I’ve been saying it for several years now, but it looks like one of the traditional anti-virus companies has finally admitted to the problem. Most new viruses released by cyber-criminals are only “useful” for a single day – within 24 hours the criminals have created a new batch of viruses and released them, and so the cycle continues. Panda Security issued a press notification concerning their latest threat findings – in particular, “52 Percent of New Viruses Last Only 24 Hours, According to PandaLabs”.
This particular tactic really came to the fore with the success of the Storm “worm” and the efficiencies of the serial variant virus creation process. The tactic itself is very simple – issue new virus variants faster than anti-virus vendors can release customer protection updates. Anti-virus companies need samples in order to develop signatures that identify the virus elsewhere. Once they have a sample, a mix of automated and manual processes dissect the virus sample and create a signature (and maybe a clean-up process too), which then needs to pass through a QA process, be bundled into a software update, be posted to distribution servers and (automatically) pulled down by customers. This process typically takes several days (once a sample has been captured, of course). As Luis Corrons, Technical Director of PandaLabs, says, “This is a never-ending race which, unfortunately, the hackers are still winning.”
Of course, all this plays into the bot masters’ hands. (Below is a slide I’ve been using for quite some time when talking on the topic.)

The whole serial variant approach has been adopted and made more efficient by bot masters and the professional cyber-criminal overlords. While it’s an unfortunate legacy that bot agents are often labeled with the tag “malware” (since their virus roots only really appear as features nowadays), to lump these professional crime-ware bot agents in with viruses is a bit like bundling a Shetland Pony with an F-22 Raptor and calling them collectively “transport devices”.
Bot masters have turned the old serial variant processes into a well-oiled, mechanized crime-ware production machine – a machine that is now also supported by a cottage industry of specialized suppliers. Serial variants of each bot agent are churned out in an automated fashion – often on a one-for-one basis (a fresh variant per victim). A couple of years ago I produced a whitepaper on the topic – titled X-morphic Attack Engines – which explains how this type of production system has evolved and who its suppliers are.

So, what’s the impact of all this? Why should it matter?
Bot masters can produce brand new, undetectable, variants of bot agents on a daily (or hourly) basis and constantly stay ahead of anti-virus detection systems indefinitely (which annoys anti-virus researchers no end. See my blog from earlier this week discussing the “ethics” of anti-virus evasion). Not only that, but once a host has been compromised, the bot agent itself can be updated with new versions as often as the bot master wishes to – thereby continuously evading host-based detection systems.
This continuous infection cycle is designed to evade existing virus detection technologies, and its adoption can be observed in the exponential growth in new malware samples. Of the 37,000 new virus samples that PandaLabs receive daily, 52% are only ever encountered on a single day.
As such, many traditional anti-virus vendors are moving to the “cloud” in an attempt to speed up their development and delivery of new signature updates. Personally, I think that this approach is a lost cause and is doomed to failure. Sure, they’ll probably be able to speed up their reaction times and get updates out faster. But there are two critical problems – the anti-virus provider still needs the sample virus first, and the cyber-criminal just needs to release new variants quicker than new signatures can be released.
Perhaps next year we’ll read that half of new viruses are only useful for 12 hours?
I’ll let other folks focus on the Shetland Pony viruses while I focus on those F-22 bot agents out there. The secret to detecting these bots and preventing them from developing into corporate data breaches lies with the detection (and enumeration) of their command and control (CnC). Regardless of how many variants the bot master produces and how fast they can pump them out, they still need to “bind” with a botnet in order to be useful to the cyber-criminal organization – and that is dependent upon their CnC.
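As an added example (not code from the original post, nor any vendor’s product), the following Python contrasts the two approaches on constructed data: a hash signature built from the one sample a vendor captured misses a variant that differs by a single byte, while a beaconing check over proxy log lines flags both infected hosts through the CnC host they share. The hostnames, log format and jitter threshold are assumptions.

```python
import hashlib
from collections import defaultdict
from statistics import pstdev

# Constructed variants: identical logic, one padding byte differs (stands in for
# the serial-variant repacking described above); the vendor only has VARIANT_A.
VARIANT_A = b"BOTAGENT\x00cnc=ctrl.example.invalid\x00pad=\x01"
VARIANT_B = b"BOTAGENT\x00cnc=ctrl.example.invalid\x00pad=\x02"
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

def hash_signature_hit(sample: bytes) -> bool:
    """Hash-style signature check: only the sample already captured matches."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

# Constructed proxy log, "epoch_seconds src_host dst_host": hosts a and b run
# different variants but both check in with the same CnC every ~300 s.
LOG_LINES = """\
1000 host-a ctrl.example.invalid
1300 host-a ctrl.example.invalid
1600 host-a ctrl.example.invalid
1010 host-b ctrl.example.invalid
1310 host-b ctrl.example.invalid
1610 host-b ctrl.example.invalid
1005 host-c www.example.invalid
1700 host-c www.example.invalid
1950 host-c www.example.invalid
"""

def beaconing_pairs(log_text, min_hits=3, max_jitter=0.1):
    """(src, dst) pairs whose connection intervals are near-constant: the
    periodic check-ins a bot agent must make whatever its binary looks like."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        times[(src, dst)].append(int(ts))
    found = []
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        # Coefficient of variation of the gaps: near zero means a fixed timer.
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found.append(pair)
    return sorted(found)

def cnc_hosts(log_text):
    """Destinations beaconed to by more than one internal host: CnC candidates."""
    dsts = defaultdict(set)
    for src, dst in beaconing_pairs(log_text):
        dsts[dst].add(src)
    return {d: sorted(s) for d, s in dsts.items() if len(s) > 1}
```

Host c’s irregular visits to an ordinary web host are not flagged, which is the point of testing interval regularity rather than just destination counts.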
Roll on hourly serial variants of bot agents. It doesn’t make any difference to me.
– Gunter Ollmann, VP Research