Connect with us

Hi, what are you looking for?


Malware & Threats

How to Identify Malware in a Blink

When a new disease surfaces among humans or animals, the first thing we notice are the patterns of spread – not the structure of its DNA.  

When a new disease surfaces among humans or animals, the first thing we notice are the patterns of spread – not the structure of its DNA.  

Let me use a few examples to explain what I mean. Take two random and unknown diseases, and say that you notice that almost everybody with the first disease was in contact with another infected person, while almost everybody with the second one ate spinach very recently. You already know something about how these two diseases’ patterns of spread, don’t you? Identifying Malware

Take the first disease now. Everybody who got it became ill three to five days after the infected person they know became ill, and everybody who got it kissed somebody who also got it. You know something about the incubation time and the way the disease transmits now, right? 

It may take months after people know how to minimize their risks of becoming infected before pharmaceutical companies have succeeded in understanding the structure of the virus or bacteria, and started to develop a cure. 

Why do we treat malware epidemics like we were pharmaceutical companies? 

Advertisement. Scroll to continue reading.

To deal with malware epidemics, we build honey-pots, collect potentially malicious code, observe the code execute in sandboxes, and try to reverse-engineer the code. Why do we not simply observe how it spreads? 

Time for some examples again. Say that we have inferred that some collection of machines is infected. (We may know because we observed anomalous or criminal behavior, or because we ran a software-based attestation method.)

Say that the infected devices are mostly in geographical proximity of each other. Could it be a Bluetooth virus? Or say that the device owners are unusually tightly connected over social networks. Maybe it spreads using email or MMS? Does the infection spread like wildfire? Maybe not a Trojan then! All infected devices run the same version of the same operating system. What does that tell us?

Once we have classified the problem, we are halfway there. We know where countermeasures need to be applied. 

A Bluetooth virus needs a patch – but only for devices in the affected area. Malware propagated by MMS can be slowed down by filtering or delaying suspect messages. Trojans can be fought using cloud-based whitelisting and blacklisting methods. And if we know the operating system and version, we know something about the vulnerability. 

The faster we can react to outbreaks, the better off we are. As the pace of malware evolution increases, we need to keep up. If we do not, we are asking for trouble. 

Related Column By Markus Jakobsson: Looking for Malware in All the Wrong Places

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.