Malware: War without end

We may be facing a stalemate. Or, we may be evolving a new cyber biosphere.

Page 2 of 3

Either way, the end result is that anti-malware software vendors can now respond to a new (or "zero-day") exploit within two hours, although complicated exploits may require subsequent follow-up, says Haley.

In parallel, there have been efforts to make software less vulnerable to infection. For instance, Tim Rains, director of Microsoft Trustworthy Computing, says that Microsoft has revamped the code libraries used by developers to remove errors and vulnerabilities.

As a result, he notes, stack corruption was the vulnerability exploited 43% of the time in 2006, but now it's used only 7% of the time. He also cites a study conducted in 2011 by analyst Dan Kaminsky and others indicating there were 126 exploitable vulnerabilities in Microsoft Office 2003, but only seven in Office 2010.

Years of security-related software patches downloadable by users have also had a measurable effect. Rains cites statistics derived from executions of Microsoft's online Malicious Software Removal Tool, which showed that systems with up-to-date protection were 5.5 times less likely to be infected.

As of December 2012, the rate was 12.2 infections per 1,000 machines for unprotected systems vs. 2 per 1,000 for protected systems. The global average was 6 infections per 1,000.

On the other hand, infections still happen. But even the nature of the infections seems to have reached a state of equilibrium.

Today's attacks: Two broad categories

Roger Thompson, chief security researcher at security testing firm and Verizon subsidiary ICSA Labs, divides today's most common infections into two categories: APT ("advanced persistent threat") and AFT ("another freaking Trojan").

New examples of APT malware appear about once a month, are aimed at a particular target and are produced by organizations with impressive resources, abilities and patience, he says. The classic example is the Stuxnet virus of 2010, whose goal appears to have been to make centrifuges in Iranian nuclear research labs destroy themselves by spinning too fast.

"Each one is different and scary," Thompson notes.

As for AFTs, self-replicating malware is no longer the infection vector of choice, with attackers preferring to launch drive-by attacks from infected websites against victims who were tricked into visiting. (However, worms and older malware are still lurking on the Internet, and an unprotected machine can still get infected in a matter of minutes, sources agree.)

The acquisition of new Trojans appears to be limited only by a researcher's ability to download examples, experts agree; hundreds of thousands can be collected each day. Many examples are simply members of long-standing malware families that have been newly recompiled, and some malicious websites will recompile their payload -- creating a unique file -- for each drive-by attack. There are probably no more than a thousand such families, since there is a finite number of ways to take over a machine without crashing it, notes Thompson.

The initial infection is usually a compact bootstrapping mechanism that downloads other components. It may report back to the attacker on what kind of host it has infected, and the attackers can then decide how to use the victim, explains Zeltser.

These days, an infected home system is typically hijacked by the attackers for their own use. With a small enterprise, the object is to steal banking credentials, while with large enterprises, the object is typically industrial espionage, Murray explains.

While the anti-malware vendors have adopted a multi-pronged strategy, so have the attackers -- for instance, writing malware that does not stir until it sees that it is not in the kind of virtual machine used to trick malware into revealing itself.

Meanwhile, the attackers have formed their own economy, with a division of labor. "Some are good at crafting malware, others are good at infecting systems, and others are good at making money off the infections, such as by sending spam, or by launching distributed-denial-of-service attacks, or by pilfering data," says Zeltser.

"You can buy the software required to do the account takeover, and then to convert the money into cash you hire mules," Murray adds.

New battlefields include XP, Android

But while many pundits expect to see a continued cycle of attack and defense, they also foresee additional future dangers: Windows XP may become unusable once its security updates end, and the Android smartphone environment may be the next happy hunting ground for malware.

For its part, Windows Vista is no longer receiving mainstream support, but Microsoft has announced the company will continue issuing security updates for the OS through mid-April 2017.

Windows XP, released in 2001, is still widely used, but Microsoft will stop issuing security updates for it after April 2014. At that point, Microsoft will continue to issue security updates for Windows 7 and Windows 8, and after each one is issued the malware writers will reverse-engineer it to identify the vulnerability that it addresses, Rains predicts.
