Is 'malware' too lame a name for the nasty stuff out there?
What’s in a name? For one security expert, not enough when the name is “malware.”
In a recent blog post, Seculert CTO Aviv Raff argued that, especially in the security industry, being, “stuck using the same old terms to describe completely new things,” can be dangerous.
“Failing to grasp an old term’s new meaning can pose a significant danger to the stability, success and in some cases, survival of an enterprise,” he wrote. “And in my view, there is no clearer example of this than the term ‘malware.’”
Raff’s premise is that when the term was coined, malware was typically the province of “script kiddies,” and while it could be damaging, it was rarely devastating, and could be defeated by good perimeter security.
Today, he said, sophisticated criminals, hacktivists, and nation states or their surrogates have replaced the script kiddies. The attacks are no longer broad and indiscriminate, but precise and targeted. And they are not deterred or in many cases even detected by perimeter security, to the point where they can exist on a network for months or even years.
Indeed, just weeks ago, researchers discovered one of the most advanced threats to date, known as Careto, or “the mask,” which they said had gone undetected for seven years, and had compromised the data of 380 government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists in 31 countries from the Middle East and Europe to Africa and the Americas.
In short, malware is, “completely different and qualitatively more dangerous,” Raff wrote.
Beyond simple malice
His security colleagues agree with him about the evolution and danger of malware, but he doesn’t have many signing on to re-label it.
“We could call it ‘really, really bad stuff,’” said Kevin McAleavey, a malware expert and cofounder of the KNOS Project. “(Humor columnist) Dave Barry would approve.”
Lysa Myers, security researcher at ESET, said the term actually reflects the evolution Raff is talking about. “Before, ‘bad things’ were referred to as viruses and Trojans—terms that were intention-neutral but described something that was unexpected and unwanted,” she said. As those attacks began to reflect financial and/or political motivations, “malware” was coined to define, “software that is created with malicious intentions.”
Mario de Boer, research director for Security and Risk Management Strategies at Gartner for Technical Professionals, believes the term is, “still adequately describing what it is, even though delivery methods, evasion techniques and complexity have evolved.”
And Antti Tikkanen, director of security research at F-Secure, said he thinks renaming malware would just cause confusion. “The bad guys still write malicious code to do bad things on your computer,” he said. “They just do it better, with bigger budgets, and for different reasons than before. So you need to understand the attackers—the tools they use are secondary.”
Tikkanen said there have been terms created, such as Advanced Persistent Threat (APT) to describe the attacker. But he called APT an, “awful term. Rarely is it ‘Advanced,’ so it should rather be called just ‘PT.’”
Raff didn’t offer an alternative label himself in his post, and in a brief email interview said his intent was, “less about re-naming the term and more about redefining it.” But he has been advocating improved semantics for years—he wrote in a post more than three years ago that, “it’s time to start using new terms when discussing ‘Malware Evolution.’”
The main point, he said, is that, “as time goes by, we see more advanced threat actors join the fight, investing a lot of resources to create advanced attack tools.”
And on that, there is little debate. “Instead of dreaming up a funky new term, let’s instead try to explain to the average Joe and Jane that malware has evolved, has become more sophisticated and what its potential impact can be,” said Graham Cluley, an independent security blogger and former senior technology consultant at Sophos.
Aryeh Goretsky, security researcher at ESET, also agrees with the need for a much more current understanding of malware. Too many people, he said, “have been thinking of malware in terms of classic computer viruses, worms and the like, without realizing that malware is meant as an umbrella term to cover everything from the Pakistani Brain (believed to be the first PC virus) to the latest kinds of threats like bootkits.”
How's the battle?
So how is the security industry doing in “evolving” to meet the threats? If recent end-of-year reports are an indication, not so well. Besides the recent discovery of Careto, the Kaspersky Security Bulletin, issued in December, contained a lengthy list of successful exploits, ranging from cyber espionage for both political and financial purposes, hacktivism, ransomware, mobile malware, watering hole attacks, phishing, and government surveillance.
Still, experts say the anti-malware industry has made progress. Cluley notes that while the average layperson still calls it “antivirus” software, “viruses are actually the very least likely type of malware they are going to encounter these days. The solutions designed to protect against malware haven’t stood still, and have also risen to the challenge and generally do a pretty decent job of protecting users,” he said.
Fred Touchette, a security analyst at AppRiver notes that, “the security realm is a real cat-and-mouse game. At times we gain ground on the attackers and other times we’re learning of a newly-employed technique that was conceived overnight. This is the nature of the beast.”
Goretsky, noting that only about 10 percent of the threats detected by anti-malware products are viruses, said the industry has responded with much better technology, and also with, “industry cooperation for better, more rapid sharing of threat data, intelligence and telemetry, education and outreach efforts to incorporate cybersecurity literacy in elementary education.”
According to de Boer, “detection techniques, both in the network and on endpoints, have improved far beyond what some are still referring to as-signature-based virus scanners.”
Tikkanen agreed that there is continued progress, but said the news is not all good. “I don’t think anyone can say that the industry is winning the game, but for sure we’re in the game and playing hard,” he said. “I think the security industry is doing a good job at protecting against malware as a business, but nation-states with big budgets are clearly a challenge for everyone.”
McAleavey is less optimistic. He said he doesn’t see as much cooperation as Goretsky does. “They don’t share information between them like they used to. One company gets a sample and they delay getting copies to other companies for weeks, if not longer,” he said.
“Analysts used to make it a point to share, because the battle was against the bad guys, not each other. The business is cutthroat now and the victims are caught in what I refer to as the ‘crossfire of incompetence’—malware analyst is an entry level job with many of these companies now, and the quality of the work isn’t anywhere near as good as it used to be.”
Security tips and measures
Still there are things that individuals and businesses can and should do. Tikkanen suggests starting by, “looking at the attackers. What do you have that they are after? For an individual, it might seem you don’t have that much—your bank account, sure, and your credit card numbers.
“But what about all your emails? Your Facebook account? What about all the pictures on your phone—how much would you pay if someone encrypted them and tried to sell you the decryption key? It’s surprising how many valuable things even an individual has, let alone a big enterprise.”
Myers and others say the best defense starts with layers. “You protect your devices and data in multiple ways—strong passwords, plus encryption on data that you store on your machine and that you send across the Internet, and then you use a firewall and AV software as well,” she said. “That way you increase the chance that one of these things will either prevent or mitigate an attack.”
Beyond the layers is the “principal of least privilege”—limiting access to data as much as possible. “If it’s just your home machine, maybe it means you limit rights to specific files, so your kids can’t access your tax returns, for example,” she said. “In a large organization, you have the same idea but it also includes segmenting your network so that attackers can’t compromise one point and get access to your entire network.”
Jon French, a fellow analyst with Touchette at AppRiver, said businesses need to confront the human factor with, “thorough training. Users need to be aware of the dangers of unsolicited emails, installing software from the Internet, using strong passwords,” he said.
But that’s at the enterprise level. At the nation-state level, Tikkanen sees a grim future. “The lines are fuzzy,” he said. “We are looking at anything from operations by sovereign countries against other countries to countries using commercial tools like Hacking Team’s Remote Control System against their own citizens.
“On this side, I don’t really see any light at the end of the tunnel. There’s no effective regulation in sight and as far as I can see, no real initiatives to improve the situation. Things will just get worse here.”