2008-08-01
Abstract
'It may even come to pass that an entire class of malware gets forgotten because they are rarely heard of any longer.' Kurt Wismer.
Copyright © 2008 Virus Bulletin
The traditional view of how AV vendors interact with malware is pretty straightforward: the vendor receives a sample of the malware, analyses it, creates a detection routine for it, and then moves on to the next one while the one they just dealt with begins its gradual decline towards eventual death. Only, death doesn’t necessarily come easily for malware. Detection routines are a reasonably effective form of population control, but only where they actually get used.
That doesn’t stop people from believing the malware has completely died out, however. After the malware falls off the WildList’s radar (if it made it there in the first place) unconfirmed reports decrease in frequency until eventually it is forgotten about. It may even come to pass that an entire class of malware gets forgotten because they are rarely heard of any longer and because it is felt that they can’t operate properly on today’s hardware or software.
As the memory of such malware fades, it is easy to forget the security considerations and best practices that were peculiar to and/or prompted by such malware. While the advice to alter the boot sequence in BIOS used to be commonplace, it is rare to encounter it any more. Likewise, the advice to boot from a known-clean, bootable, write-disabled medium in order to scan a suspect system has largely been supplanted by advice to boot into ‘Safe Mode’ or even advice that goes straight to loading an online scanner in your web browser (not to detract from the convenience of such options, but they don’t capture all the benefits of a true clean boot).
Another piece of advice rarely heard these days is to scan your floppy disks. That may seem quite reasonable – after all, who uses or even owns floppy disks any more? Increasingly, computers are being sold without floppy drives, so the threat posed by the oldest PC infection vector seems all but irrelevant. This is where the trouble begins though, because there are still computers with floppy drives and there are still people using them. Some may only use them once in a blue moon to get an old piece of data from their backups. Others may use them frequently, as many people living in the less affluent areas of the world have to make do with older hardware and software because it’s all they can afford. With that in mind it no longer seems so strange that Stoned.Empire.Monkey took 10 years to fall off the WildList’s radar, or that people were still reporting problems removing Form.A from Win98SE systems as recently as March this year. Boot sector viruses are perhaps the best example of the persistence of old malware because they’re the oldest and people are still getting exposed to them – even if they can’t spread on modern systems, they can still infect them and pose as much of a problem as any trojan. But there are other examples, such as email worms like NetSky, which are still prevalent in spite of having been detectable for years, in spite of the widespread adoption of email gateway scanning that should be blocking them in transit, and in spite of the widespread adoption of email content controls that strip the very types of attachment they use.
The discovery of malware on consumer electronics like MP3 players and digital picture frames may pose a persistence problem because of inconsistencies we’ve already seen in the application of recalls, leaving malware-laden products in stores, warehouses, and maybe even on eBay for years to come.
Magazine issues that came with malware-laden CDs may quickly be forgotten, but will your local librarian know and have the resources to keep abreast of such potential threats hidden among the library’s stacks? Books with CDs pose a similar problem not only for libraries but also for bookstores.
There are countless cracks and crevices like these for malware to hide in. Since users will forget how to protect themselves from old malware, and since AV solutions sometimes compound the problem by having older detection signatures removed or simply by not getting the opportunity to detect such malware (e.g. on-access scanners missing a BSI, a boot sector infector, because the disk isn’t accessed while the scanner is running), then, like an abandoned minefield from a long-forgotten war, old malware will continue to find victims far into the future.