Inside the malware war zone
Adam Kujawa is the Head of Malware Intelligence for Malwarebytes. In this interview he talks about the evolution of malware in the past decade, illustrates the differences in global malware based on the point of origin, highlights the events that changed the threat landscape, offers insight about future threats, and more.
Based on your research, are today’s malware authors more sophisticated than 10 years ago?
To answer this question, you would need to ask yourself whether automobile developers were more sophisticated in the 1980’s or now? Malware 10 years ago was a different beast entirely – the antivirus industry was still young and therefore malware authors had less to worry about when it came to obfuscation or hiding their intent. At the same time, the years of malware development within the cybercrime industry has allowed authors to cut and paste code already created for use in other tried and tested projects, therefore removing the need to create most of the malware from scratch.
Sophistication is based on requirements created by obstacles and in the back-and-forth battle between the protectors and attacker of the internet, numerous obstacles and shortcuts have been created that warrants the development of more “sophisticated” malware. However, at the core levels, the very base from where malware development starts, the code is the same. Just like our cars, removing hybrids and electric cars, all cars run on the same basic principles that they did 10, 20, 30 years ago, but based on things like new safety, stabilization, fuel usage and entertainment technologies, the cars appear far more sophisticated.
The two biggest obstacles that have guided the development of malware in the last 10 years have been (a) executing on the system without detection; and (b) obtaining privileges to interact with the system at a high enough level to make a difference. These two obstacles have created things like privilege escalation code, heavy encryption for binaries and malicious code, injection into legitimate files and processes and overall subversion of administrative system protections such as the prompt that shows up in Windows 7 asking if it has permission to execute a certain program with admin rights.
To get to the point of the question, one could say that the malware we see today is more sophisticated because it comes with many more bells and whistles; however, the authors themselves, with the ability to reference the “how-to” of malware development, are less challenged than those of 10 years ago.
What are the three key malware turning points in the past five years? What events changed the threat landscape forever?
Psychological Engineering: Over the last five years, some of the worst malware that we have seen has not been specifically targeting the operating system or hardware, but the psychology of the user. Social engineering has taken a step forward in evolution when it comes to malware when you look at things like the FBI Ransomware. That kind of ransomware is distributed through numerous means, including malicious e-mail, drive-by exploit and old-fashioned fake or bundled applications that include the malware and are executed manually by the user. These methods are not unique for ransomware as most malware is propagated this way; the unique aspect of ransomware is how it pushes what I call “assumed guilt” onto the user. The ransomware only allows the user to view one screen under the guise of law enforcement. The screen claims the FBI have detected illegal activity originating from the user’s system and therefore has locked it down until the user pays a fine.
It was simple enough to inform the public that this type of malware existed, it was popping up everywhere and people were not sure whether it was true or not until they watched the news or read an article online. However, it was taken a step too far when it started not only accusing the user of possession of child pornography but also showing an image of it as part of the ransom screen. This type of attack goes beyond extortion or theft, it psychologically scars the user and forces them to consider whether they were actually guilty of something and they didn’t even know it.
Psychological engineering, or the act of messing with users’ minds for the sake of making a quick buck will no doubt exist in the future of malware. We are not dealing with a bunch of angry teenagers with computer skills anymore, these are serious criminals who have no shame and are willing to do anything to anyone to get their money.
Self-propagation using social media: The last 10 years, let alone the last 5 years have shown us the dominance social media has in our lives, everyone from your 6-year-old cousin to your grandmother uses some kind of social media to keep in contact with friends, family and current events. Of course, no greater opportunity for causing mass chaos via mass infection was ever created before.
We have seen malware that will steal login credentials for social media like Facebook or Twitter — a lot of malware does that. They also steal your bank information and e-mail login, all for the purpose of stealing information and even using the stolen accounts to propagate the malware even further via contacts.
The defensive industry fought back and now two-factor authentication is available for many social media sites. So the malware authors made a slight change and now, rather than just stealing passwords, if a user is infected and they leave their connection to Facebook or Twitter (which many of us do) open in their browser, the malware will take advantage of it and send out status updates or e-mails using the users credentials, from the user’s computer.
We have also seen malware do this with instant messaging and calling applications such as Skype or MSN Messenger. The biggest difference between this shift in malicious technology and others we have seen is that the social media sites are fighting back, making it more difficult for hackers and malware to use their services for nefarious purposes. That doesn’t mean it never happens though.
Fast deployed variation: There has been a lot of talk over the years about how the antivirus industry is unable to keep up with the changes in technology of malicious applications. What few people realize is that it is the persistence and advancement of protection software and countermeasures to cyber threats that have forced malware creators into a frenzy and almost assembly line type production of new malware.
Now to say “new” malware does not mean that an author will create a brand new type of malware every time they sit down at their computer, but rather a new “variation.” A variation or “variant” as we like to call them, are pre-existing types and families of malware that have been slightly modified from the previous version in order to get around detection and removal operations.
The Zeus Trojan is a great example of malware variation. It was first discovered in July of 2007, almost 7 years ago and is still a massive pain in the side of the security industry. Zeus still thrives because of its ability to quickly and effectively change in order to avoid detection, and it continues to upgrade its capabilities to overcome obstacles and reach new victims. Most malware families can’t keep up with how quickly the security industry deploys measures to protect users and therefore fall by the wayside. However, we have already seen certain new families pop up with the same resilience and quick-change methodology as Zeus, and as such, the security industry will compensate, variant and upgrade accordingly.
What are the differences in global malware, based on the point of origin?
The simplest answer is the target — most malware created in Russia targets Russia (and the US), most malware created in China, targets China (and the US). Beyond the actual location of the attacks, such as it being in a certain language or using a specific time zone, it comes down to the purpose.
Russian or eastern Europe malware, for example, focuses on making money, on selling illegal or fake goods and/or extorting money from people. Some malware has more of a political agenda, and was created in order to create a botnet attack surface to use against political or economic targets; we have seen malware from the Middle East with more of this goal. Some malware is used and created for the purpose of privacy invasion, like what has recently been in the news with the Remote Access Trojan (RAT), Blackshades.
There is also a subtle kind of signature left by the programmer in how they design their code. Obviously it’s impossible to pinpoint 100% the origin of a sample of malware from only looking at how the code is laid out but I’ve always thought that malware from the Asian countries is much more neat and almost artistic in its design; while malware from eastern Europe is more assembled with power and damage in mind.
What is still not a threat today, but will probably be a big issue in the near future? What should users be on the lookout for?
Smarter malware is the best answer I could give for this. As I mentioned before, sophistication depends on the requirement based on the obstacles. Obstacles can be things like antivirus detection or new methods of administrative execution in an operating system. Obstacles can also be untapped opportunities, for example a single person may put all kinds of information about themselves on the internet, and advertisement companies seek out, obtain this information, and use it in order to sell products to users that are tailored for them. Malware might do the same thing in a few years.
Spear phishing is the act of sending a fake or malicious e-mail to a specific target. The e-mail is created with that target in mind and will include things like personal details or interests that make the user more likely to trust the source of the e-mail and therefore open it and either execute the malware included or have their credentials stolen. We mainly need to worry about spear phishing in corporations or governments, where there is no easy way onto the network other than through tricking a user.
Spear phishing is only a threat to those entities and not your average user, who just deal with spam e-mails sent to a mass demographic. Imagine though, a central server that scanned social media sites like Facebook or Twitter for things like friends and family names and how often they appear on a person’s profile, what their interests are, etc. Then used that information to automatically craft a spear phishing e-mail to the target.
In addition, the malware installed on a victim system could be more aware of its surroundings by installing redundancy measures to protect it from being completely removed from a system. We have already seen malware that will close and even uninstall security software. After it ensures its continued existence, it can scan all of that personal information from the inside of the trusted system and use it to send out even more spear phishing e-mails.
Using replication, the malware can modify itself on the fly to avoid detection or act like an instance of an installed application, for example if it detected Chrome on your system, it could hide itself as Chrome and run in the background without much, if any, suspicion.
Basically, the technology and functionality available to malware now is nothing compared to what we will no doubt see in the future, and as that happens — as the attacks become more focused on exploiting the person behind the computer rather than the computer itself, it will become the job of every user to defend themselves with knowledge and caution.
10-15 years ago, the internet was the Wild West. Now it is a war zone.