Some computer consultants say the global malware threat has gotten so bad that conventional security measures, such as anti-virus software, are no longer adequate to fight them.
Anti-virus programs are “totally useless,” says Mohammad Mannan, an assistant professor at the Concordia Institute for Information Systems Engineering in Montreal.
“If you use them, you might even be vulnerable [to malware] to some extent,” he says.
A recent Visa survey showing that 92 per cent of respondents under the age of 35 had been the target of phishing scams demonstrates the tenacity of the hackers who are trying to seize personal financial information.
Anti-virus software works on the principle of identifying malevolent files and infected sites. But because of the sheer volume of malware online nowadays, rather than blacklisting bad sites we should be “whitelisting” the good ones, says Stu Sjouwerman, founder and CEO of U.S.-based computer security consultancy KnowBe4.com.
The amount of malicious software — better known as “malware”— circulating on the web has grown significantly in the past decade.
According to figures from virus detection sites, in 2002 there were an estimated 17 million known “good” executable files from various existing applications on the commercial internet, while antivirus engines detected two million nefarious ones.
By 2012, there were 40 million known good files and 80 million bad ones.
The main driver of this shift is cybercrime, says Fabrice Jaubert, a software developer who works with Google’s malware detection team in Montreal.
In the past, malware was often the work of malicious individuals or pranksters looking for recognition of their coding prowess. But according to Jaubert, computer attacks nowadays are perpetrated almost entirely by organized crime.
“It’s 100 per cent criminal – or 99.99999 per cent,” says Jaubert. “The end goal here is money — big money.”
Criminal hackers look for ways to install malware on your computer for the purpose of stealing your passwords, credit card numbers and banking information — which they can sell to other criminals — or commandeering your computer to distribute illicit material such as porn.
Cybercrime is estimated to be a $3 billion US industry, and its perpetrators are largely based in eastern European countries such as Romania, Russia and Ukraine, says Sjouwerman, author of Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
One of the reasons malware is such a widespread problem is that it has become harder for consumers to detect, says Tony Anscombe, senior security evangelist for anti-virus firm AVG.
“Malware viruses used to be disruptive — if you got one, you knew you had it. Now, they’re deceptive and hide in the background,” Anscombe says.
There are a number of ways hackers can get into your computer, but nowadays, a lot of it is accomplished by “social engineering.” For example, you may get an email or even a phone call that appears to be from a bank or a tech support representative asking you to open an email attachment or to click through to an infected website.
In the face of this ever-present threat, computer security firms have made billions of dollars selling anti-virus software to consumers.
The major problem, says Concordia’s Mannan, is that anti-virus software is by nature reactive, which means that it responds to specific malware after it has been distributed. Should a malware writer change a few lines of code, however, that anti-virus solution suddenly becomes obsolete.
It’s the sheer number of malware variations that makes it impossible for anti-virus software to effectively combat the problem, says Mannan. To illustrate this, he points to the Storm botnet of 2007, a sophisticated piece of malware that affected millions of computers worldwide and generated 8,000 variations of itself every day.
“How many updates or variants are you going to catch, if you’re an anti-virus company?” Mannan asks.
But while anti-virus software isn’t foolproof, it’s “a long way from useless,” says Brian Bourne, co-founder of Toronto's annual SecTor cybersecurity conference.
He likens anti-virus software to locking the doors of your car.
“It doesn’t stop someone who's motivated from stealing your car, but it does force them to put a little bit of effort in and it does mean you’re not quite as easy [a target] as the unlocked car beside you,” he says.
Google’s Jaubert says that in recent years, some hackers have even taken to posing online as anti-virus companies with legitimate-looking websites, finding victims by ironically playing on their fear of malware. They offer "virus scans" that are actually malware.
Given these overwhelming threats, Sjouwerman believes whitelisting is vital to keep web surfers safe.
The principle is similar to verified accounts on Twitter, which was a response to the proliferation of bogus accounts (usually ones pretending to belong to celebrities). Rather than identifying all the fake accounts, Twitter’s verification process simply certifies the legitimate one.
Whitelisting has been around for more than a decade, says Mannan, but only a few companies offer it right now.
The way it works is that anytime you surf the web, the whitelist prompt appears in your browser. If you go to a website that has been penetrated by hackers, the browser pops up a stern warning telling you not to proceed to the site.
Google’s Chrome browser “has this to a degree, but that’s all based on blacklists,” says Sjouwerman.
Whitelisting would keep a list of good sites on your workstation and in the cloud, which is a “sanity check” for the list on your computer.
Sjouwerman is convinced it’s the only way to deal with the growing malware threat.
“We need to do a 180, and we need to stop keeping the bad guys out, because you can’t keep up,” says Sjouwerman.
“That’s why I’m on an evangelizing rampage to tell people we need to go to whitelisting.”