Malware: Defending the difference

As at April 2005, we see malware as being of two different types:

• Traditional malware (worms, viruses, trojans) that have unbounded malicious potential, and which should be tackled formally (i.e. without running the OS they infected)
  
  
• Commercial malware (spyware, adware, dialers, various revenue-redirection scams) that have to curb abusive behavior so their creators can plausibly deny malware status, and which are thus safe to tackle from within the infected OS

This difference is maintained only through legal challenge; it is not a boundary that can be defended technologically. And this is where we are asleep at the wheel.

Currently, several commercial malware push the envelope:

• Clickless attack through software defects, e.g. Java exploits
• Active in Safe Mode
• Resist termination of in-memory threads
• Resist or DoS anti-malware removal tools

We have yet to see destructive payloads or peer-to-peer spread, but in most other respects, the boundary is blurring and the time is near when we will need formal tools to clean up commercial malware. We are ill-prepared even for traditional malware; the de facto maintainance OS for NTFS-bound XP is a free download that could vanish in a fit of vendor licensing pique, and av tools that run on this are rare and costly, reflecting the FUD and financial risk that developers must face here. There are no mOS-ready scanners for commercial malware as yet.

As long as the legal climate allows vandalism in the name of commerce, we can expect the boundary between commercial and traditional malware to be poorly defended. As technologists, we should get our tools ready; the need may soon be at hand.