Q&A: Malware analysis
by Mirko Zorz - Monday, 1 March 2010.
Greg Hoglund is the CEO and Founder of HBGary. He has been a pioneer in the area of software security. After writing one of the first network vulnerability scanners, he created and documented the first Windows NT-based rootkit, founding rootkit.com in the process. Greg went on to co-found Cenzic through which he orchestrated numerous innovations in the area of software fault injection. In this interview Greg discusses malware analysis.

What are the biggest challenges related to malware analysis today?

One of the greatest challenges is attribution: figuring out not only who wrote the malware, but also who bought and paid for it, and who is operating it. As a whole, the security industry needs to start focusing more on the human threat. The malware is just a tool -- the real threat is the human who operates it.

Another one of the difficult challenges when responding to an incident is the ability to quickly recover actionable intelligence from an unknown, never-before-seen malware infection. Once an organization has been compromised, every second counts. Quickly recovering accurate bits of forensic, artifact data while not overwhelming the user with too much other data is a daunting task. Last, but not least, is the fact that the malware authors are specifically trying to hide from or completely subvert most analysis tools and security countermeasures.

Based on your experience, in an ever-changing and evolving threat landscape, what problems do anti-malware vendors face? How can they overcome these issues?

Traditional signature-based, anti-virus techniques are not well suited for combating the ever-exploding list of daily new malware variants. The A/V industry needs to abandon signatures and move towards behavioral- and capability-based detection. This requires technology that can analyze software at a very low level, and it has to work automatically. Historically, signature- based systems did a pretty good job of detecting specific virus variants. This model quickly has fallen down, though, in the face of so many different malware variations.

One of the biggest and hardest problems to solve for any A/V or anti-malware company is what we call the "30 day free trial" problem. Any security vendor who offers a free trial of their security software (which is just about everyone) is at risk of having their software easily subverted. Think about it: What is the easiest way for a malware author to test if their hot new credit-card stealing malware variant is going to be detected out-of-the-box by virus scanners and other security products? The answer is easy: The attacker will go download a 30-day free trial of each of those products and tweak their malware until itís completely undetectable. It is a very difficult problem for which no really good solution exists. I don't think software as an industry could sustain not providing free evaluation copies to prospective customers. At the same time, these free trials essentially provide malware authors with 100% free, anytime access to the newest version of most if not all security products. Ultimately the free-trial problem gives malware authors a substantial edge in the cat-and-mouse battle.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th