Why Don't You Provide Useful Malware Descriptions?

Posted by George Yunaev on 2016-08-18 18:27:01


We are very often asked: why don't you[1] provide useful malware descriptions? Wouldn't it be better for everyone? Don't you people understand how important and useful it is for us to know exactly what the malware is doing, described in human-readable language? And if it also mentioned the relevant CVE numbers, so we know which vulnerabilities it exploited? We'd also like this analysis to cover the possible sources of the malware, similarities between different malware, the full list of files it creates, and detailed instructions on how to remove it. Don't you think this would be useful?

And we always answer: yes, we do understand its usefulness. But unfortunately, the economic reality ensures this is not going to happen.

Let's first start with the question: who should be writing that malware description? Obviously it has to be someone with an engineering background. But even this person wouldn't know much about the malware unless he or she is a malware researcher, or works directly with one. In any case, the details about the malware, if not the complete description, should come from someone who is capable of doing malware research, has reverse-engineering experience and deep knowledge of malware.

And malware researchers are rare and expensive. Turning someone who is already a senior software engineer with knowledge of assembler, reverse engineering and many languages into a malware researcher takes an additional 6-12 months of training. Thus those people are a precious, limited and rare resource.

They are also usually busy, as their responsibilities typically include things such as:
  • Adding detections for new malware;
  • Improving existing generic and heuristic-based detections;
  • Adding or improving disinfection procedures;
  • Fixing engine crashes, bugs and false positives;
and so on. All those tasks are important, and for most of our users they are more important than having malware descriptions. Every user we have asked whether they would prefer the malware to be detected earlier without a description, or much later with a full description, typically chooses early detection. Which is understandable: once you're infected with ransomware, reading its description would be of little help.

Now let's look at the scale. AV-Test estimates there are 390,000 new malware samples a day[2]. Let's assume it takes 30 minutes for a malware researcher to write a full description (this is a very generous assumption; it took me longer to write this article, and I did not have to do any research for that). Considering the typical 8-hour shift, a single researcher would be able to create descriptions for 16 malware samples. A staff of 10 researchers, which is more than many anti-malware companies have on duty 24/7, would be able to cover 160 samples a day. The remaining 389,840 will remain uncovered.

So offering this service would require significant expenses on the company side (again, malware researchers are rare and expensive), would distract them from the kind of work the users appreciate the most, detecting new malware, and would only provide a minuscule benefit, covering less than 0.1% of new malware samples each day. This is the main reason why no anti-malware company provides full, or even sporadic, detailed coverage of all the malware they detect.

What is possible then?

  • It is possible to provide you with automated details of what the malware is doing when run in an automated sandbox. Those would be highly technical and of little value to anyone who is not familiar with OS API calls, but generating them would not require human effort.

There are two problems with this solution. First, an expected increase in support calls from users asking us to explain what a particular line means: “I just used a (competitor vendor), but got infected with this malware, and I read your description and don't understand how to remove it, please tell me”. Second, it would provide valuable information to some security companies which attempt to compete with Bitdefender without putting proper resources into researching malware for themselves.

  • It is possible to provide an automated human-readable description based on the malware name. For example, something like “Win32.Trojan.Ransomware.Locky” could generate something like:

“This malware is from the ransomware family. This means it typically encrypts or otherwise makes your data unavailable until the ransom is paid. The encryption is typically irreversible without paying the ransom, so if you install the antivirus after you got infected, it will remove the malware but will not get your files back. Please note that there is no guarantee that you will get your files back even after the ransom is paid, because at least some ransomware groups simply collect the money and do not decrypt files. This malware is also a Trojan, meaning it comes into your PC disguised as another program, such as a Flash Player or codec update which some malicious site asked you to install to play a video. This malware only works on Windows, and belongs to the Locky ransomware family.”

While at first glance this sounds valuable, the feeling will quickly pass when you see exactly the same description for 50 more malware samples, differing only by the sample name. Even more, people who read those descriptions usually have at least basic experience with malware, and see little value in being told what ransomware or a Trojan is; they're more interested in what exactly it is doing and how to get rid of it. This, of course, is something such a description cannot satisfy; at most it can satisfy a curious reader with zero malware experience.

Thus, as you see, there is no good solution which would be easy to automate and at the same time provide valuable information to all kinds of users. This is why nobody offers this kind of information.
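To make the limitation concrete, here is an added example of such a name-based description generator. It is illustrative code written for this article, not Bitdefender's tooling, and it assumes a constructed naming scheme of Platform.Type.Category.Family with constructed lookup tables; the family name ExampleFamily is made up. The `differing_words` helper shows that two names in the same category produce descriptions that differ only in the family token, which is exactly the repetition described above.

```python
"""Illustrative name-based malware description generator (added example).

Assumes a constructed dotted naming scheme, Platform.Type.Category.Family,
and constructed per-token sentences. Not a real vendor's scheme or tooling.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lookup tables: one canned sentence per recognised token.
PLATFORM_TEXT = {
    "Win32": "This malware only works on Windows.",
    "Android": "This malware only works on Android devices.",
}
TYPE_TEXT = {
    "Trojan": ("This malware is a Trojan, meaning it comes into your device "
               "disguised as another program."),
    "Worm": ("This malware is a worm, meaning it spreads to other machines "
             "on its own."),
}
CATEGORY_TEXT = {
    "Ransomware": ("This malware is from the ransomware family: it typically "
                   "encrypts or otherwise makes your data unavailable until "
                   "a ransom is paid. Removing the malware afterwards does "
                   "not recover your files."),
    "Spyware": ("This malware is spyware: it collects information from the "
                "device and sends it to its operator."),
}


@dataclass
class DetectionName:
    platform: str
    kind: str
    category: str
    family: Optional[str]  # generic detections often carry no family


def parse_detection_name(name: str) -> DetectionName:
    """Split e.g. "Win32.Trojan.Ransomware.Locky" into its components."""
    parts = name.split(".")
    if len(parts) < 3:
        raise ValueError(f"unrecognised detection name: {name!r}")
    platform, kind, category = parts[:3]
    family = ".".join(parts[3:]) or None
    return DetectionName(platform, kind, category, family)


def describe(name: str) -> str:
    """Render a description purely from the tokens in the detection name.

    Nothing here knows what the sample actually does; every sentence is a
    function of the name alone, which is the whole point of the exercise.
    """
    d = parse_detection_name(name)
    sentences = [
        CATEGORY_TEXT.get(d.category, f"This malware is classified as {d.category}."),
        TYPE_TEXT.get(d.kind, f"Its type is {d.kind}."),
        PLATFORM_TEXT.get(d.platform, f"It targets the {d.platform} platform."),
    ]
    if d.family:
        sentences.append(f"It belongs to the {d.family} family.")
    return " ".join(sentences)


def differing_words(a: str, b: str) -> List[Tuple[str, str]]:
    """Return the word pairs at which two descriptions differ.

    Two same-category names yield texts that differ only in the family
    token; this makes that visible instead of asking the reader to eyeball it.
    """
    wa, wb = a.split(), b.split()
    if len(wa) != len(wb):
        return [("<length>", "<length>")]
    return [(x, y) for x, y in zip(wa, wb) if x != y]


if __name__ == "__main__":
    # "ExampleFamily" is a constructed placeholder, not a real family name.
    for n in ("Win32.Trojan.Ransomware.Locky", "Win32.Trojan.Ransomware.ExampleFamily"):
        print(n, "->", describe(n))
    print(differing_words(describe("Win32.Trojan.Ransomware.Locky"),
                          describe("Win32.Trojan.Ransomware.ExampleFamily")))
```

Running it prints two long, near-identical paragraphs followed by a single differing pair, `[('Locky', 'ExampleFamily')]`; a reader with any malware experience gets no more from the second paragraph than from the name itself.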


[1] Depending on who's asking, “you” could mean either “Bitdefender” or “anti-malware companies”, as this is a common situation with all security companies.

[2] “The AV-TEST Institute registers over 390,000 new malicious programs every day”; see https://www.av-test.org/en/statistics/malware/ - checked as of Jun 2016

George Yunaev

George Yunaev is a Senior Software Engineer at Bitdefender. He joined the company's OEM Technology Licensing Unit in 2008, after working at Kaspersky Lab for seven years. Aside from developing SDKs for various OEM solutions, George is also providing partners and prospects with useful insights into emerging threats and potential pitfalls of technology licensing. His extensive software engineering experience of 19 years also covers reverse-engineering and malware analysis. He is based in Silicon Valley, California, and enjoys traveling and active sports such as skydiving and wakeboarding.

Topics: Technology