
Evolution and genomics in anti-malware software

While most “normal” people look forward to the cinnamon spices, roasted turkey, and holiday cheer typical of this time of year, starting just before Thanksgiving, I start my mad annual scramble to get posters and/or talks completed, and proposals perfected for early January deadlines. This year has been no different, as I planned in September to have a proposal written by November, and drafts circulating with knowledgeable colleagues throughout December so that I could kick back and enjoy the holidays. Yet now I find myself still drafting the first section with only one month remaining, leaping out of bed early in the morning to catch a few hours of writing before heading to work, and then rushing home in the evenings to continue the mental onslaught on my computer…

I returned last night, ready to spend an evening typing away ferociously; but upon opening my computer, I was greeted with a series of error messages and the following window:

A screenshot of the window created by malware HDDTools, meant to scare users into purchasing software.

Needless to say, this sent me into a flurry of activity. For once, I was actually relieved to discover that my hard drive was not in fact about to implode, and that this was instead the spawn of a rogue app spread by a trojan (the fact that the malware then launches into a system scan is a clue… since if my hard drive were indeed failing, it certainly wouldn’t be able to execute a scan!).

In the hours that ensued as I tried to manually remove all components of this app from my computer and then protect it against further breaches, I discovered Ad-Aware’s Genotype detection system. Here is what CNET (6 December 2010) says about Genotype:

Lavasoft first started changing Ad-Aware’s protection engine more than a year ago in version 8.1, when it introduced Genotype. This heuristics-based technology identified identical snippets of code across multiple threat mutations. In version 9, Genotype receives support from what Lavasoft calls “Dedicated Detection.” This tech looks inside files, analyzes the code, and creates a loose pattern for finding families of related malware. The company touts that a single dedicated detection signature can detect hundreds of thousands of threats. More importantly, Lavasoft expects that dedicated detection will lower false positive rates by creating more points of comparison.

So while traditional detection software worked by matching a file against a blacklist of known threats that had to be updated constantly, Genotype looks for code shared among the components of an app and its known relatives to judge threat level. That gives a form of near-predictive detection: because a new variant inherits code from the known threats it evolved from, it can be caught dynamically instead of only after its own signature is added to a static list. Pretty cool, no?
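To make the contrast concrete, here is an added illustration that is not from the post, from CNET, or from Lavasoft: a toy detector that first tries an exact hash blacklist and then falls back to a family signature built from the byte snippets common to every known sample. Byte n-gram overlap is my stand-in for Genotype’s snippet matching (the real engine’s internals are not described in the article), the malware “samples” are constructed strings, and the n-gram length and 50% threshold are assumptions chosen for the demo.

```python
import hashlib
from typing import Iterable, Set

N = 8  # n-gram length in bytes (assumption for the demo)

def ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """All length-n byte snippets in data (empty if data is shorter than n)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def exact_signature(data: bytes) -> str:
    """Classic blacklist entry: a hash that changes if a single byte changes."""
    return hashlib.sha256(data).hexdigest()

def build_family_signature(samples: Iterable[bytes], n: int = N) -> Set[bytes]:
    """Snippets present in every known sample: the family's shared 'genotype'."""
    snippet_sets = [ngrams(s, n) for s in samples]
    return set.intersection(*snippet_sets) if snippet_sets else set()

def family_score(data: bytes, family_sig: Set[bytes], n: int = N) -> float:
    """Fraction of the family's shared snippets found in data (0.0 .. 1.0)."""
    if not family_sig:
        return 0.0
    return len(ngrams(data, n) & family_sig) / len(family_sig)

def classify(data: bytes, known_hashes: Set[str], family_sig: Set[bytes],
             threshold: float = 0.5) -> str:
    """'exact' for a blacklisted hash, 'family' for enough shared code, else 'clean'.
    Requiring many points of comparison (the threshold) is what keeps a benign
    file that happens to share one snippet from being flagged."""
    if exact_signature(data) in known_hashes:
        return "exact"
    if family_score(data, family_sig) >= threshold:
        return "family"
    return "clean"

# --- constructed samples (not real malware bytes) ---
# Code every member of the fake "rogue disk tool" family carries.
FAMILY_CORE = b"scan_disk();show_error('Hard drive failure');prompt_purchase();"

# Two known samples: same core, different padding and licence key.
KNOWN_SAMPLES = [
    b"\x90\x90\x90\x90" + FAMILY_CORE + b"A1B2C3D4",
    b"\xcc\xcc\xcc\xcc" + FAMILY_CORE + b"Z9Y8X7W6",
]
KNOWN_HASHES = {exact_signature(s) for s in KNOWN_SAMPLES}
FAMILY_SIG = build_family_signature(KNOWN_SAMPLES)

# A new variant: fresh padding, fresh key, and one byte mutated inside the core.
VARIANT = b"\x00\x00" + FAMILY_CORE.replace(b"drive", b"drivE") + b"Q5R6S7T8"

# A benign program that merely shares one snippet with the family.
BENIGN = b"BenignShareware v2: prompt_purchase(); thanks for trying!"

if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLES[0]), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{name:8s} score={family_score(blob, FAMILY_SIG):.2f} "
              f"-> {classify(blob, KNOWN_HASHES, FAMILY_SIG)}")
```

The hash blacklist catches only the sample it was built from; the variant’s hash is new, yet it still shares most of the family’s snippets and is flagged, while the benign file shares a handful and stays below the threshold.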

To read more about this, click here.
