Why malware authors don't need to try

Summary: We often assume that malware writers are the sort of evil geniuses who work tirelessly to exploit unheard-of or secretly hidden backdoors in order to make a quick dollar or use your computer's resources for their own means. But recently, it feels like they haven't even been trying that hard.

On the back of Flashback, we saw another piece of malware, SabPab, that exploited the same Java vulnerability. Then, it wasn't long before a variant of SabPab was released, and Intego noted that SabPab's authors had begun to use Word documents to deliver their payloads. Strangely, the Word vulnerability that it used to spread itself was patched in 2009.

Although Kaspersky considers SabPab to be an advanced persistent threat, which usually indicates a high-level über hacker, I'm more inclined to see it as the work of someone who is relying on their victims being clueless about security. Why? Well, other than the ability to humiliate your victims for falling for such an old vulnerability, why would you pick one that is expected to have been patched?

I think the answer is that the authors are banking on users not bothering to patch, even though it's expected of them.

Take Flashback, for example; 600,000 Macs were considered to be infected. Kaspersky provided a free detection website and removal tool, F-Secure wrote instructions on how to detect and remove Flashback manually, numerous security blogs and news websites posted information and recommendations on how to disable Java, multiple companies sinkholed the resulting botnet, and Apple released its own official patches and tools. It seems unbelievable that users would find it hard to patch the vulnerability with that much help.

Yet, the latest figures from Symantec have Flashback infections currently pegged at 140,000, a number that it thinks is still far too high, given the support that people have been given. That's just under 25 per cent of the infected users.

Although Symantec, like others, provides antivirus products, and therefore has a vested interest in getting users to understand that they need protection, I'm inclined to agree with its disappointment in users. None of the patches or intermediary steps cost a single cent for a user to apply or follow, whether from Symantec or from one of its competitors. There is simply nothing for the user to lose, and there is no excuse for not patching. But around one in four can't be bothered.

Given this, malware authors could go the distance, do their research and discover threats that no organisation or individual would be prepared for — or they could just go after the one in four.

When there are so many willing victims, putting in the extra effort suddenly seems like a dumb way of operating.

Topics: Security, Apple, Malware, Operating Systems

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

8 comments
  • Let's remember - almost 30 years ago - in the USA - the "Orange Book" was about to get its first airing and it simply gave us a view of the future - yes, even in those mainframe/ minicomputer days. The basic ideas were actually quite simple - discretionary access control for those situations where trust was known, understood and prevalent so that programs only entered a system in a trusted manner from trusted sources. Then, of course, there was "mandatory access control (MAC)" - for situations when you simply could not trust a program or where it came from (the situation today!).

    All this applied to the basic computer hardware and operating system. So - where are we now - well - the industry - without any form of interest or regulation by responsible government - (oops- there was that "C2 by '92" edict for government systems in the USA that never was enforced anyway) - relentlessly unleashed those discretionary access systems onto the world of the microprocessor / PC / server and the Internet for which such operating systems were uniquely unsuited. (Actually, remember MS-DOS had no security at all! AND it was, reportedly, only that "C2 by '92" edict that put such access control into the then Windows'NT file system - an OS originally aimed at the Intel 860 RISC CPU, DEC Alpha, etc. with MS-OS/2-3 for the x86 stuff.)

    MAC style systems were designed to meet that challenge of malware - head-on, given that in very large software systems errors were considered to be part of the "scenery" anyway and so - the basic security functionality of the computer had to cater for that inevitable situation... the one we have today.

    So - where to now - too late? Richard A Clark submits that indeed it is - with national information infrastructures built around insecure computer systems - for the environment in which they function.

    Well - we do have a few MAC style operating systems such as SELinux (see Redhat RHEL-5 or 6). BUT - how many of our critical information servers are using such systems? (10% - 20% - who knows?) I suggest - less than 1% and well less than that! And how many ICT professionals are versed in them or how many universities / TAFEs teach such environments? (Any real numbers? I doubt it - if any at all in Australia.)

    So simple - without enforcement of enhanced security functionality - no, not software assurance / quality, etc. - but basic security design built in, the situation will get worse and worse - and not just at the home / SME PC level. Rather, the real problem is at the enterprise server, the custodian of the "big data"!

    It is up to government - now - to be proactive!
    Server systems in the critical information infrastructure areas, including such application areas as eHealth, banking and finance, eGovernment and so on need to have hardened operating systems as a base - and that means some form of MAC / FMAC or equivalent...

    BUT - will it happen? Not really - there is no "political push".

    As we have seen in the US congress discussions - there will simply have to be some huge, national level "meltdown" of an information system for any political response - that's human nature.

    eHealth could be the one!
    Privacy once compromised cannot be regained or reinstated, unlike reimbursement of fraudulent financial transactions, and the like.
    BUT this time - in the second decade of the 21st century - can we really afford that?
    caelli
    • Very interesting. I was listening to the views of Jacob West recently (related article: http://www.zdnet.com.au/security-mistakes-mobile-devs-make-339336103.htm) who likened security to seat belts in cars.

      Someone, somewhere, invented seat belts as a good, optional safety measure. Then, later on, someone decided that no, they should be mandatory, and regulation was put in place. The question now remains, should we do the same for information security and put regulation in place to save ourselves? Or will it be seen as overly "nanny"-ing citizens?

      If you want to make an omelette, you have to break a few eggs. I'd personally say it's time we thought about getting cracking.

      -Michael
      Michael Lee (Mukimu)
  • Apple users have this perception that they are invulnerable to viruses and malware, it's something that only happens to Windows. Heads-up: we're on the malware author's radar as well now.

    signed
    Mac and Windows user
    meski.oz@...
    • When I see the comment that 140,000+ computers are STILL infected, I know that this is correct - only Windows users get infected.
      amckern-b0f83
      • 140,000+ isn't 0.
        If 600,000 Macs got infected then I would have to say that comment you wrote is false.
        You fanboys make me want to throw my Mac in the trash. But I could never do that to my beloved lol :-P
        djlobb01@...
  • Wow! That's quite a post from someone who has clearly been around a while.

    The C2 by 92 people were also the ones that pushed GOSIP and other OSI-style market failures. Alas a lot of these initiatives do not encourage innovation. When programmers and users can only do what is explicitly permitted by security staff then a highly reliable innovation-free-wasteland will emerge.

    The current malware environment is an unavoidable byproduct of human behaviour mixed with an unconstrained ICT ecosystem.

    The problem is when people build critical systems without security controls (capability constraints) out of hastily built parts. We don't want our browsers built as slowly as Airbus fly-by-wire software, but we also don't want aircraft systems to be as unreliable as our browsers. We must engineer things correctly. Light and agile and weak where it is appropriate, heavy and rigid and strong where necessary.

    Poor eHealth is on a hiding-to-nothing. The current paper records have no security, yet eHealth security is expected to be 100% perfect without impeding access to data when required. I sit for an hour waiting for the doctor in a public area where anyone can see me, yet find it unacceptable if I leave any electronic footprints. Expectations must be managed on eHealth, lest the bar be set too high.
    Pragmatic-3e05f
  • How can anyone expect governmental control of this situation? No two governments in the world can reach agreement on most issues.

    Back in the 80s when viruses started to proliferate (pre-Internet), I never saw a single virus on one of my PCs, although I installed anti-virus software for accessing BBSes. In that same time I must have seen dozens of viruses on the Mac platform.

    I did later see a virus that travelled on WinWord.

    Personally, I blame it on the OS architecture. I believe that all software should be distributed in Source Code, and your OS should compile it into an executable while simultaneously scanning for unauthorized accesses. Once the executable has been written, the file should be locked with the only "write access" being user-authorized erasure. We have too much cross-communication between programs within one platform that leaves all programs vulnerable. Look at office suites where Word can tell Access what to do and Access can tell Word what to do. Data-sharing is great, but cross-programming is just asking for problems.
    Treknology
  • MAC style systems were designed to meet that challenge of malware - head-on, given that in very large software systems errors were considered to be part of the "scenary" anyway and so - the basic security functionality of the computer had to cater for that inevitable situation....
    Naveena-d8515