Monday, November 12, 2007

the myth of optimal malware

this is going to be an interesting myth-debunking post because the object of the myth actually exists...

there are any number of optimal properties a given piece of malware can have, such as novelty (new/unknown), rarity (targeted), stealth, polymorphism, anti-debugging tricks, termination of security software, automatic execution through exploit code, etc...

likewise, there are any number of optimizations a malware purveyor can adopt, such as continually updating the malware, targeting it at a small group of people, spreading it with botnets, only using malware which is itself optimal, etc...

there really is malware using some or perhaps most of those tricks, and there really are malware purveyors using some or all of those techniques, so you may be wondering where the myth comes in... the myth comes in when we start treating these optimizations as universal, or close to it - assuming that most if not all malware is as optimal as it can possibly be and that most if not all malware purveyors use the most optimal deployment techniques they possibly can...

while each of those optimizations on its own seems to have become commonplace, few instances of malware can truly be considered optimal... for example, most malware is not targeted - sure, the instances we hear about make for a great story and draw lots of readers, but they're a drop in the bucket next to the total malware population... novelty is seemingly even more common, since all malware starts out as new at some point, but as i've said before novelty is a malware advantage that wears off... polymorphism attempts to keep that novelty going indefinitely, but it, along with novelty and targeting, was really only ever effective against known-malware scanning - none of them holds any particular advantage against anti-malware techniques that don't operate by knowing what the bad thing looks like (behaviour-based detection or whitelisting, for example)...
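to make the known-malware-scanning point concrete, here is a toy model (an added example for this page, not code from the original post or from any real malware or scanner)... the sample layout, the `DELETE_ALL_FILES` payload string and the `BEHAVIOUR_MARKER` are all constructed for the illustration; nothing here executes anything, the "decryptor stub" is emulated by `unpack()`... a polymorphic engine re-keys the same payload for every copy, a hash-based scanner only ever flags copies it has already been shown, and a detector that judges what the sample does after unpacking doesn't care how many variants exist:

```python
import hashlib
import random

# Constructed stand-ins: a real sample carries code, not a string, but the
# point is the same - the payload is what the malware *does*.
PAYLOAD = b"DELETE_ALL_FILES"
BEHAVIOUR_MARKER = b"DELETE_ALL"


def make_variant(rng: random.Random, payload: bytes = PAYLOAD) -> bytes:
    """Toy polymorphic engine (hypothetical layout chosen for this example):

        [key][junk_len][junk ...][payload XOR key]

    Every call yields a different byte string for the same payload, which is
    all polymorphism needs to do to defeat a scanner that matches on bytes.
    """
    key = rng.randrange(1, 256)  # key 0 would leave the payload in the clear
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 9)))
    body = bytes(b ^ key for b in payload)
    return bytes([key, len(junk)]) + junk + body


def unpack(sample: bytes) -> bytes:
    """What the decryptor stub does at run time; here it is emulated instead."""
    key, junk_len = sample[0], sample[1]
    return bytes(b ^ key for b in sample[2 + junk_len:])


class SignatureScanner:
    """Known-malware scanning reduced to its essence: a whole-sample hash
    database. Real scanners match byte patterns, but the limitation is the
    same - they can only flag what they have already been shown."""

    def __init__(self) -> None:
        self.known = set()

    def learn(self, sample: bytes) -> None:
        self.known.add(hashlib.sha256(sample).hexdigest())

    def detect(self, sample: bytes) -> bool:
        return hashlib.sha256(sample).hexdigest() in self.known


def behaviour_detect(sample: bytes) -> bool:
    """Detection that ignores what the sample looks like and judges what it
    does once unpacked - polymorphism buys the sample nothing here."""
    return BEHAVIOUR_MARKER in unpack(sample)


def run_trial(n_variants: int, seed: int = 1) -> dict:
    """Release n variants. The first one is captured and added to the
    signature database; the rest are 'new/unknown' when they are scanned.
    A second scanner that has analysed every variant shows how quickly the
    novelty advantage evaporates once samples are collected."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n_variants)]

    early = SignatureScanner()
    early.learn(variants[0])
    fresh = variants[1:]

    later = SignatureScanner()
    for v in variants:
        later.learn(v)

    return {
        "sig_on_known": early.detect(variants[0]),
        "sig_on_fresh": sum(early.detect(v) for v in fresh),
        "behaviour_on_fresh": sum(behaviour_detect(v) for v in fresh),
        "sig_once_all_analysed": sum(later.detect(v) for v in variants),
        "distinct_byte_strings": len(set(variants)),
    }


if __name__ == "__main__":
    for name, value in run_trial(50, seed=7).items():
        print(f"{name}: {value}")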


the same holds true for malware purveyors as well, few do what it really takes to get the most out of malware... otherwise malware would be much more successful than it is... even security conscious folks like you and i would be getting compromised left right and center because our anti-malware controls would just not be effective...

but that doesn't stop people from believing or falling into the logical trap that is optimal malware... i'm sure you've seen and perhaps even constructed arguments based on this fallacy... the anti-virus is dead argument is based in this as it posits that scanners are not effective because of new/unknown malware despite the fact that that malware doesn't stay new/unknown for long and that the effectiveness of known-malware scanning is precisely the reason the malware creators have to keep churning out new versions of their wares... the school of thought that says software firewalls are useless because malware can just shut them down or tunnel through some authorized process is likewise based on the myth of optimal malware because although some malware certainly does bypass software firewalls, not all do, and so they remain at least somewhat effective as a security control... in fact, any similar argument that says security technology X is useless because malware can just do Y to get around it is based on the myth of optimal malware as there is plenty of malware that doesn't do Y... i think i've even fallen prey to this fallacy on occasion when constructing arguments (so there's no need to point examples out to me, i know i'm not perfect)...

so keep this in mind the next time you run across a school of thought that attributes near supernatural abilities to malware - with truly optimal malware the malware purveyors would be able to get past most if not all our anti-malware controls all of the time (not unlike fooling all of the people all of the time), and since that isn't happening we can conclude that most malware is in fact not optimal...

5 comments:

Anonymous said...

you should write about virtumonde. no anti-spyware can destroy it. since virtumonde only slows down and behaves like a trojan, nobody seems to care about it.

yet norton, or Microsoft one care or vundofix can destroy the latest strains of Virtumonde or jkhff.dll.

kurt wismer said...

it seems to me that the existence of a dedicated removal tool (vundofix) indicates that someone does care about it...

as i understand it, the people who make virtumonde keep making new versions - there's little that can be done to prevent the new versions from slipping past known malware scanners since they are unknown... this is a widely recognized limitation of known malware scanning and is one of the reasons why additional preventative techniques should generally be used in addition to it...

Didier Stevens said...

It's not that optimal malware is a myth, it's just rare and deciding what is optimal is context dependent.

Malware also contains bugs like any other software. I used to believe that malware was more bug ridden than other software, but in the last years I see more professional code in malware. Like error handling.

I would like to dedicate some time to find vulnerabilities in malware and write exploits for it :-). But that would just be some project to proove a point, it wouldn't have much value.

kurt wismer said...

@didier stevens:
y'know, i can think of one area where finding ways to exploit malware would be of significance - botnet c&c...

whether it be subverting the control channel to make the bot announce itself to the affected device owner, or disrupting communication with the botmaster, or even getting the bots to use their self-defense mechanisms against their legitimate c&c... botnets should become rather impotent if communications break down...

Didier Stevens said...

Interesting idea...