Wednesday 23 March 2016

Malware by the gross

A gross is, of course, a dozen dozen, and for those readers who weren't programmed with their twelve times tables like I was five dozen years ago, that's CXLIV.

I'm now getting a gross of malware spams per day. That's more than spam for Viagra and replica watches combined. It's a deluge of badness.

I don't know what they do, except that they contact a remote server over the internet and install something nasty on the computer, although I'm guessing that it wouldn't work on me as I'm not running Windows. I'm not engaged enough in this to try to find out. I don't think the people who are involved in malware research are either, because I'm not picking up any buzz.

My guess is ransomware.

Ransomware is the new big thing. It's easy to do, you just buy yourself the malware, buy a spamming service, spew it out and wait for the untraceable payments in Bitcoin to roll in. And roll in they do - a great many businesses, companies and government organisations are willing to pay £1000 to get their data back. I know this, because 30 years ago, I ran the first no-fix no-fee data recovery service in the world, and we would typically charge £500 for the service, which our customers gladly paid after their hard drive had failed - and all hard drives do fail, it's only a question of when, and do you have a good backup? They didn't.

What I did was a useful and honest service, of course. Ransomware is illegal, but that doesn't stop the Bad People. So what would stop them?

If your computer has been held to ransom, you're probably stuffed. Encryption is sufficiently good these days for it to be unbreakable without the key. You could pay up and hope that the criminals are sufficiently honest to send you the decryption key, but if they don't, you've had it - you might speak to a consultant who knows about these things because it's possible that the ransomware that hit you doesn't use strong encryption. But don't bank on it. And if you do pay up, then you have the shame of knowing that you've just made this crime profitable, thus encouraging more crime.

If you haven't been hit by ransomware yet, then there are precautions you can take. Backup is one obvious idea, but if the backup media is accessible by your computer, then it's also accessible by the ransomware, and that could be encrypted too. Even if the backup is offline, if you don't get told about the attack until the good backups have been overwritten by encrypted files, you're out of luck again.

What you need is a product that (as far as I know) doesn't currently exist (but if it does, tell me and I'll tell people about it). This would be a product that checked inside emails for enclosed files, and stripped anything that could contain an executable (such as Word macros, JavaScript) out of them before presenting the email to the user. It would also check inside zip and other compressed files, it would sanitise PDF files, xls files and anything else that could be a problem.
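As an added illustration (not part of the original post, and not an existing product), here is a Python sketch of the attachment sanitiser described above. It parses a MIME message, looks inside zip archives (which covers .docx-style Office files, whose macro code lives in a vbaProject.bin member), decides by file contents rather than by name, and rebuilds the message with only the attachments that passed. The extension lists, the crude PDF token scan and the sample message are constructed assumptions; a production filter would need a real PDF parser and far more file types, and anything it cannot inspect (encrypted or corrupt archives) is dropped rather than waved through.

```python
"""Attachment sanitiser sketch (added example, assumptions marked inline):
drop any e-mail attachment that could carry executable content."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lists: extensions that are, or can carry, executable code.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar",
                         ".msi", ".dll"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}  # macro-enabled OOXML
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}  # binary Office formats that may hold macros
MAX_MEMBER_BYTES = 25 * 1024 * 1024       # refuse archive members declared larger than this
MAX_NESTING = 3                           # refuse archives nested deeper than this


def pdf_has_active_content(data: bytes) -> bool:
    """Crude token scan (assumption). Compressed object streams can hide these
    tokens, so a real sanitiser must parse the PDF rather than grep it."""
    return any(tok in data for tok in (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"))


def zip_contains_danger(data: bytes, depth: int = 0) -> bool:
    """Inspect a zip (plain archive or OOXML document). Anything that cannot be
    inspected (encrypted, corrupt, too deep, too big) counts as dangerous."""
    if depth > MAX_NESTING:
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):  # OOXML macro container
                    return True
                if info.file_size > MAX_MEMBER_BYTES:  # declared size; guards against zip bombs
                    return True
                if is_dangerous(info.filename, zf.read(info), depth + 1):
                    return True
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return True  # RuntimeError is what password-protected members raise
    return False


def is_dangerous(name: str, data: bytes, depth: int = 0) -> bool:
    """Judge by extension first, then by contents so a renamed file does not slip through."""
    if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS | MACRO_EXTENSIONS | LEGACY_OFFICE:
        return True
    if data[:2] == b"MZ":            # DOS/PE executable header
        return True
    if data[:4] == b"PK\x03\x04":    # zip container (also .docx, .xlsx, .jar)
        return zip_contains_danger(data, depth)
    if data[:4] == b"%PDF":
        return pdf_has_active_content(data)
    return False


def sanitise(raw: bytes):
    """Rebuild the message with the plain-text body and only the attachments that
    passed inspection; return (clean message, names of attachments removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date"):
        if header in msg:
            clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body is not None else "")
    removed = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        content = part.get_content()  # str for text/* parts, bytes otherwise
        data = content.encode("utf-8", "replace") if isinstance(content, str) else content
        if is_dangerous(name, data):
            removed.append(name)
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        if isinstance(content, str):
            clean.add_attachment(content, subtype=subtype, filename=name)
        else:
            clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return clean, removed


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample mail: a benign note, a zip hiding a .js file, a .docx that
    secretly carries a macro project, a plain PDF, a PDF with JavaScript, and a
    PE executable renamed to look like a photo."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("Meeting notes.", filename="notes.txt")
    msg.add_attachment(_zip_bytes({"invoice.js": "// constructed stand-in"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": "<Types/>",
                                   "word/document.xml": "<w:document/>",
                                   "word/vbaProject.bin": b"\x00constructed"}),
                       maintype="application", subtype="octet-stream", filename="report.docx")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF",
                       maintype="application", subtype="pdf", filename="brochure.pdf")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj<</S/JavaScript/JS(0)>>endobj\n%%EOF",
                       maintype="application", subtype="pdf", filename="form.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    clean_msg, dropped = sanitise(build_sample_message())
    print("removed:", dropped)
    print("kept:", [p.get_filename() for p in clean_msg.iter_attachments()])
```

Run as a script it removes invoice.zip, report.docx, form.pdf and photo.jpg and keeps notes.txt and brochure.pdf. The important design choice is the default: the user is never asked, and anything the filter cannot read is treated as dangerous, which is exactly the behaviour the post argues a useful product needs.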

This wouldn't solve the whole of the malware problem (there's also malvertising, which is the main reason many people run an ad blocker) but it would deal with the gross of malware that arrived in my inbox in the last 24 hours.

What we don't need (because experience tells me it doesn't work) is to tell users to be careful about anything suspicious. People do not know how to decide if anything is suspicious, nor do they know how to be careful about it. To most people, a computer is just a magic box that operates on incomprehensible rules to give unpredictable results.

And if you think that your antivirus is protecting you, try this simple test. Carefully save one of the obviously malware attachments to a file, and show it to your antivirus. When you discover that the antivirus doesn't flag it, don't panic. Just speak to your AV vendor and ask them "Why?" and among the barrage of excuses you'll hear "Because we don't know how".


  1. Not automated, but:

    A number of business email server products allow the configuration of email attachment filters, although I'm not aware of any sanitisers. The user still ends up having to make their own mind up as to whether an attachment - renamed or otherwise - is bad.

  2. Not good enough. If users could reliably make up their own minds about whether an attachment is bad or not, then A) these emails wouldn't work and B) what is the filter doing, if it just tells the user the file name and asks them to make a decision?

    To be useful, a product has to operate without asking the user whether the attachment is dangerous or not.

    If you ask the user to make a decision about this, then the product is equivalent to "The Perfect Antivirus", which I invented 30 years ago, and is 100% useless.