How Do They Make All That Malware?

By Larry Seltzer  |  Posted 2009-01-31 Print this article Print

Anti-virus vendors are getting more than 50,000 submissions of new malware per day now. How can the malware business be so productive? It turns out the numbers aren't really as big as all that.

I was talking to a head research guy at an anti-virus company recently, and he said that the big anti-virus firms are all getting about 50,000 new malware submissions every day. 50K! How do they, the malware authors, do it? And how is it that the AV companies actually get the malware?

Welcome to the malware generation business model. So you want to be a malware star? Well listen now to what I say. Unfortunately, I will be somewhat vague, but the fact is that anyone who's technically competent and has the will to do so can find the missing pieces of the puzzle I'll lay out.

First, very little malware is lovingly hand-crafted from scratch these days. The name of the game in defeating anti-virus software is volume. You generate huge numbers of slight variants of a malicious program, do things like use different packers on the executable, and some end up different enough that the anti-malware products can't detect them.

So you write or get someone else's malcode generator. These are programs that generate malicious code variants. (No, I won't tell you where to find them.) You can get source to lots of popular malware, make your own changes and make zillions of variants. But the overwhelming majority of these variants will be detected by any decent anti-malware program, and you can't distribute all of then, so how are you to know which are the undetectable ones?

The answer is to use one of the public malware scanning services. The first and most famous one is VirusTotal, but there are several others. You upload a file to these services, and they scan it with a collection of scanners. Here's the list of VirusTotal's scanners, ripped straight off of their site:

You get a report back saying what scanners found the malware, what they detected it as, and which didn't find it. With new malware, the detections will be overwhelmingly generic/heuristic.

The good news is you can see which variants are undetected enough to be useful. The bad news is that when a product does not detect your sample, VirusTotal and the other scanners submit it to the AV companies so that they can add a signature or adjust their heuristics. You won't go undetected for long. And of those 50,000 submissions, probably no more than a few hundred, perhaps much less than that, are ever seen in the wild. Even fewer do real damage.

This arrangement is what makes it worthwhile for the anti-malware companies to cooperate with VirusTotal. It gets them early access to new malware. It's also how the AV companies are getting 50,000 submissions a day: The malware authors are, in effect, sending the new malware directly to the companies. That they will only have a limited window of opportunity to attack protected users with the new malware is just a cost of doing business.

If you want to spend some money to avoid having to inform the industry about your new code, start your own multiproduct scanning lab. You'll need current subscriptions for as many products as you can get, but I'm not sure it would buy you much time. These companies talk to each other, and if a new, undetectable variant came out from the wild, word would spread pretty quickly; soon someone would feed it through VirusTotal or one of the other services, and the jig would be up.

None of this is news and shouldn't be surprising. The moral of it all, and this too should not be news to you, is that anti-malware should not be your only line of defense. Many people call it useless because some attacks get through, and now you know how, but no line of defense is perfect. Anti-malware needs to be combined with other forms of defense, like a firewall, an intrusion prevention product, running your system with least privileged access and not clicking on links in e-mails (or at least being very careful about doing so).

This is what is referred to as defense-in-depth, and if you're good about practicing it and careful online, you should be safe.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel