17 December 2007

Malware "War", Lost Territory


I've often seen the malware situation described as a "war", and conventionally, wars are fought over territory. 

What territory has been lost to malware?

Consider the various OS integration points that are now routinely defended against any use at all, on the basis that the only things likely to use them are malware.  These OS "features" are now effectively "owned" by malware, in that legitimate software will trigger defence alerts if it uses them.

Consider a number of ill-advised features that are designed to allow arbitrary material to automate the system, e.g. MS Word auto-running macros, auto-running scripts in HTML email "messages", \Autorun.inf processing on USB flash drives, etc.  Today, these will typically be disabled, because the most likely use will be by malware.  So malware "owns" that, too.
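To make the \Autorun.inf case concrete, here is an added audit helper (not code from the original post) that parses an autorun.inf file and reports which directives would launch a program when the volume is mounted, as opposed to merely setting an icon or label.  It uses the documented autorun.inf key names (open, shellexecute, shell\verb\command); the sample file contents are constructed for illustration, and "setup.exe" is a placeholder name, not a real sample.

```python
"""Added example: audit an autorun.inf for directives that execute code.

The autorun.inf format is INI-like, so Python's configparser handles it.
Key names in the file are case-insensitive; configparser lower-cases them.
"""
import configparser
from typing import Dict, List

# Directives that cause a program to be launched on AutoRun/AutoPlay.
# 'open' and 'shellexecute' run directly; 'shell\<verb>\command' attaches
# a program to a context-menu verb (and 'shell=<verb>' makes it the default).
EXECUTING_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as {key: value}; {} if absent."""
    cp = configparser.ConfigParser(
        interpolation=None,      # values such as '%1' must stay literal
        strict=False,            # tolerate duplicate keys (last one wins)
        delimiters=("=",),       # only '=' separates key and value here
    )
    cp.read_string(text)
    for name in cp.sections():   # section name is case-insensitive too
        if name.lower() == "autorun":
            return dict(cp[name])
    return {}


def executing_directives(section: Dict[str, str]) -> List[str]:
    """List 'key=value' entries that would launch a program."""
    hits = []
    for key, value in section.items():
        if key in EXECUTING_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            hits.append(f"{key}={value}")
    return hits


def audit(text: str) -> Dict[str, object]:
    """Summarise an autorun.inf: does it only decorate, or does it execute?"""
    section = parse_autorun(text)
    hits = executing_directives(section)
    return {
        "has_autorun_section": bool(section),
        "executes_code": bool(hits),
        "directives": hits,
    }


# Constructed samples (not taken from any real device).
BENIGN_AUTORUN_INF = r"""
; constructed: only cosmetic keys
[autorun]
icon=drive.ico
label=Backup Drive
"""

SUSPICIOUS_AUTORUN_INF = r"""
; constructed: cosmetic keys plus directives that run a program
[AutoRun]
icon=docs.ico
label=Holiday Photos
open=setup.exe
shell\explore\command=setup.exe
shell=explore
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_AUTORUN_INF),
                       ("suspicious", SUSPICIOUS_AUTORUN_INF)):
        print(name, audit(text))
```

The point of the check is the one the post makes: the only keys that give autorun.inf a reason to exist on removable media are the ones an attacker would also use, so a defender's audit can simply flag any executing directive rather than try to judge intent.  On Windows the usual mitigation is to switch the feature off entirely with the NoDriveTypeAutoRun policy value (0xFF covers all drive types) under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.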

Consider several business models that involve messages, attachments or links sent by the service's site, such as email greeting cards.  As malware can arrive via forgeries of such messages, usage is limited to those who are too dumb to know the risk they are expecting the recipient to take, which is a smaller and more limited demographic than when such services were first started.  Effectively, these kinds of businesses and practices have been killed by malware.

Should we scorch and abandon some of this territory?  For example, remove OS integration points that are hardly ever used by anything other than malware?

Should we assess likely future "ownership" before creating new technologies and features that are likely to be swamped by malware?


Anonymous said...

Totally agree. But those 'technologies', when they came into life, didn't serve any useful purpose except to save the lazy user a few clicks here and there. So not really a loss anyway - left tossed at the bottom of dumbland... :)

Chris Quirke said...

I don't completely agree with you there, as the impact is also on types of business and interaction that initially appeared to be a big benefit of the Internet.

I agree with you regarding auto-running scripts in "documents" and "email message text", \Autorun.inf processing, and I predict in future this will apply to "enriched" folder views that enlarge exploit surfaces, and searches that return malware look-alikes.

To me, these technologies are obviously better suited to malicious use than anything else, and the first three should never have been created.

Content groping to enrich folder views may be safe at the design level of abstraction, but not if you go below that to consider the exploitability of code defects.

I predict that search, as a replacement for navigation, is going to become a bugbear for Vista - especially if crucial path and type information is hidden (or malware-spoofed) when the results of the search are returned.

But the effects are wider than the predictable (inevitable?) exploitation of ill-considered "features" that allow arbitrary material to unexpectedly run code and thus "own" the PC.

The examples I gave include online greeting cards and other "send this to my friend as an unsolicited email" business types, which may be harmless or useful in themselves, but result in traffic that cannot be safely differentiated from malware traffic.

Also, any sort of online commerce, such as banking, Pay Pal or eBay, is less attractive given the risks of falling for malicious forgery email that purports to be from these sites, but either links somewhere else, or comes with malware. I expect this risk to cause a slowing or die-back in the growth of such business - it's certainly changed my behavior already.

But it's a Pandora's box situation. There was a time when writing code viruses was difficult and commercially not worth the effort, until by-design stupidity lowered the barrier to entry and grew the malware scene through years of Office and script malware that travelled in editable form.

By now, this large pool of malware coders has evolved into big business, rivalling the size and resources of "legitimate" software, especially if software employment opportunities are viewed on a regional basis.

That's why it's too late to simply kill off these dumbo design "features", because by now, malware development resources can fund the investigation and discovery of vulnerabilities and exploits.

So even if only Microsoft writes the OS and sees the source code, it's not their platform anymore.

Sorry about the delay in moderating your comment, by the way; I missed the "moderate this!" email from the blog site.

That in itself is an example of what I mean, as the reason I missed it has to do with spam loads and filtering glitches.