Delve into the enigmatic world of malware authors, exploring their motivations, stereotypes, and impact on cybersecurity. Learn about the evolving landscape of malware creation and the challenges faced by the antivirus community.
Malware Authors • “... [virus writers] have a chronic lack of girlfriends, are usually socially inadequate and are drawn compulsively to write self-replicating codes.” --- Jan Hruska, Sophos • Little is known about malware writers • Why?
Malware Authors: Who? • Stereotype: 16-year-old male living in his parents’ basement in Norway • Also college students, professionals,… • “gender differences in moral development may partially explain the lack of females” • Many virus writers “grow out of it” • Among malware writers • General distaste for destructive code
Malware Authors: Who? • Technical skill of virus writers? • AV community thinks little of virus writers’ skills • Skill level has probably improved since the book was written • Why?
Malware Authors: Why? • Many possible reasons • Fascination with technology --- create software to outwit AV people (game) • Fame --- among malware writers • Graffiti --- “form of expression” • Revenge --- disgruntled employee, etc. • Ideology --- hard to assess, but perhaps Code Red is an example
Malware Authors: Why? • Commercial sabotage --- e.g., attack to reduce company’s stock price • Extortion --- e.g., cryptovirology • Warfare and espionage --- info warfare, cyberterrorism • Malware battles --- for example, Mydoom/Netsky/Bagle in 2004 • 60 variants in 3 months, “attacked” each other • Commercial gain --- writers paid for their work, e.g., botnets for spam
Malware Authors: Why? • Author says the graffiti angle is “interesting … deserves further research” • What do you think? • Virus writing as a glorified prank? • Maybe true in the past • Probably not so much today • Now there is more of a profit motive
AV Community • Like virus writers, not a lot written about AV people either • Seems to me… • They’re just ordinary geeks • Like everybody else you know
Perceptions • Conspiracy theory • AV people write/plant malware • No evidence to support this and… • …lots of evidence to contrary • Effort spent on “unknown” malware • Way more malware than “necessary”, etc. • AV people do need to keep up • Research, study VX sites, etc.
Another Day in Paradise • AV workday is long • “80 hour work week is not uncommon” • Sounds like Silicon Valley to me… • AV company maintains • Databases of malware and goodware • Suspicious file arrives from honeypot, customer, or other source • File first compared to both databases • If not in either, analyze it
Another Day in Paradise • If file is malware… • Update signatures, AV software, databases • Distribute updates • AV employee workday is long • AV company workday is endless • Around-the-clock coverage • Offices in different time zones, continuous threat monitoring, etc., etc.
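The two-stage workflow on these slides (compare an incoming file against the goodware and malware databases; analyze only if it is in neither; if it turns out to be malware, update the databases and queue a signature update) as a small worked example. This is added illustration code, not code from the slides or from any AV vendor. The sample "files", the byte pattern used as a stand-in signature, and the automatic pattern check that stands in for the analyst's work are all constructed assumptions.

```python
import hashlib

# Constructed sample inputs: not real files and not real malware. The byte
# pattern below is an arbitrary marker standing in for a real detection
# signature (assumption for this example).
MARKER = b"CONSTRUCTED-BAD-PATTERN-0001"

SAMPLES = {
    "calc.exe": b"MZ\x90\x00 clean program bytes",
    "dropper.bin": b"MZ\x90\x00 " + MARKER + b" payload",
    "unknown.dat": b"some bytes nobody has seen before",
}


def sha256(data: bytes) -> str:
    """Hash used as the lookup key into both databases."""
    return hashlib.sha256(data).hexdigest()


class Databases:
    """Goodware and malware hash sets plus the pattern signatures (hypothetical)."""

    def __init__(self) -> None:
        self.goodware = {sha256(SAMPLES["calc.exe"])}   # known-clean hashes
        self.malware: set[str] = set()                    # known-bad hashes
        self.signatures = [MARKER]                        # byte-pattern signatures
        self.pending_updates: list[str] = []              # hashes to ship to customers


def triage(db: Databases, data: bytes) -> str:
    """First step from the slide: compare the file to both databases."""
    h = sha256(data)
    in_good, in_bad = h in db.goodware, h in db.malware
    if in_good and in_bad:
        # Same hash on both lists: a data problem to resolve before acting on it.
        return "conflict"
    if in_bad:
        return "known-malware"
    if in_good:
        return "known-good"
    return "unknown"


def analyze(db: Databases, data: bytes) -> bool:
    """Stand-in for the analyst step. A new variant of a known family has a hash
    nobody has seen, but can still match an existing pattern signature."""
    return any(sig in data for sig in db.signatures)


def process_sample(db: Databases, data: bytes) -> str:
    """Full pipeline: triage, analyze if unknown, update databases if malware."""
    verdict = triage(db, data)
    if verdict != "unknown":
        return verdict
    if analyze(db, data):
        h = sha256(data)
        db.malware.add(h)             # update the malware database
        db.pending_updates.append(h)  # and queue the signature update
        return "new-malware"
    return "needs-manual-analysis"    # nothing matched: a human has to look


def flush_updates(db: Databases) -> list[str]:
    """'Distribute updates': return and clear the queued hashes."""
    out, db.pending_updates = db.pending_updates, []
    return out


if __name__ == "__main__":
    db = Databases()
    for name, data in SAMPLES.items():
        print(f"{name}: {process_sample(db, data)}")
    print("update batch:", flush_updates(db))
```

Note the second submission of the same new sample: once its hash has been added, triage answers "known-malware" immediately and the analysis step is skipped, which is the point of keeping the databases in front of the analysts.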
Customer Demands • What do customers want? • 100% detection with no false positives • What to detect? Malware and what else? • Gray area detection --- “delicate issue” • Jokes and games • Cracking tools • Adware/Spyware • Remote administration tools (RATs) • Legal concerns with respect to false positives
Engineering • Malware can be classified as: • In the wild --- active in the real world • In the zoo --- not active • WildList Organization • Much easier to only detect malware that is “in the wild”, i.e., active • Orders of magnitude less malware • So, is this a good idea for an AV company?
Open Questions • Should AV software also: • Provide a firewall? • Provide content filtering? • Perform spam detection? • Apply software patches? • Other?
Open Questions • AV people reverse engineer software • Is this legal? • Users may look at quarantined files • Could this violate privacy laws? • What about false positives? • AV software is almost universally used • So, if you don’t use it, could you be held legally negligent?