|
|
|
How Do They Make All That Malware?
By: Larry Seltzer
2009-01-31
Article Rating: / 13
There are 3 user comments on this Network Security & Hardware story.
Anti-virus vendors are getting more than 50,000 submissions of new malware per day now. How can the malware business be so productive? It turns out the numbers aren't really as big as all that.I was talking to a head research guy at an anti-virus company recently, and
he said that the big anti-virus firms are all getting about 50,000 new malware
submissions every day. 50K! How do they, the malware authors, do it? And how is
it that the AV companies actually get the malware?
Welcome to the malware generation business model. So you want to be a
malware star? Well listen now to what I say. Unfortunately, I will be somewhat
vague, but the fact is that anyone who's technically competent and has the will
to do so can find the missing pieces of the puzzle I'll lay out.
First, very little malware is lovingly hand-crafted from scratch these days.
The name of the game in defeating anti-virus software is volume. You generate
huge numbers of slight variants of a malicious program, do things like use
different packers on the executable, and some end up different enough that the
anti-malware products can't detect them.
So you write or get someone else's malcode generator. These are
programs that generate malicious code variants. (No, I won't tell you where to
find them.) You can get source to lots of popular malware, make your own
changes and make zillions of variants. But the overwhelming majority of these
variants will be detected by any decent anti-malware program, and you can't
distribute all of then, so how are you to know which are the undetectable ones?
The answer is to use one of the public malware scanning services. The first
and most famous one is VirusTotal, but
there are several others. You upload a file to these services, and they scan it
with a collection of scanners. Here's the list of VirusTotal's scanners, ripped
straight off of their site:
You get a report back saying what scanners found the
malware, what they detected it as, and which didn't find it. With new malware,
the detections will be overwhelmingly generic/heuristic.
The good news is you can see which variants are undetected enough to be
useful. The bad news is that when a product does not detect your sample,
VirusTotal and the other scanners submit it to the AV companies so that they
can add a signature or adjust their heuristics. You won't go undetected for
long. And of those 50,000 submissions, probably no more than a few hundred,
perhaps much less than that, are ever seen in the wild. Even fewer do real
damage.
This arrangement is what makes it worthwhile for the anti-malware companies
to cooperate with VirusTotal. It gets them early access to new malware. It's
also how the AV companies are getting 50,000 submissions a day: The malware
authors are, in effect, sending the new malware directly to the companies. That
they will only have a limited window of opportunity to attack protected users
with the new malware is just a cost of doing business.
If you want to spend some money to avoid having to inform the industry about
your new code, start your own multiproduct scanning lab. You'll need current
subscriptions for as many products as you can get, but I'm not sure it would
buy you much time. These companies talk to each other, and if a new,
undetectable variant came out from the wild, word would spread pretty quickly;
soon someone would feed it through VirusTotal or one of the other services, and
the jig would be up.
None of this is news and shouldn't be surprising. The moral of it all, and
this too should not be news to you, is that anti-malware should not be your
only line of defense. Many people call it useless because some attacks get
through, and now you know how, but no line of defense is perfect. Anti-malware
needs to be combined with other forms of defense, like a firewall, an intrusion
prevention product, running your system with least privileged access and not
clicking on links in e-mails (or at least being very careful about doing so).
This is what is referred to as defense-in-depth, and if you're good about
practicing it and careful online, you should be safe.
Security Center
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack.
|
|
�������x}ks۸q�f89�Ei;RJX'c)Vi)�8H�?q?q��%xƩ��
th4��Iȹ�="�1(ٝ8FߧGM�Ijû@�@i�zN)�#�3W�rD廚�f�w2Gv=S;^��> \?g#;Y|��� tjGt0.�Ss4�j9��뻲9Fԗoˏne0��-ZAa6)V�N�0�,Z P8 �ˡh]
�\(�~!c! [t���:v T|�� p&"qy#f_R��THUb&{�By8��%��;^6�;�0k�>�BaUw0vK]K�w@SѠ(v�2%v>6^�;�s9ȹ�3�z$nPrFN7w#205AR�#[
�dTj���Ӂc�)�e8r�
x08JeJ-jfML�yf�_%z�(u�w_�ɠi!Zda=}9e��f42M�Y�U\WkaZ�J{Q!`چ[=bTyݙۏv��EU�e*G��,;��VжD^Ԣ�Cq>t;=rٹi�[�r m�+ N6Rߙ+0Q\�&*+Jx8I2�A�>r�jw{g`�rM7JzQ߹p~i�CX@v�Ina�>E�4dEQ
,GQD~2.{vEz㳣v�;l,Oa�ZUU
2Z*],ȏN}yҹ59iݴ[]d#t2�+?fV'_Z-կj�6O{:$Xz>54�0���V+KJ=2O'���Py$Y-�IwqN��y훨-4K[9K
}1x#w-AX
V�� Q3o�F5
tA��%�4ȄS�Hu��t9��~}I'}6kiL5��f�!0FD=5cf�M�s,e��gy0A�M)��61p�k
�3!RBʼZ(o��r@@�jR~nV(�ErdoF"���<#�r!DKI��88�쁉1SUҽTVws^�[�|48>]7Du..*s5ͷwfx�aZ*;�{8m5{['{չvEm~h�Nj�g9",$��ꨤV+�_[�%K�T,+*&�rϏ
f[Ԗ-Pò˔A
~y?
&}���aM6q�1}B
s:�4N8�>hH2胆6ml�-ƙ�h$�
,70}HG:QI�4wX0x<�c�S�a��K��W�ԇP߭}0C5m�|�&6��l�d�$4)s�yp;LM σ�.-�H��ˋ�0���P�=�� �2/?6�a�9N@tmSȀ�r`�9ڽfZc@�xFvOWM'�91mX0M}L"+H5L6�LhH�io<`3Yu-�yA\#uM��f�aM�r"�Wv�6P�0ʇSMrJ9;ewS��K77UBgsNPB/W2 \_&AB5
6d:ɤPlͳ�rt+[Z2nR>ra�*{j
+)d�r~�#J�}^`��3h{q#%IAg��=�E梳�xOt*X�nURue"$l�=°ε�R.��X�!d[�00^�Ԣ,(/P|U$"!�t��sqɰC�/0<:Bb&^ddhQ?iÍ>*cc�,�|sö���/E\?>2ei�FNbZP$ڬY;wl d
�A q�!z?r(�SXSqF}��`+\s�.Kt�āFhͰ�h8`]zqF�$�\ޭS,�* xH1�kMxg��٧呯1ۊ��h0@q�_8R"X @�4��
y
| "��L1�9��J�+b*�8
Utn)
FvjIMx�-"P/?�ˇ%$m�4X6D.է�PÍ{c�?4�]E�f�4A�@{BR֊Z5&�jEQÒRVq*0Oo燼N]�}g8�8k>yw쾿'z4M~Rz냽|[C�O..V+1c�Z$ c?`W��_VAY�s;W*RL�[�'��ȂX�&
,$
2tXܙ 0�>A,C{a&:D�f0&����LVѦ9
�!y@{�y:ԴG����B�f?6q~e�@Lsz0d�^W�D�?uPݯ��ʚO ��Q3�b�QX��hα�t;bG gIY�œ
~rq㉉Z{XD"lڊ6͐*8e$Lb����R'ڽ[dWNjWT�rD橛>�7.½�oj�[ȓSԵpse)s�@B>RZA�-H�yV_'qd���F&>ϣ�+ZNa0&3(�ʃzbs�uyUs
t¬.n>�~�
=o U�:1A��|/�D m~§kc�c�~�KfqH ��Yf�Ad<6WarO0(��N�K�a-�0/\P�.l6c�
z47D.�S��ȈDrzfZB*>�=#Xo\X�߭
BR��$Rq�
{259p\Semi{}֏�A-g�/2��b
8d�X0٩*
~s���kbT� pz�(�rM5�E�;4OM5�VWJl"I�{(},%ɥ:m2R�KbU)��j>*��Ur2j�,j��.��/ <6"0�טޔsb=�
�l;
y|砲_),��r?"0Ȍg��<|�p~�Ny�z�Ħ,H+]s,tCyp0ݎ�Sk�QlY:Uqmtc�?Ԁ�h�k0�a�Y�H05I-֊R{��
�=2b#��$¾�-ӧ+�}3݀�����L~|<��-~.�9z˾�HU�$ȅ��X�p�4qߵ�O'^Y {{<9i_~y�mv:Q
�2lO"�V9z��y})}9\f}ْ:Wփ ��R]A�CֈȰ��RW �Z_ĥs}Һ̂s$�"Z*M3dn
*~�m�_aZ�XȬy`�|CL($���0�¡�=`=����` 鈓v9:v�\b;͞-g��!�,�:��}ES)Q\(�OY"uܹnrssl�}F�/JN�nV�R-[I7c+t,C=^/8�ʊ��=�?�.��N:iߐ�!��/��.4|㿜i݇$�!rz e�n1�KP -MunZ�dl��#N M5�W"Rv
{tϣt1a�
�q�;�
�4iQf%uyj�tJ)SBt�~ 2H PUW,O$e=lI2 KBh%#bbVH�o�{ռܜ4<1ަmƙWxvImc%y�~ςRpt�85(^y�N�H��mQJiIw
3DJ^MjpVK�
ɏE�~xo�';�$��^i��r@~A=?VW%Mݙf0�iz3��Ɲ`'#
�eީӊyLaZ�vu�+w
./}v6}`Nȣ&k{��>fdĎi�{`ֳ�s8CלM(|siE3c<�l�]}��`�<�%Ԫ9G�qܚx0e�u?�y{h�o&�<09Qz ACvopFΛ��ٽ[o�|O0�7+��tNinmǡ8�-��`*Y$�Hh�HN
d_,"+2�NIʅNt9>r�X!��,Fu��d3D�Ӽ0hApjl��O�C]~d]s!���Ú7w42]awmB!e\�Kܲȥ�K\�-"PnǸ(Z8�|>ӫ��g@< bY_��IKwvz,+YX�hdQ�Wɞg�o
?:�&�'K-;79wB#A�VާA3�GTOWN0.�t�_#*��IHv/���=v&�-�aԳIo�i$A��w��kSOW*O^u]-p�����ŗiӣ/?��Tۥ�WEƧQ5q-gF)A�'ܺ0�b�j6��5=�2~P&MsAB��w)oxu}�ˆip'Ya1@ܞ�L��}9�Y;.5шs�!;��
L`�O'r!�LĎ�INa�rƗ$&|M8¼Dɂ.6�4��yzb�Մ�g[�6r8MyiXi겎~b@�P;
X;ˌ\VT==͢q=��%o*qLIyfhoL\PIUI?ydGe�])=W Rf9e8Tm|OVTFghmf�`~p+�GKw ;R LáGS�)&�_�FQ_,�}�8ڣBby=sCDZ^-'�W-GYhY�oޠ\�?C�ȮZZ� �D�_%P7O}VMn�%vR@�R|Xf#TTLk.U��S!�텍x6�P
��͇��]L�4ϖ�g�H��%`�E��*��"�>���/���0xӍ� Qr>nJB�}3Zd�v��]�μx')M�`+
p�(L�t�>�e3`#OD}"ꓨ>�_�lrf�66*�oT$`BqS(�or
�D �ҭM�q(���X@7KJ2,�+2�՚T,l:g�UMܣkB
��KHK|�qz
1D#��p8u8�@�7+-�)1���4[b7Y/u�`�o8euC��!���� I癀g�c�zsd�[�ޒopڜo*/2�3Q2�rW@�Vx}2���ӷ�ЂV@=|(���@8ԝM�&�S˒ص]~X3X!sX+�,�`{RD�5捭<�N;Vǜ+|A�y.�}R�<��tŗC�0#5 dknVx���V��tgc`ԯ۞K~/�|Ιl@=f2DY)�a5�
�&"cX͜c����H�ZSK+`�X %eh�<�b|7�pHbBA�WE2xh+�.x/�,HEF�0¢(k^�⊯�h3s-fE^%3m�84/G
˲p∈Pt�U$sX4�V:|k�cY,�0s͟��mriX\VnE^-g/j�_\ȑ{��MK�6|şYL4�PڮjM�yM�\ ū}$I,ŗA}8rW|k�vS9lhu՜>���M�l�o-AS+E1]^i�Iɽ��Cl�(I#x�ۀű�k_xVtN=i��Ȋkٵ�G'=]�mV.
P3L�n�?1}6wo�zln�J�i��f%2ĊpV$���L?��X��'L4sK�3e���j�\\k��y�c�Av|woױw��>&;�/Gh��s],R7���ͷo�`2/�fWӲ˿$�d�1f)C�C &p6P]?�z�Ucx9��sqy��D�i~6ĸz:��:ތ1.eC^aO��,�
�~V�xrڜOv�EQ0J��t�#QiH��:-FR�ﯔ>!�1aS�06$o�,Vx]J#M}).b�?@y��uM|u�#oی?'0%ce,,!@�N2�ɜ�hvpNvC:�&�>ybu�J�ɸ�)?|� q��7{oA@=i ��ƞO�)�|=��K�vךRN|l:�.§BJmo�/?2DŢW<и�#)U@,va썆�qa��BX���?D��m�84DrP�>Mr@Yi�2�+A#C!5z��ado$ƽqt�yy`L��l�ʰ:_�bZ���aZ�_�[Ԓ#r�d!���es[��ɣ.�j"�*z*��jD:�-~0WS״�|Z.wxm;�3#6J=!vӚ pzm;�bk��mLP8Ow|
tg�O�%YѱI3�X}l#�T�;2��n�r':Ʈq#+��#��;[�xkH惔K�p-Cף�:�yHܑT�^+V+s��eR��Z`L�F5ƿJ< E��($��S/� L5&�H!4�w#\��P�|¸)C7�Wp+X
o��[ɺexxiJ"�rKLmf�Z˫Gt�M$0���)<]С��
��{Ꞣߒ�i?�}A6�ڈy�빟i�$�Yc
r/�\IxC#�UՔkgt -sF@:-Őz'SWld""@ш��>�_�Ѻm>"?4u=oz.zxX�2g�LG)�XțhQ@S�
o�L}| c�f '͏8�.*+ra �|��o0}�-Ō��C�5Z()I]+`jPs]��+J9qּ<>^"fEU�Em VH2+�^@0��3��uO�SIS��kow�bм:LN;פIN[-t=n_ڝKr:$lkIQQqiuuݾ��31F;��6ϵM&E`4�e�jE)SC9ѾX�qm.4�/"Gd;πW�}VX�m8{�{�J"Q^e9DU@
8��{�CuU�p�ڽkJ8ٙ%K�#CE@ЦkJ�c~窜4]V0�8���SDnu#V�ԼV(<�v<��3_3!zuq�8߁NF>rzou क�ǫO>��� vq^>5'�пvF?Ӿȇ3k|fϫ�y�|���s�_d�/�}/2{�Ƞ��E�^�^d'e�7�g�d_@EF>e^\f%euw@t2O�K'C\�\e�Կʨ
s?]�f�e__>e
d�~7��n2w�Y�{�f�wɹN2!ofY
�NOo\�8G�\(_��Y OY<߇�}V)@~�J
,c2\)��f{�9;[?�;'u
CFWTVD=՞bM�dGE⬏G\%�f1�&w#��|,y�
|e8�Ntw{b�AZ-}�#}~�L��=�P.�v;)n7ϹpK�*ů`
�}qy�緶xvY.-�5l�NA6Kߋ}{}³2cپGh��ߒD+�-ʺ� ÈC?�s
H7�xi�Vjf�z:t}fW�;u}<_5?X=ԋ쓥͂>�'A7'nV�)pF �F�^-R�|c ,~q)�7a45D�-B9}54]NW�n8Wo�ď;#���}21Nrt UJZR[TJ���æ�{DD����QTY)ȅ��[��V
R�`"8�
�T:�QȀFuozUJ�91C~{�k8�a�oJ�C Dk(� |L@L|6v�+-6offp�-y;Wi%�@)8��?,�(�s0��ؙ_F�lO��B����3O hc2iR�
� =g-+D҃ihp�䓿
Šq8SsL�� ?n
3+g�M�ԛ�tSU�ݣQ�G1B�~�S�f@'+ՅoBK=х�.LySz~�; 8��(��ŲjvO!�f�Nؒ1b�QURۨ*
ur$~z1K-�;=�I�\#u{Ȋ��|6D�}�Q!5|'_ٹ�q��pUR� `=+�i:F�trIMq]ޞf�^e�n3A ��^|'3&m���@�'�5~�ɑd�(� �kEF(�t#bÝPnlDm (~%6,wl9SC@i<�T#�0�?fu|q&K6�cﲮnǝ)Zw�DEs5 D 9bχ1LCZ�$2͍�~1'~-�pI\+1�/tA>7�&`��wyCIw惙�&�G�� oLIZcm]GJEAH
�94I
0Ny �0p;'�cr�=ͧ�~K|�"�,D*�9��o�]:[�1U1֜�6gз��d&%�}YQ d�v.ymhF*v\z|�$tnP/��sD�7�A)�ܠ?��T|�
5�\6v��B�`Nڽm�jV0y �'�L�읚f�e.Lc(ŬBCd��=�)Oo-[ @<}kc'p�
&�
|�n=ձ]w~�9z��nG}��3�1$+e`7g#�~
'7>��6'YB6�`0AFS`�܀}oے[0���?FuoY W�)6x,-����`⍈Me��eR8DR�*El'f
,����~sf㿞�Qso<�9���BeY^|:y-.�E��h�Ӂex�< ׁ]"�b��+C>`mR>Ŕ��
]'[ڧ3�й?-{�o{���y[�^�_�X��(Fb�f=A9N�Rlã5,cgvC{%�z1�o�aX0�~vr8fDM0�#�v1^1Gx�yLX�B��LV�I��S�y6:|���>�GYELMvv88)ҡCAؚBJ>eS1�'@n0\�r|��=hL%g�#�3��|�,/�A-r*r*]�D4;Nb�biRf�\B�/0,G��+^:�'�nyka�`!˞tڼh>!zfk{`�ggøFk+,O�{(F18p;X}9\`g`i�=j�pty"�-�EKB\ ��}U}!Y���uM+_O1dF[Wy�&F�{5Vj"<&_�(FҢΰ
\岞�JF0�1{l~r�)��Es̥D5^JB\bh6
|
Network Security & Hardware 
