Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers.
To change the game, we need to change the way we work.
It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their own strengths and methods to protect their customers and constituents. Each group is able to claim victory from their efforts, but the malware families retain a significant advantage. No matter how big, the reach of each antimalware ecosystem player only extends so far. As a result, our adversaries only need to shift just a bit beyond that reach to get back in business. For example, let’s assume an advertising network identifies and shuts down a click-fraud attack. This is great for the network and its advertisers, but the bad guys need only to pivot and attack another advertising network to remain in business. And this time, maybe the bad guys are more effective, because now they’re more educated about the need for resiliency and continuity.
By not working together, we have yielded our advantage to the malware authors. They can see the reach of our tools, and they can dance away from each of us. While we are disrupting them, we are also making them more resilient and more efficient.
If we want to fight effectively and protect our customers and constituents, we need to eradicate the malware families. To do this, we must coordinate our collective scope and reach so that the bad guys have no room to dance away. Of course, some coordination already exists within the industry today. Antimalware vendors exchange malware samples, prevalence information, and even clean file metadata. They participate with CERTs, ISPs, and law enforcement in sinkholes and takedowns. But it hasn’t been enough: a quick glance at the age of the detections that we’re still using to find our top malware families shows that we are not eradicating them.
Figure 1: Malware encounters on Microsoft real-time protection products September 1, 2013 - January 25, 2014
Getting to a more coordinated eradication effort for each malware family will require much stronger industry partnerships. It also needs new partnerships with financial institutions, payment networks, large internet services, and software bundlers. Each partnership will increase our collective ability to present a unified front, thereby reducing the bad guys’ ability to evade and profit.
Tighter coordination is a natural evolution of the malware protection industry, and it is already beginning. For example, when Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI), a number of ISPs and A10 Networks against the Sirefef/ZeroAccess botnet, the results went far beyond a few days of disruption. Faced with a broadly coordinated action against their IP addresses, Sirefef authors waved the white flag. They are not quite eradicated, but they’re certainly heading that way.
While these efforts are working against malware authors, they are essentially one-offs. We have hundreds of active malware families that require eradication, and we need a repeatable model that will scale.
We have talked about the scope of Microsoft’s customer-focused approach, and how we are sharing malware telemetry information. We want to take it much further. We need to create a structure that makes it easy to coordinate campaigns and share more types of information across the entire antimalware ecosystem.
The time has come to do this now. We need committed antimalware ecosystem partners to join together in coordinated campaigns to eradicate malware families. Here are some examples of how partners can help with their tools, reach, and scope:
- Security vendors: By sharing detection methods, malware behavior, and unpacking techniques, vendors can more quickly identity and block the malware families as they appear on network-connected endpoints and servers.
- Financial institutions, online search, and advertising businesses: With better fraudulent behavior identification, these organizations can starve malware authors of their ill-gotten gains.
- CERTs and ISPs: Armed with vetted lists, CERTS and ISPs can block and take down deploy sites, and command and control servers.
- Law enforcement: Using correlated evidence, law enforcement can prosecute the people and organizations behind the malware.
Figure 2: The antimalware ecosystem’s coordinated malware eradication
The challenge is how we can all work together in a way that’s efficient and long-lasting. Microsoft is committed to helping drive this industry effort forward. We are beginning by looking at what we can contribute to such a community, and we are asking our antimalware ecosystem partners to do the same.
Several industry events are coming up this spring and summer. For example, RSA in San Francisco in February 2014, DCC in Singapore and the PCSL/IEEE Malware Conference in Beijing in March 2014, the May 2014 CARO Workshop in Florida, and the June 2014 FIRST event in Boston. These are great opportunities to hammer out a working framework for making coordinated malware eradication a reality. Microsoft will be hosting discussions at these events to do just that.*
I look forward to your feedback and on-going conversations about coordinated malware eradication.
Dennis Batchelder
MMPC
* To join the discussions at these events, please contact us at cme-invite@microsoft.com.