Why malware authors don't need to try
commentary We often assume that malware writers are the sort of evil geniuses who work tirelessly to exploit unheard-of or secretly hidden backdoors in order to make a quick dollar or use your computer's resources for their own means. But recently, it feels like they haven't even been trying that hard.
On the back of Flashback, we saw another piece of malware, SabPab, that exploited the same Java vulnerability. Then, it wasn't long before a variant of SabPab was released, and Intego noted that SabPab's authors had begun to use Word documents to deliver their payloads. Strangely, the Word vulnerability that it used to spread itself was patched in 2009.
Although Kaspersky considers SabPab to be an advanced persistent threat, which usually indicates a high-level über hacker, I'm more inclined to see it as the work of someone who is relying on their victims being clueless about security. Why? Well, other than the ability to humiliate your victims for falling for such an old vulnerability, why would you pick one that is expected to have been patched?
I think the answer is that the authors are banking on users not bothering to patch, even though it's expected of them.
Take Flashback, for example; 600,000 Macs were considered to be infected. Kaspersky provided a free detection website and removal tool, F-Secure wrote instructions on how to detect and remove Flashback manually, numerous security blogs and news websites posted information and recommendations on how to disable Java, multiple companies have sink-holed the resultant botnet and Apple released its own official patches and tools. It seems unbelievable that users would find it hard to patch the vulnerability with that much help.
Yet, the latest figures from Symantec have Flashback infections currently pegged at 140,000, a number that it thinks is still far too high, given the support that people have been given. That's just under 25 per cent of the infected users.
Although Symantec, like others, provides antivirus products, and therefore has a vested interest in getting users to understand that they need protection, I'm inclined to agree with its disappointment in users. None of the patches or intermediary steps cost a single cent for a user to apply or follow, whether from Symantec or from one of its competitors. There is simply nothing for the user to lose, and there is no excuse for not patching. But around one in four can't be bothered.
Given this, malware authors could go the distance, do their research and discover threats that no organisation or individual would be prepared for — or they could just go after the one in four.
When there are so many willing victims, putting in the extra effort suddenly seems like a dumb way of operating.