Inside the malware war zone
by Mirko Zorz - Editor in Chief - Thursday, 29 May 2014.
Adam Kujawa is the Head of Malware Intelligence for Malwarebytes. In this interview he talks about the evolution of malware in the past decade, illustrates the differences in global malware based on the point of origin, highlights the events that changed the threat landscape, offers insight about future threats, and more.

Based on your research, are today's malware authors more sophisticated than 10 years ago?

To answer this question, you would need to ask yourself whether automobile developers were more sophisticated in the 1980s or now. Malware 10 years ago was a different beast entirely - the antivirus industry was still young and therefore malware authors had less to worry about when it came to obfuscation or hiding their intent. At the same time, the years of malware development within the cybercrime industry have allowed authors to cut and paste code already created for use in other tried and tested projects, therefore removing the need to create most of the malware from scratch.

Sophistication is based on requirements created by obstacles, and in the back-and-forth battle between the protectors and attackers of the internet, numerous obstacles and shortcuts have been created that warrant the development of more “sophisticated” malware. However, at the core levels, the very base from where malware development starts, the code is the same. Just like our cars, removing hybrids and electric cars, all cars run on the same basic principles that they did 10, 20, 30 years ago, but based on things like new safety, stabilization, fuel usage and entertainment technologies, the cars appear far more sophisticated.

The two biggest obstacles that have guided the development of malware in the last 10 years have been (a) executing on the system without detection; and (b) obtaining privileges to interact with the system at a high enough level to make a difference. These two obstacles have created things like privilege escalation code, heavy encryption for binaries and malicious code, injection into legitimate files and processes and overall subversion of administrative system protections such as the prompt that shows up in Windows 7 asking if it has permission to execute a certain program with admin rights.

To get to the point of the question, one could say that the malware we see today is more sophisticated because it comes with many more bells and whistles; however, the authors themselves, with the ability to reference the “how-to” of malware development, are less challenged than those of 10 years ago.

What are the three key malware turning points in the past five years? What events changed the threat landscape forever?

Psychological Engineering: Over the last five years, some of the worst malware that we have seen has not been specifically targeting the operating system or hardware, but the psychology of the user. Social engineering has taken a step forward in evolution when it comes to malware when you look at things like the FBI Ransomware. That kind of ransomware is distributed through numerous means, including malicious e-mail, drive-by exploits and old-fashioned fake or bundled applications that include the malware and are executed manually by the user. These methods are not unique to ransomware, as most malware is propagated this way; the unique aspect of ransomware is how it pushes what I call “assumed guilt” onto the user. The ransomware only allows the user to view one screen under the guise of law enforcement. The screen claims the FBI has detected illegal activity originating from the user’s system and has therefore locked it down until the user pays a fine.
