New recovery system restores virus-infected computers, could be used by agencies

Massachusetts Institute of Technology researchers backed by funding from government contractor Northrop Grumman Corp. have developed a tool that serves as an undo button to restore computers after they are infected by viruses, a computer scientist leading the effort said.

The so-called intrusion recovery system is one of about a dozen research projects underway at MIT, as well as Purdue and Carnegie Mellon universities, sponsored by the Northrop Grumman Cybersecurity Research Consortium for possible deployment at government agencies. The industry-academia partnership, which was established in late 2009, shared some of its progress with reporters Wednesday.

For its part, Northrop Grumman has contributed a giant database made up of tens of thousands of viruses and other malicious software that the researchers are using to test their work. One finding: The "Stuxnet" malware that apparently dented Iran's nuclear program by sabotaging the systems that operate reactors "was obviously written by a team of experts as opposed to a single person," said Robert Brammer, the company's information systems chief technology officer.

The worm -- about a million and a half lines of code -- is far larger and more sophisticated than the majority of viruses and reflects tremendous expertise in industrial control systems, he explained.

Computers overtaken by viruses far less vicious than Stuxnet -- or perhaps more so in the future -- can take days of wasted effort to fix. Often, employees inadvertently install such malware simply by downloading corrupted screen savers or greeting cards off the Internet.

"Many machines are compromised daily with backdoors for attackers to remotely log in to machines," said MIT computer science professor Ronald L. Rivest, adding that another big pest is botnets, which hijack computers to distribute spam or inundate websites with useless traffic to halt service.

The goal of the MIT team's undo project is to automate the job of restoring systems after a breach.

"When an intrusion is detected, our system rolls back any files affected by the attack . . . and re-executes any legitimate computations -- of course skipping the attack itself," he said. "This both reverts the attack and preserves changes made by legitimate users in the meantime."

The apparatus works by, first, recording a history of all computations performed by a user and then retracing the actions to pinpoint when and where a botnet or backdoor penetrated the system, he said.
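The rollback-and-re-execute idea described above, as an added illustration that is not the MIT team's code: a recorded history of actions (what each read and wrote, plus a deterministic function to recompute it) is scanned forward from the attack to find tainted files and the legitimate actions that depended on them; only those files are rolled back and only those actions are re-executed, so untainted work is preserved. The `Action`, `replay` and `recover` names and the sample history are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

@dataclass(frozen=True)
class Action:
    """One recorded computation: files read, files written, and a deterministic
    function that recomputes its writes from the contents it read."""
    name: str
    reads: FrozenSet[str]
    writes: FrozenSet[str]
    run: Callable[[Dict[str, str]], Dict[str, str]]

def replay(snapshot: Dict[str, str], history: List[Action]) -> Dict[str, str]:
    """Apply every recorded action in order to a copy of the snapshot."""
    state = dict(snapshot)
    for action in history:
        state.update(action.run({f: state.get(f, "") for f in action.reads}))
    return state

def recover(snapshot, history, attack_name):
    """Undo the attack: roll back tainted files, re-execute tainted legitimate
    actions, leave untainted work untouched. Returns (state, re-executed names)."""
    tainted, redo = set(), []
    for action in history:
        if action.name == attack_name:      # the attack is skipped, never re-run
            tainted |= action.writes
        elif tainted & (action.reads | action.writes):
            redo.append(action)             # depended on (or overwrote) tainted data
            tainted |= action.writes        # its outputs may change on re-execution
    state = replay(snapshot, history)       # the infected state as it stands now
    for f in tainted:                       # roll back only what the attack reached
        if f in snapshot:
            state[f] = snapshot[f]
        else:
            state.pop(f, None)
    for action in redo:                     # re-execute legitimate work, in order
        state.update(action.run({f: state.get(f, "") for f in action.reads}))
    return state, [a.name for a in redo]

# Constructed sample history (hypothetical files and actions, not real system data).
PASSWD, NOTES = "/etc/passwd", "/home/alice/notes.txt"
SNAPSHOT = {PASSWD: "root:x\nalice:x\n", NOTES: "draft"}
HISTORY = [
    Action("alice_edit", frozenset({NOTES}), frozenset({NOTES}), lambda r: {NOTES: r[NOTES] + " v2"}),
    Action("backdoor", frozenset({PASSWD}), frozenset({PASSWD}), lambda r: {PASSWD: r[PASSWD] + "intruder:x\n"}),
    Action("useradd_bob", frozenset({PASSWD}), frozenset({PASSWD}), lambda r: {PASSWD: r[PASSWD] + "bob:x\n"}),
    Action("alice_edit_again", frozenset({NOTES}), frozenset({NOTES}), lambda r: {NOTES: "final"}),
]

if __name__ == "__main__":
    print(recover(SNAPSHOT, HISTORY, "backdoor"))
```

Here only `useradd_bob` is re-executed, because it read the password file after the attack modified it; Alice's later edit never touched a tainted file and keeps its result.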

Northrop Grumman officials said some of the consortium's initiatives would be ready for the federal government to use within the next two years, but the timeline for agency acquisitions is out of the consortium's control.

One concern that researchers are grappling with is the unintended consequences of their security innovations -- such as filters that oppressive regimes modify to cut off Internet access or track dissidents online.

This is not a new stressor for academics. Alfred Nobel, who invented dynamite, suffered the same cognitive dissonance and went on to found the Nobel Peace Prize, said Eugene H. Spafford, executive director of Purdue's Center for Education and Research in Information Assurance and Security. "He was horrified by some of the uses in warfare," Spafford said.

Purdue addresses the issue of nefarious applications of research by requiring students to take ethics courses. "We have deep discussions about privacy and about the appropriate use of technology and we try to ensure that as we look at how the technology is developed, there is broad discussion both of where the technologies can be used and how the people developing them should ensure that there is some attention paid" to civil liberties, he said.

On Monday, a separate group of researchers assembled by the Washington think tank Center for a New American Security issued cybersecurity recommendations -- one of which is a White House commission on the future of Internet security.

The task force, made up of government, industry and academic experts, would grapple with how to change the underpinnings of the Internet to make the architecture more secure. Robert Kahn, who co-invented today's Internet infrastructure, devoted a chapter of the roughly 300-page report to the idea of defending systems by assigning and inserting trusted identity codes for every user and device.