Sunday, July 15, 2007

what happens when the malware stops?

not too long ago there was a post about wabisabilabi on the authentium blog that was interesting on a couple of different levels...

rjs' primary angle was ethics, and i can't really fault anything he wrote - it sounds dead-on to me, not to mention being very much in line with sentiments i've seen many other av personalities make over the years...

but there was one question that the wabisabilabi blogger asked and rjs answered that i think bears closer examination... the question is, essentially, what happens if/when everyone stops writing malware... both the asking of the question and the answer given seem to operate under the assumption that malware will cease to be a problem if/when people stop writing it...

however, as i've observed previously, old viruses never die so that assumption doesn't seem to hold... in fact, as i've suggested on more than one occasion, self-replicating malware will continue to pose a threat long after anyone associated with its release loses interest and moves on... so long as it poses a threat there will be a need for anti-malware software so the shareholders that wabisabilabi's blogger feigned concern for shouldn't need to worry about their investment becoming completely worthless...

of course one could make the argument that without new malware the nature of what anti-malware companies do would be irrevocably changed - and while that's true it's not as big a change as one might think (at least not right away)... you see, the products detect hundreds of thousands of instances of malware but do they do so perfectly? do they do so optimally? what about removal, is that perfect or optimal in all cases? the answer is no on all counts so there is still plenty of room for malware analysts and engine designers to make improvements... even after all that gets taken care of, it's not like the lack of compelling reasons to upgrade has hurt the word processor market or stopped microsoft from regularly releasing new versions of word...

so it really doesn't seem like the end of malware writing would be all that damaging to the anti-malware business, but what i'd like to do now is take a step back and look at what the end of malware would mean... as i've mentioned before malware is (or at least starts out as) a proxy for the intent of a human attacker so why would such attackers stop employing this particular technique for attacking digital assets and resources? malware is a way for an attacker to benefit from automation and make their attacks easier to perform - the most likely reason (though still very unlikely) for them to give that up would be that they were giving up attacking digital assets/resources entirely... in which case, by rjs' reasoning it shouldn't just be the anti-malware folks throwing parties and getting blitzed, it should be the entire computer security industry because the giant pain in the ass that protecting those resources represents will be over...

but let's go further... attacking digital assets/resources is just one of many avenues that people use to attack each other - why give up one and not the others? either computers stop being a useful avenue of attack (which likely can only happen if computers simply stop being useful - seems like a rather apocalyptic change) or people just stop attacking each other... when man stops attacking his fellow man it will be just as much the end of the world as we know it as if it were a conventional apocalypse, only nicer... either way, the end of malware writing would signal the end of many other things...

that's not to say that the end of malware writing would cause an apocalypse or that writing malware keeps the world from falling off its axis - malware is not the cause of things, it is a symptom of the human condition and the only way for it to go away is if the human condition itself undergoes a fundamental and profound change... as such, there's really no problem with anti-malware vendors discouraging malware writing... nobody's under any illusions about whether or not it's going to stop malware from being written, but it is the ethical high road and it is the right thing for them to do...

and if anyone has an even longer view i'd love to hear it...
