Fighting cyber threats with malware not ideal

Using "good" viruses to eliminate cyber threats can be effective but brings about technical issues and questionable motives, security insiders say.
Written by Ellyne Phneah, Contributor

Countries are increasingly taking up the option of fending off cyber threats with homebrewed malware. While this might prove effective, security insiders noted that it can raise technical and ethical issues and is ultimately not the best method of curbing online threats.

Japan, for one, was reported last week to have commissioned IT vendor Fujitsu to develop malware that can track, identify, and disable sources of online attacks. The Asian giant joins the ranks of the United States and China, among others, which are developing cyberweapons, according to the ZDNet Asia report.

Commenting on this development, Ang Chye Hin, regional sales director for Southeast Asia at SonicWall, pointed out that the strategy of "fighting fire with fire" is a highly effective one when used to defend against specific malware families. He explained in his e-mail that a single piece of "good" malware can reach out to the various branches of a cyberattack as well as go straight to its root.

For example, this good malware can be used during a botnet takedown to switch corrupted command-and-control (C&C) servers with clean ones. It can also be used to take over the attacker's C&C communications to disable bots on infected computers, as well as to gather information on how the attack was put together, he elaborated.

Questionable motives, end-results
David Harley, senior research fellow at ESET Security, agreed that there are advantages to using malware in covert operations such as intelligence, counter-intelligence and government purposes.

That said, there are also potential issues regarding maintaining control once the good malware is released into the wild, as well as possible incompatibilities and dependency issues in systems on which the malware has not been tested, he highlighted.

Control, in particular, can be easily wrested from the hands of government agencies, he warned. This is because if the good virus is self-replicating, it is difficult to manage its spread and any collateral damage will "pour hot coals" and invite scrutiny on the agency or country that launched it should innocent parties get adversely affected, the ESET executive added.

"There is a clear suggestion here of unauthorized access and possibly modification, and that's going to be a legal disaster as it crosses borders into jurisdictions where those unauthorized actions are unequivocally illegal," Harley warned.

Furthermore, there might be technical challenges in having systems differentiate between good and bad viruses, he pointed out. If the good malware uses techniques similar to those of "badware", it is often not possible for automated malware detection systems to tell them apart, he said.

The assumption that the malware would be able to trace cyberattacks all the way back to their source also shows a "tenuous grasp" of the realities of Internet traffic, as well as of the way botnets and other malware operate, Harley argued.

"I'm concerned that people and agencies will sustain damage through unrealistic expectations of what this tool, whatever it turns out to be, can achieve," he added.

Luis Corrons, technical director of PandaLabs at Panda Security, agreed that once malware, regardless of its intentions, is released, it is designed to replicate itself and control over it will be lost.

He then questioned the motivations behind creating such software, saying that such a tit-for-tat cyberdefense strategy is simply an excuse to "strike back on attackers".

"The excuse here is that it is needed to build defenses, but a virus is not a defensive weapon, it is an offensive one," Corrons said in his e-mail. "You use it to break into some place, to steal information and sabotage others."