The professionalization of malware

Summary: The high end of malware is reaching a new level of quality that comes from its being written by professional organizations with real budgets and high standards. Be afraid.

TOPICS: Security, Malware

For many years, anti-malware companies have been capturing immense numbers of new, malicious code samples every day. The actual number is controversial, but it's in the hundreds of thousands. Not a typo.

These samples are generated programmatically by malware authors trying, by brute force, to create something that will slip through defenses. Most of them are garbage. Anti-malware programs don't write signatures specific to them, but recognize them by more general characteristics as part of a malware family.
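An added example (not from the article or from any anti-malware vendor) of the distinction drawn above: constructed "variants" that share a functional core but differ in junk padding, so a per-sample hash signature taken from one variant misses the rest, while a family rule keyed on shared characteristics catches them all. The core strings, the padding scheme and the sample data are all assumptions made up for the demonstration.

```python
import hashlib
import random

# Constructed feature set standing in for the characteristics a malware
# family shares across its brute-forced variants (assumption, not real IoCs).
CORE_STRINGS = [b"CreateRemoteThread", b"http://example.invalid/gate.php", b"cmd.exe /c"]

# Constructed benign-looking blob that contains only one core string.
BENIGN_SAMPLE = b"MZ This program cannot be run in DOS mode. cmd.exe /c echo hi"


def make_variant(seed: int) -> bytes:
    """Build one constructed variant: same core, shuffled order, random junk padding."""
    rng = random.Random(seed)  # deterministic per seed so results are reproducible
    pieces = list(CORE_STRINGS)
    rng.shuffle(pieces)
    out = b""
    for piece in pieces:
        out += bytes(rng.randrange(256) for _ in range(rng.randrange(4, 40))) + piece
    return out + bytes(rng.randrange(256) for _ in range(rng.randrange(4, 40)))


def hash_signature_match(sample: bytes, known_hashes: set) -> bool:
    """Per-sample signature: fires only on bytes that were seen and hashed before."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def family_rule_match(sample: bytes, min_hits: int = 2) -> bool:
    """Family rule: fires when enough shared characteristics are present, padding ignored."""
    return sum(s in sample for s in CORE_STRINGS) >= min_hits


def evaluate(n_variants: int = 20) -> tuple:
    """Return (hash-signature hits, family-rule hits) over n constructed variants,
    assuming the lab only ever captured and hashed variant 0."""
    known = {hashlib.sha256(make_variant(0)).hexdigest()}
    variants = [make_variant(i) for i in range(n_variants)]
    hash_hits = sum(hash_signature_match(v, known) for v in variants)
    rule_hits = sum(family_rule_match(v) for v in variants)
    return hash_hits, rule_hits


if __name__ == "__main__":
    print("hash hits, family hits:", evaluate())      # → (1, 20)
    print("benign flagged by family rule:", family_rule_match(BENIGN_SAMPLE))  # → False
```

The `min_hits` threshold is what keeps the family rule from firing on the benign blob; tightening or loosening it is the usual precision/recall trade-off of a generic signature.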

Roger Thompson of ICSA Labs, a security research group owned by Verizon, calls these 'AFTs' for 'Another Freaking Trojan'. The term is meant to contrast with APT for 'Advanced Persistent Threat'; there's no standard definition of APT, but basically it's a more sophisticated malware program which can hide in a target network and perhaps even defend itself.

I spoke with Thompson, whom I have known for a long time from his pioneering work for several companies in the anti-malware industry. In a recent blog entry he notes a clear rise in the quality of malware at the very high end of the APT segment; he calls this Enterprise Malware because it is being written by enterprise-class organizations.

Security companies know from their own forensic examination of attacks that this Enterprise Malware can often be traced back to defense contractors and various branches of various governments. We know, at least since Stuxnet (although any fool knew it was going on before), that western governments were developing attack code. We know of similar activities from the PLA (People's Liberation Army) in China, and now the FBI (with the possible assistance of the NSA) is using malware to infiltrate criminal activities. For years European governments have been open about their policy of allowing police to hack into the computers of suspects without a warrant.

Not to dismiss the talents of the last generation of malware writers, but governments and defense contractors have enough budget to hire professionals; I suspect the pool of such people who are willing to work for government is much larger than the pool willing to work for criminal organizations. And with enough patience and talent, we may start seeing malware techniques which heretofore haven't been worth the trouble. Thompson is concerned about the development of cross-platform malware. We saw an example of this in Stuxnet, which used Windows computers to find and attack Siemens industrial controllers.

As Thompson, who knows a thing or two about anti-malware technology, says, anti-malware software can find the AFTs a very, very high percentage of the time, but you can't expect it to find these attacks, at least not when it matters. It's for threats like these that defense-in-depth and rigorous attention to best practices are necessary. For high-value targets, there are also products and services, Solera Networks' DeepSee series for example, which specifically attempt to find threats that are lying low in a network.

After digesting this information, I was tempted to think that this is good news for those of you under the radar: if you're not the sort of operation that is going to merit a high-quality targeted attack, then following best practices — e.g. always updating all software and anti-malware, practicing least privilege, enforcing strong passwords — should keep you OK. But that's nothing new. It was always true. The real news is just how essential it is for those who might be the target of a high-quality, enterprise malware attack to follow those practices. And it's discouraging to see how many organizations fall short.

  • Grammar!

    > Thompson, who I have known

    should be

    > Thompson, whom I have known
    • I concede

      I remember the rule about whom following a preposition, but I'm never right about the other cases. I would argue generally that whom is a useless word though and speech would be just as clear if 'who' were used wherever 'whom' was appropriate.
    • "Whom" is becoming archaic.

      It's unfortunate, but it is a fact: Seltzer's usage would be acceptable to the editors of most major publications to whom it was submitted, or, as is also now accepted, "to the editors of most major publications it was submitted TO."

  • Cavalier attitude to security

    I think Larry's conclusion is depressingly accurate. Too many people too complacent ("we have nothing of value")... let us hope the rising generations of top managers (which includes people of all sorts of backgrounds) have a better appreciation of IT and the potential threats, and the need to invest in security as an economically sensible thing to do.

    But what about individual users? Not knowing how the internal combustion and gear boxes work and yet safely driving cars is one thing, but using the internet and not knowing/caring about security is quite another.

    If I recall correctly, Bill Gates once said, years ago at the time of the launch of MS's free antimalware programme, that one of the biggest security threats came from unprotected computers. The idea of a free, easy-to-use, automated antimalware app was to try to reduce the volume of malware circulating round the internet.
    I am sure some people might want to argue about Bill Gates's motives, but he had an extremely valid point.
    • Too bad it doesn't work.

      So far there has been no defense against malware except education.

      For the basic malware, fix the bugs that allow them to exist. Papering over the bugs is not a fix - it just hides the problem, and permits the bugs to continue to exist and cause problems in other places.
  • The fight against malware

    Jesse, "fix the bugs that allow them to exist."

    And how long do you think the fix would work? It is a never-ending battle.

    Of course education is important (e.g. to stop people opening phishing messages) but the malware producers are always on the lookout for more challenges.

    Did you read the article (can't recall on which forum, but articles pop up in several places) about what might happen the day support for Win XP ends?

    MS pushes out fixes for all its current OSs at the same time. Many apparently apply to all of them. So all a hacker has to do is to 'reverse-engineer' a vulnerability fix to determine the vulnerability and attack XP accordingly. If the market share of XP is still significant in April 2014 it might be worth doing.
  • The browser must be changed

    Sadly, this article is pretty much on point. There definitely is an evolution of malware that makes it much harder to detect. Having a standard library or codebase to use in detecting malware is losing its efficacy and remaining in a reactive state to malware attacks is dangerous, whether you're part of an enterprise or an individual user.

    There have been some innovations to proactively combat malware, and I recommend for those who are interested to learn about some of these new innovations to check out an air gap browser (such as the one by Spikes), which physically separates the browser from the client computers. This really is the only way to keep malware off the client computer - by not having the source (browser) of over 94% of malware on the local machine. Thoughts?
  • Definition of APT

    Hi Larry & readers, this is a good article about the plague of malware and is a good call to action to start re-thinking the use of those ineffective anti-malware solutions. It's time to fundamentally change the way we use the web, so check out what we're doing at to prevent malware at the source. We've taken the browser off your computer :)

    By the way, the definition of APT is pretty well described over at Wikipedia ( and defines it as the people or group with the skills and intent to write advanced malware, not the malware itself. A common misunderstanding.
    • I have better luck using HIPS...

      that work near the kernel layer, and are mostly behavioral in heuristic nature. The good ones are resistant to attack as well. The blended defense is always the goal though. Keeping all applications and operating systems fully up to date, using tools to alert the IT staff, or users, can keep the attack surface low and "bugs" from compromising limited rights and taking possession of the host operating system. Of course the best software firewalls and anti-malware can block attempts at suspicious connections to call in their minions, and help prevent the spread of the attack inside the LAN or end point.

      Using these blended defenses can point to an interesting fact while testing this defense in a honeypot lab - by just cleaning up the file structure of the limited rights account, occasionally, to dump temporary files that tend to couch attack packages, one can wholly prevent almost all attempts at malware intrusion. Piriform's CCleaner can help prevent startup injections by Zeus type variants in an attempt to survive the next reboot.

      For those that do sneak under the radar - using tools that can operate in the infected environment that can prevent screen capture, key-logging, and real time video/remote surveillance can be realized. I use AKLT as just one of the many tools to test these solutions. As we all know, it is deploy the defense, then test and verify, and maintain interior surveillance, and that old tired phrase "best-practices".