
Hunting for U-boats

or Triangulating for Viruses and Spyware


I was surfing the internet a while back when Microsoft’s AntiSpyware popped up to say that something had got through two firewalls, my anti-virus software and managed to get itself into my machine.

I had arrived at the page in question via my search engine (Google in this case). I reviewed what had happened and it seemed I had picked up a malicious JavaScript attack.

That got me thinking. With all the technology pieces I had in place, this thing still got through. What about those who don’t have security in depth? The battle against these vandals is flawed: it relies on me being constantly on my guard and always being up to date. Anti-virus doesn’t stop me getting the code, it just checks it before it runs. AntiSpyware works in a similar way. I would prefer not to have the stuff come down to my PC in the first place.

Is there a way to leverage the experience of people like me to help protect the rest of the internet population? Why does anyone else have to experience the pain of undetected code getting onto their machine?

There must be a better way. I was thinking this was beatable. I recalled when I first read Robert Harris’ 1995 book Enigma, about the British attempt to break the German naval code of that name.

[WARNING: PLOT SPOILER]
An American convoy is being stalked by U-boats and the British cannot break the naval code (Enigma) to give advance warning. Once the 1st U-boat finds the convoy it sends its coded location and the course of the convoy to the other U‑boats. These are picked up by the British as “cribs” – partial solutions to the cipher. As each U-boat starts to tail the convoy they also broadcast their location and course. This collection of “cribs” is eventually enough for the British to crack the code.
[END OF PLOT SPOILER]

What’s this got to do with virus hunting? Well, there are 2 main ways to get viruses today – by email and by the internet. Email viruses, by their nature, come in randomly and hide their source location, but normal anti-virus software should address this. What if you find it on the internet, though? Here we could use triangulation and logic.

Fact: Most sites are found from search engines. Therefore removing dubious sites from the search results should reduce the risk for all internet users.

But how to identify them? Well, software like Microsoft’s AntiSpyware and other anti-virus vendors’ products could help. As each type of protection triggered an event, it could anonymously alert a central point with details of (say) the last dozen URLs visited, perhaps derived from the browser history or a plug-in.

Each of these alerts gives us a "crib" into the location of the bad site. As more people tripped over this site more data would be collected. Eventually a pattern would emerge. Once a threshold had been reached the site would be blocked from the search results. Maybe even referring sites would be blocked.

There would need to be an opt-in stage to ensure that users explicitly permitted the forwarding of anonymous data. To manage data quality, there would need to be guarantees that only real users are submitting data; if this wasn’t done then malicious people could submit sites to be blacklisted. So there would need to be some form of certificate (GUID, public key, etc.) to authenticate each posting. There might also be a throttle on the number of posts from a client per 24 hours to ensure there was no rogue code abusing the system.
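To make the collection stage concrete, here is an added Python sketch (not code from the original post) of the central point: each client signs its "crib" of recent URLs with a per-client key (an HMAC secret stands in for the certificate mentioned above), the aggregator enforces the per-24-hour throttle and counts distinct reporting clients per URL, and anything at or above the threshold is returned for review. The client ids, keys, URLs and threshold values are constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

THRESHOLD = 3           # distinct clients reporting a URL before it is flagged
MAX_POSTS_PER_DAY = 5   # per-client throttle against rogue submitters
DAY = 24 * 3600

def sign(key: bytes, urls: list[str]) -> str:
    """Client side: an HMAC over the URL list stands in for the post's certificate (assumption)."""
    return hmac.new(key, "\n".join(urls).encode(), hashlib.sha256).hexdigest()

class CribAggregator:
    """Central point collecting anonymous 'cribs' (recent-URL lists) from protection events."""
    def __init__(self, client_keys: dict[str, bytes]):
        self.client_keys = client_keys                 # client id -> shared secret
        self.post_times = defaultdict(list)            # client id -> times of accepted posts
        self.reporters = defaultdict(set)              # url -> client ids that reported it

    def submit(self, client_id: str, urls: list[str], sig: str, now: int) -> bool:
        """Accept a post only if it is from a known client, correctly signed and within the throttle."""
        key = self.client_keys.get(client_id)
        if key is None or not hmac.compare_digest(sign(key, urls), sig):
            return False                               # unknown client or forged post
        recent = [t for t in self.post_times[client_id] if now - t < DAY]
        if len(recent) >= MAX_POSTS_PER_DAY:
            return False                               # throttled: too many posts in 24h
        self.post_times[client_id] = recent + [now]
        for url in urls:
            self.reporters[url].add(client_id)         # a client counts once per URL
        return True

    def flagged(self) -> list[str]:
        """URLs reported by at least THRESHOLD distinct clients."""
        return sorted(u for u, c in self.reporters.items() if len(c) >= THRESHOLD)

# Constructed sample data: three clients whose recent URLs all end at the same dubious page.
KEYS = {"c1": b"k1", "c2": b"k2", "c3": b"k3"}
REPORTS = {
    "c1": ["https://search.example/", "https://news.example/", "https://bad.example/page"],
    "c2": ["https://search.example/", "https://shop.example/", "https://bad.example/page"],
    "c3": ["https://search.example/", "https://blog.example/", "https://bad.example/page"],
}

def run_demo() -> dict:
    agg = CribAggregator(KEYS)
    accepted = {c: agg.submit(c, urls, sign(KEYS[c], urls), now=1000) for c, urls in REPORTS.items()}
    forged = agg.submit("c1", ["https://victim.example/"], "0" * 64, now=1001)   # bad signature
    # c1 re-posts six times: counted once per URL, and throttled once it reaches MAX_POSTS_PER_DAY
    repeats = [agg.submit("c1", REPORTS["c1"], sign(KEYS["c1"], REPORTS["c1"]), now=1002 + i) for i in range(6)]
    return {"accepted": accepted, "forged": forged, "repeats": repeats, "flagged": agg.flagged()}
```

Note that the search engine's own page crosses the threshold as well, because every reporter visited it on the way to the bad site; that is exactly the false-positive problem a raw "last dozen URLs" crib creates, so a review step or weighting by recency is needed before anything is blocked.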

I could imagine the central agency would need to process many different file types and have a library of known exploits and a method for addressing them.

Or perhaps the agency just aggregates the data and circulates the list of sites that have exceeded the threshold. The search engine company could either confirm the presence of malicious code themselves or partner with another software company to provide this service. Anti-virus and AntiSpyware software manufacturers would obviously have such expertise.

Of course a company that has a search engine, AV skills and has browser technology would be in a strong position to lead this.

In this way we establish a feedback loop to ensure that only low-risk sites are presented to us.

[I need to think about how to manage false positives - valid sites that got caught up in this collection and review process]