Cloud Security Action Can Ruin Malware Economics
Speedy cloud-based security protection can hobble small profiteers and rein in online cyber-criminals, claims Eugene Kaspersky
Continued from page 1
Cloud-Based Security Scanning
Here is how it would work: when a piece of malware is detected somewhere in the world, cloud security systems would analyse it and push out protection immediately to all the other parts of the world. This would effectively limit the size and scope of the malware outbreak. “Just a few users can be used to protect millions,” Kaspersky explained.
There is a specific life cycle for malware, beginning with its development and placement online, such as an attack portal. Cyber-criminals then use a variety of distribution techniques, such as spam messages, forum posts and poisoned search results to direct users to click on or download the malware and get infected. Once the user is infected, the cyber-criminal can steal information or use the computer to launch other attacks.
At some point, security vendors come across the malware sample and update their products “at the peak of the infection” with the newly created definition to detect and remove the sample. As more security products get updated, it becomes harder for the criminal to infect new machines. Once it no longer can infect as many victims, the attacker moves on to the next new malware.
In a best-case scenario, it takes a few hours or a day – though it can take more than a day – to detect a malware sample and update the product, Kaspersky said.
Reducing The Zero Day Advantage
Cloud security systems can reduce the time period during which malware is available and the security software has been updated with the latest definitions. That means cyber-criminals would have a much shorter time span in which to make money, Kaspersky said. Cloud systems can detect new malware very soon, or “just a few minutes”, after it appears on the Web, because someone on the other side of the world came across a sample through proactive scanning. The service recognises the malware and will not let other machines in the network get infected.
Kaspersky acknowledged that his cloud vision would not provide a “silver bullet” for all types of malware. At its heart, cloud-based scanners are like traditional antivirus software in that they are signature-based. Even if a new piece of malware emerges that exhibits the exact same behaviour as a previously detected one, it would need to be analysed separately before it could be detected as malicious.
Criminals can recompile malware with slightly revised code so that it displays the exact same behaviour, but looks different, Kaspersky told eWEEK. It is not in the “nature of the cloud” to detect slightly revised malware or to stop server-side polymorphic malware, which can change sections of the code automatically at specified intervals.
Furthermore, mobile malware is evolving rapidly and the market for exploiting mobile users is growing exponentially, making that another area of serious concern, Kaspersky said.
No Shield From Spear Fishing
So, while cloud antivirus services can weed out the script kiddies and amateurs who think dabbling in cyber-crime is a fun or cool way make money online, the problem of dealing with sophisticated, committed cyber-criminals will persist, Kaspersky said.
In fact, driving out the amateurs migrates a larger volume of global cyber-crime toward a more “professional group” that is capable of more sophisticated threats. Spear phishing, in particular, will persist as a “deep threat”, Kaspersky said.
Nevertheless, once the bulk of the common malware is blocked, the IT security industry can focus on going after the “more dangerous stuff”, Kaspersky concluded.