The Malware Landscape
Security professionals all know that there are more malware samples infecting users than ever before. Malware writers have become more sophisticated and have realized they can obtain large amounts of money from distributing malicious software. The shift in motivation for creating malware, combined with the use of advanced scripting techniques, has resulted in an exponential growth of criminally professional malware being created for the sole purpose of infecting unsuspecting users.
This new malware dynamic has become the next big plague for users and companies alike. Gartner estimates that by the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that has evaded their traditional perimeter and host defenses [1]. In July of 2007, Panda Security conducted a research study [2] to analyze the effectiveness of current antimalware solutions. The two-part study scanned the PCs of 1.4 million users in over 80 countries. These PCs were utilizing security solutions from over 40 different vendors. Results indicated that even though many consumer PCs tested had protection installed with up-to-date signature databases, nearly 23% of the PCs scanned were infected with malware loaded into memory [3]. The study also examined more than 1,200 firms with security solutions installed. Results showed that nearly 72% of companies with more than 100 computers had active malware on their networks.
Antivirus Laboratories Are Under Attack
Today’s antivirus laboratories are under constant and increasingly frequent attacks. Security industry labs are being saturated with thousands of new malware samples every day. Each one of these new samples needs to be looked at by an analyst trained in reverse engineering in order to create a signature, which is a costly and resource-intensive process from a corporate and business perspective.
Some antivirus solution vendors are trying to deal with the proliferation of malware by increasing the number of analysts at their labs. But malware writers are getting more sophisticated and reverse engineering some of the latest common threats requires a higher level of knowledge and a larger amount of time dedicated to each sample than before. Because of this situation, antivirus engineers can no longer be employed simply “by the numbers” to create hundreds of thousands of new signatures every month.
The security industry is advocating for stronger intervention by law enforcement agencies to convict the most active malware creators. Initiatives to get law enforcement more involved—although definitely a step in the right direction—unfortunately present an insufficient solution, as the number of variants is increasing incrementally and most of the time only the less sophisticated “mules” and “script kiddies” are convicted.
The more advanced malware writers who are selling their code to spammers, mafias, and criminals are more evasive and harder to catch. In addition, the lack of resources at most law enforcement agencies around the world – tied to insufficient international cooperation and coordination among them – makes for a difficult task when trying to arrest a suspect or known cyber criminal. In the long run, both a technological and a social approach are needed to battle the proliferation of malware.
Malware Techniques and Design
The main difference between earlier computer viruses and today’s malware is that the lifecycle has been significantly shortened and the objectives have been refined to steal identities, use computers as spam bots, and steal online banking credentials, credit card information, Web logins, etc. The following sections will review some of the current approaches to malware, including targeted attacks, malware QA testing, rootkits and sandbox detection techniques, runtime-packers, botnets, staged infection vectors, and malware “2.0” techniques.
Targeted Attacks: Staying Below the Radar
Today’s malware is designed to not raise any alarms. Unlike in the past – where viruses and worms were designed to spread to as many computers as possible without user intervention, generating a lot of noise and media awareness – today’s criminal malware is designed to be as inconspicuous as possible. Malware creators now use advanced techniques to evade detection and to “fly low.” One of the main strategies used for staying below the radar is to distribute just a few copies of many variants. In the past, a single virus or worm was responsible for infecting hundreds of thousands and even millions of computers. Outbreaks of that scale were highly visible to the antivirus labs.