Q&A: Malware and Research

Roel Schouwenberg is the Senior Antivirus Researcher at Kaspersky Lab. Roel has nearly a decade of malware research and analysis experience. He monitors the state of malware in North America, providing advanced analysis of malware.

Roel focuses on classic virus techniques that are used in today’s malware and improving proactive detection capabilities and conducts research into file format vulnerabilities such as malicious PDFs.

In your opinion, what is the real menace posed by cyber-crime groups?
It’s hard to single out one particular aspect of all the dangers posed by cyber criminals. However, I would have to say the ID theft that’s going on, on such a large scale. One aspect of that threat is that of the many, many trojan horses out there, many go after personally identifiable information.

However the large-scale database breaches we’ve seen over the last year may pose an even bigger risk. The recent Heartland breach has compromised the data of up to 100 million people. That shows that there are a couple of criminal groups out there not afraid to go for such high profile targets.
In the US there is mandatory disclosure, but in many other countries in the world this is not the case. So it’s very likely there have been other mass-ID breaches that have never been disclosed.

Going along with ID theft is the fact that it may be a very painful process to get all this damage undone. In some cases it can take up to a year or longer before bad guys are actually using the stolen data, so it may even take a long while to find out that something was wrong and track it all back.

How has the malware “game” changed in the past 5 years?
It has changed tremendously. Five years ago we were still seeing big email worm epidemics on a very regular basis. These days, with the exception of Conficker, we don’t see high profile epidemics anymore. This is because criminals generally don’t want to draw any attention from anti-malware companies and/or law enforcement. What also adds to this is that today about 90% of the malware we see is not self-replicating.

The volume of malware has also changed. In 2008 we saw ten times as much malware as in 2007. In 2007 we saw the same amount of malware as in the whole twenty years before that combined. Right now we see up to 40,000 new threats per day; even two years ago that would have been very hard to imagine.

There has also been a shift in how people are writing malware. In 2004 we were already seeing the change from people writing malware for fun to writing malware for profit. These days over 98% of all the malware we see is created with profit in mind. So we’re fighting professional cyber criminals rather than teenage kids trying to prove themselves like five years ago.

Is the rising skill level of malicious virus creators becoming a problem when developing antivirus software?
Ever since the anti-malware industry started some twenty years ago threats have been getting more complex. We’ve always managed to cope. On the other hand we can see that the motives for writing malware have changed. And, what’s probably more important, is that the very good coders are selling their stuff. This means that advanced malware has become more and more common over time. However we are constantly improving our technologies as well. These days anti-malware products are no longer just the standard signature scanners from five years ago. We have lots of different technologies to fight malware and signatures are just a part of that.

What do you see as the biggest online security threats today?
As referenced before the ID stealing malware is a great threat. The other major malware threat that is currently out there is called rogue anti-malware. This rogueware pretends to be an anti-malware product and produces all sorts of fake detections. If you want to remove the threats you need to pay up. This approach seems extremely effective and a lot of unsuspecting users, thinking they are doing the right thing, are falling for it.

Social networks also need to be mentioned here. There is a lot of danger in these networks. People are giving out a lot of information which can (indirectly) lead to spear phishing attacks on them or their friends. Social networks are already being used for the spread of malware and it’s been reasonably successful. We can pretty easily warn users about this type of threat. But when it comes to the information disclosure issue it’s very hard to educate people as there is not a lot of direct public proof of these attacks. This means that many people feel that the threat is overblown.

Based on statistics you collect, what countries stand out in malware production?
Before I can answer this question I need to clarify something. We can normally tell if malware has been created by a Chinese malware author. But as many of the malware authors are selling their creations we can’t really say for sure who’s responsible. The same goes for malware hosting. So we may see a malware sample originally authored by a Russian on a Chinese hosting server while the buyer of the trojan is German.

With that said we definitely see China as the main source at about 60% of the malware samples. This is followed by Russia/Ukraine and Latin America. From Latin America we are mostly seeing banker Trojans and phishing. China has gone from producing password stealers for online games such as World of Warcraft to a more generic offering. Russia has always been quite generic, with a focus on spam. It also still looks like the most advanced malware comes from Russia, but the Chinese malware authors are definitely working on that area.

As worms like Conficker steal headlines and get picked up by mainstream media, do you see organizations getting smarter and protecting their networks?
What we see first of all is that the cyber criminals are getting better at protecting their botnets. That’s a logical development which is providing new challenges for the security community. However I’m not that sure that legitimate businesses are learning at the same pace. A lot of the Conficker epidemic could have been prevented if ISPs had taken better care to protect the consumer networks.

Also the current economic situation is not helping, with businesses trying to cut costs. However in that regard I think that most businesses will have reconsidered any security budget cut after getting hit by Conficker. Overall it may have improved things a bit in the bigger companies, but not so much in the smaller. I think it’s regular business. Businesses getting hit with malware will try to improve, businesses not hit will think they are doing alright. For businesses it doesn’t matter if a threat is called Conficker or Agent, they simply don’t want to get infected.

Where do you see the current security threats your products are guarding against in 5 years from now? What kind of evolution do you expect?
That is actually extremely hard to predict. To make an accurate statement about it you need to factor in a lot of different things. Where will the internet be by then? Will there be involvement and responsiveness from law enforcement and if so, how much? And so on.

In any case the threats will go where the money is. In five years mobile banking will be very standard and therefore we will see a lot of malware for mobile devices. If Apple’s market share continues to grow the same will apply to Apple’s operating system. Online games will still be big so there will still be a lot of malware targeting those games and gamers. Overall a lot will depend on how well law enforcement will be able to track down cyber criminals all across the world.