Friday, November 27, 2009

Latest Virus Strategy Is to Write in Plain English

Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.

One of the most common ways of hijacking other people's computers is to use "code-injection" attacks, in which malicious computer code is delivered to and then run on victims' machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.

Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.

Josh Mason of Johns Hopkins University in Baltimore, Maryland, and his colleagues developed a way to search a large set of English text – mostly composed of more than 15,000 Wikipedia articles and roughly 27,000 books from the online library Project Gutenberg – for combinations of words that could be used in code.

Their program highlighted in bold the text to be used as instructions, while leaving the sections to be skipped in plain text, as in the following example: "There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union."

CODE STANDS OUT
It's not the first time the potential weakness has been recognised, but many computer security experts thought the rules of English word and sentence construction would make the task impossible.

In machine code – the raw code that microprocessor chips understand – combinations of characters not seen in plain text, such as strings of mostly capital letters, are required.
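As an added illustration (not from the article or the researchers' work), the kind of "does this look like text or code?" heuristic the article says current defences rely on, run over constructed samples. The quoted English sentence passes it while a typical run of compiled-code bytes and a string of capitals do not, which is exactly the gap the research exposes; the thresholds are assumptions chosen for the demonstration.

```python
import string

# Constructed samples (not from the paper): the sentence quoted in the article,
# a byte string shaped like an ordinary compiled x86 function prologue, and the
# "mostly capital letters" pattern the article says stands out in prose.
ENGLISH_SAMPLE = (b"There is a major center of economic activity, such as Star Trek, "
                  b"including The Ed Sullivan Show. The former Soviet Union.")
BINARY_SAMPLE = bytes([0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08,
                       0x31, 0xC0, 0xC9, 0xC3, 0x00, 0x00, 0xFF, 0xFF, 0x90])
CAPS_SAMPLE = b"VXQPRTYVAAWWXXQQ"

PRINTABLE = set(string.printable.encode())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII: the classic 'is this text?' check."""
    return sum(b in PRINTABLE for b in data) / len(data)

def uppercase_ratio(data: bytes) -> float:
    """Fraction of ASCII letters that are capitals; ordinary prose is mostly lowercase."""
    letters = [b for b in data if b < 128 and chr(b).isalpha()]
    if not letters:
        return 0.0
    return sum(chr(b).isupper() for b in letters) / len(letters)

def looks_like_plain_text(data: bytes,
                          min_printable: float = 0.95,
                          max_uppercase: float = 0.5) -> bool:
    """Structural heuristic: nearly all printable AND not dominated by capitals.

    This is the assumption the article describes. It rejects typical compiled
    code and encodings that lean on capital letters, but it accepts any genuine
    English sentence, including one that also happens to decode as instructions.
    Thresholds are illustrative assumptions, not values from the paper.
    """
    if not data:
        return False
    return (printable_ratio(data) >= min_printable
            and uppercase_ratio(data) <= max_uppercase)

def classify(data: bytes) -> str:
    return "plain text" if looks_like_plain_text(data) else "suspicious"

if __name__ == "__main__":
    for name, sample in [("English sentence", ENGLISH_SAMPLE),
                         ("compiled-code bytes", BINARY_SAMPLE),
                         ("capital-letter run", CAPS_SAMPLE)]:
        print(f"{name:20s} printable={printable_ratio(sample):.2f} "
              f"upper={uppercase_ratio(sample):.2f} -> {classify(sample)}")
```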

"There was not a lot to suggest it could be done because of the restricted instruction set [of machine code]," said Mason. "A lot of people didn't think it could be done."

John Walker, managing director of UK security consultancy Secure-Bastion, said the research highlighted a basic weakness in antivirus tactics, and that hackers would undoubtedly try to exploit it. "There is no doubt in my mind that antivirus software as we know it today has gone well past its sell-by date," he said.

Nicolas Courtois, a security and cryptology researcher at University College London, said malicious code in this form would be "very hard if not impossible to detect reliably".
