Frequently asked questions about malware

In the post-Snowden era, computer security and privacy are a growing concern for Internet users. At the same time, the Internet of Things (IoT) is emerging, in which more and more devices become interconnected. Still, most users have little knowledge of how they could protect themselves online.

Before returning to grad school, I had the privilege of working for a few years in the labs of F-Secure, one of the top 3 data-security companies in the field of fighting malware (malicious software). Collaborating with some of the world’s top experts in the field has certainly been very exciting. In this post, I attempt to answer some very common and basic questions regarding computer malware. The following list of questions is by no means exhaustive. It only aims to get across a few basic and necessary facts.

Q: I do not have an anti-virus software product on my machine, but I have not observed any infection. So why would I need it in the future?

A: This approach is wrong in so many different ways. Above all, it assumes that the user would clearly be aware if the computer were infected.

A flashback in time: Up until the 90s, malware was created for the pure amusement of its authors. Back then, the people writing and distributing malware would be either youngsters with a twisted sense of humor, or individuals who wanted to prove something or to vent their frustration. The results would be evident on the infected machines and would include either notifying the user (sometimes with a very creative approach) or altering the contents of the computer’s filesystem. In 2003 things changed. That was the year of the first malware intended for profit.

When infected by the Ping Pong virus (1988), the users would see a ping pong ball bouncing around.

Today, there are two main categories of people who may try to get your computer infected: (i) criminal gangs and (ii) governments. The objective of the criminal gangs is either to steal important information from users (such as internet banking credentials and credit card information) or to use their computer for other criminal activities. For governments, the objective is usually to spy on the users.

The common aspect in both cases is that in order to protect their activity’s livelihood, the authors of modern malware go to great lengths to make sure their malware goes unnoticed.

Q: I do not use my computer for online shopping or internet banking. Hackers have no use of my personal documents and pictures. So, why should I use any security suite?

A: Stealing credit card numbers or internet-banking passwords is only one use of modern malware. Another is taking over the computer and adding it to a botnet. A botnet (roBOT NETwork) is a collection of infected computers that receive commands from a remote location, the “command & control servers.” The owners of these infected computers are unaware of the fact that their machine is infected and controlled remotely. As mentioned above, malware authors are part of criminal gangs who have found many creative ways to make profit online.

Various botnets have been uncovered which use infected computers for a wide variety of activities. These include mining Bitcoins or sending out spam (unwanted email). Similarly, infected machines may be used in “click fraud” campaigns. In this scenario, an infected computer is used to simulate a real user who clicks on online advertisements, without the user actually being aware. The one benefiting is the company providing the advertisement services, since the advertised entity needs to pay more. In other cases, a botnet may be used for DDoS (distributed denial of service) attacks.

DDoS attacks are the electronic equivalent of mass phone pranks against a telephone number. Think of a pizzeria receiving thousands of prank calls per second. The end result is that, due to the overwhelming number of calls, the shop owner is unable to properly run the business and serve the customers. On the web, targets of DDoS attacks may be individual servers or whole networks, and they may belong to individuals, corporations or even infrastructure facilities.

So, unknowingly, your computer may be used for significant criminal activities.

Q: So, how many people could possibly know how to write malware?! Why don’t they arrest them?

A: Usually the people who write the malicious code are not the ones who attempt to infect your computer. There is a huge underground criminal community. There are those who write the malware and then sell it to other interested parties. As a matter of fact, their behavior very closely resembles that of typical software houses; they provide regular updates so that their software continues to work as expected. Once the malicious software is sold, the buyers set out to infect as many computers as they can. But again, oftentimes, they are not the ones who want to steal your data. Have you ever heard of the term “platform as a service,” referring to the popular paradigm of cloud computing? In the same way, one can buy a “botnet as a service.” In other words, it is possible to rent existing botnets and use them to do one’s dirty jobs.

In 2013, security researcher Dancho Danchev released a price list that he was able to retrieve for renting a botnet. One may be interested to find out that botnets consisting of infected computers located in the US go for a higher price than if the computers were elsewhere. Of course, one does not simply go online and rent a botnet. While criminal activity is carried out in dedicated web forums, often one first needs to be vouched for by someone with an established reputation in order to be able to do business. So, finding the criminals is not always trivial.

A price list of botnets, released by security researcher Dancho Danchev. Prices differ depending on size and geographical area of the botnet.

On the other hand, electronic crime is usually a cross-border crime. This makes it even more challenging. For example, Brazil has a big reputation for being the source of banking trojans (malware targeting your internet-banking transactions). During events such as the recent football World Cup, or the Olympic Games of 2016, where security personnel operate at full capacity, we doubt that the Brazilian police would prioritize investigating, say, a few hundred cross-border credit-card electronic-theft cases. Similarly, we doubt that Russian authorities would go out of their way to track down, arrest and then extradite to the US any Russian who might have committed online crimes against US citizens.

Q: I used to have product-X, and I never got infected, so it was very good. Alternatively: I used to have product-Y, and it detected more cases than product-X that I had before.

A: Again, this may be a case of an infection that went undetected. On the other hand, anti-virus products are not perfect, so false alarms should also be expected.

But why is that? Because there is no single practical way to determine whether or not a file is malicious. There is no “golden byte” whose presence inside a file would render it malicious. As a matter of fact, in order to identify malicious activity, different monitoring components work in concert on a user’s machine to detect abnormal behavior. In other words, there is no single “anti-virus mechanism” in any modern security software suite. Instead, there are multiple components, each one working in a very different manner from the rest.

Most importantly, we need to understand that fighting malware is a continuously evolving process. On one side, malware authors strive to write new malware that evades existing anti-malware mechanisms. On the other side, researchers attempt to extend their existing methods or create new ones, so that they eliminate the new tricks devised by the malware authors.

Typically, once a new piece of malware is released into the wild and starts infecting computers, researchers in the Data Security company need to take a look at it. They analyze the file to see how it behaves. Then, they have to find what makes this file different from those seen before; what the new trick is. This is done so that researchers can produce what is called a “detection rule” for it. Detection rules are important and sometimes very hard to get right. The reason is that a detection should be general enough to capture all of the existing variants of that particular malware, but not so general as to match other files, for example a critical Windows OS file. A very general rule that matches other benign files is one major reason for false alarms. The rule may involve any of the components found in the AV suite, so researchers have a wide range of tools available. When the detection rule is complete, it is propagated to the company’s customers. Even if writing a detection rule is not possible, data security companies are still able to mark individual files as being malicious. This is not done based on the file name or file size, but by identifying files via a cryptographic hash of their contents.
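To make the trade-off concrete, here is an added example (not code from the original post or from any vendor) that scans a handful of constructed byte strings standing in for files on disk. Two of them are variants of one hypothetical malware family and one is a benign file that happens to share a common word with them. A rule that is too general fires on the benign file (a false alarm), a tighter rule covers both variants without touching it, and a hash blocklist catches only the exact file it was written for, so a new variant slips past it. All sample contents, rule names and hashes are constructed for the illustration.

```python
import hashlib
import re

# Constructed stand-ins for files on disk (not real malware): two variants of one
# hypothetical family and one benign file that shares the word "credential" with them.
SAMPLES = {
    "family_variant_a": b"MZ\x90\x00" + b"beacon:ReportToController/v1;" + b"harvest-credentials",
    "family_variant_b": b"MZ\x90\x00" + b"beacon:ReportToController/v2;" + b"harvest-credentials",
    "benign_os_file":   b"MZ\x90\x00" + b"Copyright Example OS;" + b"credential-manager-ui",
}
# Ground truth a researcher established by analysing the samples.
MALICIOUS = {"family_variant_a", "family_variant_b"}

# Pattern-based detection rules: a name and a byte regex each (constructed).
RULES = {
    # Too general: the word appears in the benign file as well.
    "too_general": re.compile(rb"credential"),
    # Tight enough to cover every variant of the family, but nothing else.
    "family_v_any": re.compile(rb"ReportToController/v\d+;"),
}


def sha256_hex(data: bytes) -> str:
    """Hash of the full file contents, independent of file name or size."""
    return hashlib.sha256(data).hexdigest()


# Exact-file blocklist: hashes of samples already classified as malicious.
# Only variant A was seen by the researcher, so only its hash is listed.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLES["family_variant_a"])}


def scan(data: bytes) -> list:
    """Return the names of every rule (pattern or hash) that fires on this file."""
    hits = [name for name, rx in RULES.items() if rx.search(data)]
    if sha256_hex(data) in KNOWN_BAD_HASHES:
        hits.append("hash_blocklist")
    return hits


def evaluate_rule(rule_name: str) -> dict:
    """Measure one pattern rule against the labelled sample set:
    which malicious files it catches, which benign files it wrongly flags,
    and which malicious files it misses."""
    rx = RULES[rule_name]
    detected = {name for name, data in SAMPLES.items() if rx.search(data)}
    return {
        "true_positives": sorted(detected & MALICIOUS),
        "false_positives": sorted(detected - MALICIOUS),
        "missed": sorted(MALICIOUS - detected),
    }


if __name__ == "__main__":
    for rule in RULES:
        print(rule, evaluate_rule(rule))
    for name, data in SAMPLES.items():
        print(name, "->", scan(data))
```

Running it shows the three detection styles side by side: the general rule is the one that would produce a false alarm on a legitimate system file, the family rule is what a researcher aims for, and the hash entry is the fallback when no good rule can be written, with the cost that the second variant is not caught by it.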

We must also keep in mind that there is no single definition of malware. While in some cases it is clear whether a file is malicious or not, there is a very wide “grey zone” where opinions differ. Oftentimes, companies prefer to classify some files as “potentially unwanted applications” (PUA). These are not directly malicious for the user’s system, but could potentially lead to unpleasant situations; hence the “potentially unwanted” term.

Q: I am using product-X which is free. Am I safe?

A: As most free things in life come with a “take it or leave it” guarantee, the same usually holds for computer software, including anti-virus products. Here we do not discuss the business strategy of different Data Security companies and their motivations for providing their software for free. We assume, however, that in general, companies have a higher sense of accountability and provide better support when they are charging for their products.

Q: I only use my computer to read the news and exchange email, without opening email attachments. Is my computer still at risk?

A: Unfortunately, yes!

A typical way is called drive-by downloads; as in the ghetto, the user just happened to surf at the wrong place at the wrong time. Let’s imagine Alice is visiting her favorite news website. Unlike the previous times she has visited the same website, this time the website has been hacked. Some very bad person (let’s call him Bob) has discovered a vulnerability (a security hole) and has modified the contents of the webpage. The modifications do not affect what Alice sees in her browser when visiting the website, but they may affect the behavior of her computer in other ways. So, when Alice visits the website she sees everything that she expects to see; however, due to Bob’s actions, Alice’s computer completes a chain of actions that ends in a computer infection.

In other cases, a computer may get infected due to malvertising (malware + advertising). Legitimate websites may, for revenue purposes, display advertisements on their pages. These are provided for sale by an online advertisement service. Criminal gangs may buy advertisement space on these websites in order to get their ads shown there. These ads may be crafted in a way that tricks the user into clicking the ad. The ad, however, has been crafted in such a way that it exploits a vulnerability on the user’s computer. Thus the computer is infected.
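The point of both scenarios above is that the injected content is invisible to the visitor. A site owner, on the other hand, can look for exactly that: embedded frames or objects that a page loads but never shows. The following is an added example (not code from the original post) of a small scanner a site owner might run over their own pages after fetching them back, flagging iframe, object and embed tags that are hidden by CSS, have a zero size, or load from an origin the owner does not recognise. The two HTML documents, the host allowlist and the tag names are constructed for the illustration; an invisible frame pointing at an unexpected host is one common shape of injected content, not the only one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML of a news page as fetched back by its owner. The article the
# reader sees is untouched; one invisible element has been added after it.
INJECTED_PAGE = """<html><body>
<h1>Daily News</h1><p>Nothing looks different to the reader.</p>
<iframe src="http://third-party.invalid/landing" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed clean page: a visible, normally sized embed from the owner's own video host.
CLEAN_PAGE = """<html><body>
<h1>Daily News</h1><p>Nothing looks different to the reader.</p>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
EMBED_TAGS = ("iframe", "object", "embed")


def _size(value):
    """Parse a width/height attribute such as '0' or '0px'; None if not a plain pixel value."""
    if value is None:
        return None
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


class HiddenEmbedScanner(HTMLParser):
    """Collects embed-style tags that a visitor would never see on screen."""

    def __init__(self, expected_hosts=None):
        super().__init__()
        self.expected_hosts = expected_hosts  # None disables the origin check
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = dict(attrs)
        reasons = []
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via CSS")
        w, h = _size(a.get("width")), _size(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("zero-sized")
        src = a.get("src") or a.get("data")
        host = urlparse(src).hostname if src else None
        if self.expected_hosts is not None and host and host not in self.expected_hosts:
            reasons.append("unexpected origin " + host)
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def find_hidden_embeds(html, expected_hosts=None):
    """Return a list of suspicious embeds, each with the tag, its source and why it was flagged."""
    scanner = HiddenEmbedScanner(expected_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    print(find_hidden_embeds(INJECTED_PAGE, expected_hosts={"video.example.org"}))
    print(find_hidden_embeds(CLEAN_PAGE, expected_hosts={"video.example.org"}))
```

A check like this belongs in a site owner's regular integrity monitoring rather than in the visitor's browser, and it only covers one symptom; a page can also be modified through scripts that draw nothing at all, which a size-and-style heuristic will not see.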

Q: I’ve heard that anti-virus companies create malware of their own, so that their software remains relevant.

A: This is an urban legend.

But let’s imagine that it were true. For this to happen, this imaginary Data Security company would have to create a new piece of malware that goes undetected by all other companies. In order for this to be a useful marketing feature, consumers would have to be notified about it and consider it an important aspect when choosing their next anti-virus product. For this to happen, this hypothetical piece of malware needs to infect many computers and cause some sort of problems to the user. And this needs to happen at a scale that makes headlines. So, this imaginary company has already broken the laws of different countries all around the world. At the same time, this piece of malware continues to go undetected by all other similar products. As described above, what are the chances that the average consumer knows about a specific malware instance, and no other Data Security company has added a detection for it? Finally, for the scheme to work, after all this attention, it would have to be the case that researchers from around the world who analyze samples of this malware family are unable to trace it back to its authors, so that the company avoids going bankrupt overnight due to its damaged reputation.

It should be clear by now that this scenario is implausible. Moreover, there are plenty of criminals who want to infect your computer more than anyone else does. The number of newly seen malware samples is growing exponentially. For a Data Security company there is not enough time to handle all of them, let alone make new ones.

The amount of new malware, per year. Source: AV-TEST

Q: I use a Mac/Linux computer, so it cannot be infected by malware.

A: Mac computers cannot be infected by PC malware. Only by Mac malware! And we have seen cases of very large botnets consisting only of Mac computers; interested readers may read the study by Broderick Aquilino on Flashback (PDF). Similarly, for Linux, while we have not seen any serious outbreaks of Linux PC malware, we have seen a lot of malware for mobile devices that use a Linux-based operating system. Such a case is the Android OS, which is by far the mobile platform most targeted by malware authors.

Q: So, what could I do on my part to minimize risks?

A: This list is not exhaustive, but contains the bare essentials:

First, make sure that your computer’s operating system and any additional software are always up to date and have all the necessary patches. If you are using Windows, you may also want to consider using a Data Security software suite. AV-Test just released their yearly rankings; you can check them out here. Alternatively, you could migrate to a platform such as Linux that has a better reputation in terms of security.

Second, common sense goes a long way. No stranger would give you a load of cash, nor would they share with you a secret to make big $$$ without flexing a muscle. This should prevent you from clicking on dodgy links. Keep in mind that many attacks rely on the concept of “social engineering;” these are activities that attempt to convince you to perform actions that are beneficial to the bad guys.

Finally, if you are using a mobile device, you should avoid using an open Wi-Fi hotspot without additional security measures if you plan to use a service that requires you to log in with your personal credentials. Many VPN-based solutions allow you to be safer.
