Hooked on Malware Counting

It’s more than a little disappointing that the anti-malware industry is still fixated upon measuring a threat by the quantity of malware being distributed. Despite the fact that you could learn within an hour or two’s study (e.g. watching YouTube) how to generate a million brand spanking new, unique and “undetectable” malware by the end of the week, many people end up doing their best impressions of a stranded carp gasping for air as they attempt to digest the latest round of hefty malware statistics from security vendors.

But, for precisely the same reason you can generate your own personalized million malware samples, smarter analysis and threat mitigation techniques make the number counting largely irrelevant. Sure, signature-based detection systems have gone the way of the dinosaur and so too have hash-matching black-list processes – both defeated by serial variant production systems – but smarter systems can peer deeper into the binary file and automatically peel back the layers of armoring and obfuscation to get to the malicious core. Once you have your fingers wrapped around the heart of the badness contained within the binary, it becomes much easier to ascertain and understand the true nature of the threat.

Why is this important? Well, in the first instance, the criminals who pump out the most malware aren’t necessarily the biggest threat. For example, a criminal operator may be distributing their latest piece of uber-malware through a massive spam campaign. Even though they may have sent out 5 million spam emails containing the malicious file as an attachment, very few of the messages will probably make it to their intended victims – largely due to anti-spam technologies that utilize a heuristic based upon observing the same binary destined for multiple mail-boxes (regardless of the message’s text content) – and every anti-malware security vendor will have been alerted and have analyzed a copy of it within a few hours. So, despite the malware’s “uber” status and the “millions of samples observed worldwide”, the threat is minimal in reality.

Meanwhile, let’s say a different malware author creates a million serial variants of the same uber-malware. Because each sample binary “looks” different, it falls under dozens of different generic malware names (should it ever be “detected”), and it becomes practically impossible to cluster all the different samples into a single threat – so the single attack is attributed to dozens of lesser attacks. All this of course is assuming that the malware author didn’t first QA each of their serial variant malware samples before release – and only a few thousand were subsequently caught by heuristic or behavioral analysis engines that happened to get updated during the author’s release cycle or while the malware was waiting patiently in the victim’s inbox prior to being opened.

Because the first attack makes it so easy to count the captured malware and the second attack is evasive, only the first will get much public attention – even though, by actually being in a position to count the distributed malware’s volume, the threat to the targets has already been neutered. Consequently, the “smaller” threat (and the criminal operator) slips under the radar once again. If the malware from the second attack had been analyzed correctly (i.e. peeling back the onion), the size and sophistication of the attack would have been evident and organizations would have been able to correctly prioritize that threat.

Meanwhile, as far as “counting the malware” goes, both attacks consisted of the same – single – piece of malware. 6 million, 5 million, 1 million or one single piece of malware? Which number do you think makes sense to worry about? Where does the threat really lie – in the number sent, the number captured and counted, or the sophistication of delivery?
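An added illustration, not part of the original post and not any vendor's tooling: a constructed corpus modelling the two campaigns above, with a toy one-byte XOR layer standing in for real armoring, counted first by file hash (what "samples observed" statistics report) and then by the hash of the peeled core (one cluster per actual threat).

```python
import hashlib
import os
import struct
from collections import defaultdict

# Constructed stand-ins for two malicious cores; neither is real malware.
CORE_A = b"CONSTRUCTED CORE A: serial-variant campaign, same logic in every file"
CORE_B = b"CONSTRUCTED CORE B: one file sent as a mass-mailing attachment"

def armor(core: bytes, key: int, junk: bytes) -> bytes:
    """Toy armoring layer: 1-byte XOR key, core length, XOR-encoded core, trailing junk.
    A different key or junk gives a byte-different file carrying an identical core."""
    body = bytes(b ^ key for b in core)
    return struct.pack("<BH", key, len(body)) + body + junk

def peel(sample: bytes) -> bytes:
    """Undo the toy layer to recover the core (stands in for automated unpacking)."""
    key, n = struct.unpack("<BH", sample[:3])
    return bytes(b ^ key for b in sample[3:3 + n])

def build_corpus(variants: int, spam_copies: int) -> list:
    """Campaign 1: `variants` files, each uniquely armored.
    Campaign 2: one identical file observed `spam_copies` times.  All constructed."""
    corpus = [armor(CORE_A, key=(i * 37 + 1) % 256, junk=os.urandom(16))
              for i in range(variants)]
    spam_file = armor(CORE_B, key=0x5A, junk=b"\x00" * 16)
    return corpus + [spam_file] * spam_copies

def count_by_hash(corpus) -> int:
    """What a hash black-list or a 'unique samples observed' figure would report."""
    return len({hashlib.sha256(s).hexdigest() for s in corpus})

def cluster_by_core(corpus) -> dict:
    """Group files by the hash of the peeled core: one cluster per distinct threat."""
    clusters = defaultdict(list)
    for s in corpus:
        clusters[hashlib.sha256(peel(s)).hexdigest()].append(s)
    return dict(clusters)

if __name__ == "__main__":
    corpus = build_corpus(variants=1000, spam_copies=500)
    print("unique file hashes:", count_by_hash(corpus))   # 1001: variants dominate the count
    clusters = cluster_by_core(corpus)
    print("distinct cores:", len(clusters))                # 2: two real threats
    for digest, members in clusters.items():
        print(digest[:12], "files:", len(members), "core:", peel(members[0])[:18])
```

The 500 spam copies collapse to one hash and the 1000 variants to 1000 hashes, yet both campaigns are a single piece of malware each once the layer is peeled.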

Greater care needs to be taken by the industry in evaluating the malware threat. Big numbers always sound great and garner a lot of public and media interest, but they are rarely an indicator of where the real threat lies for those tasked with protecting the enterprise network.

– Gunter Ollmann, VP Research
