Shostack + Friends Blog Archive


It's Getting Worse All The Time?

So there’s a post over at F-Secure’s blog:

There’s a growing trend here. We’ve been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money – not make attention. So as a malware author, if you want to target a few prominent companies for the purpose of industrial espionage, you design your exploit to attack them within and then lay low. Spoofed e-mails are sent to company insiders and they, thinking it’s just another document that they need to review, open it up and the backdoor gets installed.

So while I follow the logic, I have a question: If fewer outbreaks are evidence that things are getting worse, are more outbreaks evidence things are getting better? If not, is there any evidence possible of things getting better, or are they always getting worse?

[Update: Linked to the post. Sorry about that! F-Secure doesn’t have per-post archive pages, but the post is titled “Exploit Wednesday.”

Also, lacking deep insight, I don’t dispute what they’re seeing or saying. I’m simply asking if it were to be the case that things were getting better, what would the evidence look like?]

8 comments on "It's Getting Worse All The Time?"

  • kurt wismer says:

    big outbreaks are more suggestive of a hobbyist malware author rather than a determined criminal, but i’m not sure that’s necessarily better…
    the only thing i can think of that would unambiguously suggest things are getting better is if the rate of malware production decreased… however that doesn’t seem likely to happen…

  • Evidence that some people don’t understand evidence. Or logic.
    I agree that even if visible attacks are decreasing, this doesn’t provide conclusive evidence that invisible attacks are decreasing.
    And the lack of evidence that invisible attacks are decreasing does not imply any evidence that invisible attacks are increasing.
    But that’s not quite what F-Secure says.
    F-Secure avers that the reduction in visible attacks provides evidence that invisible attacks could be increasing.
    But this is rubbush. We don’t need evidence for the possibility of increased attack; it’s not something that requires evidence. What we want to know, which F-Secure avoids telling us (at least in the extract Adam provides here), is actually what is going on.

  • David Brodbeck says:

    Funny, I was just reading this comment today, in an article in the Christian Science Monitor about border enforcement:
    “…the border patrol plays it both ways, claiming to be an effective deterrent when apprehensions are down and an effective law enforcer when apprehensions are up.”

  • Joseph Ashwood says:

    I think there is certainly an argument to be made that either side is correct. To extend a bit of a metaphore (perhaps too far) the indiscriminate attacks are akin to a mosquitos, annoying but it takes a huge number of them to cause any real damage. The targetted attacks are more akin to a javelin, a single strike is enough to kill. Depending on your view each one is worse. For the common person the mosquitos are worse simply because no one will be throwing a javelin at you. For the tempting target the mosquitoes are functionally irrelevant, but since they are a target for javelins, the javelin-esque attacks are a major threat.
    The other problem is that this represents an advancement in the state of the art of weaponry, and if this process continues it is only a matter of time before the pike, sword, musket, gatling gun, handgun, rifle, machine gun, …, nuclear warhead appear on the landscape. The escalation options are worrisome, so I guess I do agree with F-Secure on that this is a problematic trend.

  • I have now found and read F-Secure’s original post
    F-Secure does seem to have some evidence for the growing sophistication of the attacks, and a plausible explanation for the fact that these attacks are less visible. But explanation is not evidence, and I stand by my earlier point.

  • The F-Secure comment needs to be seen in the context of what they are seeing in their research labs. Looking at the figures shows that the number of individual pieces of Malware is increasing as is the capabilities it has – think keyloggers and rootkit functionality.
    The simple truth is that there is no profit in widespread outbreaks, but there is in small attacks that slip under the radar. Of course, once money is involved people will spend more time writing better code because creating new Malware becomes their day job.
    So F-Secure are very probably right in this situation, less outbreaks does mean a bigger problem.

  • David Brodbeck says:

    It’s not entirely true that there’s no profit in widespread outbreaks. It depends on the goal. I recall a case a while back where someone created a huge network of zombie PCs, which they then rented out for spam runs.

  • kurt wismer says:

    the more nodes a botnet has, the more likely it is to be detected and shut down – so even for botnets it doesn’t pay to have really large outbreaks…

Comments are closed.