file deleted or access blocked, thus preventing the malware from ever running and attempting to infect the system. My understanding is this is how biological vaccines work.

    A second layer scans known places for activity; if the activity fits the profile, it's potential malware and gets blocked, whilst relevant components are uploaded for analysis.

    This seems to match how the immune system operates with “new” stuff.

    I can see the benefit of setting “honeypots”, “tank traps” and “camouflage” to either expose, block or cause known malware to fail. However, given the changes some AV software make to systems, I’m not certain that some don’t already implement some of these preventative measures. (*)

    > "Microsoft has put a kibosh on the antivirus industry because it is now built into Windows. You can get antivirus, but in many cases you don't really need it now."

    Whilst Mishaps extended the reach of its AV tools in Windows, Edge and Outlook (full standalone desktop client), there is still much they miss that quality cloud-integrated AV tools intercept. Plus, the third-party tools tend to have better controls; too many times with Windows it’s all or nothing, a third-party tool will tend to permit more granular protections.

    One of the best Personal AV tools I’ve used is Agnitum’s Outpost Security Suite, which profiled your applications, so it learnt “valid” behaviour. Whilst the early releases were not for the non-technical, v7.5 and later were more user friendly, with known applications getting prebuilt behaviour profiles, removing much of the need for local usage / behaviour learning and the risks associated with having lower security.

    However, AV software for servers, VMs and network appliances is another ball park (who runs AV on their router?).

    (*) I have seen unused mailboxes, if they receive a message it is automatically flagged and investigated, with delivery to all other mailboxes blocked.

    1. doublelayer Silver badge

      Re: does the author actually know how a vaccine works?

      The vaccine metaphor doesn't work very well with either of those things. Signatures only work for known malware, and these things are also designed for known malware with the hope that other malware will similarly decide not to bother running if they see it. A vaccine is a less direct method which is necessary because our immune systems are in that gloopy biological space where you can't just tell them what to do, but in both cases, it will react to things it hasn't seen before and, if it gets a vaccine, that response will be faster and more reliable, not instantaneous and before any effect. We either have to reject the metaphor entirely or work with the generic "it prevents some things and that prevents some things" and call it good. Arguing the minutiae won't get us anywhere.

      1. Roland6 Silver badge

        Re: does the author actually know how a vaccine works?

        Agree, but what was being described was very different to a vaccine. I used "signatures" as the simplest example (i.e. generation 1): these only matched specific files, so simple changes/adaptations worked around them; later, more sophisticated signatures refined this so that similar malware (typically simple variants) that used the same access vector could be detected. The comparison here would be with the various Covid vaccines that took slightly different approaches to make the recipient more sensitive to particular proteins that seemed to be common across differing strains, potentially also giving protection from unknown strains (I'm ignoring the longevity of the protection given here, just focusing on the principle).

        The cloud-connection enabled the faster identification of potential malware and the distribution of signatures to block whilst analysis took place.

        >We either have to reject the metaphor entirely or work with the generic "it prevents some things and that prevents some things" and call it good.

        This is probably where I'm at: rather than use a poor metaphor for something that so clearly doesn't have any vaccine characteristics, call it something else which brings up more appropriate imagery. I suggest what is being talked about is probably closer, in metaphor terms, to a shield and/or armour, which are both passive forms of protection from certain styles/types of attack.

        If it is "good" I expect the quality independent AV/security vendors to be among the first to bundle it into their security suites, particularly as it does mean they don't have to worry so much about the post-attack/infection clean-up. (This was an area where Agnitum were poor: if malware did get through their security, you often had to go looking on other AV vendor sites for the tools and procedures to clean up the mess...)

  7. Grogan

    Well... that sounds about as useful as "virus definitions" in this day and age. You're going to need different fake files and tomfoolery for every trojan? Moreover, it's only going to work against specific ones that do that kind of "scanning".

    Then, if usage of this becomes widespread, what do you think is going to happen when the malware authors change their behaviour to combat it? A cat and mouse game, worse than current solutions.

    This is probably just spinning wheels.

    1. pc-fluesterer.info

      Very true. The only viable prevention is to run a system that is resilient by design and by default: FOSS.

  8. Rivalroger
    Joke

    Don't tell RFK Jr

    Or he'll nix all the research!

    1. DS999 Silver badge

      Re: Don't tell RFK Jr

      I don't think that even deserves a "joke alert". There would sadly be a not-insignificant number of people^H^H^H^H^H^Hmorons in the US who would refuse to install "ransomware vaccines" simply because it was called that.

    2. Anonymous Coward

      Re: Don't tell RFK Jr

      Don't call them morons. There are much more derogatory, and accurate, terms to describe them. The problem is the folks on the other side of the aisle are equally <insert epithet here> in interestingly different ways.

  9. Freddie.Ramsey

    I think it's an interesting concept to develop malware vaccines at an enterprise level, but I wonder how readily adoptable it would be at a consumer level. What differentiates this solution from regular antimalware software? There definitely needs to be more funding, training, and especially public awareness for these types of solutions if it's an end-user solution. An open-source community could be beneficial for furthering development of these vaccines, but I think it's important to prevent bad actors from being able to mess with it or alter their malware based on those developments. If vaccine files have the possibility of interfering with legitimate software or system behavior, I wonder how likely software providers, like Windows, would be willing to integrate these vaccines.

  10. Anonymous Coward

    Not exactly new

    Spybot has had an "immunize" feature for about 20 years. Though I think it's mostly limited to putting known malware servers in the hosts file as 127.0.0.1.

    When are we going to start blocking traffic to/from known malware sites at the ISP level, and notifying account holders that a machine on that connection is likely infected?

  11. Anonymous Coward

    Not exactly new

    Spybot has had an "immunize" feature for about 20 years. Though I think it's mostly limited to putting known malware servers into the hosts file as 127.0.0.1.

    When are we going to start blocking traffic to/from known malware sites at the ISP level (the infected side's ISP), and notifying account holders that a machine on that connection is likely infected?
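The hosts-file "immunize" approach described in the two posts above, as an added example that is not from the page or from Spybot: it merges a blocklist into a marked section of a hosts file idempotently, validates hostname syntax so junk never reaches the file, and checks whether a name is sinkholed. Spybot's real file layout and marker comments are not known here and are assumptions, and the sample hosts text and blocklist are constructed.

```python
import ipaddress
import re

# Sink address written in front of each blocked hostname (the page mentions 127.0.0.1).
SINK = "127.0.0.1"
# Assumed marker comments so the managed section can be found and replaced on later runs.
MARK_BEGIN, MARK_END = "# BEGIN immunize", "# END immunize"
# RFC 1123-style hostname syntax: labels of 1-63 chars, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed sample input (not from the page): a stock hosts file and a blocklist
# with a duplicate in different case and one malformed entry.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n# user comment\n"
SAMPLE_BLOCKLIST = ["bad.example", "Bad.Example", "not valid!", "other.example"]

def valid_hostname(name: str) -> bool:
    """Accept only syntactically valid hostnames so junk never reaches the file."""
    return bool(_HOSTNAME_RE.match(name.strip().lower()))

def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Parse hosts text into (address, [hostnames]) pairs, dropping comments and junk."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries

def immunize(hosts_text: str, blocklist: list[str]) -> str:
    """Merge blocklist into a marked section; idempotent and keeps the user's own lines."""
    lines = hosts_text.splitlines()
    if MARK_BEGIN in lines and MARK_END in lines:
        b, e = lines.index(MARK_BEGIN), lines.index(MARK_END)
        if b < e:
            lines = lines[:b] + lines[e + 1:]  # drop the previous managed section
    wanted = sorted({n.strip().lower() for n in blocklist if valid_hostname(n)})
    section = [MARK_BEGIN] + [f"{SINK} {name}" for name in wanted] + [MARK_END]
    return "\n".join(lines + section) + "\n"

def is_sinkholed(hosts_text: str, hostname: str) -> bool:
    """True if the hosts file points hostname at a loopback or unspecified sink address."""
    sinks = {"127.0.0.1", "0.0.0.0", "::1"}
    return any(hostname.lower() in names and addr in sinks
               for addr, names in parse_hosts(hosts_text))
```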

  12. This post has been deleted by its author

  13. bombastic bob Silver badge
    Linux

    PowerShell profile could be modified to say "IsVirtualMachine = true."

    This gets me to thinking... what if windows ONLY runs in a VM?

    If sandboxing all windows OSs by ALWAYS running as a VBox VM under Linux or *BSD (a setup that could easily do whole disk backups and restores by saving the VM "whenever"), wouldn't THAT be a really good way to protect a windows computer/VM from infection?

    You would just set it all up to boot directly into the windows VM and go full screen with it. THEN if you needed to you could reboot it into Linux (etc.) with a grub menu choice.

    Well, looks like I fixed the planet. You're welcome!
