Cloud technology can be harnessed to make it less profitable-or at least less lucrative-to develop and distribute run-of-the-mill malware, Eugene Kaspersky, the CEO of Moscow-based Kaspersky Lab, told eWEEK.
If developers are forced to add sophisticated features to develop malware that can’t be easily thwarted, it also raises the bar on who can enter the malware business.
Of the more than 20 million pieces of malware detected by Kaspersky Lab every year, a significant portion of them are considered “typical.” They are often created using readily available tool kits or just re-skinned versions of existing malware.
Attack kits like Neosploit or Black Hole have made malware development easy to do from a technical standpoint. As a result, practically anyone can create common malware, such as those designed for banking fraud and botnet creation, according to Kaspersky. “While it’s not possible to stop all of it, there are ways to make the [malware] business less profitable,” he said.
Right now, writing malware is not only technically simple, but also low risk because national law enforcement agencies are not well-prepared to catch international criminals overseas. A change in the landscape that would require more technical know-how to operate a criminal enterprise online would weed out a lot of the low-level criminals, Kaspersky said.
Designing sophisticated malware is difficult and is possible only for “a genius,” Kaspersky said, noting that “teenagers can’t develop this kind of [sophisticated] malware.”
Motivated by Money
Building on a theme he introduced at the Infosecurity Europe event in late April, Kaspersky said cyber-criminals are primarily motivated by money. If they see profits decline in a certain type of attack, they switch to a more profitable line, he added.
For example, malware designed to steal resources and money from online games used to be common a few years ago, according to Kaspersky. However, with the glut of stolen goods on the black market, thieves are making less money.
The average prices criminals can get for characters and artifacts from online games declined by about two-thirds between 2008 and 2010, Kaspersky said. Over the same time period, the number of malware samples targeting game fraud dropped by nearly 60 percent.
When profit declines, malware of that type also decreases, according to Kaspersky. A recent Cisco report agreed with Kaspersky’s assessment, finding that cyber-criminals were abandoning large-scale mass spam operations in favor of low-volume targeted attacks with bigger financial rewards. Highlights from the report include the following:
- Returns from mass email-based attacks declined by more than 50 percent, from US$1.1 billion in June 2010 to $500 million in June 2011.
- Mass spam volumes plummeted from 300 billion daily spam messages to just 40 billion between June 2010 and June 2011.
- There is an increase in spearphishing and personalized scams and malicious attacks.
- Spearphishing attacks have increased threefold, while scams and malicious attacks have increased fourfold.
Making Sure Crime Doesnt Pay
“I have some ideas to make the cyber-crime business much less profitable,” said Kaspersky. His grand vision revolves around global cloud-based threat detection and monitoring networks operated by major security vendors, including Kaspersky Lab, Symantec, McAfee and Trend Micro, among others.
Here’s how it would work: When a piece of malware is detected somewhere in the world, cloud security systems would analyze it and push out protection immediately to all the other parts of the world. This would effectively limit the size and scope of the malware outbreak. “Just a few users can be used to protect millions,” Kaspersky explained.
There is a specific life cycle for malware, beginning with its development and placement online, such as an attack portal. Cyber-criminals then use a variety of distribution techniques, such as spam messages, forum posts and poisoned search results to direct users to click on or download the malware and get infected. Once the user is infected, the cyber-criminal can steal information or use the computer to launch other attacks.
At some point, security vendors come across the malware sample and update their products “at the peak of the infection” with the newly created definition to detect and remove the sample. As more security products get updated, it becomes harder for the criminal to infect new machines. Once it no longer can infect as many victims, the attacker moves on to the next new malware.
In a best-case scenario, it takes a few hours or a day-though it can take more than a day-to detect a malware sample and update the product, Kaspersky said.
Cloud security systems can reduce the time period during which malware is available and the security software has been updated with the latest definitions. That means cyber-criminals would have a much shorter time span in which to make money, Kaspersky said. Cloud systems can detect new malware very soon, or “just a few minutes,” after it appears on the Web, because someone on the other side of the world came across a sample through proactive scanning. The service recognizes the malware and won’t let other machines in the network get infected.
Not a Silver Bullet
Kaspersky acknowledged that his cloud vision would not provide a “silver bullet” for all types of malware. At its heart, cloud-based scanners are like traditional antivirus software in that they are signature-based. Even if a new piece of malware emerges that exhibits the exact same behavior as a previously detected one, it would need to be analyzed separately before it could be detected as malicious.
Criminals can recompile malware with slightly revised code so that it displays the exact same behavior, but looks different, Kaspersky told eWEEK. It’s not in the “nature of the cloud” to detect slightly revised malware or to stop server-side polymorphic malware, which can change sections of the code automatically at specified intervals.
Furthermore, mobile malware is evolving rapidly and the market for exploiting mobile users is growing exponentially, making that another area of serious concern, Kaspersky said.
So, while cloud antivirus services can weed out the script kiddies and amateurs who think dabbling in cyber-crime is a fun or cool way make money online, the problem of dealing with sophisticated, committed cyber-criminals will persist, Kaspersky said.
In fact, driving out the amateurs migrates a larger volume of global cyber-crime toward a more “professional group” that’s capable of more sophisticated threats. Spearphishing, in particular, will persist as a “deep threat,” Kaspersky said.
Nevertheless, once the bulk of the common malware is blocked, the IT security industry can focus on going after the “more dangerous stuff,” Kaspersky concluded.