Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.



Malware Detecting Router

A router that detects if a computer on your SOHO network is a zombie
  (+4, -1)
(+4, -1)
  [vote for,

An all in one SOHO router/wireless bridge/etc for technically savvy people to install for their un-savvy family members to help prevent/stop malware.

Perhaps addable to the DD-WRT firmware, this is firmware and/or a router from an established company which does the following:

periodically calls home to receive a blacklist of IP addresses/torrents/communication protocols+specifics/etc that are known malware hubs and activities.

heuristically analyzes your traffic for unusual behavior (also updatable via external interpreter).

When malware has been detected to be on a particular PC, one of a few things will happen, based on setup/prefs:

1)that PC's network connection is shut off and all web page requests are fulfilled with the router's internal warning "Grandpa, call your grandson/daughter, your computer needs to be checked out." + a cute pic of a computer with a thermometer and ice bag.

2) a warning light and/or buzzer comes on on the router

3) email is sent to a predetermined address ("go fix grandma's computer, she tried to win a million dollars again"

The router could also provide more details as to the nature of the attack, so the repairperson could determine if bank accounts need to be changed/etc (was it too late, or was the data stopped before it got out? Or was it just a DDOS that got stopped in its tracks?).

Obviously, all of the blacklists would be optional, and could come from multiple independent sources chosen by the admin.

The router's login and auth would have to be over https and initially set up from a trusted clean computer.

The utmost amount of care would have to be made when programming such that malware to disable the router's functionality/insert empty blacklists/heuristics files couldn't easily be constructed. I won't go into the myriad ways things would have to be protected, as I am not an expert and that is not what this idea is mainly about.

Grandpa also can't know the router's password. The heuristic analysis would likely only trigger option #3, for obvious(?) reasons

The obvious implications are that this could make the botnet programmers work a bit harder to obscure what they're doing (encryption to anonymizers, etc) , but in theory, given decent heuristics and up to date firmware, most activity could be detected and cut off or notified. Even if the malware is updated before detection this time, it could be caught in the next round of router updates.

Even if the data being passed couldn't be determined, the method/destination by which the data are being transferred could potentially provide enough evidence to signal someone with the capability of verifying and fixing the problem (or whitelisting/telling the router that everything is okay)

All firmware would be open source so as to allay most peoples' fears about who is getting the network data and what is happening to it.

If the programmers are really feeling proud of themselves, they could implement a secure remote administration method by which a technician could potentially check into/fix some problems. This would open up more avenues of attack, of course.

ericscottf, Feb 14 2010

Home Network Defender http://www.linksysb...-Network-Defender-4
Home Network Defender by Cisco and Trend Micro [pebrian27, Feb 16 2010, last modified Feb 17 2010]

Trend Micro URL blocking tops benchmark http://www.computer...n_really_does_count
Trend Micro URL blocking tops benchmark [pebrian27, Feb 16 2010]


       The people who fall victim to such malware are non-Geeks. As such, they deserve what they get.   

       When the Revolution comes, they will be hunted down and culled (it's the kindest way).   

       [-] for potentially encouraging the continued existence of non-Geeks.
8th of 7, Feb 14 2010

       I'll give you 3/10 for the troll and point out:   

       1) wouldn't it be nice if the internet was routing slightly less garbage? There's plenty of malware that doesn't shut down the computer or bankrupt the user, so that really only inconveniences the geeks...   

       2) It is at least partially geek fault that malware happens. It has to be someone's responsibility to take care of these things, I guess you would rather some corporate entity deals with it?   

       I don't think the revolution is going to look like what you think it will look like....
ericscottf, Feb 14 2010

       "The people who fall victim to such malware are non-Geeks. As such, they deserve what they get."
Piffle, I say, and I suggest you have no way of proving your computer isn't infested at this very moment.

       Having said that, many router/firewalls do packet inspection and DDOS detection, among other things. The problem with blacklists is that the bad guys control more machines than you can easily catalog.
phoenix, Feb 15 2010

       Beware the counterstrike, Malware Detecting Router Detecting Malware.
swimswim, Feb 15 2010

       I suppose at the core of this idea is "how do you know if your computer is a bot"? I'm not sure I could tell.
wagster, Feb 16 2010

       //I suppose at the core of this idea is "how do you know if your computer is a bot"?// It's a very good question - a good bot (from the viewpoint of some one who wants to use your computer) should be as undetectable as is feasably possible. I quite like the idea's approach, in that if you can't identify or control the bot at source, then you can try instead to limit its communication to the outside world.   

       The problem with that is they often try to use the same communication channels as a regular person would. A particularly sneaky methodology is for the bot to open a channel on IRC and sit there listening for instructions, this way, the bot controller can go onto his own IRC channel, and talk to all his bots in one go, without having to communicate directly with all of the separate hosts. Since IRC is something that's considered relatively harmless, your firewall would have to monitor the actual communication to make a judgement on whether it's malicious bot management, or a teenager swapping lolz with her contemporaries. However, lets say the firewall could determine such conversations, what's to stop the black-hatted ones from coding their bot communication protocols to mirror teenagers chatting online?
zen_tom, Feb 16 2010

       Almost all of the features you asked for has been baked. Look for Home Network Defender.   

       Four Cisco/Linsys home router models has Trend Micro installed which performs blacklisting (blocks malicious sites), activity monitor and parental controls. (see "Home Network Defender" link)   

       Also, Trend Micro has a high blocking/blacklisting rate. (see "Trend Micro URL blocking tops benchmark" link)
pebrian27, Feb 16 2010

       //encouraging the continued existence of non-Geeks//   

       Hand-to-hand combat training and competence with fire-arms?
MikeD, Feb 16 2010

       I think at the heart of my idea is the concept that since it has been proven too difficult to create software for non geeks to keep watch over their PC (either because the software is too complicated or could easily be subverted by a 0 day exploit piece of malware), one might put the checks for safety in between the computer and the target, on an appliance that would have a very limited interface to the computer/malware.   

       By limited interface, I mean that in non administrator mode, the router is only receiving ethernet packets for retransmission, the memory space of the router isn't mapped on the PC and subject to overflow attacks, etc. It makes it easier to secure the device from malware, and since it is something that the non geek user never needs to touch, can remain vigilant instead of accidentally being uninstalled/broken somehow.   

       As far as malware being changed to obscure the instructions into more common use, one must consider the goal of malware:   


       Steal personal data   

       Send Spam   

       In the case of a DDOS, heuristics could easily take care of that. "I've never visited this website before. Why am i doing it 100 times repeatedly right now? Let me check with my blacklist supplier and see if any other routers like me are being instructed to do a similar thing...   

       in the case of steal personal data, those data have to go somewhere. Ideally, after a few people fell victim to this, the destination of the data would be detected and put into the blacklist. Does the destination move based on time of day or some other unpredictable function? do DPI to find something similar to the packets and halt based on that.   

       Spam would also easily be trapped by heuristics. "i normally send 3 emails per day through gmail. why am i connecting to port 25 on 1000 different computers all of a sudden?"   

       Or, in the case of gmail accounts being subverted, "why am i sending email to everyone in my list? I never do that..." etc.   

       A quick look at Home network defender makes it look as if it is not specifically router-only based, and doesn't seem to involve all of the features i've mentioned, but its existence suggests that at some point, my idea will be baked by some company.
ericscottf, Feb 16 2010


back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle