Malware and the Grey Zone

Juraj Malcho

It has been quite a long time since the first personal computers hit the market, and during that time many serious vulnerabilities and design faults have been discovered, and many things have changed. Mankind has slowly got used to the fact that every new technology can be misused; or rather, we can be fairly sure that someone will try to misuse it, whether merely to prove the concept of misuse or to mount a serious threat against people and/or the infrastructure. The design of new devices and technology must therefore take into account the security of the data, of the data flow, and of communication in general.

However, the systems being developed today are increasingly complex, so even though huge effort is invested in security, faults are quite often introduced at either the design or the implementation stage. The growing number of technologies and devices broadens the attack surface available to attackers who try to make a profit by exploiting existing security flaws. That is exactly the domain of computer infiltrations. Nowadays a vast amount of malicious or unwanted code is financially motivated. We could even say that only trace amounts of infiltrations exist solely to demonstrate the presumed ability of the author (whether maliciously motivated or not). Proof-of-Concept (PoC) virus writing is not as popular as it used to be. In fact, if a security researcher hears the term PoC today, the first image that comes to mind is a chronic, even pathological search for security vulnerabilities and the programming of exploits. And yet the underlying motivation is often far from altruistic service or an effort to improve software reliability and security.

On the contrary, new security vulnerabilities are now very much in demand on the black market, and present great opportunities for illegal income. That is why PoC code and vulnerabilities tend to gravitate more easily towards malware authors than towards the respective software developers. And that is how we get to the typical malware of today, which takes advantage of some type of vulnerability, whether a technical or a human one. In this case the decision about whether malice is intended, and the classification of the threat, is very straightforward and unambiguous. For an AV company the main problem here is implementing detection. The protection schemes in modern malware tend to be complicated, new variants are released in huge volumes, and the professional groups on the other side work deliberately on evading detection. The income of these criminal groups is derived mostly from trading credentials or any other data stolen from compromised computers, or from renting out botnet services such as adware push-installations, advertisement and spam delivery, or DDoS attacks.


Let's leave clearly malicious code aside and focus on greyware, the software from the grey zone. The complications with these applications do not usually lie in code complexity, code protection/obfuscation, or implementing detection. The problem lies in deciding whether the software is malicious or not, or whether it is actually useful in some way. Of course, one will automatically assume that the decision criteria have to be subjective and possibly ambiguous to some extent: every user could have a different opinion or different desires. So the boundary between good and evil, usefulness and uselessness, is unclear. Even different AV companies might have different views on various issues, and their philosophies might differ somewhat, leading to disagreements even among the experts. Naturally, these companies cooperate closely (and not only in order to avoid such conflicting situations).

Over the years several projects and organizations have been established in order to introduce generally respected rules and best practices that have been developed and discussed within the community.

Apr 16, 2012 2:04 AM, website recovery says:
The malicious program is disguised as something normal or desirable; users may be tempted to install it without realizing it. This is the technique of the Trojan horse, or trojan. In broad terms, a Trojan horse is any program that invites the user to run it while concealing a harmful or malicious payload. Thanks.
