In 2013, most people understand that the acronym APT stands for Advanced Persistent Threat, but I’m coining a new one … AFT, which stands for Another… uh … Freaking Trojan, and I suggest that all malware now falls into one of these two categories.
Every day, every antivirus lab receives a very large number of new, unique samples (Kaspersky put the figure at 200k per day in December 2012, up from 125k per day earlier in the year: http://www.kaspersky.com/about/news/virus/2012/2012_by_the_numbers_Kaspersky_Lab_now_detects_200000_new_malicious_programs_every_day), but most of these are just automatically and programmatically generated variants of a much smaller number of genuine families. The repacking is done to evade signature scanners, which key on the bytes of the file, but the underlying behavior rarely changes, so the variants are pretty easy to detect with behavior monitors, something antivirus products are getting much better at. Oh, and create a user-level account for day-to-day work, so that whatever does get through can't install drivers or set up system-wide persistence, and you're pretty safe.
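To make the point concrete, here is an added example (not code from the original post) that models both detection approaches over a constructed trojan family. The family's behavior profile, the base payload bytes, the C2 address and the benign noise events are all invented for the illustration; the "sandbox" is a stub that emits each sample's actions interleaved with benign activity, standing in for the API hooks or event tracing a real behavior monitor would use. It generates fifty hash-distinct variants of one base sample and shows that an exact-hash signature database built from the original catches only the original, while an ordered-behavior rule catches every variant and leaves a benign installer alone.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Sequence

# Constructed behavior profile for a hypothetical trojan family (assumption:
# drop-to-%APPDATA%, Run-key persistence, then beacon; not from a real sample).
FAMILY_PROFILE = (
    "file.write:%APPDATA%\\updater.exe",
    "reg.set:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "net.connect:203.0.113.7:443",
)

# Constructed stand-in for the family's original binary.
BASE_PAYLOAD = b"MZ\x90\x00" + b"trojan-family-v1" + bytes(range(64))

# Constructed benign events any process on the box might generate.
BENIGN_EVENTS = (
    "file.read:C:\\Windows\\System32\\kernel32.dll",
    "reg.query:HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
    "net.dns:time.windows.com",
)


@dataclass(frozen=True)
class Sample:
    payload: bytes     # the bytes a signature scanner hashes
    behaviour: tuple   # what the code actually does when run


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_variant(base: bytes, seed: int) -> Sample:
    """Programmatically generated variant: same behaviour, different bytes.

    Mimics a packer/obfuscation pass: the version string is rewritten and a
    random junk section is appended, so every file hash differs.
    """
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 256)))
    payload = base.replace(b"v1", f"v{seed}".encode()) + junk
    return Sample(payload=payload, behaviour=FAMILY_PROFILE)


def run_in_sandbox(sample: Sample, seed: int = 0) -> list:
    """Stub sandbox: emit the sample's actions with benign events interleaved."""
    rng = random.Random(seed)
    events = []
    for action in sample.behaviour:
        events.extend(rng.sample(BENIGN_EVENTS, rng.randint(0, 2)))
        events.append(action)
    return events


def signature_detect(sample: Sample, known_hashes: set) -> bool:
    """Exact-hash signature scanner: fires only on bytes the lab has seen."""
    return sha256_hex(sample.payload) in known_hashes


def behaviour_detect(events: Sequence[str], profile: Sequence[str]) -> bool:
    """Fire if every profile action occurs, in order, anywhere in the trace.

    The shared iterator makes this an ordered-subsequence match, so benign
    events between the steps do not break the rule.
    """
    it = iter(events)
    return all(any(ev == step for ev in it) for step in profile)


def compare(n_variants: int = 50) -> dict:
    """Scan the original plus n_variants fresh variants with both detectors."""
    base = Sample(payload=BASE_PAYLOAD, behaviour=FAMILY_PROFILE)
    known_hashes = {sha256_hex(base.payload)}   # the lab has only the original
    samples = [base] + [make_variant(BASE_PAYLOAD, s) for s in range(1, n_variants + 1)]
    sig_hits = sum(signature_detect(s, known_hashes) for s in samples)
    beh_hits = sum(behaviour_detect(run_in_sandbox(s, i), FAMILY_PROFILE)
                   for i, s in enumerate(samples))
    # A benign installer that sets a Run key but never beacons must not fire.
    benign = Sample(payload=b"MZ benign-installer", behaviour=FAMILY_PROFILE[:2])
    return {
        "samples": len(samples),
        "unique_hashes": len({sha256_hex(s.payload) for s in samples}),
        "signature_hits": sig_hits,
        "behaviour_hits": beh_hits,
        "benign_flagged": behaviour_detect(run_in_sandbox(benign), FAMILY_PROFILE),
    }


if __name__ == "__main__":
    print(compare())
```

The ordering requirement in `behaviour_detect` is what keeps the false-positive rate down: plenty of legitimate software writes to `%APPDATA%` or sets a Run key, so a rule has to describe the whole chain, not any one action. The flip side is the caveat a practitioner already knows: an attacker who changes the order or substitutes an equivalent persistence mechanism has changed the behavior, and the rule needs updating, just more slowly than a hash database does.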
Over the weekend, however, came the “revelation” that the FBI was using exploits and malware that they’d developed themselves to catch Bad Guys.
Whether you think that’s a good thing or a bad thing is up to the individual to decide, and is not germane to this story anyway, because the point is that it underscores just what our new Age Of Malware really is.
It’s not an Age Of Cyber War as many have suggested, although that’s part of it, and neither is it an Age of Cyber Espionage, although that’s part of it … the real point, the real issue, is that it’s now an Age Of Enterprise Malware.
On one level, this is mildly amusing, because right from the outset, people have said to antivirus companies, “How do we know that you guys don’t write the viruses?”, and while the antivirus companies are still not writing them, other companies sure are.
For the first time, our opponents are not anti-social, albeit intelligent, teenagers, nor are they criminals, opportunistic or organized; they're enterprises. Now, by "enterprises", I don't just mean the generally accepted idea of a profit-driven business; I mean large, organized groups of people with enormous resources. That can be a government body, a for-profit defense contractor, or a company developing surveillance tools; whoever they are, they have resources.
No wonder attackers have become so good.
Here, then, is the nub of the matter. We don't see much Enterprise Malware, maybe a piece every couple of months, but when we do, it's important, and it can fairly be classed as an APT. As for the 200k other things every day, well, they're just AFT.