Trickle down malware effects

Trickle Down Malware Effects

Basic economic and marketing theory tells us that over time, as things get cheaper to produce and command a lower price in the market, their use will spread to more people. This is often dubbed "Trickle Down Theory," and it covers all sorts of technologies: cars, computers, cell phones, and much, much more. Something exactly like this is going on in the malware world, at least for the bad guys. Sadly, as the good team, we're not keeping up.

Here's what's going on: The bad guys have been "operationalizing" good offenses for several years now with great effect. These tactics and methods include detecting VMWare or other instrument analysis environments, browser exploits, server-side exploits, and mapping the good guys' efforts and source networks. These exploit and detection techniques first appeared in the security research community where they were acknowledged and sometimes addressed.

Over the past few years, they have been adopted by the malware creation community. In some cases, the turnaround from the research community has been a matter of days or hours. What's more, much of these tools and techniques are widely available. Malcode operators don't need to know how VMWare detection works to drop it into their code and gain its benefits.

In contrast, the good guys (like me) are busy building commercial products or research projects and trying to keep them out of competitors' hands. Other groups are so busy making sure that malcode or exploit details don't fall into the wrong hands that many people with the right hands don't get access to the data either.

This self-imposed constraint on sharing data, technology, and insights has consequences, however. The rate of adoption of new approaches and technologies is significantly slower when the barrier to entry is trust or money. The rate of new technology adaptation, or changing it slightly for new purposes, is also slowed by the lack of access. And we have trouble training enough analysts to combat the bad guys.

The effect of this rate difference is that the bad guys are multiplying faster than the good guys can keep up, more of them are better hiding their samples from the hordes of medium skilled analysts, and they're increasing the pressure to patch or defend. This is happening because they have access to malcode techniques and source in addition to an intense drive to succeed.

Part of this asymmetry is inherent in the respective positions. It takes skill and training to become a valuable good team member, and the threat landscape is always changing. The good team has to know more things to react appropriately, and they have to be trusted by good team members who can make changes to disable the bad guys if they want to have an effect. Bad guys, on the other hand, can become successful even with little knowledge, as we've seen often in the botnet underworld. Bad guys usually have the "first mover" advantage, and good guys are usually left to react.

Part of this asymmetry is due to the differences in how bad guys and good guys operate. In some cases, the bad guys and the good guys operate in much the same way: open source. This has been the proof that open source is evil to some "pundits," but it's a reality: people share when they want to, and you can't ban that. With open sources come widespread use if the code meets a need.

However, not all of the bad guys' technology propagation is by design, and much of it is stolen from each others' code. No honor among thieves, I guess! Unlike the good guys, bad guys have no legal recourse to pursue in most cases and all sorts of disincentives to show themselves even if they did.

This isn't to advocate that we either allow bad guys to enforce patents and licensing or to dissolve them for the good guys, this is just to point out a simple fact: we're limiting our ability to respond by hording knowledge, tools, and insights. There are plenty of cases where we have to keep knowledge within a small circle of trusted people, but sometimes we need to open it up. The effects of a group of people fixing a problem should never be underestimated.

There's no shortage of problems to address in computer security, and if addressing the Internet's ills is part of your agenda, it doesn't make sense to horde your work. By compartmentalizing our work from each other, we've ensured that the bad guys have a distinct advantage. We need to start finding approaches to this problem. We need to start sharing information within the right circles as freely as the bad guys share their information if we're to succeed at today's pace.

Jose Nazario, Security Researcher, Arbor Networks, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at