91av

Dumb code could stop computer viruses in their tracks

Machine code inserted into all email attachments could prevent even the newest viruses from delivering their payloads

ON THE day a new computer virus hits the internet there is little that antivirus software can do to stop it until security firms get round to writing and distributing a patch that recognises and kills the virus. Now engineers Simon Wiseman and Richard Oak at the defence technology company ‘s security lab in Malvern, Worcestershire, UK, have come up with an answer to the problem.

Their idea, , is to intercept every file that could possibly hide a virus and add a string of computer code to it that will disable any virus it contains. Their system chiefly targets emailed attachments and adds the extra code to them as they pass through a mailserver. A key feature of the scheme is that no knowledge of the virus itself is needed, so it can deal with new, unrecognised “zero day” viruses as well as older ones.

Many mailservers already block attachments that will run as executable programs – such as PC files with a .exe suffix – in case they are viruses. But virus writers have tricks up their sleeve to get round this. For example, they can disguise files as an innocent Microsoft Word (.doc) or Adobe Acrobat (.pdf) file, and then fool unsuspecting users into converting them into an “executable” program file that will run on their computer.

Qinetiq aims to prevent this by inserting a line of machine code – the raw code that microprocessor chips understand – into the header area of incoming files. This is the part of the file that holds the formatting data that defines such aspects as a document’s layout and fonts.

If the file is simply opened by another program, the code is ignored. But if someone attempts to run it as a program in its own right, Qinetiq’s code will run first – and stop the rest of the program in its tracks, either by exiting or by sending it into an infinite loop.

“This is not based on virus signature detection, so it is not something malware writers can imagine their way around,” Wiseman says. Qinetiq, which has just acquired the military networking firm Boldon James, plans to exploit the trick in future secure mailservers.

“This is not based on virus signatures, so it is not something malware writers can get around”

“It sounds like it might have some promise,” says , a software security engineer at the University of Cambridge. But he adds: “I’m not sure that injecting raw machine code into attachments will be a panacea.”

Anderson doubts the wisdom of patenting the scheme, however. “Now that Qinetiq have patented this idea nobody will use it, even if it works. Patents are seen as damage: people route around them.”

Topics: Computer crime