Security Experts:

How to Identify Malware in a Blink

When a new disease surfaces among humans or animals, the first thing we notice are the patterns of spread – not the structure of its DNA.  

Let me use a few examples to explain what I mean. Take two random and unknown diseases, and say that you notice that almost everybody with the first disease was in contact with another infected person, while almost everybody with the second one ate spinach very recently. You already know something about how these two diseases’ patterns of spread, don’t you? Identifying Malware

Take the first disease now. Everybody who got it became ill three to five days after the infected person they know became ill, and everybody who got it kissed somebody who also got it. You know something about the incubation time and the way the disease transmits now, right? 

It may take months after people know how to minimize their risks of becoming infected before pharmaceutical companies have succeeded in understanding the structure of the virus or bacteria, and started to develop a cure. 

Why do we treat malware epidemics like we were pharmaceutical companies? 

To deal with malware epidemics, we build honey-pots, collect potentially malicious code, observe the code execute in sandboxes, and try to reverse-engineer the code. Why do we not simply observe how it spreads? 

Time for some examples again. Say that we have inferred that some collection of machines is infected. (We may know because we observed anomalous or criminal behavior, or because we ran a software-based attestation method.)

Say that the infected devices are mostly in geographical proximity of each other. Could it be a Bluetooth virus? Or say that the device owners are unusually tightly connected over social networks. Maybe it spreads using email or MMS? Does the infection spread like wildfire? Maybe not a Trojan then! All infected devices run the same version of the same operating system. What does that tell us?

Once we have classified the problem, we are halfway there. We know where countermeasures need to be applied. 

A Bluetooth virus needs a patch – but only for devices in the affected area. Malware propagated by MMS can be slowed down by filtering or delaying suspect messages. Trojans can be fought using cloud-based whitelisting and blacklisting methods. And if we know the operating system and version, we know something about the vulnerability. 

The faster we can react to outbreaks, the better off we are. As the pace of malware evolution increases, we need to keep up. If we do not, we are asking for trouble. 

Related Column By Markus Jakobsson: Looking for Malware in All the Wrong Places

view counter
Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.