Wednesday, October 25, 2017

BadRabbit, etc, yawn

So, anyway, the world has seen another ransomware worm, and it has been effective, and it has hurt some folks.

Guess what? It is a given that there will be more.
Here's why.
When I started in antivirus, waaaaaaay back in 1987, there were only three ways to tell if something was malicious.
(1) You saw it do something malicious
(2) You reverse engineered it, and saw it contained code that _could_ do something malicious if it wanted to, or,
(3) Someone's signature scanner _told_ you it was malicious.

The problem with the first one is that it could cause a support call. "I think this program is doing something bad. Please come and sort it out." This causes a support call, and this is anathema in a corporate environment.
The problem with the second one is that it's really hard, and takes a _lot_ of effort. Humans are essentially and inherently lazy, so no one wants to do this much.
Option three, a scanner, either blocks something, or says nuffink. The upside is that if it blocks it, all is well, and this does _not_ cause a support call, but if it's a ransomware worm, or nation-state stuff, like Duqu 2.0, it gets away, and really, really, really hurts.

Regrettably, nothing has changed, and there are still only three ways.

Waaaay back in the early 90s, corporations chose scanners, and voted with their pocketbooks.

This made a certain amount of sense, when there were only a few thousand pieces of malware, but the problem with signature scanners is that they have great difficulty seeing new things. The Bad Guys understood this, and started finding ways to make new variations of their code as frequently as possible. This is automatable, by, for example, changing a few chunks of unimportant code, or changing the packing, or the encryption algorithm, or both.
Today, we see a million new, and unique pieces of malware every day.
This is a natural consequence of choosing signature scanners, back in the early 90s.
We cannot keep going like this, or one day, there will be ten million new samples every day, or a hundred million.
There is a simple-ish solution.
Detect that it's doing something malicious.
No, it's not easy, but it's smarter, and the right thing to do.
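To make the signature-versus-behaviour argument concrete, here is an added Python sketch (not from the original post) using constructed sample bytes and a constructed file-system event trace: the hash check misses the repacked variant, while a behavioural rule over write entropy and renames flags the process. The thresholds (five files, 7.0 bits per byte) and the event tuple format are assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed "binaries": a variant already in the signature database and a
# repacked variant of the same family that differs only in its packer stub.
KNOWN_VARIANT = b"MZ\x90\x00" + b"locker-core-v1" + b"\x00" * 16
NEW_VARIANT = b"MZ\x90\x00" + b"locker-core-v1" + b"packer-stub-2\x00\x00\x00"
SIGNATURES = {hashlib.sha256(KNOWN_VARIANT).hexdigest()}

def signature_verdict(sample: bytes) -> bool:
    """Option 3 from the post: a scanner blocks only what it has seen before."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def behavior_verdict(events, min_files=5, min_entropy=7.0):
    """Option 1 from the post, automated: flag any process that overwrites
    at least `min_files` distinct files with high-entropy content and then
    renames them. `events` is a list of (pid, op, path, data) tuples where
    op is "write" (data = bytes written) or "rename" (data = new name)."""
    per_pid = {}
    for pid, op, path, data in events:
        st = per_pid.setdefault(pid, {"encrypted": set(), "renamed": set()})
        if op == "write" and shannon_entropy(data) >= min_entropy:
            st["encrypted"].add(path)
        elif op == "rename":
            st["renamed"].add(path)
    return {pid: len(st["encrypted"] & st["renamed"]) >= min_files
            for pid, st in per_pid.items()}

# Constructed event trace (assumed format): pid 1001 behaves like a ransomware
# worm (high-entropy overwrite + rename of six documents); pid 2002 is a text
# editor saving one plain-text file.
HIGH_ENTROPY = bytes(range(256))  # every byte value once: exactly 8.0 bits/byte
SAMPLE_EVENTS = []
for i in range(6):
    SAMPLE_EVENTS.append((1001, "write", f"/home/u/doc{i}.txt", HIGH_ENTROPY))
    SAMPLE_EVENTS.append((1001, "rename", f"/home/u/doc{i}.txt", f"doc{i}.txt.locked"))
SAMPLE_EVENTS.append((2002, "write", "/home/u/notes.txt", b"meeting at 10 " * 20))

if __name__ == "__main__":
    print(signature_verdict(NEW_VARIANT), behavior_verdict(SAMPLE_EVENTS))
```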
And, we testers need to stop testing scanners, once a month, against old malware that probably doesn't exist any more, and start testing how everyone detects the day's new stuff.
It's the only way forward.
Stay tuned here, folks.
