Finally some GOOD news on the malware front

NC State Research Shows Way to Block Stealthy Malware Attacks
NCSU News (11/03/09) Shipman, Matt

North Carolina State University (NCSU) researchers have developed a way to block rootkits and prevent them from contaminating computer systems. Rootkits often work by hijacking a number of hooks, or control data, in a computer’s operating system.

“By taking control of these hooks, the rootkit can intercept and manipulate the computer system’s data at will,” says NCSU professor Xuxian Jiang. To prevent a rootkit from taking over an operating system, Jiang’s research team determined that all of an operating system’s hooks had to be protected.

“The challenging part is that an operating system may have tens of thousands of hooks–any of which could potentially be exploited for a rootkit’s purposes,” Jiang says. “Our research leads to a new way that can protect all the hooks in an efficient way, by moving them to a centralized place and thus making them easier to manage and harder to subvert.”

By placing all of the hooks in one place, the researchers were able to leverage hardware-based memory protection to prevent the hooks from being hijacked. The research will be presented at the ACM Conference on Computer and Communications Security in Chicago on November 12.

…. and

New Honeypot Mimics the Web Vulnerabilities Attackers Want to Exploit
Dark Reading (10/29/09) Higgins, Kelly Jackson

Glastopf is a new open source Web server honeypot project that enables researchers to study Internet attacks by acting as Web servers with thousands of vulnerabilities that provoke cybercriminals into attacking. Glastopf creator Lukas Rist says the program dynamically emulates vulnerabilities that attackers are looking for, so the decoy is more realistic and can gather more detailed information.

“Many attackers are checking the vulnerability of the application before they inject malicious code,” Rist says. “My project is the first Web application honeypot with a working vulnerability emulator able to respond properly to attacker requests.”

Rist built Glastopf through the Google Summer of Code program, in which student developers write code for open source projects. Glastopf uses a combination of known signatures of vulnerabilities and records the keywords an attacker uses when visiting the honeypot to ensure they are indexed in search engines, which attackers regularly use to find new targets. The project has a central database to collect Web attack data from the honeypot sensors, which are installed by participants who want to share their data with the database.

“The project will contribute real-world data and statistics about attacks against Web apps–an area where we do not have good collection tools yet,” says Rist’s project mentor Thorsten Holz. He says Glastopf tricks an attacker by returning content that is often found on vulnerable versions of Web applications, such as characteristic version numbers or similar information.