“It is hard for criminals to rely on the same old method they did in the past to infect systems with malware.”
Adam Kujawa is the Head of Malware Intelligence at Malwarebytes, the provider of anti-malware and internet security technology. CBR’s Alex Sword spoke to him to find out what the big malware threats are and how the landscape is changing.
AS: There have been huge increases in the number of malware variants according to many reports. What is changing in the malware world in terms of long-term trends?
AK: There are three main reasons for an increase in variant/family creation: pay-off for the criminal, difficulty in attribution and an increase in availability of malware technology to non-technical criminals.
These three things, which represent super-easy-to-customise malware, the ongoing difficulty law enforcement has in tracking down the bad guys, as well as an entire cybercrime marketplace/economy, are the perfect conditions for a flood of interest in cyber-crime by otherwise non-technical criminals. Now in the real world, if two or more stores are set up near each other, they are going to compete on prices, offerings, etc. The same works in the cybercrime world, where you’ve got a handful of bad guys developing malware: the more customers there are, the more demand there is, which means more players entering the market to meet the demand, and the competition between those players makes more powerful, more dangerous malware as well as just an increase in overall malware availability.
So while it might seem like there is some kind of deep technical reason for the increase in malware, the reality is that it works similarly to any other industry. Take for instance when the iPhone came out. Lots of people bought the iPhone and the demand grew, so other companies started making their own smartphones to give the customers more options; in turn, many of those new players competed with each other and now we have rapidly advancing smartphones showing up over the last couple of years. There are phones that do very special things and there are phones that don’t do as many things, for the low-budget user. There are even rip-off phones that don’t really work very well (the same happens in malware).
AS: What are the main sources of income for malware authors?
AK: For malware authors, it’s one of two things: taking a cut (or all) of the money earned from the malware attack or selling the malware itself to other criminals.
This all depends on the business model used by the criminal, whether or not they want to keep their source code secret for a particular gang or if they don’t mind if lots of copycats show up. It also depends on the kind of malware: ransomware gets its money directly from the user by encrypting and ransoming personal files, while malware that steals things like personal financial information, email addresses, passwords, etc. will be sold in bulk on cybercrime forums to either other criminals or shady business people.
AS: New malware can be programmed very easily – is a blacklisting approach sufficient or is a more proactive anti-malware solution needed?
AK: Blacklisting isn’t really a viable option anymore because of the sheer amount of malware out there and how fast it evolves. Utilizing a heuristic anomaly scanning method to look for stuff that seems malicious is a better approach; however, such approaches initially result in a lot of false positives. So they need to be fine-tuned, and it’s only really been recently, over the last few years, that we’ve had the kind of technical power to utilize things like machine learning to help us identify unknown malware. I expect that 5-10 years from now the blacklist approach will be completely dead in favor of only looking for anomalies.
AS: Ransomware has been the big malware of 2016. How do you see ransomware evolving in the future?
AK: Ransomware heavily relies on social engineering; what I mean by that is that every version of ransomware ever made was not an effort to extract money from the victim system but rather from the victims themselves, so it requires users to feel helpless and willing to pay the ransom. As security increases, new technology makes ransomware less effective and users become more aware of the threat and protect themselves, the bad guys are going to look for another loophole in the security of the user. This might be going after cloud data, this might be threats to publish personal things to social media, etc. There are still a lot of areas ransomware is moving toward, like a bigger focus on mobile devices, Macs and Linux systems.
AS: What do you think the big threat in terms of malware will be in the future? What classes of malware do you see emerging now that could become the next big thing in malware?
AK: Ransomware showed a significant trend not only to the defenders but also to the bad guys; never before have we seen such fast and widespread adoption of a malware threat as ransomware. But it isn’t necessarily the fact that files are being encrypted that is the vulnerability; it’s more about the fact that your average person (especially in the West) lives their whole life online, with relationships, careers, etc., and we hold those things very close to our hearts.
Over the years, the amount of security employed by application developers (like Microsoft) has made it very hard for criminals to rely on the same old method they did in the past to infect systems with malware, and as that continues, the attacks will become more user-facing and less about exploiting a hole in your system’s security. This is why I feel the single greatest effort that needs to be made by the defenders of users is to educate them about the threats in a way that sinks in, so that things like being able to identify a phishing e-mail become just as normal a part of a person’s security precautions as looking both ways before crossing the street.