Malware Is Software

My article on trends in malware has finally appeared on the Safari Books Online blog.

Malware is a nasty threat to everyone, whether you’re trying to enrich Uranium with fancy centrifuges in Iran or enrich your bank account with fancy craft projects on Etsy. The really menacing examples are named like characters lifted from fan fiction based on William Gibson books or The Matrix: Flame, Stuxnet, Duqu, Gauss.

I’ll use this post to fill out some background for the original article. For example, there’s good reason to believe that anti-virus is less useful against malware authors who spend a little effort to evade detection (or attack the AV itself). We can’t even get web sites to deploy HTTPS everywhere, but malware authors are smart enough to use encrypted channels to successfully evade analysis. Malware is rife in mobile applications. But even “safe” applications are poorly written — I made the observation in my book (and here, slides 37 & 38) how few apps bother to actually verify the certificate used for an HTTPS connection.

The point is that good software design should reduce the kinds of vulnerabilities that malware exploits, but there’s nothing preventing malware authors from adopting those same design principles — leading to better malware that’s more difficult to analyze. And poor software design (e.g. not verifying certs) makes an app insecure in the first place.

I’ll plug my book again, mostly because you should be looking at Hacking Web Apps (HWA) instead of Seven Deadliest Web Application Attacks that’s mentioned at the end of the article. HWA is the updated, expanded version. There’s no point in purchasing the other unless you like collecting whole sets. The other titles focus on malware and will give you better insight into that world of software.

Hacking Web Apps: Detecting and Preventing Web Application Security Problems
Malware Forensics: Investigating and Analyzing Malicious Code
Malware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides
Mobile Malware Attacks and Defense

Published by Mike Shema

Mike works with product security and DevSecOps teams to build safer applications. He also writes about information security, with an infusion of references to music (80s), sci-fi (apocalyptic), and horror (spooky) to keep the topics entertaining. He hosts the Application Security Weekly podcast.

%d bloggers like this: