Malware’s Future Looks A Lot Like Its Present

SAN FRANCISCO – What does the future of malicious software look like? Depressingly like the present, according to a panel of leading experts.

RSA Security Conference 2013

Phishing attacks, spam and even self-propagating worms will continue to plague technology users in the years ahead, just as they have for much of the last two decades, according to experts at the RSA Security Conference in San Francisco on Wednesday. However, the malware will operate across a far more crowded landscape of mobile devices, virtual machines, cloud-based computing resources and Internet connected “stuff” – complicating the job of securing sensitive information.

The panel, “50 Minutes into the Future: Tomorrow’s Malware Threats” asked the experts to look into the crystal ball and predict what malicious software would look like in the near- and distant future. The answer was: much like it looks today.

Dave Marcus, the director of security research and communications at McAfee Labs, said that the rate of growth in the mobile malware space was accelerating rapidly, and far outstripping the rate of growth in the (much) larger population of PC malware. Mobile malware authors were also applying lessons learned in the PC space to rapidly improve their creations.

“We’ve seen  mobile malware go from ridiculously simple SMS spam in 2009 to stuff, today, that regularly breaks out off the sandbox,” he said, referring to the virtual containers that modern operating systems and browsers use to contain malicious code. “Its as if they ]took all of what they learned in the pc malware space and applied it to mobile malware.”

“Mobile makes everything new again when it comes to security,” said Mike Sutton, the Vice President of Research at security firm zScaler. Though mobile operating systems are generally considered to be more secure by design than their desktop cousins, mobile platforms can be an even more attractive target for certain kinds of scams, such as phishing attacks, Sutton said. “Most phishing attacks are short-lived, so the always-on nature of mobile devices is a huge advantage,” he said. Also, the small screens on mobile devices make many visual clues used to distinguish phishing pages from legitimate sites harder to see.

Andrew Brandt, the Director of Threat Research at Solera Networks said he expected the shift to mobility and application stores to yield some improvements. Mobile application consumers were already more wary of applications that sought excessive access to sensitive data and functions on their devices, he noted – a big departure from the world of desktop applications.

The panelists said the global supply chain that is behind almost all technology today was a major source of security risk. Compromised hardware and software components from unscrupulous or inept suppliers could be difficult to detect and result in damaging security breaches and data loss, said Brandt.

“The supply chain is an open question,” said Brandt of Solera. “We know where that supply chain starts, and there’s just a huge issue with that,” he said, in an apparent reference to China.

Organizations and device makers could make their products less susceptible to compromise by malware by improving sandboxing- and memory protection techniques, and by leveraging hardware based security mechanisms like the Trusted Platform Module to bolster on-device security.

But panelists said there was only slow movement towards those goals in the market. As a result, they doubted that cyber criminal groups and other motivated attackers would need to work too hard to compromise their targets, given the plethora of easy to exploit software vulnerabilities and lax user practices.

“There are still plenty of issues with software, so I don’t see attacks going to the hardware,” said  Jaime Blasco, the Labs Director at the security firm Alienvault.