Chapter 10 People and Communities
Malware Authors
• “... [virus writers] have a chronic lack of girlfriends, are usually socially inadequate and are drawn compulsively to write self-replicating codes.” --- Jan Hruska, Sophos
• Little is known about malware writers
• Why?
Malware Authors: Who?
• Stereotype: 16 year old male living in his parents’ basement in Norway
• Also college students, professionals, …
• “gender differences in moral development may partially explain the lack of females”
• Many virus writers “grow out of it”
• Among malware writers
  • General distaste for destructive code
Malware Authors: Who?
• Technical skill of virus writers?
• AV community thinks little of virus writers’ skills
• Skill level has probably improved since the book was written
• Why?
Malware Authors: Why?
• Many possible reasons
• Fascination with technology --- create software to outwit AV people (game)
• Fame --- among malware writers
• Graffiti --- “form of expression”
• Revenge --- disgruntled employee, etc.
• Ideology --- hard to assess, but perhaps Code Red is an example
Malware Authors: Why?
• Commercial sabotage --- e.g., attack to reduce a company’s stock price
• Extortion --- e.g., cryptovirology
• Warfare and espionage --- info warfare, cyberterrorism
• Malware battles --- for example, Mydoom/Netsky/Bagle in 2004
  • 60 variants in 3 months, “attacked” each other
• Commercial gain --- writers paid for their work, e.g., botnets for spam
Malware Authors: Why?
• Author says the graffiti angle is “interesting … deserves further research”
• What do you think?
• Virus writing as a glorified prank?
  • Maybe true in the past
  • Probably not so much today
  • Now there is more of a profit motive
AV Community
• Like virus writers, not a lot written about AV people either
• Seems to me…
  • They’re just ordinary geeks
  • Like everybody else you know
Perceptions
• Conspiracy theory
  • AV people write/plant malware
• No evidence to support this and…
  • …lots of evidence to the contrary
  • Effort spent on “unknown” malware
  • Way more malware than “necessary”, etc.
• AV people do need to keep up
  • Research, study VX sites, etc.
Another Day in Paradise
• AV workday is long
  • “80 hour work week is not uncommon”
  • Sounds like Silicon Valley to me…
• AV company maintains
  • Databases of malware and goodware
• Suspicious file arrives from honeypot, customer, or other source
• File first compared to both databases
• If not in either, analyze it
Another Day in Paradise
• If file is malware…
  • Update signatures, AV software, databases
  • Distribute updates
• AV employee workday is long
• AV company workday is endless
  • Around-the-clock coverage
  • Offices in different time zones, continuous threat monitoring, etc., etc.
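The two slides above describe the sample-handling loop at an AV company: a suspicious file arrives, it is compared against the goodware and malware databases, anything in neither goes to an analyst, and a confirmed detection is recorded and distributed so the same file is a database hit next time. The following is an added example modelled on that loop; it is not code from the slides or from any AV vendor. It matches on exact SHA-256 hashes only (real databases hold signatures that match whole families), and the sample bytes, database contents and family names are all constructed.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known_good"          # hash found in the goodware database
    KNOWN_MALWARE = "known_malware"    # hash found in the malware database
    NEEDS_ANALYSIS = "needs_analysis"  # in neither: hand to an analyst
    CONFLICT = "conflict"              # in both: database error, escalate


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files that arrive from a honeypot, a customer, etc.
SAMPLES = {
    "util.exe": b"constructed: a benign utility",
    "worm.exe": b"constructed: a known worm sample",
    "unknown.exe": b"constructed: never seen before",
}


def constructed_databases():
    """Fresh copies of the two constructed databases: goodware is a set of hashes,
    malware maps hash -> family name. Exact hashing keeps the example small;
    production databases use signatures that cover variants as well."""
    goodware = {sha256_hex(SAMPLES["util.exe"])}
    malware = {sha256_hex(SAMPLES["worm.exe"]): "Constructed.Worm.A"}
    return goodware, malware


def triage(data: bytes, goodware: set, malware: dict):
    """First step from the slides: compare the file against both databases.
    Returns (verdict, sha256 of the file)."""
    h = sha256_hex(data)
    in_good, in_bad = h in goodware, h in malware
    if in_good and in_bad:
        return Verdict.CONFLICT, h
    if in_good:
        return Verdict.KNOWN_GOOD, h
    if in_bad:
        return Verdict.KNOWN_MALWARE, h
    return Verdict.NEEDS_ANALYSIS, h


def triage_batch(samples: dict, goodware: set, malware: dict):
    """Triage every sample; return verdicts by name and the analyst queue.
    Conflicts are queued too: they need a human to fix the databases."""
    verdicts, queue = {}, []
    for name, data in samples.items():
        verdict, h = triage(data, goodware, malware)
        verdicts[name] = verdict
        if verdict in (Verdict.NEEDS_ANALYSIS, Verdict.CONFLICT):
            queue.append((name, h))
    return verdicts, queue


def record_analysis(h: str, family: str, malware: dict) -> dict:
    """Second step: once an analyst confirms the sample is malicious, add it to
    the malware database and return the update record to distribute."""
    malware[h] = family
    return {"sha256": h, "family": family}


if __name__ == "__main__":
    good, bad = constructed_databases()
    verdicts, queue = triage_batch(SAMPLES, good, bad)
    print(verdicts)
    for name, h in queue:  # analyst work happens here; family name is constructed
        print("distribute", record_analysis(h, "Constructed.Unknown.B", bad))
    # The same file arriving again is now a database hit, not new analyst work.
    print(triage(SAMPLES["unknown.exe"], good, bad)[0])
```

The point the slides make about the workday follows from the last step: every confirmed sample shrinks the analyst queue for the future, so keeping the databases current is what makes the around-the-clock volume manageable. The `CONFLICT` verdict is worth keeping even in a toy: a hash that lands in both databases is exactly the kind of inconsistency that produces false positives or missed detections if it is silently resolved either way.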
Customer Demands
• What do customers want?
  • 100% detection with no false positives
• What to detect? Malware and what?
• Gray area detection --- “delicate issue”
  • Jokes and games
  • Cracking tools
  • Adware/Spyware
  • Remote administration tools (RATs)
• Legal concerns wrt false positives
Engineering
• Malware can be classified as:
  • In the wild --- active in the real world
  • In the zoo --- not active
• WildList Organization
• Much easier to only detect malware that is “in the wild”, i.e., active
  • Orders of magnitude less malware
• So, is this a good idea for an AV company?
Open Questions
• Should AV software also:
  • Provide a firewall?
  • Provide content filtering?
  • Perform spam detection?
  • Apply software patches?
  • Other?
Open Questions
• AV people reverse engineer software
  • Is this legal?
• Users may look at quarantined files
  • Could this violate privacy laws?
• What about false positives?
• AV software is almost universally used
  • So, if you don’t use it, could you be held legally negligent?