Writing malware, as with writing any other type of software, involves costs and benefits. Like any software developer, malware authors want to reach as many users as they can, usually by creating a program that is easy and fast to deploy and can be written with minimum effort. But with malware, these costs and benefits aren’t as obvious as many observers think.
Here at Dasient, we have a unique opportunity to detect and analyze much of the malware that is currently being distributed on the Web. What we've found is that some of the “conventional wisdom” about writing malware has proven to be myth. Let’s take a look at some of these myths -- and how they differ from the realities we have found in our own analysis.
Myth #1: Systems running MacOS are safer from malware than those running other operating systems.
For years, some Mac aficionados thought their systems were inherently more secure than those using Windows, for the simple reason that there were so many more exploits and malware variants turning up on Windows – and so many more Windows machines were getting infected. However, while MacOS has perhaps been less frequently targeted, there is no inherent reason that it is safer from malware. As MacOS market share continues to increase – not only on the desktop and laptop but also on the iPhone and iPad – cybercriminals have been investing more time not only in social engineering MacOS users, but also in finding exploits that target Apple devices.
The rash of "Mac Defender" infections earlier this month is one example. The Mac Defender scareware, which attempts to fool users into downloading bogus security software that is simply a wrapper for malware, is targeted specifically at Apple users. Another attack, IncognitoRAT, uses Java in an attempt to convert both Macs and PCs into botnet zombies. These new attacks, and a number of other recent exploits, help to prove that the Mac operating environment is indeed an attractive target, and we expect this trend to continue.
Myth #2: The wide variety of mobile operating systems makes portable devices a less attractive target than traditional PCs.
Because mobile devices use so many operating system platforms – Windows CE, MacOS, Symbian, Android, and others – mobile devices would seem to be an unattractive environment for malware authors who are seeking to reach many users with a single exploit. But in fact, there is much more commonality among these devices and operating systems than one might expect. For instance, many of these devices have pre-installed browsers that either are WebKit or are based on WebKit, an open source browser engine that serves as the basis for Apple’s Safari and Google’s Chrome.
By targeting WebKit, malware authors can develop attacks that work on multiple mobile operating systems, including Android and iPhone, two of the most popular mobile operating systems. A closer look at WebKit may lead many malware authors to go after the mobile and portable space, proving the exact opposite of conventional wisdom. We expect malware authors will invest more heavily in targeting WebKit, and the resulting exploits could reach a surprising number of mobile platforms.
Myth #3: Social engineering is the preferred tactic for delivering malware to its destination.
Social engineering is a very popular first step in malware deployment – think emails with infected attachments, “scareware” that frightens users into downloading fake security software, websites with infected videos or images. Tactics such as these are often attractive ways to spread malware.
Over time, however, we’ve seen that malware authors prefer more automated attacks that don’t require the user to do anything. Drive-by downloads on popular websites have replaced email attachments, because the attackers get a higher "conversion rate" of infected user machines: the user simply has to visit the infected page and need not click on anything. Drive-by downloads also typically occur silently, within just a few hundred milliseconds, and give the user no signal that their machine has been infected. Even once a machine is infected, cybercriminals can keep the malware they download and run on it operating in stealth, starting only one or two processes and keeping a low footprint of activity by limiting how much email spam or network traffic it generates, so that they can use the compromised machine for longer. In addition, malware variants that are delivered via drive-by downloads are generated by automated processes that also run the variants through all traditional anti-virus engines, to ensure they are not detectable on "day zero" prior to deployment. Such automated malware variant generation has replaced the manual construction of malware.
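The timing pattern described above (a page visit followed within a few hundred milliseconds by a silent payload fetch from another host) can be turned into a simple detection check over proxy logs. The following is an added example written for this post, not Dasient's own code; the log format, the 500 ms window and the content-type list are assumptions made here, and the log lines are constructed.

```python
"""Flag drive-by download patterns in web proxy logs.

Heuristic (an assumption of this example, not a Dasient method): a client
fetches an HTML page and, within a few hundred milliseconds, pulls an
executable from a different host than the page came from.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client IP, method, URL, content-type.
SAMPLE_LOG = """\
2011-06-01T12:00:00.000 10.0.0.5 GET http://news.example.com/story.html text/html
2011-06-01T12:00:00.180 10.0.0.5 GET http://cdn.example.com/style.css text/css
2011-06-01T12:00:00.310 10.0.0.5 GET http://evil.example.net/x.exe application/x-msdownload
2011-06-01T12:00:05.000 10.0.0.7 GET http://vendor.example.com/download.html text/html
2011-06-01T12:00:09.500 10.0.0.7 GET http://vendor.example.com/setup.exe application/x-msdownload
"""

# Content types treated as executable payloads (assumed list for this example).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/java-archive"}
WINDOW = timedelta(milliseconds=500)  # "a few hundred milliseconds"


@dataclass
class Entry:
    ts: datetime
    client: str
    url: str
    ctype: str


def parse(log):
    """Parse the assumed space-separated log format into Entry records."""
    entries = []
    for line in log.splitlines():
        ts, client, _method, url, ctype = line.split()
        entries.append(Entry(datetime.fromisoformat(ts), client, url, ctype))
    return entries


def host_of(url):
    return urlsplit(url).hostname or ""


def find_drive_by(entries):
    """Return (client, page_url, payload_url) triples matching the heuristic."""
    hits = []
    last_page = {}  # client -> most recent HTML page fetched by that client
    for e in sorted(entries, key=lambda x: x.ts):
        if e.ctype == "text/html":
            last_page[e.client] = e
        elif e.ctype in EXECUTABLE_TYPES:
            page = last_page.get(e.client)
            if page and e.ts - page.ts <= WINDOW and host_of(e.url) != host_of(page.url):
                hits.append((e.client, page.url, e.url))
    return hits
```

In the sample, only the first client trips the check; the second client's download is seconds after the page and from the same host, which is what a deliberate user download looks like.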
Myth #4: Malware authors would like to develop their code on cross-platform frameworks that enable a single exploit to work on multiple operating environments.
Recent attacks leveraging Java or other cross-platform technologies are interesting, but we don’t see them taking over the world. The fact is that applications run better when they are written for the operating environment they are going to run on. If you were a software developer and you wanted your code to run most efficiently on a PC, would you write to the Windows APIs or Java? Just as cross-platform development tools don't give the most efficient implementations for legitimate software packages, we also don’t see many malware authors looking to build their exploits using cross-platform techniques. This is not to say that we won't see more exploits built on Java -- but it is unlikely that cross-platform exploit development will be the wave of the future.
The above are just a few examples of the malware myths and trends we are seeing at Dasient. The key in analyzing these trends -- as well as the malware that may be infecting your own enterprise environment -- is to identify what's actually happening, rather than what various pundits might say is happening. With our ability to detect and analyze malware in real time and on a large scale, we are finding that some of the conventional wisdom about malware development isn't so wise after all. If you are supporting environments that contain a growing number of Apple and/or mobile devices, it might be worth taking a fresh look at the new wave of exploits -- and whether your current security tools are able to cope with them.