A tip-filled conversation with Andrew Brandt, director of threat research at Solera Networks, reveals some of the ways hackers sneak malware into PCs.
Malware most often embeds itself with our unwitting help, but even when we have our defenses fully up, malware can still climb aboard. Nevertheless, there are practical and effective ways to defeat it — or clean it out after the fact.
Malware detection and decryption is my business
I met with Brandt at the annual February RSA security conference in San Francisco, Calif. We sat down to talk about the current state of malware and online security.
“Bring it on!” is Brandt’s mantra on malware. That’s because his job is letting malware run on his systems — on purpose. Using Windows XP, Vista, Windows 7, and Windows 8 test machines, he regularly browses sites known to harbor malicious content. But his unprotected systems (sometimes referred to as honey pots) often get malware infections all on their own.
The viruses, Trojans, etc. deposited daily on his computers are fodder for his primary work: reverse-engineering malware so he can understand how the latest exploits work — and how to prevent malware from intruding again. “Unfortunately,” says Brandt, “the goal posts are constantly changing with each malware sample. By design, more-sophisticated malware scripts change every time they run; they effectively create a custom version and, in doing so, change their identity every time they run. That constant change defeats much of the security software in use, which is looking for some previous design [or signature].”
Does that mean installing and using AV software is futile? “No,” says Brandt, “any amount of protection certainly helps. Some security software is better than others at finding and quarantining infections, but no single product can detect everything that’s out there, especially when it changes by the minute — not by the day, by the minute!“
As Brandt explains, AV programs need to cross-check each instance of a malware attack against a constantly updated database. But a database containing every version of malware is infeasible; it gets too large to be of practical use. Hacking codes often change their signature by as little as one byte — which might be enough to defeat signature-matching. Moreover, well-written (for want of a better term) malware uses obfuscation techniques to hide itself within a PC. “So an infection can be found only after the damage is done.” Brandt notes, “Of course, then it’s too late.”