Where Does Malware Come From?
Anti-virus vendors are getting more than 50,000 submissions of new malware per day now. How can the malware business be so productive? It turns out the numbers aren’t really as big as all that.
I was talking to a head research guy at an anti-virus company recently, and he said that the big anti-virus firms are all getting about 50,000 new malware submissions every day. 50K! How do they, the malware authors, do it? And how is it that the AV companies actually get the malware?
Welcome to the malware generation business model. So you want to be a malware star? Well listen now to what I say. Unfortunately, I will be somewhat vague, but the fact is that anyone who’s technically competent and has the will to do so can find the missing pieces of the puzzle I’ll lay out.
First, very little malware is lovingly hand-crafted from scratch these days. The name of the game in defeating anti-virus software is volume. You generate huge numbers of slight variants of a malicious program, do things like use different packers on the executable, and some end up different enough that the anti-malware products can’t detect them.
So you write or get someone else’s malcode generator. These are programs that generate malicious code variants. (No, I won’t tell you where to find them.) You can get source to lots of popular malware, make your own changes and make zillions of variants. But the overwhelming majority of these variants will be detected by any decent anti-malware program, and you can’t distribute all of them, so how are you to know which are the undetectable ones?
The answer is to use one of the public malware scanning services. The first and most famous one is VirusTotal, but there are several others. You upload a file to these services, and they scan it with a collection of scanners. Here’s the list of VirusTotal’s scanners, ripped straight off of their site:
- AhnLab (V3)
- Aladdin (eSafe)
- ALWIL (Avast! Antivirus)
- Authentium (Command Antivirus)
- AVG Technologies (AVG)
- Avira (AntiVir)
- Cat Computer Services (Quick Heal)
- ClamAV (ClamAV)
- Comodo (Comodo)
- CA Inc. (Vet)
- Doctor Web, Ltd. (DrWeb)
- Emsi Software GmbH (a-squared)
- Eset Software (ESET NOD32)
- Fortinet (Fortinet)
- FRISK Software (F-Prot)
- F-Secure (F-Secure)
- G DATA Software (GData)
- Hacksoft (The Hacker)
- Hauri (ViRobot)
- Ikarus Software (Ikarus)
- INCA Internet (nProtect)
- K7 Computing (K7AntiVirus)
- Kaspersky Lab (AVP)
- McAfee (VirusScan)
- Microsoft (Malware Protection)
- Norman (Norman Antivirus)
- Panda Security (Panda Platinum)
- PC Tools (PCTools)
- Prevx (Prevx1)
- Rising Antivirus (Rising)
- Secure Computing (SecureWeb)
- BitDefender GmbH (BitDefender)
- Sophos (SAV)
- Sunbelt Software (Antivirus)
- Symantec (Norton Antivirus)
- VirusBlokAda (VBA32)
- Trend Micro (TrendMicro)
- VirusBuster (VirusBuster)
You get a report back saying what scanners found the malware, what they detected it as, and which didn’t find it. With new malware, the detections will be overwhelmingly generic/heuristic.
The good news is you can see which variants are undetected enough to be useful. The bad news is that when a product does not detect your sample, VirusTotal and the other scanners submit it to the AV companies so that they can add a signature or adjust their heuristics. You won’t go undetected for long. And of those 50,000 submissions, probably no more than a few hundred, perhaps much less than that, are ever seen in the wild. Even fewer do real damage.
This arrangement is what makes it worthwhile for the anti-malware companies to cooperate with VirusTotal. It gets them early access to new malware. It’s also how the AV companies are getting 50,000 submissions a day: The malware authors are, in effect, sending the new malware directly to the companies. That they will only have a limited window of opportunity to attack protected users with the new malware is just a cost of doing business.
If you want to spend some money to avoid having to inform the industry about your new code, start your own multiproduct scanning lab. You’ll need current subscriptions for as many products as you can get, but I’m not sure it would buy you much time. These companies talk to each other, and if a new, undetectable variant came out from the wild, word would spread pretty quickly; soon someone would feed it through VirusTotal or one of the other services, and the jig would be up.
None of this is news and shouldn’t be surprising. The moral of it all, and this too should not be news to you, is that anti-malware should not be your only line of defense. Many people call it useless because some attacks get through, and now you know how, but no line of defense is perfect. Anti-malware needs to be combined with other forms of defense, like a firewall, an intrusion prevention product, running your system with least privileged access and not clicking on links in e-mails (or at least being very careful about doing so).
This is what is referred to as defense-in-depth, and if you’re good about practicing it and careful online, you should be safe.