Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

How to Identify Malware in a Blink

When a new disease surfaces among humans or animals, the first thing we notice are the patterns of spread – not the structure of its DNA.  

When a new disease surfaces among humans or animals, the first thing we notice are the patterns of spread – not the structure of its DNA.  

Let me use a few examples to explain what I mean. Take two random and unknown diseases, and say that you notice that almost everybody with the first disease was in contact with another infected person, while almost everybody with the second one ate spinach very recently. You already know something about how these two diseases’ patterns of spread, don’t you? Identifying Malware

Take the first disease now. Everybody who got it became ill three to five days after the infected person they know became ill, and everybody who got it kissed somebody who also got it. You know something about the incubation time and the way the disease transmits now, right? 

It may take months after people know how to minimize their risks of becoming infected before pharmaceutical companies have succeeded in understanding the structure of the virus or bacteria, and started to develop a cure. 

Why do we treat malware epidemics like we were pharmaceutical companies? 

To deal with malware epidemics, we build honey-pots, collect potentially malicious code, observe the code execute in sandboxes, and try to reverse-engineer the code. Why do we not simply observe how it spreads? 

Time for some examples again. Say that we have inferred that some collection of machines is infected. (We may know because we observed anomalous or criminal behavior, or because we ran a software-based attestation method.)

Say that the infected devices are mostly in geographical proximity of each other. Could it be a Bluetooth virus? Or say that the device owners are unusually tightly connected over social networks. Maybe it spreads using email or MMS? Does the infection spread like wildfire? Maybe not a Trojan then! All infected devices run the same version of the same operating system. What does that tell us?

Once we have classified the problem, we are halfway there. We know where countermeasures need to be applied. 

A Bluetooth virus needs a patch – but only for devices in the affected area. Malware propagated by MMS can be slowed down by filtering or delaying suspect messages. Trojans can be fought using cloud-based whitelisting and blacklisting methods. And if we know the operating system and version, we know something about the vulnerability. 

The faster we can react to outbreaks, the better off we are. As the pace of malware evolution increases, we need to keep up. If we do not, we are asking for trouble. 

Related Column By Markus Jakobsson: Looking for Malware in All the Wrong Places

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.