blog.brandprotect.com

Malware today? Same as it ever was


There has been much talk lately about how many new malware variants are being created on a daily basis.  McAfee’s mid-year report states that 54,800 unique malware samples are created daily, and PandaLabs recently reported that 57,000 new malware sites are created every day to host them.  While these numbers are the highest in history, there is a caveat that most people overlook: “There are lies, damned lies, and statistics”.  While statistics often help illustrate scope or scale, they need to be considered in context.

Malware code has evolved over time from a benign self-replicating file (which was more a proof of concept than an act of malicious intent) to infections which can block anti-virus software, ruin hard drives, steal keystrokes, or even allow complete remote control by third parties.  This evolution was driven by authors on all sides of the fence: white-hat (the good guys) authors writing code to expose weaknesses in existing software and infrastructure; black-hat (the bad guys) authors writing code to steal data or bandwidth; and grey-hat authors who were in it for a little bit of both.  One thing that they all had in common was their ingenuity and persistence.

In the past few weeks, the “Here You Have” malware has been the subject of many articles in the media.  Somewhat unsurprisingly, the functionality of this malware is one of the oldest forms – once infected, the malware replicates by sending an email to everyone in the user’s address book, trying to entice them to click the link and be infected.  This functionality – typically referred to as a “worm” – was also the basis for one of the first attacks to gain widespread media attention, known as the Morris worm.  VirusTotal, an online malware repository which checks the efficacy of anti-virus products against the provided sample, found that (as of September 13) only about 30% of anti-virus software was able to detect the payload as malicious.  But how could the detection rate be so low, when the functionality has been seen on the internet since before Tiananmen Square and the fall of the Berlin Wall?

The reason for this low detection rate is the aforementioned ingenuity on the part of the authors.  They have taken an existing malware framework and modified it just enough that anti-virus software will not detect the file as malicious.  This is how McAfee finds 54,800 new variants per day.  Even though you may have the latest and greatest anti-virus software, the AV companies can’t keep up with over 1 million new versions per month, which leaves the end user at risk.
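To make the “modified just enough” point concrete, here is an added example (not code from the BrandProtect post, and the “samples” are constructed benign byte strings, not real malware). It contrasts a signature database keyed on an exact file hash with one keyed on the functional strings a family carries: a single changed byte produces a brand-new hash and escapes the first detector, while the second still recognises the family. The family name `Worm.Family.A` and the marker strings are invented for the illustration.

```python
"""Exact-hash signatures versus family signatures (added example)."""
import hashlib
import re

# Constructed stand-in for a known sample of a worm family. Not real malware:
# a fake header followed by strings describing what the family does.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"
    + b"mailer-core v1 send_to_addressbook subject='Here you have'"
    + b"\x00" * 16
)

# Constructed variant: same functionality, one padding byte changed. This is
# the minimal edit that makes a per-sample hash useless.
_variant = bytearray(KNOWN_SAMPLE)
_variant[-1] = 0x01
VARIANT_SAMPLE = bytes(_variant)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob; exact-match AV signatures key on this."""
    return hashlib.sha256(data).hexdigest()


def differing_bytes(a: bytes, b: bytes) -> int:
    """How many byte positions differ between two blobs."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


# Detector 1: signature database keyed on the exact hash of each known sample.
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Worm.Family.A"}

# Detector 2: family signature built from strings that survive trivial edits.
# Every pattern must be present; a toy of what a byte-pattern rule does.
PATTERN_SIGNATURES = {
    "Worm.Family.A": [
        re.compile(rb"send_to_addressbook"),
        re.compile(rb"subject='Here you have'"),
    ],
}


def match_by_hash(data: bytes):
    """Return the family name if the exact hash is known, else None."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def match_by_pattern(data: bytes):
    """Return the family name if all of a family's patterns are present."""
    for name, patterns in PATTERN_SIGNATURES.items():
        if all(p.search(data) for p in patterns):
            return name
    return None


if __name__ == "__main__":
    print("bytes changed:", differing_bytes(KNOWN_SAMPLE, VARIANT_SAMPLE))
    print("hash match on variant:", match_by_hash(VARIANT_SAMPLE))
    print("pattern match on variant:", match_by_pattern(VARIANT_SAMPLE))
```

The lesson for defenders is the one the paragraph makes: a signature that is only as general as one sample has to be re-issued for every one of the 54,800 daily variants, whereas a detector built on what the family actually does keeps working across them.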

Another trait the “Here You Have” malware shares with now-of-legal-drinking-age worms is how it infects systems.  The weak link can be summed up with the common IT acronym PEBKAC – Problem Exists Between Keyboard And Chair.  “Here You Have” requires user interaction to infect the system, as does a large portion of all malware seen in the wild.  Much like with phishing attacks, social engineering techniques are used to entice the user to perform an action – in this case, clicking a link or executing a program – and those techniques have remained fairly static for years.

The “Here You Have” malware is titled as such because that (or a slight variation) is the subject line of the email containing the link to the malware.  Even this is not unique – it was also used back in 2001 when the now-infamous VBS/SST-A virus (better known as Anna Kournikova) was spreading around the series of tubes.  Almost all malware campaigns use social engineering – “Here’s something that you are interested in, check it out!” – to get users to infect their systems, and this tactic is unlikely to change anytime soon (if it ain’t broke, don’t fix it).
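Because the lure, not the payload, is the stable part of these campaigns, a mail gateway can key on it. The following is an added example (not from the BrandProtect post) of simple triage logic run over a few constructed messages: it flags a subject line that matches the “Here you have” lure loosely enough to survive small rewordings, and separately flags links whose path ends in an executable extension. The sample addresses, hosts and link targets are made up, and the extension list is general knowledge rather than anything the post specifies.

```python
"""Mail-gateway triage for a known social-engineering lure (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Message:
    sender: str
    subject: str
    body: str


# The lure subject named in the post, matched loosely: case-insensitive,
# tolerant of extra whitespace and leading/trailing punctuation, but the
# whole subject must be the lure (so "Here you have the minutes" is not hit).
LURE_SUBJECT = re.compile(r"^\W*here\s+you\s+have\W*$", re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Extensions that run when opened on Windows (general knowledge, not from the post).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def links_to_executable(body: str) -> List[str]:
    """Return every URL in the body whose path ends in an executable extension."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?)")  # trailing sentence punctuation is not part of the link
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            hits.append(url)
    return hits


def classify(msg: Message) -> Dict[str, object]:
    """Score a message on the two indicators the post describes."""
    reasons = []
    if LURE_SUBJECT.match(msg.subject):
        reasons.append("subject matches known lure")
    exe_links = links_to_executable(msg.body)
    if exe_links:
        reasons.append(f"link to executable: {exe_links[0]}")
    verdict = {0: "allow", 1: "flag", 2: "block"}[len(reasons)]
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages; hosts use the reserved .invalid TLD.
SAMPLE_MESSAGES = [
    Message("colleague@example.com", "Here you have",
            "Hi, the file is at http://files.example.invalid/docs/report.pdf.scr"),
    Message("it@example.com", "Quarterly numbers",
            "Updated tool: http://intranet.example.invalid/tools/update.exe"),
    Message("friend@example.com", "Here you have the minutes",
            "Minutes: http://intranet.example.invalid/minutes/2010-09.pdf"),
]


def triage_all(messages: List[Message] = SAMPLE_MESSAGES) -> List[str]:
    """Verdict for each message, in order."""
    return [str(classify(m)["verdict"]) for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", classify(m))
```

Two indicators are deliberately scored separately: a lure subject on its own is suspicious but might be legitimate, a bare executable link likewise, and it is the combination that the post describes as the worm's delivery. The subject check is also why the “slight variation” remark matters; an exact string match would miss “HERE YOU HAVE!” while this pattern does not.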

The next time the media announces the newest, shiniest malware is running rampant, consider that, like they say in car commercials, it’s not “all-new”, but more likely “newly redesigned”.  And of course, exercise caution when clicking links or running attachments in emails, even if you know the sender.
