Kaspersky has released today an excellent write-up summing up malware trends so far in '05 and what that means for the second half of the year. Overall it really reinforces what we're seeing with our service line: more and more unique hits on the HTTP scanners and IPS engines…

It's really not that surprising. Traditionally e-mail has been the focus of tighter security, and it's been easier to secure from a performance point of view. If you can deliver your malware successfully over the web or IM, you're going to knock over a lot more systems. It's normally just too hard to protect those streams because users complain about performance hits. It's amazing how fast an HTTP AV scanner gets shut down after the 34th user complaint along the lines of "What did y'all do?! It takes forever to download this really cute program from Gmail that my new Afghani friend sent me!"

One of the interesting comments in the article confirms that malware writers are looking to counter the "rapid-response" update architecture the AV industry has put together. That means signature update windows are going to keep getting smaller. An effective pre-scan of vulnerable systems means a malware writer can hit critical mass of infection that much more quickly. Whereas you might have had 12-24 hours to get an AV signature updated before, this could mean you've got 4 hours or less.

One thing Kaspersky doesn't talk about that we discuss a lot is the evolution of malware along biological lines. Ebola, for example, is a very bad virus in terms of effectiveness: it kills the host so quickly that it limits its own spread, which is a primary reason Ebola never really became a global problem. You could say the same thing about Blaster or MyDoom. Everybody noticed them because they knocked your system over hard. You couldn't work, and you may even have lost data when it crashed. While they did infect a lot of machines, the fact is they don't infect many machines anymore. They made a big splash and everybody raced to close the holes.

We expect to see new malware in the future that is very stealthy as a result of being tied to making money. A worm that doesn't kill your bandwidth or your system would be a silent parasite that you probably wouldn't notice. It could live a long time stealing data or doing whatever else it was built to do. Or it could simply "soften up" the infected systems by disabling AV scanners. When money's the motivator, it's not as important to cause damage to computing infrastructure…unless of course that's the service you're selling.

John Mayer:Neon:Room for Squares[4:22]