Keeping up with the bad guys
Malware writing has undergone many changes over the years - from hobbyists to a criminal business - with mobile and social now the hot targets, Rob Buckley reports.
Russian trojan spotted attacking Middle Eastern banks
“Even 10 years ago, malware was mostly about fun," says Ondřej Vlček, CTO at Avast!, a Prague-based anti-virus company. Virus writers, he says, were after bragging rights. But now it's very professional, organised and very profitable. Malware writing changed with the realisation that people could make a lot of money from it.
Now, rather than trying to grab the headlines with another appeal to a worldwide love of Anna Kournikova, malware developers aim to stay below the radar. “If you're trying to do something nefarious, you don't want publicity, you want it to be quiet,” says Vince Steckler, CEO at Avast! “You want it to be much smaller scale so you can get some money. They don't want to be on the news for the same reason bank robbers don't want to – that's when they failed.”
And that means developing ways to not only avoid detection, but to ‘follow the money', whichever platform that might be on. That's meant the shape-changing polymorphism of the likes of Zeus, designed to evade the signatures of AV software; the targeting of lucrative PC-uses, such as online banking; and the migration of malware onto other platforms, such as mobile phones, that can offer similar, as well as their own unique sources of revenue.
For both Vlček and Steckler, the key to catching up with the malware writers is Big Data. “Our mantra is not to go after individual cases, but look at it as a statistical problem,” says Vlček. He argues that by collecting data from all the computers and devices on which AV software is installed and then feeding it all into their systems, AV companies can crunch the numbers to work out the nature of the threat and how to defeat it. The more users and systems each company has, the better the quality of the protection provided.
That's why, for Steckler, free consumer versions of products shouldn't just be adverts for the premium versions. These software offerings are a vital component of AV protection, a ‘sensor net' gathering data that will protect not just them but everyone who pays for the products, whether they're consumers or users of the corporate products. “Without this sensor net, the technology wouldn't be where it is today.”
This Big Data-approach also helps to keep up with the constantly mutating families of malware that criminals are producing, Vlček says. “The polymorphism is still usually machine-generated, so there are ways of detecting it, although it's more difficult."
Part of Vlček's research in the company's virus lab is related to how to match these representations of the same family so as to provide more generic protections to the same thing. "We see many samples coming in and they may not look alike from the first sight or the second sight, but they either have a similar behaviour or they have some similar characteristics that we uncover," he says. They then find a more generic description to the whole family. "I still believe it is extremely important to have as much data as possible for that. The more samples or the more metadata you have – not only of the sample but the URLs they came from – the more you can match them and provide a generic description even for samples you have not seen yet.”
As technologies evolve or gain popularity, the criminals are not far behind. Mobile is looking more and more appealing to the malware writer. “Especially on Android, the KPIs are exploding, because its openness and design make it a logical choice for the attacker, and it has reached a critical mass in terms of penetration and market share,” Vlček says. And, he adds, with the smartphone's ability to send premium SMS and spam SMS messages offering new channels for malware writers to make money, it's only going to get worse.
On desktops, many of the browsers and the operating systems have become secure, so attackers are searching for new ways to find exploits and vulnerabilities that are not so obvious or directly addressable from the network," he says. Adobe, for example, was a huge target in the last couple of years. Java became a huge target as well. He believes similar opportunities will only grow with all the other add-ons that come installed on PCs which didn't go through scrutiny by security researchers. "I think the shift to mobile hasn't really happened yet," he says. "We are going to see that in the next couple of years. There's an obvious appetite for that from the bad guys. It's a new platform, just a couple of years old." These criminals are not yet so proficient with it, he explains, but that will change. "Commercialisation is clearly set to continue. The more money there is, the better they will get and the harder it will be to keep up.”
With both iOS and Windows Phone likely to open up more of their APIs to developers to provide additional functionality, they will become as viable as Android as targets, Steckler says, so no platform will be safe in the long run. In the meantime, these systems will be as vulnerable as Android because of other malware techniques. “The iOS isn't protected from phishing attacks, which is a favourite of the bad guys anyway.”
The next aspect of security that needs consideration is privacy, Steckler says. Both consumers and corporates are going to need social media protection capabilities, including checking of links for malware, better control of privacy settings, and control over apps. That goes for tracking in browsers as well.