Anti-virus software has been a pillar of corporate defences against external malicious attack for over two decades. But it is an increasingly shaky-looking one: the onslaught of viruses, which are increasing at an exponential rate, threatens to overwhelm the anti-virus (AV) vendors’ ability to stay in the game.
Nowhere is this more evident than in the cold, hard figures. In December 2007, Russian anti-virus specialist Kaspersky Lab revealed that its analysts are now processing in excess of 1.5 million malware samples every year. By 2008, the company expects that figure to top 2 million. Kaspersky is seeing at least five malware samples emerge on the Internet every two minutes and 15 to 20 new Trojans released every half an hour.
Other AV vendors are reporting similar growth. In 2007, the number of malware variants tracked by security specialists McAfee and F-Secure nearly doubled.
Packing heat
But volumes are not the chief, or indeed most alarming, development in the flourishing malware landscape. At the heart of the explosion in malware variants lies remarkable innovation in malware production techniques, in particular the phenomenon known as ‘packing’.
Packing wraps the malware’s executable in a layer of compression or encryption, leaving only a small stub that restores the original code in memory when the file runs. Because the packer can be re-run with a different key or encoding for every copy, each malware sample spawns a slightly different and ultimately unique variant, and a signature written for one copy never matches the next. “This makes it quite difficult for AV companies,” concedes Eugene Kaspersky, CEO of Kaspersky Lab.
AV vendor Panda Security estimates that 78% of new malware uses some kind of packing technique in order to evade detection. Elsewhere, in 2006, the Australian Computer Emergency Response Team reported that, as a result of such techniques, 80% of new malware variants defeat AV software.
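The mechanism the two paragraphs above describe, reduced to a toy: this is an added example written for this article, not code from Kaspersky Lab, Panda Security or any other vendor. PAYLOAD is a harmless placeholder byte string standing in for an executable, the packer is a trivial XOR scheme with a random 16-byte key per sample, and SIGNATURE is the fixed byte sequence a naive scanner looks for; all three are assumptions of the example. It shows that every packed copy hashes differently and escapes the disk signature, and that the analyst’s counter-move is either to emulate the stub (unpack in memory) and then scan, or to flag high-entropy bodies even without a signature.

```python
"""Toy packer versus toy scanner: why re-packing defeats byte signatures.

Constructed illustration, not real malware or vendor code. The payload is
harmless text, the 'packer' is a repeating-key XOR with a tiny header, and
the scanner is a plain substring match.
"""
import hashlib
import math
import os

# Constructed placeholder standing in for a malicious executable.
PAYLOAD = (
    b"TOY-PAYLOAD: this harmless text stands in for an executable that "
    b"an analyst has already classified as malicious."
)

# The fixed byte sequence an analyst might extract as a detection signature.
SIGNATURE = b"harmless text stands in"

MAGIC = b"TOYPK1"      # marker the toy stub leaves at the start of a packed file
HEADER_LEN = len(MAGIC) + 16 + 4   # magic, 16-byte key, 4-byte length


def pack(payload: bytes, key: bytes = b"") -> bytes:
    """Produce a packed sample: MAGIC | key | len | payload XOR key.

    A fresh random key on every call yields a byte-for-byte unique file
    each time, which is the property the article attributes to packing.
    """
    key = key or os.urandom(16)
    if len(key) != 16:
        raise ValueError("toy packer expects a 16-byte key")
    body = bytes(b ^ key[i % 16] for i, b in enumerate(payload))
    return MAGIC + key + len(payload).to_bytes(4, "little") + body


def is_packed(sample: bytes) -> bool:
    """The stub itself is the one static thing every variant shares."""
    return sample.startswith(MAGIC)


def unpack(sample: bytes) -> bytes:
    """Do what the runtime stub would do in memory, so the original bytes
    can be scanned: the 'generic unpacking' an AV engine performs instead
    of writing a new signature for each re-packed copy."""
    if not is_packed(sample):
        return sample
    key = sample[len(MAGIC):len(MAGIC) + 16]
    n = int.from_bytes(sample[len(MAGIC) + 16:HEADER_LEN], "little")
    body = sample[HEADER_LEN:HEADER_LEN + n]
    return bytes(b ^ key[i % 16] for i, b in enumerate(body))


def naive_scan(sample: bytes) -> bool:
    """Signature match against the bytes exactly as they sit on disk."""
    return SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Unpack first, then apply the very same signature."""
    return SIGNATURE in unpack(sample)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Values close to 8 indicate
    compressed or encrypted content, a cheap heuristic that flags packed
    files even when no signature exists for what is inside."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def demo(variants: int = 3) -> dict:
    """Pack the same payload several times and compare the three checks."""
    samples = [pack(PAYLOAD) for _ in range(variants)]
    return {
        "unique_hashes": len({hashlib.sha256(s).hexdigest() for s in samples}),
        "naive_hits": sum(naive_scan(s) for s in samples),
        "emulating_hits": sum(emulating_scan(s) for s in samples),
        "raw_entropy": round(entropy(PAYLOAD), 2),
        "packed_body_entropy": round(entropy(samples[0][HEADER_LEN:]), 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real packers are far more elaborate (compression, anti-debugging, several nested stubs), but the asymmetry is the same as in the toy: re-packing costs the attacker a key change, while a disk-only signature costs the vendor a fresh analysis per variant. Generic unpacking and entropy heuristics are the vendor’s way of paying that cost once rather than per sample.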
“There is no uniformity in the behaviour of malware samples,” says Yury Mashevsky, a senior virus analyst at Kaspersky. “Some have a special architecture which allows criminals to deploy different components. Technology like this is very clever, complicated and consumes a lot of resources for us.”
Criminal networks
Dig a little deeper and it becomes evident that such technical innovations are underpinned by the emergence of sophisticated criminal-to-criminal distribution networks. “There is no one group that does everything,” explains Mashevsky. Many criminals do not distribute malware directly but trade in it instead, he says.
According to Kaspersky Lab’s investigations, there are advanced virus writers that sell their code on to clients. For example, the Trojan that infamously allowed fraudsters to steal SEK8 million (£575,000) from Swedish bank Nordea’s account-holders in January 2007 is believed to have been custom-written on a contract basis.
Other gangs sell vulnerabilities in online auctions, like a malware version of eBay; some prefer to rent out their botnets, networks of millions of compromised computers.
Evidently, a near fully developed shadow economy has emerged in which cyber gangs assume the form, habits and voices of legitimate businesses. Many virus-writing gangs, for example, now attempt to mark themselves out by providing competitive customer-service models. The notorious Russian Business Network (RBN), thought to have a hand in nearly 60% of all Internet-based crime, offers its customers service level agreements and a one-year software support agreement – free of charge. “In some cases,” marvels Paul Henry, vice president of technology evangelism at appliance provider Secure Computing, “the criminals are offering better software support than most software vendors.”
Like many such groups, the RBN is able to offer such compelling customer service because its overheads are a fraction of those of the AV software industry. The costs of establishing a global network of hijacked PCs are minimal: the hardware and running costs are, of course, met by the victims.
Evidence of the growing sophistication and pseudo-professionalism of these operations is found in the audacious promotion of such criminal services. Several companies have their own PR and ad campaigns, and Kaspersky Lab analysts have even seen ‘content editor’ job vacancies publicised on these sites.
In an especially worrying development, Kaspersky Lab has revealed that virus writers are also now attempting to infiltrate AV vendors and co-opt AV analysts into their organised cyber-crime syndicates. Stanislav Shevchenko, head of the AV lab at Kaspersky, told journalists at a recent briefing that a leading operative in a major virus-writing gang attempted to infiltrate his company.
Shevchenko, who has been trained in psychological profiling, was able to identify the criminal during the recruitment process. “We asked him to write some code and we saw something familiar in it. So we asked the analysts to look at it and we found malware examples in our collection that were almost identical to the code he showed us,” says Shevchenko. Kaspersky reported the virus writer to the police and within days the virus-writing group counter-attacked, targeting the company.
AV employees are also being individually approached by virus writers hoping to suppress signatures for particular – highly profitable – Trojans.
Tactics of this kind have only emerged during the past year, says Secure Computing’s Henry. The development marks the involvement of traditional organised crime syndicates in the virus-writing world. Such criminals tend to operate multi-pronged attack strategies and have the human resources, financial muscle and expertise to support successful long-term infiltration operations, he explains.
Mismatch
Infiltration forms part of a broader surveillance strategy, in which the virus-writing gangs intensively monitor and scrutinise the activities of AV vendors, with the aim of reverse engineering their updates and signatures. Some gangs, for example, have now developed malware that stops the infected PC from fetching the AV product’s updates, says Eugene Kaspersky.
As the malware writers and the AV vendors pore over the minutiae of each other’s strategies, the situation is approaching a stalemate, says Greg Day, analyst at McAfee: “Every time we make a move they make a move, and every time they make a move we make a move.”
In the financial stakes, the cyber gangs certainly appear to enjoy a significant advantage. Kaspersky Lab calculates that 1,000 infected PCs will, on average, net a criminal gang £40. With nearly 1 billion PCs currently online, the market potential is huge. Indeed, Kaspersky Lab believes that the profitability of the cyber-crime industry now outstrips that of the $4 billion-plus AV industry.
Perhaps more worrying – given the paucity of IT skills in the major Western markets – virus-writing gangs are now sucking up some of the world’s most talented IT workers, often at the very start of their careers. Mashevsky believes there are now as many virus writers as there are analysts, many of them still students. The former, however, concedes McAfee’s Day, are likely to earn a great deal more money than the latter.
Meanwhile, as the virus writers continue to scale up their operations with minimum cost, the AV industry becomes ever more constrained – both in terms of financial and human resources. To an extent, malware analysis can be automated at the low end, but it remains a predominantly manual and highly skilled task. Throwing more bodies at the problem is not a sustainable long-term strategy. As such, says Day, the AV vendors will have to learn to “work smarter rather than harder”.
But Professor John Walker, formerly the chief security officer at Experian and now director of research consultancy Secure Bastion, suggests that recent developments in the virus-writing landscape underline a truism that has, for too long, been wilfully obscured by the security industry: “The virus writers are now so good at beating the AV products that the game is falling to the side of the criminals.”
If this declaration seems gloomy, the virus analysts themselves are no more positive. Even Roel Schouwenberg, a senior technical consultant at Kaspersky, conscious of the inequality of the virus writer and vendor relationship, and frustrated by the poor capture and conviction rates of cyber criminals, is willing to voice an uncomfortable conclusion: “It doesn’t look like we’re on the winning side.”