[Update: Michael St Nietzel also pointed out that there's an issue with installers that verify a checksum before installation. In fact, this is a special case of an issue I may not have made completely clear before: unless this approach is combined with some form of whitelisting, there has to be some way of reversing the modification somewhere in the process for files that turn out to be legitimate. That will provide interesting implementation challenges.]
I was rather scathing recently in a blog for AVIEN (the Anti-Virus Information Exchange Network) about a New Scientist report that described a pending patent from Qinetiq: since that blog was picked up by the Register, perhaps I'll qualify my "sarcastic" comments here.
Notes to New Scientist:
In fact, checking the actual patent application, the idea dreamed up by Qinetiq isn't as dumb as New Scientist make it sound, and it would be unfair to assess the value of the idea purely on a journalist's interpretation. Clearly Qinetiq has done some thinking around the issue, and some research into prior art. I particularly like the repackaging of the EICAR test file (with a new text string displayed) in "BACKGROUND TO THE INVENTION". Let's hope that EICAR (http://www.eicar.org) didn't patent it. ;-)
But it hasn't solved the virus problem (let alone the malware problem). Well, of course, that's not what patents actually do. They summarize an approach to solving a problem: they don't generally provide a map of the implementation of the solution.
Nonetheless, this approach seems less straightforward than the New Scientist report claims.
It isn't really a catch-all generic solution: it relies on the insertion of "strings of arbitrary length" within computer files of known type. In other words, while it offers a possible approach to preventing certain known types of threat from executing, it doesn't seem to offer blocking of all potentially executable files. Actually, this is a positive, if it means that code won't be inserted randomly into a file of unknown type, though I'm by no means sure that this is what it means.
So, an interesting idea, but based on a number of assumptions that had already crashed and burned before the end of the last century. One more issue: in the New Scientist article, Ross Anderson was quoted as saying "Now that Qinetiq have patented this idea nobody will use it, even if it works. Patents are seen as damage: people route around them." True. And, as John Leyden remarked in that Register article, "Patents are designed to allow developers to stake out areas of technical innovation. However, in the fiercely competitive anti-virus market, they've more often been used as legal and marketing weapons." Unfortunately, though, misuse of the patenting process in certain cases has resulted in security companies feeling obliged to get their patents in first. I don't know if Qinetiq are hoping to keep what they see as an innovation to themselves, or simply trying to forestall having it taken away from them by someone with a sharper set of lawyers…
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET