Economy fuels malware, spam
Date: Mar 27, 2009
McAfee's Dave Marcus shares his thoughts on the threat landscape, spam's resurgence since the demise of McColo and an anticipated increase in malware as a result of the global economic slump. He also gives his take on the BBC botnet story and the flaw disclosure debate. Marcus was interviewed at the SecureWorld Boston Expo by SearchSecurity.com News Editor Robert Westervelt.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Dave Marcus: There are so many things that are tied together in that very simple statement of, 'what are the biggest threats out there.' Certainly the amount of malware that we're seeing today is 500% more than last year. So, on an average day, we see anywhere from 3,500 to 4,000 new pieces of malware every single day of the week. It actually comes out to a new piece of malware being written every twelve seconds. And it's all targeted at data, so probably my number one thing for customers is, if you have valuable data somewhere, you need to make sure you have an appropriate security technology in place, whether it's AV, data loss prevention, whatever. They need to start thinking in terms of 'is there valuable data on an endpoint and how do I protect that?' Because it really is so much about money today, that all the malware is financially motivated, they really need to consider where their data is, if it's valuable, and if it is, that's what they have to look to protect.
Rob Westervelt: Is the malware getting more sophisticated or is this the same malware that's been around for the last five, ten years?
Dave Marcus: In some ways it's very similar to a lot of the malware that we've seen in the past. Password-stealing trojans are kind of password-stealing trojans, right? But where the sophistication comes in is in the evasion techniques they use, commonly called stealth, or in their ability to be encrypted as a method of evading security software. So a lot of the functionality tends to be very much the same. The sophistication actually comes in in their ability to evade detection and things like that. So they're more concerned with just getting onto the machine for a couple of hours, finding the data, and getting off there. But it's really a lot of the same stuff. The sophistication is in the evasion.
Rob Westervelt: We saw spam reduced dramatically with the demise of McColo. ICANN's cracked down on domain abuse. Yet it seems that spam has climbed right back up to the levels previous to McColo's demise.
Dave Marcus: It's about there. We had said exactly when McColo was taken down and Atrivo and the other one, when they were taken down, we always knew it was going to be a short-term win. Literally it dropped 60% by volume overnight, and we always knew it would not stay there. But we could enjoy it while the volume was low. It's come back about 50% of the way, so it's about half way back, so the volume is certainly going to come back because the bad guys who got taken offline have just ended up relocating their services to other service-friendly ISPs. And quite honestly, it will always be with us because people still click spam. People still click phish. So we know for a fact that the volume will come back because they're being successful in making their money through spam. So, it's unfortunate, but it's certainly the truth.
Rob Westervelt: Does anything else need to be done on the coordination level? You know, coordinating people to different vendors, and what happened with McColo?
Dave Marcus: Oh, I absolutely think that. That's actually what we should learn from the whole McColo incident, because it was a combination of people not just in security working together. It was a journalist working together with ICANN, working together with investigators, working together with security vendors, that actually got them taken offline. They were finally able to pressure ICANN and actually have their ranges blacklisted. I think that's a role model. I think that absolutely is the way it needs to be. We all need to really embrace the greater good, share more information so we can actually effect change. I think that is the one big piece to learn from the whole McColo incident: working together works.
Rob Westervelt: Speaking of working together, that's what happened with the Conficker worm. What's your take thus far on what these organizations have been able to do to track the domain algorithm of Conficker? And do you think we're going to get more sophisticated worms where it would be more difficult for these organizations to track the algorithm for the domains?
Dave Marcus: I honestly don't think they'll ever get to the point where we can't decompile a worm and reverse-engineer it and figure out what it's doing. It will always be a cat-and-mouse game. We will always find a countermeasure. We will always decode their malware. And then they will always learn from what it is we've done and try some new sophistication technique. But again, I think there was a really great lesson in the whole Conficker incident because you had a lot of people working together. You had certain people looking at the routing tables, certain people looking at the addresses and the domain registrations, so again I think that's the real thing we need to learn here is to communicate better, because the bad guys do a very good job of communicating with each other. We as good guys need to get out of our silos and our little castles, and communicate better to embrace the greater good.
Rob Westervelt: You commented in the past about hackers reverse-engineering patches put out by Microsoft and other vendors as well. Are there more hackers out there reverse-engineering patches? Has that changed; has it evolved?
Dave Marcus: You know, it's always difficult to say exactly how many people are out there doing, or engaged in a certain behavior. I certainly think the community is a large community. There's just so much to be gained from being the one who reverses a patch or finds a vulnerability and gets credit for the vulnerability. You know there's a lot of money that can be made from doing it even as a good guy, there's a lot of credit to be garnered and there's a lot of kudos that you get from the security industry and the computer community. So I think it is a very large community, but exactly how many there are is always difficult to say. But there's probably more now than there have ever been before.
Rob Westervelt: At CanSecWest, two researchers held up a sign declaring no more free bugs. It brings up the whole vulnerability disclosure debate. What's your take on that debate and what are these researchers really saying?
Dave Marcus: It's kind of, it's kind of difficult to say where they're exactly going with that. But speaking from a vendor's perspective here, any person who writes software is going to have bugs. There's always going to be code flaws in software. It just comes down to, we have to patch it in our QA cycle, you know? We have to, it's not like we don't want to give a person who discovers a vulnerability credit, it's just the timeline has to take into account we have QA, we have product features that we have to resolve, and everything else. So, I have a hard time understanding where they're completely going, but there's always been tension between people who are advocates of full disclosure, meaning the day you find the vulnerability is the day you release the vulnerability information, and people who advocate responsible disclosure, which is give the vendor time to actually issue a patch to make sure no one assumes risk. And I tend toward the responsible disclosure side of the house just because in this day and age, people don't need more risk. Give the vendor time to actually do a patch, to get a release out, before you let the wrong people know; a lot of people may be potentially vulnerable. So I always go towards the responsible disclosure side of the house. But I understand both sides of it. You know, the full disclosure guys have certainly pushed security forward. They've made vendors responsible for patches under timelines. So I can understand it from both sides, but just don't put people at risk. Charge what you want to charge, but don't put users at risk.
Rob Westervelt: Is the economy going to change, you know, the down economy going to change the way that this has been working?
Dave Marcus: It's hard to say. I think there'll definitely be more malware as a result of a down economy. We'll see a lot of messages about the economy used in malware and used as the social lure in spam. You know, go here for new jobs, you know, do you need to make money, are you worried about paying bills, go here and look at this job. So I think it will be used as a lure, and I also think it will result in more malware. Because it's easier to be a cybercriminal than it is to be a physical criminal. You know, you can distribute malware, the tools are automated, it doesn't take a lot of skill, and you can do it from the comfort and privacy of your own house in relative safety and anonymity. Combine that with people needing to pay bills and worrying about where the next paycheck is going to come from, I think there's definitely going to be an uptick.
Rob Westervelt: The BBC got into a little hot water recently.
Dave Marcus: The BBC botnet.
Rob Westervelt: For buying a botnet. What's your take on that style of investigative journalism?
Dave Marcus: It's effective, number one. You know, they got an awful lot of press out of it. They raised a lot of awareness. I think they did it for the right reasons. To show how damaging a botnet can be; how easy it is to contract with a botnet and send out spam. So I think they did it for the right reasons. What I would argue is there are ways to do exactly that without compromising people's machines and using their resources without their knowledge. So it could be done safely. It could've been done in a contained environment. They could've shown everything they showed with a live botnet, in a demo environment. But I certainly understand why they did it. And they raised a lot of awareness. They had a lot of people talking about the dangers of botnets; how easy it is to send spam; how easy it is to make money. So I think, again, that they did it for the right reasons, but I question their need to do it on a live botnet. They could have done it in a demo environment.