2/3/2014 04:09 PM

Microsoft Calls For Industry Collaboration To Kill Off Malware Families

Working in isolation disrupts -- but doesn't wipe out -- malware

Malware families rarely die off altogether, but now Microsoft says it's time to change the game to ensure that they do.

Dennis Batchelder, Microsoft's partner director of Windows Protection Services, last week publicly called for security companies, CERTs, ISPs, anti-fraud organizations, and law enforcement to begin working together in a coordinated fashion to eradicate malware families. While anti-malware vendors today share samples and some file metadata and work with law enforcement on botnet sinkholes, for example, these efforts have done little to kill off the top malware threats, he says.

Infamous malware families remain alive and well: Sality, Sirefef, Virut, Zbot, Wimad, and even Conficker were each detected on Windows machines tens of millions of times between Sept. 1, 2013, and Jan. 25, 2014, according to Microsoft's real-time detection data.

"Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers," Batchelder says.

He says Microsoft decided to call for an industrywide coordinated malware eradication approach after meeting with various Computer Emergency Response Teams (CERTs). "What we learned was that as an industry, we need to take advantage of the reach and tools available to stop malware," Batchelder told Dark Reading in an email interview. "If the anti-malware ecosystem can go beyond sharing information and actually coordinate eradication efforts, the anti-malware ecosystem would have a chance to eradicate malware families instead of simply disrupting them."

He points to the recent takedown of the Sirefef/ZeroAccess botnet as an example of the type of coordinated effort needed to kill off malware families. Microsoft worked with the FBI, Europol's European Cybercrime Center, several ISPs, and A10 Networks in the botnet disruption operation.

Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, says seizing the 18 IP addresses used by ZeroAccess was effective. "The heat was so much on that botnet that they just gave up," Boscovich says of the ZeroAccess botnet operators.

Sirefef malware is still holding on, but Batchelder says it's on its way to extinction thanks to the team effort to dismantle it.

"Malware families need to be identified, blocked, sinkholed, starved, seized, and prosecuted. The goal of coordinated malware eradication is to bring industry partners who have specific strengths in these areas together to accomplish this," Batchelder says.

Security vendors could share their detection methods and data on how the malware behaves; financial institutions, search engines, and advertising businesses would then be better able to identify and stop fraudulent activity, he says. CERTs and ISPs would get lists of malicious sites and command-and-control servers to block and take down, and law enforcement would get correlated evidence to prosecute the people behind the malware.
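As an added illustration of the sharing model described above (this is example code written for this page, not Microsoft's or any vendor's tooling), the script below takes a small vendor-style indicator list of C2 domains and address ranges, runs it over DNS resolver log lines, and produces the two outputs the paragraph mentions: a block/sinkhole list of the indicators actually observed, and a per-host notification list for the ISP or CERT. The indicator values, log format, hostnames and addresses are all constructed for the example.

```python
"""Correlate shared C2 indicators against DNS query logs.

Added example for illustration only: the indicator feed, log format,
hostnames and addresses below are constructed, not real data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicator feed in the shape a vendor might share with CERTs/ISPs:
# (indicator, type, malware family). A domain indicator matches the name itself
# and any subdomain of it; an ipnet indicator matches any resolved address in it.
SHARED_INDICATORS = [
    ("c2-update.example", "domain", "Sality"),
    ("198.51.100.0/24", "ipnet", "ZeroAccess"),
    ("panel.zbot-test.invalid", "domain", "Zbot"),
]

# Constructed resolver log, one query per line: "<ts> <client_ip> <qname> <answer_ip>"
SAMPLE_LOG = """\
2014-01-25T10:00:01Z 10.0.0.5 www.example.org 203.0.113.10
2014-01-25T10:00:02Z 10.0.0.5 srv1.c2-update.example 192.0.2.44
2014-01-25T10:00:03Z 10.0.0.9 cdn.example.net 198.51.100.77
2014-01-25T10:00:04Z 10.0.0.5 panel.zbot-test.invalid 192.0.2.45
2014-01-25T10:00:05Z 10.0.0.12 mail.example.org 203.0.113.25
"""


@dataclass
class Hit:
    client: str      # internal host that made the query
    qname: str       # name it asked for
    answer: str      # address the resolver returned
    family: str      # malware family from the indicator feed
    matched_on: str  # which indicator fired


def _domain_matches(qname, indicator):
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def match_log(log_text, indicators=SHARED_INDICATORS):
    """Return a Hit for every log line that touches a shared indicator."""
    nets = [(ipaddress.ip_network(v), fam) for v, t, fam in indicators if t == "ipnet"]
    doms = [(v.lower(), fam) for v, t, fam in indicators if t == "domain"]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than aborting the whole run
        _ts, client, qname, answer = parts
        for dom, fam in doms:
            if _domain_matches(qname, dom):
                hits.append(Hit(client, qname, answer, fam, dom))
                break
        else:
            # No domain match: check whether the resolved address sits in a
            # known C2 range (catches fresh domains pointing at old infrastructure).
            try:
                addr = ipaddress.ip_address(answer)
            except ValueError:
                continue
            for net, fam in nets:
                if addr in net:
                    hits.append(Hit(client, qname, answer, fam, str(net)))
                    break
    return hits


def blocklist(hits):
    """Indicators actually seen on this network, for a block or sinkhole request."""
    return sorted({(h.matched_on, h.family) for h in hits})


def notify_list(hits):
    """Client host -> families observed: a notification list, not a host cut-off."""
    out = defaultdict(set)
    for h in hits:
        out[h.client].add(h.family)
    return {client: sorted(fams) for client, fams in out.items()}


if __name__ == "__main__":
    found = match_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} -> {h.qname} ({h.answer}) matched {h.matched_on} [{h.family}]")
    print("block:", blocklist(found))
    print("notify:", notify_list(found))
```

The address-range check matters in practice because operators rotate domains far faster than hosting; matching on the resolved address keeps a shared indicator useful after the original domain is gone. Separating the block list from the notification list mirrors the distinction made later in the article between telling an owner their machine is misbehaving and cutting the host off.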


The lone-wolf strategy typically employed today by vendor security research teams, CERTs, and law enforcement investigations disrupts malware but does not kill it off.

"It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement," Batchelder said in a blog post. "Each group uses their own strengths and methods to protect their customers and constituents. Each group is able to claim victory from their efforts, but the malware families retain a significant advantage. No matter how big, the reach of each antimalware ecosystem player only extends so far. As a result, our adversaries only need to shift just a bit beyond that reach to get back in business."

Not everyone thinks Microsoft is necessarily the right player to take the lead on this, mainly because malware has moved beyond just Windows. "I'm definitely excited about initiatives like that," says Barrett Lyon, founder and CTO of Defense.net. "But I'm not sure Microsoft is the relevant person in this conversation anymore. Their machines are compromised, but Linux is also ... and there are the Internet of Things" devices that face threats as well, he says.

"There needs to be a way to notify [that a machine] is doing bad things, versus shutting the host off from doing a bad thing," Lyon says.

Joe Stewart, director of malware research for Dell SecureWorks, applauds the move by Microsoft. Stewart has long collaborated with researchers outside his firm, and his team has advocated that approach for some time.

"It's what we've been doing all along," he says. "It makes sense to join a community to know who else is working on" a particular research issue, he says. "If you don't reach out and you're not sharing, you're not going to know" who else is working on it and what they've found, he says.

He says it is not difficult to share findings with other researchers while still delivering the value of your own research to your clients and the industry.

Whether Microsoft will be able to rally the troops remains to be seen. "The model for this type of coordination needs to be determined collectively. CERTs, security vendors, enterprises, and law enforcement can all play an important part in this effort," Batchelder says. "Certainly, the industry will have campaigns against specific malware families, and members will commit to do their part; however, the industry needs to coordinate their efforts, which will require a lot of information sharing and a method to quickly make decisions to take action. In order to scale, we will need to have a model where any member can propose, run, or coordinate a campaign."

The biggest challenge, he says, will be keeping all parties in sync. Microsoft hopes to generate discussion on coordinated malware eradication at upcoming security events, such as the RSA Conference in San Francisco in late February. The software giant has set up an email account for these events at cme-invite@microsoft.com.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
