Stories about Software


Addressing Malware Detection from the Outside In

Editorial note: I originally wrote this post for the Monitis blog.  You can check out the original here, at their site.  While you’re there, have a look around at the different types of production monitoring that they offer.

I worked as a software engineer for almost the entire decade of the 2000s.  While I was earning a living this way, computers were making their way from CS student dorm rooms to Grandma’s den.  Like so many other programmers of the time, I thus acquired the role of unofficial tech support for computer illiterate friends and family.  I do not miss those days in which malware detection became an involuntary hobby.

Back in 2005, everyone had computers with Windows XP or Windows 98.  And every computer with Windows XP or Windows 98 seemed to attract malware like flies to flypaper.  So I found myself sitting in front of CRT monitors next to dusty towers, figuring out why nothing worked.

I still kind of remember the playbook.  For instance, Lavasoft had a product called Ad-Aware.  I also seem to recall something called Malwarebytes.  I favored these because I could download them for free.  At least, I could download them for free assuming the victim’s computer was even capable.  With those tools in place, and with a heaping helping of googling from my own laptop, I would painstakingly scan, sweep, remove, tweak, and repeat.  Eventually, I won. Usually.

It seems strange to think about now.  Ten or twelve years ago, consumers compared brands of antivirus software the way we compare music apps on our phones.  Malware detection dominated our computing consciousness, even for casual users.  But today?  I can’t remember the last time I ran an antivirus scan on my laptops.  I suspect you can’t either.  So what happened to all of this malware?  Did it simply disappear?

The Silencing of Malware

Well, no.  Malware didn’t disappear.  The criminals and spammers of the world didn’t just one day decide to do something better with their lives.  In fact, you might argue that they became more effective.

Most of the pieces of malware from my younger days had lots of bark and little bite.  They’d install themselves on your computer and hijack your browser with obnoxious graphics or spew error messages until your machine crashed.  Some came from would-be vandals, while others tried unsuccessfully to do things sneakily.

But causing some computer neophyte to say “this doesn’t seem right” and call up a young me to fix things — well, it hardly constitutes successful sneaking.  It always seemed, in those days, that malware authors sought mainly to annoy.  And malware detection and removal sought to fix the inconvenience.

In more recent years, however, the consumer annoyance factor has mostly disappeared.  Why?  Because there’s no profit in it.  Today’s malware instead aims to help its authors and users make money.  It does this by quietly gathering data, sending out spam, gaming search engines, and stealing information.  And it does all of this under the radar.

The Migration of Malware

In a disturbing sense, you might say that the malware industry has matured.  You now have more profiteers and fewer hobbyists.  This spurred the move toward subtler effects on users, and it also drove malware elsewhere.

In the late 2000s, a series of interesting things happened for casual consumers.  First, handheld Apple devices exploded into the global market, creating a large contingent of loyal users.  In the wake of that came an uptick in the sales of Apple laptops, and these devices had far fewer security woes.  Second, Microsoft released Windows 7, a substantially more secure operating system than Windows XP.  And so, as we entered the current decade, end user devices became a tougher nut to crack for purveyors of malware.

Oh, don’t get me wrong.  Malware authors continue to target end user machines, doing things like herding them into large resource pools called botnets.  But with end user machines no longer wide open invitations for mischief, they had more incentive to focus on higher value targets.

I’m talking here about servers.  End users buy relatively cheap, low power devices and turn them off sometimes.  Servers have a great deal of horsepower and, by their nature, maintain a constant, stable, strong internet connection.  Again, don’t get me wrong.  Malware has always targeted servers, just as it continues to target end user machines.  But firming up end user machines creates motivation to spend energy targeting servers instead.

The Site Owner’s Malware Detection Conundrum

When I used to help friends and family remove malware a decade ago, I did so with relatively low personal stakes.  Of course I wanted to help them.  But, if the issue proved intractable, I could always shrug apologetically, tell them we’d need to wipe their machine and start over, and then go home.  I didn’t personally feel the pain of those lost files and program configurations.

A piece of malware infecting my own machine, however, would have brought the problem home.  I’d have worried over my files and settings, disgusted at the prospect of spending a day or more starting over from scratch.  With the lack of pervasive app stores, cloud technologies, and turnkey backup solutions, starting over brought pain and sometimes information loss.  I’d have weighed this prospective loss against a newfound lack of trust for my machine.  Malware tended not only to install itself for malicious or annoying purposes.  It also frequently enlisted methods to defeat its detection and removal.  Even if you thought you’d won, could you really be sure?

And this applied just to my own desktop.  Those feelings become magnified when applied to my website and thus my public reputation and image.  Should a piece of malware find its way onto my site, enduring panic would ensue, even after diagnosing and fixing.  Could I trust a diagnosis and fix taking place on the server itself?  Would I stake my professional reputation on it?

I can thus only imagine how it feels for owners of actual e-commerce businesses.  I have an informational site and blog representing my brand.  I’d feel embarrassed by vandalism or spamming, looking like an amateur.  But I wouldn’t have to go to my readers with my hat in hand and tell them that, thanks to me, they needed to get new credit cards.

Malware Detection from the Outside In

Understanding this dynamic, I cannot overstate how important I believe it is to have a multi-pronged approach to malware detection and removal.  You might get away with not having one for a personal device.  But then again, most of your apps and devices now have all sorts of mechanisms for backing settings up to the cloud.  Whether you think of it this way or not, this recovery option represents a part of your security.  But with a server and your livelihood, you can’t rely on happenstance to own your security measures.

Just as I did over a decade ago, you need to have software running locally to help with security.  It’ll obviously look a little different today, but the point remains the same.  This software deeply understands the particulars of your system and works to prevent and expunge.

But understand the fundamental attraction of a second, external security piece.  If you have an external service performing malware detection against your server, you have comforting redundancy.  A clever enough bug can work its way to a lower level of abstraction than your on-machine security and render it harmless.  Whatever countermeasures the malware might take against an external scan, it can’t compromise the scanning tool itself.
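To make the "outside in" idea concrete, here is an added example (not from the original post or from Monitis) of the kind of check an external scanner can run against a site from a machine the server's malware cannot reach: it compares what the site actually serves against a baseline recorded when the site was known clean. The baseline hash, the allowed script hosts and the sample HTML are all constructed for illustration.

```python
# Out-of-band website integrity check, run from a host other than the web server.
# Because the checker and its baseline live off the server, malware that has
# subverted on-box security tools cannot hide from it or alter its results.
import hashlib
import re

# Hypothetical baseline recorded when the site was last verified clean:
# script hosts the site legitimately loads from. Anything else is suspect.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
IFRAME = re.compile(r'<iframe\b', re.I)


def page_hash(body: str) -> str:
    """SHA-256 of the served page; suitable for static pages that rarely change."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def script_hosts(body: str) -> set:
    """Hosts referenced by <script src="..."> tags in the page."""
    hosts = set()
    for src in SCRIPT_SRC.findall(body):
        m = re.match(r'https?://([^/]+)', src)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def check_page(body: str, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the page matches the baseline."""
    findings = []
    if page_hash(body) != baseline_hash:
        findings.append("content changed since baseline")
    for host in sorted(script_hosts(body) - ALLOWED_SCRIPT_HOSTS):
        findings.append(f"script loaded from unexpected host {host}")
    if IFRAME.search(body):
        findings.append("page contains an iframe not present in baseline")
    return findings


# Constructed sample pages: the clean baseline and the same page with an injected script.
CLEAN = '<html><body><h1>Hi</h1><script src="https://cdn.example.com/app.js"></script></body></html>'
INJECTED = CLEAN.replace("</body>", '<script src="https://evil-example.invalid/x.js"></script></body>')


def demo():
    """Check both sample pages against the baseline taken from the clean page."""
    base = page_hash(CLEAN)
    return check_page(CLEAN, base), check_page(INJECTED, base)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A real deployment would fetch the page over HTTPS on a schedule and alert on any non-empty result; for dynamic pages, hash only the stable portions rather than the whole body.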

Both malware and security have changed a good bit over the years.  But the underlying principles remain the same.  I mentioned installing two or more tools on the infected machines of friends and family.  These complemented each other to cast a wider net.  That wisdom remains applicable today, and it’s more important now than ever.