
IT@Intel Blog


Research into how bacteria communicate and cooperate may hold lessons for how computer malware evolves.

Bacteria and malware evolution

I recently watched a fascinating presentation by Bonnie Bassler on how bacteria communicate.

My information security brain started thinking of the similarities between the evolution of computer malware and bacteria.  Bacteria, over the course of billions of years, have devised the most efficient ways to communicate, survive, and even destroy large and complex systems.  This may be the most logical path for the successful evolution of computer malware, and a peek into the future of information security challenges.

Bonnie is a passionate and articulate speaker who outlined how these simple single-cell critters work as a team to coordinate activities in a perfectly synchronized manner.  Their actions are stealthy, methodical, and can accomplish incredible objectives through teamwork on a scale humans have never achieved.  They infect, quietly multiply, and wait.  Bacteria independently determine the size of their community and decide to act based upon rudimentary communication and awareness.  When conditions are right and a level of potential virulence is attained, they team up in the billions and act in a choreographed manner.  And they do it simultaneously to bring down their target.

In many ways, computer malware acts similarly to bacteria.  Malware infects computers which are part of a large community.  Malware and bacteria both want to remain stealthy until ready to strike.  Malware exists as basic lines of code with simple rules.  Bacteria are organisms which behave in simple ways.

We are seeing the malware industry evolve with more ambitious goals.  Infection of a single node in a network is no longer sufficient to achieve desired objectives.  Malware must be developed to meet new challenges.  Bacteria are the masters of infiltration, stealth, and surprise coordinated attacks against behemoth adversaries.  In the future, malware may take some lessons from its biological doppelganger.

So how may malware evolve?

Malware design may shift to very small autonomous pieces.  Modern malware is generally a single package of standalone code which may exist as a file or attach itself to other code.  Deciphering this complete nugget will typically reveal all its secrets.  In the future such code may be broken up like the pieces of a puzzle.  Each piece means very little and appears harmless.  Only when they come together does the malevolent picture come into view.

Code will replicate itself and seek deeper penetration into all manner of systems.  With little risk of big-picture exposure, these pieces can be distributed and replicated much more widely.  Computer environments are full of innocuous code and data such as temp files, random packets, application remnants, and unneeded data.  Most code and data is ignored unless deemed dangerous.  These pieces can quietly infiltrate many different operating systems, applications, data, and communication traffic of clients, servers, storage, and network devices without raising an alarm.

Malware will be very quiet, acting locally and not attempting to communicate outside of the environment.  Much of today’s malware is detected as it attempts to communicate with command and control systems outside of the target network.  The next evolution of malware code will be harmless, quiet, and unnoticeable until the right success conditions are met.  Local community awareness via ‘quorum sensing’ between the pieces within a target environment would likely not be detected.  Only when the right elements are in place will the pathogenicity be realized, as unified activation is initiated and virulence is rapidly achieved.  This will leave little chance for security to mount a meaningful response.

Malware has a lot to learn from its slimy cousin.  Maybe someday malware writers will become as smart as these microbes.  On the upside, security can learn from the same teachers.  Just don’t blame our microscopic symbionts for the malice, as we exist in their world.  The battle continues.


The third and last part of the video series discussing how you can make use of the vPro system defense capabilities the easy way is out. This video shows an example of how your existing security server can implement network quarantine using system defense on provisioned devices without having to know a thing about AMT.

The video follows on from the second video, which showed an example of using system defense through the Microsoft SCOM GUI, and shows a proof of concept implementation that only requires the security server to write an event into the local Windows event log, which is easily doable with almost any programming or scripting language. Behind the scenes, the SCOM agent installed on the security server intercepts this event and sends a notification to the SCOM server, and as a result the SCOM server implements the blocking policy on the offending host.
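As an added illustration of the "write an event into the local Windows event log" step (this is example code written for this page, not the proof of concept shown in the video or any Intel code), the following PowerShell registers a custom event source on the security server, writes a quarantine request event, and reads it back so the operator can confirm it actually landed before trusting that the SCOM agent picked it up. The log name, source name, event ID and message layout are assumptions; whatever the SCOM side is configured to match must use the same values.

```powershell
# Added example, not from the original post or the Intel proof of concept.
# Assumed values: the agent rule on the SCOM side is expected to match this
# log, source and event ID. Change them to whatever your rule actually watches.
$LogName = 'Application'          # assumption: rule watches the Application log
$Source  = 'SecurityCorrelation'  # assumption: custom source registered on this server
$EventId = 9001                   # assumption: event ID the rule filters on

function Register-QuarantineEventSource {
    # Creating a source requires local administrator rights and is a one-time step.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Send-QuarantineRequest {
    param(
        [Parameter(Mandatory)] [string] $HostName,  # offending host as reported by the IDS
        [Parameter(Mandatory)] [string] $Reason     # short text from the alert behind the decision
    )
    # Key=value body so the SCOM rule (or a person reading the log) can parse it reliably.
    $stamp   = (Get-Date).ToUniversalTime().ToString('o')
    $message = "action=quarantine host=$HostName reason=`"$Reason`" time=$stamp"
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
                   -EntryType Warning -Message $message
    return $message
}

function Get-LastQuarantineRequest {
    # Read back the newest matching event; returns $null if nothing was written.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = $EventId } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue
}

# Usage with a constructed host name and reason:
Register-QuarantineEventSource
$sent = Send-QuarantineRequest -HostName 'client-042' -Reason 'IDS alert: repeated internal port scans'
$seen = Get-LastQuarantineRequest
if ($null -eq $seen -or $seen.Message -ne $sent) {
    Write-Warning 'Quarantine event was not found in the log; SCOM will not act on it.'
}
```

The read-back step matters in practice: if the source was never registered or the account lacks rights, `Write-EventLog` fails and no blocking policy is ever applied, so the correlation server should treat "event not visible in the log" as a failed quarantine rather than a success.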

The beauty of this is that now you can choose any server to collect and correlate your security events and take quarantine decisions, all without this server having to be an AMT management server. The existing AMT manager (SCOM in this example) is doing the hard work for you.

As before, I hope you find this useful. I would love to hear comments and answer any questions.

Cheers


Omer.


I'm Omer Ben-Shalom and I am a principal engineer with Intel information technology (IT) focusing on mobility and client platforms. I have had the pleasure of working with the Intel development teams on the vPro AMT system defense and decided to share my experiences via a three part video series showing how system defense can help in active response to infected PCs.

There are many threats to the environment. The 'classical' threats originate from the outside, and it is the job of the perimeter defenses such as firewalls, IPS and others to block them. The more problematic ones are those that originate from inside the perimeter; these types of attacks are mostly conducted from legitimate machines owned by the business and are quite often carried inside the perimeter unknowingly by employees, especially when using mobile platforms such as notebooks which are carried outside the business and back in.

Detecting infected PCs and other malicious activity is done with the help of the various intrusion detection systems, and the alerts generated can be collected and aggregated to provide a very good picture of the existing threats. A much more difficult task is quarantining the hosts carrying out the malicious activity and performing remediation. There are solutions involving both host software and network-side blocking, but with the host possibly compromised and the network location of the offending host subject to change on mobile platforms, effective quarantine and remediation is very complex.

This is where the Intel vPro system defense capabilities come into play, by allowing selective network access restrictions on a host. These restrictions can allow only the connectivity necessary to fix the problem and, being implemented on the host platform itself, cannot be escaped just by changing the network location.

This week we are publishing the first of a three part video series on how to use system defense for this purpose, both manually and via integration with existing AMT management. I hope you will all take the time to view the introduction video below. Any comments are welcome; I would love to hear your views about the problem as well as the solution.

I hope you enjoyed this video. Parts two and three should post by next week, so stay tuned.
