What does the future of malware look like?
The truth is, no one knows. According to the experts at Symantec, the changes we're going to see in malware over the next couple of years outweigh the changes we've seen over the last three to five years. It's daunting to think of the technologies behind malware changing that quickly when it takes five or six years to get out an OS and even a browser takes at least 12-18 months between iterations. Here's a little more of what I learned from my recent trip to their Southern California office.
First of all, mobile devices are definitely on the rise as malware targets. We don't see this much inside the US, but that's mainly because of our stunted growth in the area of cell phones. In places like Japan and the Netherlands, where they have the latest phones and use them for things like micro-payments to make purchases from vending machines, malware is common. It's less about taking control of the mobile device and more about social engineering the target. I guess this means our cell phone companies can start crowing about how their monopolistic practices are keeping us safe from malware.
Malware spread over Instant Messaging (IM) is definitely on the rise, and a new player is showing up: malware aimed at the players of Massively Multiplayer Online Role-Playing Games (MMORPGs). IM is becoming ubiquitous in the enterprise, and attacks on these systems are only going to rise as the various networks (AIM, YIM, MSN, etc.) start to allow messaging between them. The loot in various MMORPGs has started to prove it has real-world value, at least to the players, and so malware authors are aiming to get their slice of the money. So if you have that uber-leet sword or armor in World of Warcraft, you had better make sure you don't have a keylogger on your system, or you might log in one day to find you've sold it for 2 gold while you were in classes. (My MMORPG of choice is City of Heroes, which doesn't have loot, as such.)
There are a couple of commonalities to most of the upcoming malware threats. First of all, they're "hacking the head space"; in other words, social engineering is becoming a much more important part of malware. It's no longer enough to have a great vulnerability to compromise a system with; malware writers are enlisting the aid of their targets more often. The malware is becoming regionalized and targeted at specific organizations and their clients, using details about the source they're spoofing more and more often. Even belonging to a local credit union isn't proof against a spam attack, with associated malware, crafted specifically against you.
Second, zero-day exploits are no longer just a conceptual problem; they've become a constant problem. And I mean real zero-day exploits, not the marketing definition: exploits that have never been seen by Microsoft or any other vendor are starting to show up more often in the real world. As the malware writers morph from bored teenagers into professional criminals and the release of malware becomes an organized venture, crackers are being paid specifically to find these vulnerabilities. A cracker in Eastern Europe may get paid $5000 for their latest exploit, and there's not a lot that can be done about it. Even in the US, releasing an exploit is a grey area; in other parts of the world there are no laws at all against it.
It doesn't paint a pretty picture. But the good news is that many of the things we're already doing provide a lot of protection from these threats. Firewalls, anti-virus, anti-spyware, IDS, and limiting user rights are all good steps in keeping our enterprises safe from these new waves of malware. It's the home users who are going to suffer from most of the attacks. Education is the first defensive measure we need to take to help them, but is it enough?