While antivirus software struggles with the onslaught of the recent “worm wars”, two New Zealand developers are advocating clever solutions — but from radically different ends of the spectrum.
One is proposing a “whitelist” approach to security in which only approved traffic is allowed in, while the other is pushing for a partnership of sorts between spam and virus fighters.
Antivirus specialists suggest a “war” between rival virus writers may be to blame for the rash of outbreaks in recent weeks. New variants of Mydoom, Netsky and Bagle have been launched, five in three hours, each containing entertaining messages from the authors. Netsky also attempts to remove Mydoom and Bagle when it encounters an infected PC.
Christchurch-based virus specialist Nick FitzGerald proposes a simple approach to the problem of viruses.
“Most companies use a blacklist approach, which is arse-about-face. The correct way to provide security is with a whitelist approach.”
FitzGerald likens network security to trying to enter a top secret research facility.
“Blacklists work like this: you bowl up to the gate, show the guards your ID and have them check against a list of known villains. If your name isn’t there you get admitted.”
FitzGerald says you should have to prove you’re supposed to be there — a whitelist approach.
“There are very, very few users who would need to receive executable files via email, and for those astronomically few you would configure separate rules that allow them to receive only a very limited, secured, password-protected attachment.”
But because people are used to having complete freedom to receive email and attachments, they see any curb on that as a loss, FitzGerald says.
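As an added illustration, not code from the article or from FitzGerald, here are the two gate policies he describes applied to a few constructed attachments in Python. The extension lists, the recipient addresses and the rule that the few exception users may receive executables only inside a password-protected archive are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed policy and sample data for illustration only; the lists below are
# assumptions, not any vendor's or organisation's real configuration.


@dataclass(frozen=True)
class Attachment:
    filename: str
    recipient: str
    password_protected: bool = False  # e.g. an encrypted archive


# Blacklist: admit everything except the types already known to be dangerous.
KNOWN_BAD = {"exe", "scr", "pif", "bat", "com", "vbs"}

# Whitelist: default deny; only these document types pass for everyone.
APPROVED = {"pdf", "txt", "docx", "xlsx", "png", "jpg"}

# The "astronomically few" users who must receive executables get a separate,
# narrower rule: a password-protected archive, and only to their address.
EXEC_EXCEPTIONS = {"builds@example.nz": {"zip"}}


def extension(filename: str) -> str:
    """Return the final extension, lowercased; '' if there is none."""
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def blacklist_allows(a: Attachment) -> bool:
    """Check the ID against the list of known villains; admit if absent."""
    return extension(a.filename) not in KNOWN_BAD


def whitelist_allows(a: Attachment) -> bool:
    """Admit only approved types, or a configured per-user exception."""
    ext = extension(a.filename)
    if ext in APPROVED:
        return True
    return ext in EXEC_EXCEPTIONS.get(a.recipient, set()) and a.password_protected


def compare(attachments):
    """Return (filename, recipient, blacklist verdict, whitelist verdict) per item."""
    return [(a.filename, a.recipient, blacklist_allows(a), whitelist_allows(a))
            for a in attachments]


SAMPLES = [  # constructed
    Attachment("report.pdf", "alice@example.nz"),
    Attachment("setup.exe", "alice@example.nz"),
    Attachment("invoice.cpl", "alice@example.nz"),  # executable type not yet on the blacklist
    Attachment("tool.zip", "alice@example.nz", True),  # protected, but not an exception user
    Attachment("tool.zip", "builds@example.nz", True),
    Attachment("tool.zip", "builds@example.nz", False),
]

if __name__ == "__main__":
    for name, who, bl, wl in compare(SAMPLES):
        print(f"{name:12} {who:20} blacklist={'pass' if bl else 'block'} "
              f"whitelist={'pass' if wl else 'block'}")
```

The blacklist passes the unlisted executable type and every archive; the whitelist passes only the approved document and the one archive that meets the exception rule.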
Richard Jowsey, of Auckland-based anti-spam developer Death2Spam, is taking quite a different approach.
“We discovered, quite by accident, that the spam filtering engine was picking up viruses as well as spam.”
With a little training, the filter is able to work out the likelihood of an email containing a virus even if the virus is a new one that hasn’t been picked up by the security vendors, Jowsey says.
“There’s a lag between the virus being released, it being seen by the vendors, taken apart and a signature file being sent out to end users. That’s fine in a world where you get one or two viruses a month, but this virus war has seen new versions of viruses every other day.”
Jowsey hopes Death2Spam will be one of the leaders in a new generation of antivirus filters that rely not on signature files being sent out but instead on the software’s own intelligent assessment of the situation using heuristic filtering.
“We’re not talking about spam or virus filtering any more. It’s email filtering.”
But Jowsey says products like his won’t replace traditional signature-based antivirus solutions. “Once the signature’s in place it’s hard to beat such a system.”
His plan is to complement them. “What we do is fill in that gap before the signature is ready. They would train each other. The filter would learn from the signatures what makes a virus and when it spots what it thinks has a high probability of being a virus it can let the signature writers know.”