University Researchers Develop Bad Code With Good Intentions

University of Calgary computer scientists develop 'Typhoid' adware to study how malicious content can be stopped proactively.

by / May 31, 2010

Fighting viruses and malware often is a reactive process. A pesky strain of shifty code debuts and spreads across the Internet, and security professionals develop software and policies to deal with it after the fact.

But it doesn't necessarily have to be that way. Computer scientists at the University of Calgary in Alberta, Canada, are taking a proactive approach to cyber-security by developing their own malware -- and strategies to understand and stop it -- so the world is ready when something similar develops "in the wild."

They call it "Typhoid" adware after the unfortunate woman Mary Mallon who infected nearly 50 people in the early 20th century after she contracted typhoid fever. Mallon didn't know she had the disease until it was too late -- which is similar to how the Typhoid adware would do its dirty work today.

"Adware usually shows ads on the computer where it's installed, and the difference between that and the Typhoid adware is that Typhoid adware is a lot sneakier -- the computer that has Typhoid adware doesn't see any ads," said University of Calgary associate professor John Aycock.

Aycock has worked on Typhoid with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin since last year, and they've developed a pernicious threat as Aycock describes it.

"It's only the computers around it that see the advertisements, and the reason that this is interesting -- and in fact, somewhat of a premonition of things to come -- is that you have lots of people now who are bringing their laptops or electronic devices to public places, Internet cafes and restaurants, and so I think we're going to be seeing a lot more of these proximity-based attacks in the future," Aycock said.

The researchers published a paper in March 2010 outlining their creation and its dangers, presenting the information at the European Institute for Computer Anti-Virus Research conference, a Paris gathering of anti-virus researchers. Typhoid is similar to a man-in-the-middle attack that intercepts communication between two endpoints and hijacks the communication. Users at both endpoints have no idea their connection is being controlled by a third party.

But Typhoid adware is just that -- adware -- which means that all one would expect it to do is generate annoying pop-ups and toolbar add-ons, not destroy a whole system or steal information. Yet Aycock said it can do much more than that. "They're not directly menacing, but really, the underlying attack mechanism could be used to do a number of things," he said.

The ads could be injecting malicious code into systems or prompting people to download fake anti-virus software onto their systems. If the Calgary researchers can provide data on something like Typhoid now, then people will know how to deal with a program like it later. That's the plan.

"A lot of our computer security defenses are based on reactive technologies -- the bad guys come up with something, and then we have this big window of vulnerability while the security researchers in the security industry try and figure out a defense for it," he said. "We're trying to get ahead of the game and get out of this vicious cycle."

The researchers have performed experiments with the software and defenses against it. One defense recommendation is configuring endpoints to be more aware of their surroundings, like when in Internet cafes, so they can be more suspicious of communications from other machines.

"When you're at home, you know you're safe, and when you go outside, you know to be more cautious. Our computers don't have that same sense," Aycock said.


Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.

Platforms & Programs