Why does old malware refuse to die? ...and is the IT security industry doing enough to kill it?

News by Davey Winder

Old malware is the zombie apocalypse of the cyber-security world. So why is that, and why can't we fix it?

The latest Check Point Threat Index reveals that Conficker is responsible for one in six malware attacks, yet Conficker first hit the scene in 2008 and, you might think, should have been well and truly dealt with by now. Think again: old malware is the zombie apocalypse of the cyber security world. So why is that, and why can't we fix it?

The Threat Index for April (https://www.threat-cloud.com/ThreatPortal/#/map) reveals that the top three malware variants observed were Conficker (17 percent), Sality (12 percent) and ZeroAccess (6 percent), all of them old threats. This doesn't surprise Adam Tyler, Chief Innovation Officer at CSID, who told SCMagazineUK.com that "around 90 percent, if not more, of malware campaigns are based on historic and old malware samples."

Perhaps the most relevant reason is the wide availability of free, cracked and easy-to-use malware builders (for Zeus, Citadel or SpyEye, for example), coupled with the sheer number of out-of-date and unpatched systems out there.

Javvad Malik, security advocate at AlienVault, didn't have the figures to hand, but we reckon he's probably right when he says that XP is the second most used OS across the Windows user base. "While newer OSs may defend against older malware, unless endpoints are upgraded or patched they will remain vulnerable," Malik points out.

Rich Barger, chief intelligence officer at ThreatConnect, ran a quick search on Shodan.io and told us, "there are more than 147,000 obsolete Windows XP hosts exposed on the internet", and that's like "those people who still cough and sneeze in public without covering their mouth."

Malik reckons the main victims will tend to be "home users and small businesses which don't have the knowledge, resources or ability to upgrade or protect themselves by other means." That is a particular problem, of course, in countries where piracy is rife and endpoints aren't powerful enough to run newer OSs.

The patching problem is certainly front and centre with most of the security professionals we spoke to about this issue. Take Greg Day, EMEA CSO at Palo Alto Networks, who told SCMagazineUK.com that while it's easy enough to get 90 percent of the business updated, "the last tenth of the mile can be extremely challenging for businesses, as there can be systems they don't know exist due to issues such as a lack of visibility."

There can also be systems they don't have the rights to change because they belong to partners or contractors. Lastly, there can be systems that are much harder to maintain, either because their sensitive business nature restricts when they can be accessed or because they are legacy systems the company is struggling to support. "These challenges apply to all sizes of companies," Day continues, "but at the smaller end of the scale, companies' ability to identify and mop up these outlying systems typically becomes weaker."

So should we be worried? Well, as Adrian Sanabria, senior security analyst at 451 Research, told us, Conficker is hardly the most dangerous of malware. "The first four variants never did anything beyond spreading themselves and upgrading to the next variant," he says. "Finally, Conficker E did something nasty: installed the Waledac spambot and SpyProtect." As far as anyone knows, Conficker E only did that for a month and, after 3rd May 2009, downgraded itself to Conficker D, doing nothing aside from spreading itself.

So why does it persist? That's easy, according to Sanabria: "It's really well-written code." That said, Sanabria says Conficker only ever seemed to use one vulnerability to get into systems initially: the infamous MS08-067 RCE bug. "Every pentester knows about it," he concludes, "and every pentester has probably exploited it at one time or another."

But is the security industry doing enough to combat old malware infections, and why hasn't it been more successful to date? Milton Kandias, cyber security consultant at Auriga, insists that the IT security industry defeated Conficker from day zero, since Conficker spread via a vulnerability which had already been resolved and for which a patch had already been issued. "What we failed to anticipate was the reincarnation of Conficker, and that requires a fundamental shift in perspective," Kandias concludes, "away from a purely technical bent to a more strategic one."

In other words, IT security keeps failing against old threats either because attackers evolve or because defenders don't. "Cyber security is not a one-dimension issue," Kandias says, "it requires both technical and organisational counter-measures; policies, hands-on testing, proactive thinking, a systematic approach, talent and devotion."
