The professionalization of malware
For many years, anti-malware companies have been capturing immense numbers of new, malicious code samples every day. The actual number is controversial, but it's in the hundreds of thousands. Not a typo.
These samples are generated programmatically by malware authors trying, by brute force, to create something that will slip through defenses. Most of them are garbage. Anti-malware programs don't write signatures specific to them, but recognize them by more general characteristics as part of a malware family.
Roger Thompson of ICSA Labs, a security research group owned by Verizon, calls these 'AFTs' for 'Another Freaking Trojan'. The term is meant to contrast with APT for 'Advanced Persistent Threat'; there's no standard definition of APT, but basically it's a more sophisticated malware program which can hide in a target network and perhaps even defend itself.
I spoke with Thompson, whom I have known for a long time from his pioneering work for several companies in the anti-malware industry. In a recent blog entry he notes a clear rise in the quality of malware at the very high end of the APT segment; he calls this Enterprise Malware because it is being written by enterprise-class organizations.
Security companies know from their own forensic examination of attacks that this Enterprise Malware can be traced back often to defense contractors and various branches of various governments. We know, at least since Stuxnet (although any fool knew it was going on before), that western governments were developing attack code. We know of similar activities from the PLA (People's Liberation Army) in China, and now the FBI (with the possible assistance of the NSA) is using malware to infiltrate criminal activities. For years European governments have been open about their policy to allow police to hack into the computers of suspects without a warrant.
Not to dismiss the talents of the last generation of malware writers, but governments and defense contractors have enough budget to hire professionals; I suspect the pool of such people who are willing to work for government is much larger than the pool willing to work for criminal organizations. And with enough patience and talent, we may start seeing malware techniques which heretofore haven't been worth the trouble. Thompson is concerned about the development of cross-platform malware. We saw an example of this in Stuxnet, which used Windows computers to find and attack Siemens industrial controllers.
As Thompson, who knows a thing or two about anti-malware technology, says, anti-malware software can find the AFTs a very, very high percentage of the time, but you can't expect it to find these attacks, at least not when it matters. It's for threats like these that defense-in-depth and rigorous attention to best practices is necessary. For high-value targets, there are also products and services, Solera Networks' DeepSee series for example, which specifically attempt to find threats which are laying low in a network.
After digesting this information, I was tempted to think that this is good news for those of you under the radar; if you're not the sort of operation that is going to merit a high-quality targeted attack, then following best practices — e.g. always updating all software and anti-malware, practicing least privilege, forcing strong passwords — then you should be OK. But that's nothing new. It was always true. The real news is just how essential it is for those who might be the target of a high-quality, enterprise malware attack to follow those practices. And it's discouraging to see how many organizations fall short.