RSA 2016: Industry failing to understand malware life cycle

Anti-malware designers are failing to understand the complexities of malware and are using out of date technology to combat a rapidly evolving threat, says Christopher Elisan, principal malware scientist at RSA.

Christopher Elisan, principal malware scientist at RSA
Christopher Elisan, principal malware scientist at RSA

While malware designers are constantly updating their software and adapting to beat security, anti-malware companies are failing to keep pace with them.

That's the view of Christopher Elisan, principal malware scientist at RSA. He gave a talk at RSA on Monday entitled “Demystifying a malware attack”.

To truly counter the malware, he said it is vital to understand the components of malware and how they interact otherwise you may find yourself fighting – and even declaring victory – against the wrong bit of software.

Malware is typically composed of five elements: the configuration file, the attack component, the regeneration component, the rootkit component and the bot agent. Each element either helps the malware infiltrate the system, maintains its presence on the system or executes instructions from the operator who controls the malware.

Most malware is created and distributed by people who don't write the code. They use DIY malware creation software to generate variants of an existing malware.

Figures quoted by some security companies that they have identified tens of millions of unique malware samples in a year should be taken with a grain of salt, he said. “They found 50 million unique malwares but the chances are these are the product of only half a dozen different [DIY] malware kits. You can make each malware unique just by adding an extra byte on the end.”

He added: “It means as soon as one malware is rumbled, they can generate a new one and upload it to their server.”

Speaking to SCMagazineUK.com after his presentation, Elisan said rather than simply quoting big headline numbers, it would be more helpful to be able to say how many families of malware that represented or even how many DIY kits were responsible for creating that malware.

“Let's say for 2017 we saw three DIY kits that were responsible for 20 million unique samples that we saw, then we could say that 30 million were created using old DIY kits that are still around and [here's a list] of those DIY kits,” he said.

Elisan said that in the battle against malware, too often “we fail to realise that for it to be successful, there are so many moving parts, and to really come up with a solution to stop that thing from happening again, we need to understand the infrastructure as well”.

To keep the solutions providers on their toes and force them to innovate, there is a need for CISOs and other C-suite level executives to understand the infrastructure. Many solutions will stop the email with a malicious attachment but often the malicious file will be just the first stage of the attack – the malware installer.

“Now if the installer is smart enough, it knows it's being analysed and it sometimes knows it's in a confined network, so instead of downloading the malware itself, there's a logic that says, I'm being analysed so rather than connecting to the real malware serving domain, I will connect to a different domain and download different kinds of files and bits of files that are dead.”

What's needed in the battle against malware is more data scientists, those people who create the sophisticated mathematical algorithms that enable the automatic identification of the family of malware that a sample came from.

“You quickly realise that you are wasting your time if you analyse each piece of malware – just analyse the kit so you know how it creates it,” he said.

Despite eight years of work in this area, he said companies continue to purchase the old solutions out of habit and because it makes them feel secure. “It's only about $60 [£43] per seat [for these solutions],” he said. “As long as it generates money people will continue to make it and the effort, instead of going into real research, goes into the development of existing solutions because it's still generating money.”