June 16, 2005
On the Virulence of Malware
In a previous post, I talked about the evolution of malware and speculated that we might see malware that evolves to be useful, similarly to the way mitochondria have evolved to be useful to us. So it was with great interest that I read a recent article in Security Focus about the evolution of malware, in which they argue that malware is becoming more stealthy and more benign (non-destructive) in terms of damage done to the host computer. They claim that because malware is more useful to the attacker (e.g. for financial gain) the malware is less likely to have a destructive payload. To support this, they present data that shows a distinct trend over the last five years in the growth of non-destructive malware. This is the key graphic in their paper:
The authors claim that this is a perfectly logical consequence of the fact that malware is becoming a "truly successful parasite". They list three conditions for a parasite to be "truly successful":
1. it spreads rapidly and effectively;
2. it does not cause a violent adverse reaction in its host such that it is rapidly destroyed;
3. it is able to extract valuable resources from its host.
This is a rather naive view of parasites, at least from a biological perspective. In the biological world, "success" is defined purely by survival and propagation: the more copies there are of a parasite, the more successful it is. We can look at this measure of success in different ways, for example, if a parasite can retain high numbers across a variety of environmental changes, then it is even more successful (robustness to environmental perturbations). The issue is that this definition of "success" introduces a new tension that may favor destructive behavior towards the host: increasing the number of copies of a parasite greatly increases the chance of it being virulent, i.e. harming the host.
In fact, the evolution of virulence of a parasite is not well understood and is very complex, depending on a variety of factors, including:
1. Transmission mode is theorized to be the main determinant of virulence, but the relation is complex; for example, virulence in malaria is positively correlated with transmission up to a certain limit, but after that excessive virulence is selected against because harm to the host will cause prevention of transmission.
2. Some results indicate that the more "durable" the pathogen (its ability to survive outside the host), the more virulent it will be because it has low reliance on host survival. This has been termed the "curse of the Pharaoh" because Lord Carnarvon was thought to have died of an extremely durable pathogen he was infected with upon opening the tomb of Tutankhamun.
3. Hard selection (the death of an individual is independent of others) results in higher virulence because there is pressure to produce more copies, which causes harm. An example of this is a model demonstrating that immune responses boost virulence.
4. By contrast with the previous point, soft selection (the death of an individual is dependent on others, e.g. through competition) can actually lead to lower virulence. This is a consequence of interference between pathogens reducing host exploitation.
5. Vaccinations can have differing effects on virulence: imperfect vaccines are likely to increase virulence, whereas perfect vaccines that block transmission are likely to decrease virulence.
The above list is by no means exhaustive and there is a lot of debate about these various factors. One thing that is clear is that it is extremely hard to generalize. An article in Proc Biol Sci (2001 Nov 22;268(1483):2331-7) cogently makes this point:
Consequently, a detailed mechanistic description of how parasites and other mortality sources combine to cause host mortality is required before reliable predictions about virulence evolution can be made.
Given the complexity of the evolution of virulence in biological parasites, it is interesting to speculate on how particular factors in computer systems could influence the evolution of virulence in computer malware. As in biological systems, the picture is anything but simple.
First, we have to understand what it means to be successful for malware. This can be quite varied. For self-replicating malware such as worms and viruses, success could be very similar to that in biological systems: the number of copies extant. But if we define success in terms of the malware writers' goals, then there could be many definitions. Some goals will lead to destructive malware and some won't. Here are some ideas:
1. Attackers that want to steal information or use the resources of victims for spam relays or other such purposes are likely to favor reduced virulence, because the computers are valuable resources.
2. Attackers might alternatively want to take down machines in Denial-of-Service style attacks, or corrupt data, either as part of an extortion racket, or industrial sabotage, or terrorism or for other reasons. In this case, damage to the host is probably mandatory.
3. The increase in the variety of malware and the number of malware authors, and the increase in the number of malware on any one computer, is likely to lead to increased virulence because there will be more buggy malware causing problems, and there will be more unforeseen contention between malware. We can already see evidence of this in the way spyware can clog up machines and render them virtually unusable.
4. Some of the biological results mentioned above indicate that an immune response can increase virulence. Does this imply that security mechanisms for computers would also be likely to cause virulence?
5. What are the effects of hard and soft selection? In the biological world, there is some evidence that soft selection decreases virulence. Does this imply that having multiple varieties of malware on your computer will decrease their virulence as they compete amongst themselves? This would be counter to the argument I made in point 3 above!
6. What about malware that causes harm as a side-effect of spreading very rapidly, like the SQL Slammer worm? Clearly, if the malware authors' intent is to get it on every machine for purposes such as information stealing, then a noisy, visible worm that overloads the network is a bad idea. However, what happens if a new vulnerability emerges and multiple worm writers decide to exploit it in order to get malware on as many machines as possible? If each worm closes off the vulnerability behind it, then the worm that moves the fastest will be the most successful in compromising the most machines. But that very factor increases virulence, at least in terms of network load. It is unavoidable, just as it is in the biological world. Will we see such races in future, increasing virulence?
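To make the "worm race" in point 6 concrete, here is an added toy model (my own, not from the Security Focus article): a mean-field, discrete-time epidemic in which every infected host probes random addresses each tick, the first worm to hit a vulnerable host takes it and closes the hole behind itself, and the probe count per tick stands in for network load. The population size and the scan rates (fast worm 4 probes/host/tick, slow worm 1) are constructed values, not measurements of any real worm.

```python
# Added example: two worms racing for one vulnerable population.
# Assumptions (constructed): n_hosts addresses, uniform random probing,
# a hit host is infected by the worm that hit it and then patched for all.
from dataclasses import dataclass


@dataclass
class Worm:
    name: str
    scan_rate: float      # probes per infected host per tick (constructed value)
    infected: float = 0.0


def simulate_race(n_hosts, worms, seed=1.0, max_ticks=500):
    """Mean-field simulation; returns winner, shares and probe load."""
    susceptible = float(n_hosts) - seed * len(worms)
    for w in worms:
        w.infected = seed
    peak = total = 0.0
    tick = 0
    while susceptible > 0.5 and tick < max_ticks:
        tick += 1
        probes = {w.name: w.scan_rate * w.infected for w in worms}
        load = sum(probes.values())            # network load this tick
        peak, total = max(peak, load), total + load
        # Chance that a given vulnerable host is hit at least once this tick.
        p_hit = 1.0 - (1.0 - 1.0 / n_hosts) ** load
        newly = susceptible * p_hit
        # The worm that hits first wins the host and patches it behind itself,
        # so new infections split in proportion to each worm's probe share.
        for w in worms:
            w.infected += newly * probes[w.name] / load
        susceptible -= newly
    shares = {w.name: w.infected / n_hosts for w in worms}
    return {"winner": max(shares, key=shares.get), "shares": shares,
            "peak_probes": peak, "total_probes": total, "ticks": tick}


if __name__ == "__main__":
    race = simulate_race(100_000, [Worm("fast", 4.0), Worm("slow", 1.0)])
    solo = simulate_race(100_000, [Worm("slow", 1.0)])
    print("race:", race)
    print("peak load, slow worm alone:", solo["peak_probes"])
```

The fast worm ends up with almost the whole population, and the peak probe load of the race is several times that of the slow worm spreading on its own, which is the "virulence as network load" the point above describes.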
This certainly is a complex and fascinating topic. I would love to see the writers of the Security Focus article extend their analyses to consider more factors. I will certainly be an avid reader!
