Malware: War without end
We may be facing a stalemate. Or, we may be evolving a new cyber biosphere.
Ceaselessly, with no end in sight despite outlays that amount to a tax on doing business, the decades-long struggle against malware drags on.
Today, around 5% of the average IT budget is devoted to security, estimates John Pescatore, a director at the SANS Technology Institute. Cybercrime (including malicious insider attacks and theft of devices) costs U.S. corporations an average of $11.6 million yearly, according to an October 2013 study by the Ponemon Institute that was sponsored by HP Enterprise Security. This cost represents a 23% increase over last year’s average of $8.9 million per company.
Asked why malware is the war without end, experts commonly embrace either a military or an ecological metaphor. Those with the military viewpoint say flawed defenses have led to a stalemate. The ecology-minded don’t see it as a war to be won or lost — they see an eternal cycle between prey and predator, and the goal is not victory but equilibrium.
Around 5% of the average IT budget is devoted to security, says John Pescatore, a director at the SANS Technology Institute.
One who favors the military metaphor is David Hoelzer, director of research for Enclave Forensics in Henderson, Nev. “We are essentially going in circles,” he says. “We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed. Coders are not trained in security, and ‘well written’ means ‘under budget.’”
Security consultant Lenny Zeltser chooses the ecology metaphor. “Attackers take advantage of the defenders, and the defenders respond. It’s part of the cycle,” he says. “If attackers get in too easily, they are spending too much to attack us. If we are blocking 100% of the attacks, we are probably spending too much on defense. We have been in a state of equilibrium for some time and always will be. But being complacent is dangerous, as we must constantly apply energy to maintain the equilibrium.”
Developments in the financial sector offer an example of why it’s important to constantly apply energy to maintain the equilibrium. A new report from Trend Micro points out that attacks aimed at stealing online banking credentials recently surged to a level not seen since 2002.
Nevertheless, experts agree that progress has been made — even if only toward the maintenance of ecological equilibrium or a military stalemate.
The wins so far
At this point, “there are no types of malware for which there are no defenses that we are currently aware of,” says Roel Schouwenberg, a researcher at anti-malware software vendor Kaspersky Lab.
“We no longer see the kinds of big spreading malware that we saw three or four years ago, [such as] the ILOVEYOU virus of 2000,” adds William Hugh Murray, a security consultant and a professor at the Naval Postgraduate School.
Interviews with analysts and executives at security vendors McAfee, AVG and Kaspersky Lab suggest that the following are the four principal weapons that make this possible:
• Signature detection. This approach gives you the ability to spot malicious code, among other things.
• Behavior monitoring. By adopting this technique, you can do things like spot malicious activity in a computer or determine if a suspicious file will respond to virtual bait
• Blacklisting. This is a mechanism for blocking access to sites and files that are included on a list of undesirable entities.
• Whitelisting. With this approach, essentially the opposite blacklisting, users are only allowed access to sites and files on a list of entities known to be harmless; access is denied to sites and files that aren’t on the list.
Each of the four has its supporters and detractors, and all the anti-malware software vendors queried for this article said they use some form of all four weapons, in combination.
Other defenses include firewalls, which can prevent intrusions and — with Windows at least — are part of the operating system, and periodic vendor patches to address vulnerabilities.
Frequency of cyberattacks
The frequency of different types of attacks experienced during a four-week period in 60 companies benchmarked.
Viruses, worms, trojans 100%
Web-based attacks 63%
Denial of service 50%
Malicious code 48%
Malicious insiders 42%
Phishing/social engineering 42%
Stolen devices 33%
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
A question sometimes raised is whether there are more advanced weapons that we haven’t yet learned about. “I’ve heard that [the anti-malware vendors] have better defenses up their sleeve that they choose not to release since they are not necessary yet, and they don’t want to tip their hand,” says Zeltser.
The vendors deny this. “Our secret weapons are in force every day — it’s a daily battle,” says Tony Anscombe, an executive at anti-malware software vendor AVG Technologies. Indeed, if vendors had something that can stop all viruses “it would be foolish to wait to use it,” says Kevin Haley, spokesman for anti-malware software vendor Symantec. “It would be a competitive advantage” to help sell more software, he points out.
Either way, the end result is that anti-malware software vendors can now respond to a new (or “zero-day”) exploit within two hours, although complicated exploits may require subsequent follow-up, says Haley.
In parallel, there have been efforts to make software less vulnerable to infection. For instance, Tim Rains, director of Microsoft Trustworthy Computing, says that Microsoft has revamped the code libraries used by developers to remove errors and vulnerabilities.
There are no types of malware for which there are no defenses that we are currently aware of.
Roel Schouwenberg, researcher, Kaspersky Lab
As a result, he notes, stack corruption was the vulnerability exploited 43% of the time in 2006, but now it’s used only 7% of the time. He also cites a study conducted in 2011 by analyst Dan Kaminsky and others indicating there were 126 exploitable vulnerabilities in Microsoft Office 2003, but only seven in Office 2010.
Years of security-related software patches downloadable by users have also had a measurable effect. Rains cites statistics derived from executions of Microsoft’s online Malicious Software Removal Tool, which showed that systems with up-to-date protection were 5.5 times less likely to be infected.
As of December 2012, the rate was 12.2 infections per 1,000 machines for unprotected systems vs. 2 per 1,000 for protected systems. The global average was 6 infections per 1,000.
On the other hand, infections still happen. But even the nature of the infections seems to have reached a state of equilibrium.
Today’s attacks: Two broad categories
Roger Thompson, chief security researcher at security testing firm and Verizon subsidiary ICSA Labs, divides today’s most common infections into two categories: APT (“advanced persistent threat”) and AFT (“another freaking Trojan.”)
New examples of APT malware appear about once a month, are aimed at a particular target and are produced by organizations with impressive resources, abilities and patience, he says. The classic example is the Stuxnet virus of 2010, whose goal appears to have been to make centrifuges in Iranian nuclear research labs destroy themselves by spinning too fast.
“Each one is different and scary,” Thompson notes.
As for AFTs, self-replicating malware is no longer the infection vector of choice, with attackers preferring to launch drive-by attacks from infected websites against victims who were tricked into visiting. (However, worms and older malware are still lurking on the Internet, and an unprotected machine can still get infected in a matter of minutes, sources agree.)
Average annualized cybercrime cost
These costs are weighted by attack frequency in 60 companies benchmarked.
Denial of service – $243,913
Malicious insiders – $198,769
Web-based attacks – $125,101
Malicious code – $102,216
Phishing/social engineering – $21,094
Stolen devices – $20,070
Botnets – $2,088
Viruses, worms, trojans – $1,324
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
The acquisition of new Trojans appears to be limited only by a researcher’s ability to download examples, experts agree; hundreds of thousands can be collected each day. Many examples are simply members of long-standing malware families that have been newly recompiled, and some malicious websites will recompile their payload — creating a unique file — for each drive-by attack. There are probably no more than a thousand such families, since there is a finite number of ways to take over a machine without crashing it, notes Thompson.
The initial infection is usually a compact boot-strapping mechanism that downloads other components. It may report back to the attacker on what kind of host it has infected, and the attackers can then decide how to use the victim, explains Zeltser.
These days, an infected home system is typically hijacked by the attackers for their own use. With a small enterprise, the object is to steal banking credentials, while with large enterprises, the object is typically industrial espionage, Murray explains.
While the anti-malware vendors have adopted a multi-pronged strategy, so have the attackers — for instance, writing malware that does not stir until it sees that it is not in the kind of virtual machine used to trick malware into revealing itself.
Meanwhile, the attackers have formed their own economy, with a division of labor. “Some are good at crafting malware, others are good at infecting systems, and others are good at making money off the infections, such as by sending spam, or by launching distributed-denial-of-service attacks, or by pilfering data,” says Zeltser.
“You can buy the software required to do the account takeover, and then to convert the money into cash you hire mules,” Murray adds.
New battlefields include XP, Android
But while many pundits expect to see a continued cycle of attack and defense, they also foresee additional future dangers: Windows XP may become unusable because of the support situation, and the Android smartphone environment may be the next happy hunting ground for malware.
For its part, Windows Vista is no longer receiving mainstream support, but Microsoft has announced the company will continue issuing security updates for the OS through mid-April 2017.
Windows XP, released in 2001, is still widely used, but Microsoft will stop issuing security updates for it after April 2014. At that point, Microsoft will continue to issue security updates for Windows 7 and Windows 8, and after each one is issued the malware writers will reverse-engineer it to identify the vulnerability that it addresses, Rains predicts.
“They will then test XP to see if the vulnerability exists there, and if it does they will write exploit code to take advantage of it,” Rains says. “Since XP will never get another update, the malware writers will be in a zero-day-forever scenario. If they can run remote code of their choice on those systems it will be really hard for anti-virus protection to be effective. The situation will get worse and worse and eventually you will not be able trust the operating system for XP.”
“People should not be running XP,” agrees Schouwenberg. “When it was written the malware problem was very different than it is today. It had no mitigation strategies and is extremely vulnerable.”
Android, meanwhile, is going like gangbusters on smartphones — outselling Apple’s iOS phones in the third quarter of this year, according to Gartner — making it a huge target for crackers.
Experts see many parallels between Android’s development and the early history of the Windows market, with hardware vendors adapting a third-party operating system for their products, leaving no single party ensuring security. And with the Android market, the additional involvement of telecommunications carriers is a complicating factor.
Average days to resolve attack in 60 companies benchmarked
Malicious insiders include employees, temporary employees, contractors and, possibly, business partners.
Malicious insiders – 65.5
Malicious code – 49.8
Web-based attacks – 45.1
Denial of service – 19.9
Phishing/social engineering – 14.3
Stolen devices – $10.2
Malware – 6.7
Viruses, worms, trojans – 3
Botnets – 2
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
“It is not like the case with Apple, which can push security updates to every iPhone in the world in one day,” says Schouwenberg. “With Android, the manufacturer has to implement the patches and then go through certification with the carrier before the patches are deployed. Assuming your phone still gets security updates it may be months before you get them. That would not be considered acceptable with a laptop.”
“Android is in a position that Windows was in a few years ago; there is not enough protection,” adds Johannes Ullrich, head of research at the SANS Technology Institute, which certifies computer security professionals.
Is there hope?
Returning to the ecology metaphor, sometimes the impact of an asteroid will drive species into extinction. And, indeed, sources can point to extinction types of events in the short history of the malware biosphere.
Thompson, for instance, points out that the adoption of Windows 95 drove MS-DOS malware into extinction by adding protected mode, so one program could not overwrite another at will. Microsoft Office 2000 drove into extinction (PDF) malware based on Office 1995 macros by adding a feature that basically required user permission before a macro could run. Windows XP Service Pack 2 in 2004 set the Windows firewall on by default, wiping out another generation of malware.
The success rate for social engineering is phenomenal.
John Strand, network penetration tester, Black Hills Information Security
“But there is no extinction-level-event in sight to wipe out the current Trojans,” Thompson says.
Even if there were such a miracle, attackers could fall back on persuasive email, officious phone calls, smiling faces or other non-technical manipulations usually referred to as “social engineering.”
“The success rate for social engineering is phenomenal,” says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.
People will call in pretending to be from a help desk, suggesting that the user download (infected) software. Or plausible emails such as a delivery notification will entice users to click on infected links, he explains.
And then there’s software that tells the user to disable the system’s malware protection “to ensure compatibility.” “I don’t think there is any legitimate software that needs you to disable security protection for compatibility reasons,” says Schouwenberg. “But some software does ask you to disable it during installation, creating a precedent, so they think it’s all right when they get email from a website telling them to turn it off.”
Even if users are trained to resist such ploys, smiling people with clipboards and faux badges may show up at the front desk saying they need to inspect the server room on some pretext — and they’ll probably be allowed in, says Strand.
Beyond that, large numbers of log-in credentials to corporate networks are always for sale at various malicious sites, because people have registered at third-party sites using their office email addresses and passwords — and those sites were later compromised, Strand adds.
“The good news is that it is relatively easy to defend against most malware, if you use up-to-date anti-virus software, run a firewall, get security updates and use strong passwords,” Rains says. “These techniques can block the major attacks used today and probably for years to come.”
“The best practices I was telling people about 10 years ago I still have to tell people about today,” Haley adds. “Have good security software, update the system and use good common sense. Don’t link to email that doesn’t seem right.”
Finally, Pescatore suggests looking to the field of public health (rather than the military or ecology) for a metaphor about living with malware. “We have learned to wash our hands and keep the cesspool a certain distance from the drinking water,” he notes. “We still have the common cold, and we still have occasional epidemics — but if we react quickly we can limit the number who are killed.”
Comments are closed.