Bo Olsen is a malware researcher at Kaspersky Lab Americas. In this interview he discusses new malware threats, the problems the anti-malware industry faces today, Windows 7 and organized crime.
The last few years have seen an explosion of new malware threats. What new malware analysis tools and techniques have appeared and what do you expect to be using more in the next few years?
In the last few years there haven’t really been any new or groundbreaking techniques in general, and in anti-malware tools specifically. Instead, we have focused mostly on improvements to existing tools to enable them to scale better. If you look at some of the tools available to the public, take IDA for example, it simply doesn’t scale to 30,000 samples a day. Also, malware analysis has evolved to better accommodate the volume of threats we see. As the threats become more sophisticated we are finding new ways to apply conventional methods to analyze complex malware. One area to which the anti-virus industry really needs to devote some research cycles is how to combat virtual machine based obfuscators, such as Code Virtualizer or VMProtect. Detecting malware protected with these obfuscators is generally not the problem; the real issue is understanding what the malware actually does, such as with Clampi/Ilomo.
Writing malware for bragging rights seems dead. Nowadays cyber criminals chase the money and have a lot of it to invest in developing new areas of attack. How can the anti-malware industry keep pace with them?
The criminals are indeed investing money into their business, but so far the results are mainly a huge increase in the number of threats. So the question for the security industry is how to protect users from as much malware as possible. I am not sure if the anti-malware industry can keep pace with regards to signature creation, or if it is even worth keeping pace. We receive about 30,000 new malware samples a day and we create around 3,500 signatures daily, an astronomical figure. If the industry were to try and write manual signatures for each of these infections it would be impossible to keep up. Therefore, instead of depending on signatures, the best approach is to make good use of heuristic detections and leverage other forms of behavior based protections.
With that being said, the 30,000 new malware samples we see daily are just those we find. No company out there can honestly say that they find everything on the internet daily. This creates the problem of needing to protect against the threats we haven’t seen, which is possible, just more difficult. It means our most effective weapon is to innovate faster than the bad guys. One of the ways we do that is to write signatures that can detect more than one threat; these signatures will detect whole malware families. Also, using protection methods in addition to pure anti-virus techniques, such as firewalls, HIPS, anti-phishing, etc., will become vital for overall safety.
What’s your take on news reports that organized crime is employing cyber criminals and expanding into the digital world? What kind of problems will this bring in the long run?
First I would like to say cyber criminals are organized even if they aren’t associated with the traditional “organized crime”. The idea that they are involved brings a more sophisticated approach to the old school crimes. If you look at the life cycle of exploit development to compromised machine, organizations are willing to pay upwards of $50,000 USD for the exploit alone. There are teams of people creating malicious programs to steal thousands of dollars, with money mules to collect it. The internet has made it very easy to stay hidden and at the same time makes it more difficult to be tracked down and prosecuted for the crime. This poses issues for everyone: as threats become more sophisticated, there is more of a chance they will work. For businesses this can and has been creating huge issues; they not only need to secure their physical network on site, but also all of the users of all their resources; otherwise there is a chance of entire networks being compromised.
Itfacts.biz reports that in 2008, 275,000 cyber crimes were reported in the US alone. From the reported incidents it is estimated there was a loss of 265 million dollars. That is more than a 32% increase from 2007, and considering there is a large amount of cyber crimes that are not reported, chances are that this figure would increase dramatically if we knew of all the cyber crimes that were committed.
The bad part is that there isn’t an end in sight: as long as there is something of value to be stolen and money to be made, there will be someone attempting to find a way to steal it. The bottom line is that human nature doesn’t change.
Anti-malware software has generally been expanding and now we mainly have suites with tons of features that hog a lot of resources. To top it all, testing usually puts several competitors head-to-head with exceedingly similar results. What can the end user do in order to make sure they are making the right decision in selecting an anti-malware solution?
No one vendor is perfect; however, the best thing a user can do is look at a couple of trusted reviewer results, not only for the detection rate but reviews of the programs as well. Detection of course is one of the most important factors, but the important thing with the suites is that you want to make sure there is a good detection rate for all of the features. In these in-depth reviews the reviewers do the leg work for users so they don’t have to install each program to find the pros and cons.
Once users have gone over the reviews they should download and install the trial version of the software to make sure they like it before purchasing the suite. The last thing a user can check is the number of machines the program is allowed to be installed on. Most of the larger vendors have moved to allow the program to be installed on 3 computers, and considering the average person has more than one computer in their home, this lets them secure up to three of the computers.
One of the problems with several of the reviews, however, is that they generally do not recreate an accurate testing environment. The majority of testers/reviewers generally test detection rates of non-active malware, and the ones that do test live malware only use a small number of samples. There is a huge debate in the industry over this and hopefully the work of the AMTSO will address these issues in a way that ultimately allows consumers to choose the best product for their protection.
How are you gearing up for Windows 7? Are you expecting any new threats?
Here at Kaspersky, all of our products are compatible with Windows 7. With that being said, Microsoft also improves security with each new OS. We saw a decrease of infections in Windows Vista compared to Windows XP and expect to also see a decrease with Windows 7. Considering that we just had our first patches for Windows 7 even though it hasn’t been released yet, I think it is safe to say Windows 7 will also have its share of threats. The truth is that nothing will ever be 100% secure. A recent example of this is the SMBv2 remote exploit that affected Windows Vista and Windows 7.
As has been evidenced in the past, a more secure OS hasn’t always equated to more secure users. We’ll continue to see other attack vectors gain popularity such as Office and PDF based exploits, along with an increase in social networking/web 2.0 based attacks.
What kind of threats are emerging recently? What will we probably have to worry about in the near future that’s still not much of a problem today?
Threats are becoming more and more sophisticated at using a combination of various techniques. For example, some of the recent threats we have seen have built-in self protection. This makes them more difficult to analyze and detect. I think moving forward we will see more threats of this type along with more social networking threats. The more people that are willing to share information online, the more opportunities cyber criminals will have to use social engineering in addition to sophisticated malware combos.
People are known to act on impulse and curiosity, which makes social engineering a very effective method. In addition, with the large-scale sales of iPhones and other smart phones and mobile devices projected to outsell desktop computers by 2011, I can see the mobile threat increasing as a major area for social engineering. To date, this hasn’t been as big in the US as in other countries, but with these phone sales numbers, there is a growing opportunity and the chance for infections to harvest critical information from unprepared and unsuspecting users.
A lot of users of mobile devices feel safe and secure with their phones and store work and personal information on them with no type of security. What they don’t realize is that their phone is a mobile computer, so it has a risk attached to it and can be exploited like any other computer. Users should keep safety in mind with these devices like anything else they would need to protect.