Malware Secrets Revealed
A Q&A with Jacques Erasmus of Prevx
It’s comforting to think of malware — computer viruses, worms, Trojans, spyware and adware — as a nuisance, or better yet, something that happens to somebody else.
But according to Jacques Erasmus, director of malware research at Prevx (www.prevx.com), the truth is malware is personal.
Gone are the days of massive worm outbreaks that infected millions of machines through a single remote exploit. Now the order of the day is many low-volume attacks that, taken together, are widespread but build momentum slowly, so each one goes undetected until it reaches critical mass. This shift in distribution makes malware much harder to detect. Additionally, according to Erasmus, new malware can produce a unique strain on each individual computer, further confounding traditional signature-based detection and protection methods.
We’ve asked Erasmus to give us a look behind the scenes and reveal some malware secrets (including a few most anti-virus and anti-spyware vendors don’t want you to know).
ITSS: Are malware attacks specific or random?
Erasmus: Today’s malware attacks are targeted and customized. They aren’t necessarily targeted to individual users — yet — but they are targeted toward user behaviors and customized for specific computer environments. For example, users who might visit certain types of Web sites are targeted. When they visit a specific Web site, they might inadvertently download a malware program. The program is customized to work in a certain environment, say Windows XP without a spyware application running. Using this approach makes malware much harder to detect using conventional honeypots and malware collection techniques.
ITSS: Is it true that malware changes its code or are new malware attacks just happening faster?
Erasmus: One of the most interesting and effective malware techniques we’ve witnessed over the last six months uses on-the-fly code generation and repacking on a Web server. With this technique, a malware author or distributor sets up and advertises a Web site, enabling him to distribute a malware program. The latest twist here is the ability for the malware on the Web server to be dynamically repackaged, and in some instances recompiled, thus yielding a unique signature on each recompile. Additionally, some malware authors use various “packers,” encryption routines that enable malware to escape detection by traditional security software. The best example of this threat is the flood of various codecs for decoding videos available on the Internet. By developing malware that masquerades as a viable codec, malware authors con unsuspecting users into installing it. Once installed, the malware behaves as a file downloader, installing additional malware objects on the user’s computer.
ITSS: What has driven this malware explosion in the past year?
Erasmus: It’s all about money. The main shift in the malware scene is to generate profit from malicious activities. One example of profit-making in the malware world is the sale of “Proxy Agents” to spammers.
A Proxy Agent is a rogue application that is installed on a computer using various methods. Once installed, the Agent opens a backdoor to other malware and sends information about the computer’s IP address and the TCP/UDP port it uses for communication to a remote Web server database. Spammers then purchase proxies in order to relay spam. Spammers can often purchase 2,000 quality proxies for around $300.
We have also witnessed these proxies become more aggressive, attempting to download and install as many objects as possible onto each computer they infect. This often cripples individual computers, but that doesn’t matter to the malware distributors, as they have already activated the installation and received their payment fees, often from many “affiliates” at once.
We see a close correlation between phishers, spammers and malware authors – an online crime eco-system.
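The Proxy Agent behavior Erasmus describes (open a port, then report the machine's IP address and that port to a remote server) is something a host-based detection can correlate on. The following is an added example written for this page, not code from Prevx or from the interview: it runs a simple correlation rule over a few constructed telemetry lines. The log format, the host and process names (`ws17`, `updater.exe`, and so on), the timestamps and the documentation-range IP addresses are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real logs). The line format is an
# assumption of this example:
#   <ISO timestamp> host=<name> proc=<image> event=listen port=<n>
#   <ISO timestamp> host=<name> proc=<image> event=connect dst=<ip:port> body=<urlencoded>
SAMPLE_LOG = """\
2006-04-03T10:01:05 host=ws17 proc=updater.exe event=listen port=9321
2006-04-03T10:01:07 host=ws17 proc=updater.exe event=connect dst=203.0.113.5:80 body=ip=198.51.100.23&port=9321&ver=2
2006-04-03T10:05:00 host=ws17 proc=firefox.exe event=connect dst=198.51.100.9:80 body=
2006-04-03T10:06:00 host=ws22 proc=httpd.exe event=listen port=8080
2006-04-03T10:06:30 host=ws22 proc=httpd.exe event=connect dst=203.0.113.9:443 body=q=health
2006-04-03T11:30:00 host=ws31 proc=updater.exe event=listen port=61000
2006-04-03T11:30:02 host=ws31 proc=updater.exe event=connect dst=203.0.113.5:80 body=ip=198.51.100.40&port=61000&ver=2
"""

LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) event=(?P<event>\S+) (?P<rest>.*)")
KV = re.compile(r"(\w+)=([^ ]*)")          # key=value pairs in the rest of the line
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
WINDOW = timedelta(minutes=10)             # how soon after the listen() the beacon must follow


def parse(log: str):
    """Yield one dict per well-formed telemetry line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        ev.update(dict(KV.findall(ev.pop("rest"))))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def find_proxy_registrations(log: str, window: timedelta = WINDOW) -> list:
    """Flag a process that opens a listening port and, within `window`, sends a
    message to a remote server whose body names that same port alongside an IP
    address: the 'here is a proxy you can sell' registration step."""
    listening = defaultdict(dict)   # (host, proc) -> {port: time first seen listening}
    findings = []
    for ev in parse(log):
        key = (ev["host"], ev["proc"])
        if ev["event"] == "listen":
            listening[key][ev["port"]] = ev["ts"]
        elif ev["event"] == "connect":
            body = ev.get("body", "")
            for port in re.findall(r"(?:^|&)port=(\d+)", body):
                seen = listening[key].get(port)
                if seen is not None and ev["ts"] - seen <= window and IPV4.search(body):
                    findings.append({"host": ev["host"], "proc": ev["proc"],
                                     "port": int(port), "registrar": ev["dst"]})
    return findings


if __name__ == "__main__":
    for f in find_proxy_registrations(SAMPLE_LOG):
        print(f"{f['host']}: {f['proc']} registered port {f['port']} with {f['registrar']}")
```

The rule keys on the sequence rather than on any particular file, so it fires on `updater.exe` on both hosts while ignoring the web server on `ws22`, which also listens and calls out but never advertises its own port. In practice the registrar address found this way is the useful artifact: it is what lets you find every other host that checked in.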
ITSS: Does malware ever masquerade as something safe on your computer?
Erasmus: Absolutely. We’ve seen a growing problem during the last six months, where software claiming to be anti-spyware, a registry fixer or some other type of system utility is in fact malware. One of the most high-profile examples is a family of rogue anti-spyware products, such as SpyAxe, SpywareStrike, SpyFalcon and SpywareQuake. These rogues use various exploits to infect users’ computers. Once the software is executing on a computer, it tells the user he or she is infected and must pay around $50 in order to remove the malware.
ITSS: Why are the typical antivirus programs not catching all the bad stuff that’s out there right now?
Erasmus: Malware has evolved to a state where it has become virtually impossible to detect with the conventional generic signature techniques used by most security software vendors. The best method to detect a polymorphic entity, for example — one that changes itself and exhibits many virus traits — is a heuristic, behavior-based approach, which recognizes the behavior or the genetic make-up of the malware. Unfortunately, our research indicates that next-generation malware of this type often evades standard antivirus software.
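Two of the answers above make one point together: a server that repacks the download under a fresh key each time defeats file hashes and byte-pattern signatures, while a check on what the code does once unpacked still matches. The example below is added for this page and is not Prevx's code or anything from the interview. The "packer" is a deliberately trivial XOR with a per-download random key (a real packer compresses or encrypts and ships its own decryption stub), and the payload is a constructed ASCII action list, not real malware.

```python
import hashlib
import os
import re

# Constructed stand-in for a downloader payload (plain ASCII, not real malware).
# What it "does" is spelled out as actions a stub would carry out.
PAYLOAD = (b"FETCH http://update.example.invalid/next.bin\n"
           b"WRITE %TEMP%\\svc.exe\n"
           b"EXEC %TEMP%\\svc.exe\n")

# A byte-pattern signature written against the unpacked payload.
SIGNATURE = re.compile(rb"FETCH http://\S+/next\.bin")

MAGIC = b"XPK1"   # hypothetical packed-file header, assumed for this example


def pack(payload: bytes, key: bytes) -> bytes:
    """Stand-in for a server-side repacker: XOR the payload under `key` and
    prepend a header carrying the key so the stub can restore it."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + bytes([len(key)]) + key + body


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time, or what an emulating scanner does."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a packed blob")
    klen = blob[len(MAGIC)]
    start = len(MAGIC) + 1
    key, body = blob[start:start + klen], blob[start + klen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def serve_download(payload: bytes = PAYLOAD) -> bytes:
    """Each 'download' is repacked under a fresh random 16-byte key."""
    return pack(payload, os.urandom(16))


def hash_blocklist_hit(blob: bytes, blocklist: set) -> bool:
    """Whole-file hash match: the classic 'known bad sample' check."""
    return hashlib.sha256(blob).hexdigest() in blocklist


def byte_signature_hit(blob: bytes) -> bool:
    """Static byte-pattern scan of the file as downloaded."""
    return SIGNATURE.search(blob) is not None


def behaviour_hit(blob: bytes) -> bool:
    """Heuristic on what the code does once unpacked: fetch a remote file,
    drop it as an executable, run it. The key changes; the actions do not."""
    actions = {line.split(b" ", 1)[0] for line in unpack(blob).splitlines() if line}
    return {b"FETCH", b"WRITE", b"EXEC"} <= actions


def demo(n: int = 5) -> dict:
    """Serve n downloads, blocklist the hash of the first, score each detector."""
    downloads = [serve_download() for _ in range(n)]
    blocklist = {hashlib.sha256(downloads[0]).hexdigest()}
    return {
        "unique_hashes": len({hashlib.sha256(d).digest() for d in downloads}),
        "hash_hits_on_later_downloads": sum(hash_blocklist_hit(d, blocklist) for d in downloads[1:]),
        "signature_hits": sum(byte_signature_hit(d) for d in downloads),
        "behaviour_hits": sum(behaviour_hit(d) for d in downloads),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives five distinct hashes, no hits from the blocklist or the byte signature on the packed files, and five behaviour hits. The caveat a practitioner would add is that the behaviour check only works because something (a stub, an emulator or the scanner itself) runs or unpacks the code first; a scanner that only looks at the bytes on disk is exactly what the per-download repacking is designed to beat.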
ITSS: What should people do to ensure total safety?
Erasmus: Some things are obvious — like keeping your antivirus software current. But our research has demonstrated that even the most up-to-date software from the top security vendors is not able to stop all types of malware. Our software increases users’ ability to catch malware, viruses and spyware at the door to their computers by watching for the behaviors, rather than specific signatures, of malware. This way we are able to see more malware, faster, to better protect users.