By Jack M. Germain TechNewsWorld Part of the ECT News Network
07/20/07 4:00 AM PT
A close connection exists between new virus attack methods and changes in the Internet. As new Web-based services and applications developed in the last 18 months or so, the concept of Web 2.0 became the catch phrase for the new Internet functionality. As a result, malware variants are now released at immense rates, driving up sample volumes and making it almost impossible for researchers to keep up.
Other than perhaps the medical and legal industries, no field relies on jargon more than computer technology. Take, for instance, the use of words borrowed from other lexicons -- terms such as "virus," "Trojan," "intrusion prevention system," "spyware" and "attack vector."
You might hear these terms spoken by physicians, Greek history professors, government intelligence agencies and combat instructors. However, all five terms are now deeply rooted in computer jargon. They all refer to various aspects of security vulnerabilities suffered largely by millions of Windows-based computer users.
The same can be said of malware, a generic reference to malicious program code that can enter a computer and carry out numerous activities without the user's knowledge, consent or control. Malware can direct a computer to send volumes of spam, sniff out confidential information on the hard drive or link the computer to a nebulous zombie network.
Perhaps the newest of these computer slang terms is "malware 2.0."
PC Tools began using this term earlier this summer in its marketing materials for its antispyware tool called "Spyware Doctor." No doubt, it could easily become a term that keenly describes the newest delivery methods for malware.
"There is no industry designation for Malware 2.0. We don't agree with using names in this industry. They are too varied," David Perry, public education director of Trend Micro (Nasdaq: TMIC), told TechNewsWorld.
Major Shift
PC Tools' Spyware Doctor is an application that relies on detecting rogue programming code by looking for aberrations in what a program does when executed. This behavior-based detection is different from traditional signature-based methods, which spot a computer virus by matching the infecting code against a vast database of known characteristics.
Nearly all software security vendors have been developing new products to counter these new malware attack methods. Some vendors offer stand-alone products that supplement other antivirus software. Other vendors integrate behavior-based scanning engines within their established products.
Signature-based detection is limited to the ability of antivirus software makers to identify new signatures and deploy them rapidly. Behavior-based detection engines can find malicious code activity and stop it without waiting for detection updates.
"The security space is changing rapidly. We are witnessing a major shift in the anti-malware marketplace moving into a new era of malware 2.0," Kurt Baumgartner, chief threat officer for PC Tools, told TechNewsWorld. "We are now also dealing with zero-minute rather than zero-day threats that have the potential to further evade signature detections."
As virus writers shift their tactics, they also exhibit increasingly defined trends that describe this shift.
Key Trends
A close connection exists between these new virus attack methods and changes in the Internet. As new Web-based services and applications developed in the last 18 months or so, the concept of Web 2.0 became the catch phrase for the new Internet functionality.
As a result, said Baumgartner, malware variants are now released at immense rates, driving up sample volumes and making it almost impossible for researchers to keep on top of updates using manual analysis. These threats are taking advantage of the non-detection sweet spot where they can freely propagate and infect before anti-malware companies can respond.
Another trend is the use of new compilers and other techniques to make threats more difficult to detect with traditional signature-based systems. This technique relies on advanced server-side systems to create completely unique threats each time, devoid of the commonalities required for signature detection to be effective, he explained.
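To make the distinction drawn above concrete, here is an added illustration (not code from the article or from any vendor it mentions): three constructed "per-download" rebuilds of the same spam bot defeat an exact-match signature database, because only the first build ever reached the lab, yet all three trip the same behavior rule. The sample bytes, action traces and rule names are invented for the demonstration.

```python
import hashlib

# Constructed samples (not real malware): the bytes stand in for an executable image,
# the action list stands in for what a sandbox or runtime monitor observed.
# spambot_v2 and spambot_v3 are rebuilt per download: same behaviour, different bytes.
SAMPLES = {
    "spambot_v1": (b"MZ\x90\x00BOT\x01\x02\x03", ["write_autorun", "connect_irc", "send_smtp_bulk"]),
    "spambot_v2": (b"MZ\x90\x00BOT\x07\x02\x03\xff", ["write_autorun", "connect_irc", "send_smtp_bulk"]),
    "spambot_v3": (b"MZ\x90\x00\xaa\xaaBOT\x01", ["connect_irc", "write_autorun", "send_smtp_bulk"]),
    "stealer_v1": (b"MZ\x90\x00STL\x01", ["read_browser_store", "post_http_external"]),
    "updater":    (b"MZ\x90\x00UPD\x01", ["connect_https_vendor", "write_program_dir"]),
}

# Signature database: hashes of samples an analyst has already processed.
# Only the first spambot build was ever submitted, so only it has a signature.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLES["spambot_v1"][0]).hexdigest()}

# Behaviour rules (hypothetical): a verdict fires when ALL listed actions are observed, in any order.
BEHAVIOR_RULES = {
    "spam_zombie":  {"write_autorun", "connect_irc", "send_smtp_bulk"},
    "info_stealer": {"read_browser_store", "post_http_external"},
}


def signature_scan(image: bytes, known_hashes=KNOWN_BAD_HASHES) -> bool:
    """Exact-match signature check: hit only if this byte-identical file is already known."""
    return hashlib.sha256(image).hexdigest() in known_hashes


def behavior_scan(actions, rules=BEHAVIOR_RULES):
    """Return the first rule whose required actions all appear in the trace, else None."""
    observed = set(actions)
    for verdict, required in rules.items():
        if required <= observed:
            return verdict
    return None


def compare_engines(samples=SAMPLES):
    """Run both engines over every sample; returns {name: (signature_hit, behaviour_verdict)}."""
    return {name: (signature_scan(image), behavior_scan(actions))
            for name, (image, actions) in samples.items()}


if __name__ == "__main__":
    for name, (sig, beh) in compare_engines().items():
        print(f"{name:12s} signature={'HIT ' if sig else 'miss'} behaviour={beh or 'clean'}")
```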
A third trend is the use of micro-malware. Thousands of malware variants are in circulation, but each focuses its attacks on a smaller group of PCs, making it less likely to attract the attention of security vendors, according to Baumgartner. As a result, malware is spreading in epic proportions and security vendors are being forced to triage the samples.
"These three key trends demonstrate that just as the Internet has moved into the Web 2.0 phase, the security space is moving into a new era of Malware 2.0. The real challenge for security vendors is in identifying new ways to detect the behavior of malware. Signature identification alone is ineffective in protecting consumers," said Baumgartner.
New Plus Old
Clearly, malware writers are becoming much more prolific. Virus hunters get 125,000 to 150,000 code samples sent to them per day, which is a huge increase over last year, said Dave Marcus, security research and communications manager of McAfee's Avert Labs.
"Not all of the malware we see are new technologies. A lot of what we see is the same old things. The only change is that the bad guys can do it a lot quicker now," Marcus told TechNewsWorld. "We continue to see malware that is designed to steal passwords and install rootkits. The increase in activity and success is driven by financial incentives."
Despite this voluminous increase, malware writers are not creating anything that software vendors cannot detect and remove. Their techniques now just make it more complex for researchers to keep up, he said.
Misleading Term
Not all security experts agree with catch phrases such as "malware 2.0." Some suggest that beyond marketing convenience, such terms serve little purpose.
"Malware 2.0 is a bit of an inaccurate term. If we were to give the current state of malware a marketing term, it would probably be something like 'malware 40.0.' Malware is in a constant state of change," said Trend Micro's Perry.
If anything is a trend, it is the changing nature of the Internet that is causing a shift. There are 100 million new Internet users per year, he said.
"We are seeing the same malware that used to be delivered in e-mails six months ago now being delivered on infected Web pages. These new infections are not obvious to the computer user," added Perry.
Real Trends
It is more important to separate marketing hype from real trends when it comes to computer security, Perry believes. The latest trends show people looking for access through back doors to many of the same types of Web sites at the same time, he said. For example, malware writers will target dozens of travel sites with the same malicious code.
Another trend is that almost all the code writing is being done by professional programmers. These programmers work for hire and do not know how the buyer will use the programs.
"The programmer is simply hired to develop an upload script or an installation package. The primary criminal is not doing the actual code writing. The person who does the actual infecting on targeted Web sites is not the end of the crime chain. He may sell off his work to the highest bidder in a chat room," Perry explained.
"We know that virus writers test their codes against signature-based detection. Behavior-based methods are a necessary trade-off. Signature-based methods are still more effective with established infections. Behavior-based methods treat the newest types of infections," said David Finger, product marketing manager for Trend Micro.