Monday, April 07, 2008

enough with the financially motivated malware

i've mentioned before that the notion that malware purveyors are now looking for money as opposed to fame gets far too much attention... well enough is enough...

stop droning on about it... stop putting me to sleep with this tired old refrain... stop trying to impress me by saying exactly the same thing everyone else has been saying for the past couple of years now...

if you really want to impress me, don't tell me malware purveyors have become money-grubbing scumbags, tell me how you're using their new behaviour patterns against them...

show me, not that you understand the playing field is changing, but rather how you're changing with it... that or admit you aren't and are therefore unimpressive... you're supposed to be fighting the bad guys, after all, not simply observing them... i want to know that you're interfering with their criminal enterprise... i want to know that you possess info that's actually actionable, because the fact that they've switched motivations by itself isn't...

4 comments:

Andy, ITGuy said...

Kurt, I heard that malware writers were motivated by money. What do you think? :)

kurt wismer said...

ha ha...

and considering how i feel about the topic, it's kind of ironic that the comment notification email for your comment went into my spam folder...

Didier Stevens said...

Financially motivated malware wants to stay under your radar; one of the tactics is to stop executing as soon as it detects it's running inside a virtual machine (the programmer assumes that running inside a VM is a sign that the malware is being analyzed). This is one of the reasons why I do online banking inside a virtual machine. Even if my VM gets infected, I've a chance that the malware will not execute.

kurt wismer said...

@didier stevens:
while it's entirely true that some financially motivated malware wants to stay under the radar and will use vm detection to that end, the malware from yesteryear also wants to stay under the radar and will use vm detection and/or any number of other anti-debugging techniques to make analysis more difficult...

that particular class of behaviours is not unique to financially motivated malware...

as vms become more ubiquitous, however, malware authors may have to abandon that technique because environments like yours become too popular to give up on...

i do something similar in that i always browse from within a sandbox, but my aim is not to trick the malware into not operating... instead i'm just interested in having an environment which i can flush easily - that way i can have a fresh sandboxed environment to do online banking in...