Infection Markers as Vaccines against Malware

Though a merge of biology and computer science has for a long time been a constant presence in fan fiction, certain areas of research do consider crossover theories and concepts to help solve problems in the counterpart domain. In this post we look at one such example, the research paper “Using Infection Markers as Vaccines against Malware”.[1]

First let’s look at the biological concept of vaccination. Vaccination is the most effective way known to date to prevent infection. It basically involves introducing the rogue agent to the body’s immune system in a weakened state so as to allow the immune system to develop a defence against the agent. In a normal infection this is prevented by the speed at which the infection spreads throughout the body, affecting the immune system before it can perform its duties. Vaccines are thus weakened antigens with either their active part removed or put in a state of rest. The idea is that once the immune system learns to identify the particular antigen, it creates the required antibodies to combat that antigen in future recurring infections. This is why biological forensic experts can predict most infections a person has had from just a small amount of blood by looking at the antibodies present.

In the above context the authors Wichmann and Padilla use the infection markers created by malware to prevent infections from that malware. First let’s look at what infection markers are.

It is certainly plausible that a computer that has already been infected could become the target of infection again. Now consider the situation where the infected computer is attacked again by the same version of the malware. What then? Do two copies of the same malware attack the computer? As it turns out, one of the main functions of most malicious software is to stay undetected for as long as possible, and having multiple presences only increases the probability of discovery. If the malware is a complex one, including rootkits and the like, multiple presences may be downright harmful for the malware. The same sign may also be used by the malware itself to reinstall necessary components if it finds that some of its components have been erased. Hence it becomes advantageous for malware to first check for signs from which it can infer whether the computer has already been infected. This means that on infecting a machine, the malware must leave some sign that it is present. This sign may take any form: a file at a specific location, a named pipe, a blocked socket, etc. But if we identify the sign that the malware looks for, there is nothing stopping us from replicating it to fool the malware into thinking the host has already been infected, so that it leaves the host without causing harm. This is exactly the concept explored in the mentioned research paper.

The authors also design and implement a preliminary system to automatically detect such infection markers by dynamic analysis of the malware, and give detailed accounts of the results. Some of the drawbacks of their method, as they diligently note, are the concerns pertaining to VM-aware malware (an issue with any dynamic analysis process in a virtual environment) and the fact that their framework decides on possible infection markers by comparing the differences between the logs of the malware run first in an uninfected environment and then in an infected environment over a span of two minutes; a time span of two minutes may be an easily bypassable hurdle. The third problem concerns dynamic infection markers, that is, markers whose values are not hard-coded but obtained as a function of some local environment variable such as the MAC address: all possible factors may not be covered during the test phase, and advanced infection markers such as those that use hashing functions still require human experts to recreate the marker manually. Though the aforementioned problems exist with this method, it is an interesting application of biological science and techniques in computer science.
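As an added illustration of the log-comparison idea outlined above (this is not the authors’ framework; the trace format, the two runs and the probe-to-artifact mapping are all constructed for the example), the following Python diffs a run on a clean host against a run on an already-infected host, reports the probe whose answer changed as the candidate marker, and lists the artifact a defender would pre-create as the “vaccine”:

```python
"""Mining candidate infection markers from two constructed dynamic-analysis traces."""
from collections import OrderedDict

# Constructed traces, one probe or action per line: "<call> <object> -> <result>".
# Run 1: the sample executes on a clean machine. Run 2: the same sample executes
# again on the same machine, i.e. on an already-infected host.
CLEAN_RUN = [
    "open_mutex svc_x9 -> NOT_FOUND",
    "create_mutex svc_x9 -> OK",
    "stat C:/ProgramData/x9.dat -> NOT_FOUND",
    "write_file C:/ProgramData/x9.dat -> OK",
    "reg_query HKCU/Software/X9/Installed -> NOT_FOUND",
    "reg_set HKCU/Software/X9/Installed -> OK",
    "spawn_thread payload -> OK",
]
INFECTED_RUN = [
    "open_mutex svc_x9 -> OK",   # the sample finds its own marker and bails out
    "exit_process 0 -> OK",
]

def parse(trace):
    """Return an ordered map (call, object) -> result, keeping the first occurrence."""
    table = OrderedDict()
    for line in trace:
        lhs, result = line.split(" -> ")
        call, obj = lhs.split(" ", 1)
        table.setdefault((call, obj), result.strip())
    return table

def find_markers(clean, infected):
    """Candidate markers: probes that were answered differently on the infected host.
    Suppressed actions: steps the sample performed only on the clean host."""
    c, i = parse(clean), parse(infected)
    markers = [(call, obj, c[(call, obj)], i[(call, obj)])
               for (call, obj) in c
               if (call, obj) in i and c[(call, obj)] != i[(call, obj)]]
    suppressed = [(call, obj) for (call, obj) in c if (call, obj) not in i]
    return markers, suppressed

def vaccine_plan(markers):
    """Artifacts a defender would pre-create so each probe answers as on an infected
    host. The probe-to-artifact mapping is assumed for this toy trace format."""
    artifact_of = {"open_mutex": "mutex", "stat": "file", "reg_query": "registry value"}
    return [(artifact_of.get(call, "unknown"), obj, want) for call, obj, _, want in markers]
```

Note that only the first probe surfaces as a marker, because the sample exits as soon as that check succeeds; the file and registry probes would only be seen in a run where the mutex is absent but the other artifacts are present.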

[1] “Using Infection Markers as Vaccines against Malware Attacks” by Andre Wichmann and Elmar Gerhards-Padilla
