The Pit BLOG
December 2007
The Evolution of Malware
It was a cold day in South Dakota (circa 1990) as I entered the Gateway building. Unlike most days, the hustle and bustle of a rapidly growing computer company were missing, replaced by an eerie still and quietness. The security guard shook his head, and said, "The software download server got hit with a virus." All of production was shut down. That was my first encounter with malware.

The first generation of malware was essentially pranks written by clever kids hoping to raise worldwide mischief without getting caught. Most of the malware (viruses and worms) was benign. A person would unknowingly open an email attachment, which would propagate to people in that person's address book. Aside from clogging up all of our email, no harm was really done. Far less often came the truly malicious malware that would shut down a PC or reformat a hard drive.

At Gateway, production purchased an anti virus product called FPROT that would keep us safe for the rest of my time at Gateway. This was the birth of the security industry and the roots of companies such as McAfee and Symantec. As each new prankster wrote a new malware, anti virus companies would quickly respond by updating signature files. The rapid virus detection blocked its ability to propagate. This approach of using signature files to detect malware is called black listing, and was quite effective at deterring malware.

Once I left Gateway, a new form of malware came onto the scene. In my view, it was far worse than the pranks of the 90's because it was being motivated by profits and money. Suddenly, our computer screens were being deluged with pop up ads. I saw computers that were getting up to 5-6 pop up advertisements per minute. The PC's performance was shot, and no work was possible. Furthermore, the nascent anti virus makers didn't show up for the party. Unfortunately, this conversation was too common.
I personally feel that the anti virus makers dropped the ball, which gave birth to a new industry: anti spyware. Companies such as Pest Patrol, Adaware and Spybot were quickly formed to help us deal with the spyware epidemic. Just like their anti virus cousins, they use black lists and signature files to combat malware.

And now the teenaged pranksters had become adults. They had children and mortgage payments, and hence their malware must generate a paycheck rather than mischief. And boy did they make money! These guys were making money hand over fist. Hundreds of millions of profits were being generated by companies such as Gator and Direct Revenue. Gator even had the nerve to try and go public. Thank God that got shot down.

Thanks to the efforts of the SEC and Microsoft, today spyware is on the wane. Rare are the PC's with serious spyware infections. Microsoft implemented XP SP 2, which put many of the basic anti spyware features into the operating system and Internet Explorer. Furthermore, the SEC chased down the most egregious spyware offenders. Today Gator has shut down for good.

But sadly, there is a new and far more insidious malware. BOTS. Have you ever noticed all the spam we get lately? It is being propagated through BOTS. BOTS infect a computer and lie dormant awaiting instructions. Usually to send out a new SPAM for the day, and sometimes a denial of service attack (essentially a coordinated hit on a specific web site).

The new generation of malware writers is now a far cry from the mischief makers of the 90's. These guys are making a killing. Word has it that these guys are making billions of dollars. And tax free at that. If you add up the profits of all the anti virus companies (McAfee, Symantec, et al), the bad guys are winning.

And this generation is smart. The old black list techniques of the 90's are almost obsolete. Several recent reports show that leading anti virus solutions effectively block 4/10 malware. That's 40%.
What kind of protection is that? Because they are making so much money PHISHING, their technology is evolving rapidly and becoming even harder to detect. We are learning that many of the new bots live for only one day. This means they infect the PC, do their dirty work and then perish.

Now remember the black list approach. First, the malware must be detected in the wild. Second, the malware must be analyzed by the labs, and then all the signature files must be updated. Best case, this process takes 3-4 days. By that time, the malware writers have written several more bots and are laughing all the way to the bank.

It's a scary time out there. That's for sure. I hope and pray that one day soon, there will be an alternate anti malware solution. But until that time, we all must be hyper cognizant of the ever evolving face of malware.

douchrti: The Pit Blog: "The Evolution of Malware" (Wed, 19 Dec 2007 18:15:27 GMT)
Nice article Rob,
Unfortunately until education about computer security is required for users, it won't change. And online security is big business, it only goes where the money is.

Bruce: The Pit Blog: "The Evolution of Malware" (Sat, 08 Dec 2007 14:20:37 GMT)
Well if getting all these infections, and wasting resources, time and money running multitudes of software, and internet test sites, scanning, scrubbing, watching... is easier than setting up a machine to use a proper user account then there is a huge, catastrophic flaw in the way the people use computers.

Don't blame software creators for the way the operating system ships, and don't blame the software makers for designing their software to operate the way the Operating system ships. Place the blame where it belongs. The maker of the operating system has created the dummies that are using computers. Blame the operating system for making it difficult for users to use the operating system the way it should be used.

But finally and most importantly, blame all the companies that claim to be helping people, blame all the web sites that claim to be helping people, blame all the forum people that claim to be helping people... But most importantly blame the companies and web sites that are making profits from these people. They make those profits from ignoring the most basic security principles giving bad advice, and then sell sub par products, services and software to the very people they claim to be supposedly helping. My signature applies to many of them.

Then there are the ones who not only do understand, but don't care as long as they are making a profit from people's misfortune. These companies and web sites are more to blame than the malware writers. You see they depend on the bad advice, and lack of proper assistance to make their money. Because simply put if they actually gave good security recommendations, and tools to implement them, rather than software and services to clean up the messes they depend on to make their money, the oil well would dry up for them.

The problem of malware won't go away until they take responsibility and stop buying the software and services and start taking proactive measures to combat the real criminals. The ones who are bleeding them dry by selling them garbage.

shogan191: The Pit Blog: "The Evolution of Malware" (Sat, 08 Dec 2007 13:24:56 GMT)
Bruce I promise I already knew that was going to be your post. I agree with your post and will add that programmers need to keep the general public happy with how it works. Doesn't matter how safe it is if the public doesn't buy it.
Also agree that being "proactive" is the key bb. Being "proactive" is the key. Easy to use and proactive is the key to success.

badbinary: The Pit Blog: "The Evolution of Malware" (Sat, 08 Dec 2007 02:02:56 GMT)
amen. people, use proactive measures, not reactive. scanning for viruses and malware is merely reactionary, no matter how proactive you are about scanning and wasting money on these products.
Bruce: The Pit Blog: "The Evolution of Malware" (Fri, 07 Dec 2007 22:11:23 GMT)
QUOTE: I hope and pray that one day soon, there will be an alternate anti malware solution.

There is. It's called a limited user account. Until people get it through their thick heads that running as administrator is the worst thing they can do, then the malware writers will have their way. It's that simple really.

As long as people choose to use computers this way then there is nothing that can stop these things from happening, because when you run as administrator, you are giving the malware writers administrator rights, and they have access to the system. When the user doesn't have administrator rights, then neither does the malware and the infection never happens in the first place.

cmunson: The Pit Blog: "The Evolution of Malware" (Fri, 07 Dec 2007 20:03:08 GMT)
Rob examines how malware has become increasingly more difficult to combat.
http://www.pcpitstop.com/news/rob/rcheng0712.asp