Malware Crystal Ball

Topics: Mobile Devices

“Love of money and nothing else will ruin Sparta” (Life of Lycurgus, Plutarch)

I was sitting down to write a blog on predictions for trends in Malware (as a follow-up to my Phases of Malware blog) when I saw some interesting “breaking news”: there’s a worm that targets the iPhone. I dug around in the R&D group, and checked out Security.nl (thank you Babelfish since I am not proficient in Dutch) for their take on this (Chester at Sophos has a good blog here). So what is the news scoop here? Before we get to my 5 big take-aways, I’d recommend you read the basics of my blog on financial, predictable motivation of hackers (Part 1 and Part 2) and on determinism and probabilism.

1. It’s Still Not The Year Of Mobile Malware
What we are seeing with the 5 Euro scam and “iKee/rickrolling” are proof-of-concepts. What we see with the new threat is more malicious. I won’t repeat the details of what others have said better here, but the new threat goes after something of value. This is, in essence, the early days of mobile malware. The game theory model that I described in my Understanding the Crowd blogs predicts that as the value of a platform rises, the attention paid by hackers to that platform will rise too. And over time, with attention, the cost to break it will drop.

For now, this behavior and the real threat are stochastic in nature. As it builds, it will achieve critical mass and become a sustained phenomenon that we can measure and even make reasonable trend projections about!

2. It May Be The Year Of Mobile Malware News
Ah…the press. There is news here. It is meaningful because I still hear people ask if there is inherently better security in one platform over another. These people need to know that there is no security in obscurity. There is no platform that is inherently superior to another, although some platforms handle security as a process better than others. These people will be shocked to learn that their Macs, Linux, BlackBerries, Androids and iPhones are all potentially as vulnerable over time to attack. In fact, the more valuable platforms become to people, the more the bad guys want to attack them.

There’s news here. There isn’t a clear-and-present danger to everyone on these platforms, so I only hope that the press acts responsibly in couching the relevance of these attacks.

3. Remember It’s About Financial Motivation
This one is easy: remember it’s primarily a financial issue, not a technical one. It’s an arms race. The bad guys are waking up and starting to invest in attacking what has until now been safe.

4. For Home Users: Think Before You Act and Trust No Platform!
If you’re thinking of investing in a new platform – go for it. Don’t assume it is safe, though. Talk to your bank before you do banking with it. Talk to your company before you use it for business. And remember Douglas Adams: “Don’t Panic!”

5. For Enterprises: Treat This Like A System and Process
For Enterprises – this should not catch you by surprise. It’s time to start treating those iPhones like the BlackBerries you’ve been dealing with for years. It’s time to blow the dust off the mobile appendix to the security policy and make it fresh along with all the other New Year’s resolutions.

Oh, and my predictions for the future evolution of Malware? They continue in the same vein: money, money and more money:

  1. With the recent economic downturn, legitimate programmers are available, making the cost to build malware cheaper – expect more of it (this is a reduction in the “D” factor in my behavioral model)
  2. With formerly “legitimate” programmers working on code, expect an influx of “benefits” into malware packages or of malware disguised as “performance optimization” or even “PC enhancement” software
    1. Imagine if malware improved PC performance…
    2. …might people who clean their PC voluntarily reinstall it?!
  3. Expect the “bad guys” to go for a “bleed” strategy of slow, almost unnoticeable theft instead of the old “big payday” (or what I call “butcher”) approach
  4. Expect new platforms to see first proofs-of-concept and then stochastic first pay-out attempts that garner public attention through shock and surprise
  5. Expect over time to see newly targeted platforms become part of the normal malware life cycle and become predictable

Be leery of anyone who claims to know the future, though: predictions affect the system. I am always being asked “what’s the next big threat” – to which there is no single answer. I can tell you how it will behave and come about, but predicting it affects it. Remember the fate of Cassandra: cursed to know the future but doomed to never be believed. So…plan a system. Plan a process. Be ready for change and dynamism, rather than trying to find the silver-bullet guess and point solution to deal with what may or may not happen in the next 12 or 24 months.
