
Saturday, May 10, 2008

Why is prevention (rather than cure) a must for the malware problem?

Lately I have seen a movement towards the idea that you can't prevent security problems, so you should do your best to detect and eliminate them. While I agree with this in the general sense, it is clear that a very strong tendency in malware evolution nowadays is to make it both as stealthy as possible and as hard to remove as possible.

Let's imagine a (nightmare) scenario:

  • malware files hosted on a fast-flux network
  • distributed through social engineering (for example, the "click here to get dancing bunnies" kind of e-mail)
  • the downloaded executable is slightly mutated at every download, and mutated in a major fashion every couple of hours (assuming a fixed time period for the attack, this can be done by creating the required number of variations with the packer tool in advance)
  • once run, it loads a kernel-mode driver, disables and prevents security software from running and tries to hide itself

All these components are already out there (there is malware with this behavior - so much for giving the bad guys ideas), and although as far as I know, there is no malware family using all the techniques, it's probably only a matter of (little) time.

I'm not saying that such an infestation is impossible to detect (given enough intelligence, it can be detected by specific network traffic patterns, or by the fact that the security software is no longer working) or to clean (reinstalling from clean, read-only media should work in almost all cases). But it has the potential to wreak havoc among the people who think that security is an add-on you can buy for money, put on, and never worry about again.

Not to sound too alarmist, but such an attack has the potential to take down the root DNS servers (through a DDoS attack), making much of the Internet unusable, and it would most certainly have the potential to take down all but the most powerful sites (those with redundant infrastructure on every continent, etc.), creating enormous damage. The security industry should wake up and realize that unless something is done to curb the exponential growth of electronic crime, disaster will strike in a couple of years.

And by "something" I don't mean even more fearmongering and "buy our products" type messages, but rather real user education (for end users, IT professionals and C-level executives) and cooperation.

1 comment:

  1. No, you don't sound alarmist at all...

    I think what you're really demonstrating here is the old axiom that an ounce of prevention is worth a pound of cure...

    On the other hand, we have to also recognize that no preventative measure (or combination of preventative measures) is perfect... so as critical as it is to prevent as much as we can, that shouldn't be at the expense of being prepared for when prevention fails...