 | « Back to article | Print this article |
When a new virus hits the Internet there is little that an anti-virus software can do to stop the malware on the very day, but now British engineers have come up with an answer to the problem.
Engineers Simon Wiseman and Richard Oak from defence technology company Qinetiq, Worcestershire, have found a way to stop computer viruses in their tracks by intercepting every file that could possibly hide a virus and adding a string of computer code to it that will disable any virus it contains.
Their technique mainly targets emailed attachments and adds the extra code to them as they pass through a mail server.
A key feature of the scheme, which they are patenting, is that no knowledge of the virus itself is needed, so it can deal with new, unrecognised "zero day" viruses as well as older ones, journal New Scientist reported.
Many mail servers already block attachments that will run as executable programs - such as PC files with a .exe suffix - in case they are viruses.
But virus writers have tricks up their sleeve to get round this. For example, they can disguise files as an innocent Microsoft Word (.doc) or Adobe Acrobat (.pdf) file to fool unsuspecting users into converting them into an "executable" program file that will run on their computer. Qinetiq aims to prevent this by inserting a line of machine code - the raw code that microprocessor chips understand - into the header area of incoming files.
This is the part of the file that holds the formatting data that defines such aspects as a document's layout and fonts.
If the file is simply opened by another program, the code is ignored. But if someone attempts to run it as a program in its own right, Qinetiq's code will run first - and stop the rest of the program in its tracks, either by exiting or by sending it into an infinite loop.
"This is not based on virus signature detection, so it is not something malware writers can imagine their way around," Wiseman says.
Qinetiq, which has just acquired the military networking firm Boldon James, plans to exploit the trick in future secure mail servers.
"It sounds like it might have some promise," says Ross Anderson, a software security engineer at the University of Cambridge. But he adds: "I'm not sure that injecting raw machine code into attachments will be a panacea."
Anderson doubts the wisdom of patenting the scheme, however. "Now that Qinetiq have patented this idea nobody will use it, even if it works. Patents are seen as damage: people route around them."