In the Verizon DBIR report they have an interesting graph on page 26. It shows the percentage of malware infections that have been customized. (That is to say that the malware itself is customized). In 2005-2007 the percentage held steady between 21%-28%. In 2008 is jumped to 59% and in 2010 is it still high at 54%. Perhaps not surprisingly, even though only half of the malware is customized, that half is responsible for 97% of the stolen records. Presumably non-customized malware and all other methods are responsible for the remaining 3%. Why the huge discrepancy? It’s easy – antivirus. Non-customized malware gets detected, customized doesn’t. This just goes back to something many people have started to feel in the last few years – antivirus is inherently flawed, and we’re starting to see it’s flaws. Blacklisting is inherent a losing battle, because there will always be new bad things, and there will always be something you didn’t think of. Whitelisting may seem like a pain at first, but in the long run it’s almost always easier and more efective.

I was thinking some more about the RAM skimmers mentioned in the last post. I wasn’t really paying attention the first time I read the report, but I later noticed that Verizon mentions that the RAM scraper was found on a P.O.S.  (point of sale – the system a cashier will use to check out a customer in a store) system. A P.O.S. system would seem to be a system which could be very well defined in terms of what should be running on it, and would seem to be an ideal candidate for whitelisting software. Getting rid of the AV on P.O.S. systems and replacing them with whitelisting software which only allows specific applications to run would seem to be an ideal way to greatly increase the security of these systems, and make them future-proof against whatever the next generation of malware is.

In Verizon Business’ most recent data breach investigation report they mentioned a new class of malware which I’d never heard of before but found interesting – RAM scrapers. The basic idea is that they grab data straight from RAM. Verizon goes on the conclude that the recent increase in the use of encryption and limitations on what data can be permanently stored (mostly thanks to PCI), scammers have had to start looking to other areas to gain access to unencrypted data. I guess this shouldn’t really surprise anyone too much – we already know that for every measure there is another countermeasure. This is also another good example of Shamir’s third law of cryptography – “Cryptography is typically bypassed, not penetrated”.

The Race to Zero is a competition which recently wrapped up at Defcon. In it, teams of contestants are given ten known pieces of malware – viruses and exploits – and are tasked with obfuscating the malware in such a way that antivirus programs cannot detect the malware. The competition was ultimately won by Mandiant which completed the task in a little over six hours. (About 36 minutes per challenge). This contest simply serves to illustrate the point that signature based antivirus scanning is a failing proposition. As I’ve said before, there are a virtually infinite number of possible malware signature out there, and trying to write an infinite number of signatures is an exercise in futility. It makes a lot more sense to enumerate good than to enumerate bad. We figured this out years ago when we started making firewalls use a default deny – we should be doing the same for antivirus.

According to the statistics from Microsoft’s malicious software removal tool, trojan horses designed to steal online game credentials are now more prevalent than more traditional trojans which simply turn a PC into part of a DDoS zombie network. Frankly this doesn’t surprise me too much. After all the main driver behind botnets these days is purely monetary. Since multiplayer games are now also an economic engine, it makes sense for virus writers to start going after them.