Debunking 10 top myths about malware

(Editor’s note: It’s a safe bet that most people aren’t cognizant of the pervasive and steadily rising threat of identity theft, online account hijacking, corporate data theft, and general disruption posed by cybercriminals and hacktivists. Malware techniques cycle from one technology to the next, repeating endlessly even as the technology continues to change. Mac malware has even become more of a threat throughout the years. In this guest commentary, Lysa Myers, a senior security analyst at Intego, outlines widely held misconceptions about malicious software, or malware, lurking on the Internet.)


By Lysa Myers

Suffice it to say, I’ve heard a lot of myths about malware, and I’m always surprised they’re still floating around and that people still believe some of this crud. My compulsive, nerdy need to correct people when they’re saying something un-factual has resulted in the following list of 10 malware myths that just won’t die:

“Malware isn’t really a problem anymore because it doesn’t make the evening news.”

Apparently the malware problem got fixed a decade ago because the local evening news no longer breathlessly tells people to update their antivirus to protect against the latest outbreak. Malware outbreaks used to be novel and newsworthy. Now they happen so often, news outlets would end up filling their entire broadcast discussing the new threats that keep popping up. Just because you’re not seeing malware warnings every time you turn on your TV to watch the evening news doesn’t mean these threats are no longer a problem. In fact, malware and online threats are getting steadily worse, especially for Mac users.

“Malware is created by pimply teenagers simply for bragging rights.”

I can’t really speak to the skin condition of today’s malware writers, but they’re sure not infecting people for the lulz anymore. That may still be true on the hacking side of things, but nowadays malware is largely all about the Benjamins, as they say. Financially motivated malware is big business that operates much like a software company in that groups of individuals cooperate and have separate responsibilities in creating and distributing malware. That was the ostensible purpose of Flashback, but because they got too big too quickly, they got noticed and emerged with nothing. You gotta keep your head down if you’re gonna get that cash!

“I can protect myself from malware by not going on porn/warez sites.”

Sites for sharing pirated software are definitely not part of a safe Internet experience, but porn sites can actually be safer for your computer than you might imagine. A lot of the more problematic malware events of the past few years have been due to compromised, legitimate websites, especially if they use ad networks. Your friend’s blog, that site with all the cute kitten pictures, even some fairly major reputable websites get hit and start serving up malware. Avoiding the “dark and seedy corners of the Internet” is no longer a sufficient measure to keep your computer malware-free.

“I can safely open this attachment because it appears to be from my friend/family/trusted authority.”

Remember that whole Melissa virus thing that happened about 14 years ago? That one did make the evening news. It was a large-scale malware that spread via email, appearing as if it had been sent by someone in your address book (so, probably by someone you know and trust). And yet, people are still blindly opening unexpected attachments that appear to come from friends, family, or trusted companies. Email still remains a very common attack vector, and people are still being scared or enticed into opening unexpected attachments. Always remember to stop, move your cursor away from that attachment, and check with the sender before opening it!

“I’ll know if I’m infected because malware is noisy.”

…Because Hollywood blockbusters are a solid place to go for factual information about computer security. You can’t upload computer viruses to an alien spaceship from your Mac laptop, and they don’t all come with images of laughing skulls. But even on a more subtle level, malware won’t necessarily cause your network speed to grind to a halt or cause visibly wonky behavior. Malware is quiet. Nothing unusual appears to happen. It quietly infiltrates your system and starts sending your sensitive data to its controller.

“I don’t have enough money/data/CPU power to be valuable to malware authors.”

Most malware authors are looking for the lowest-hanging fruit. Yes, they may only make a few bucks from your machine by stealing your data or using your machine to send spam. But if you multiply that few bucks by 10,000 other infected users in the same boat as you, it can add up to a nice little payday for cybercriminals without drawing too much attention to themselves.

“Malware is only a problem on Windows.”

Malware is certainly a big problem for Windows users, but cybercriminals are not going to let millions of users go unmolested just because they’re on a different OS. As other operating systems have increased in popularity, malware authors have sought profit on those systems as well. Android has been seeing some huge increases in the amount of malware, and OS X has had a definite increase lately as well (most notably, Flashback). And while we’re at it, there is no one browser or other piece of software you can avoid that will keep you safe from malware.

“Malware that doesn’t do damage isn’t a problem.”

If you don’t think cybercriminals having access to your computer and all the important data on it is problematic, more power to ya. For most of us, however, that sort of security breach would at least lead to a whole lot of hassle, if not outright financial loss. People downplay the severity of malware if they feel it’s unlikely to do them harm. Besides, malware isn’t made for bragging rights anymore; thus, malware that spreads just for the sake of spreading doesn’t really happen anymore. If it’s not useful for stealing your data or CPU cycles, it’s not really worth a malware author’s time to create.

“Buggy/invasive software is malware.”

This myth is one we deal with a lot in research labs. People feel like we should be detecting any old thing because they’re angry about a vendor’s behavior or product. Just because you don’t like a specific piece of software or are disappointed by it doesn’t mean its intent is malicious. The mere potential for a piece of software to cause damage is not enough to qualify it as “malware.” Basically, if the intent of the software is not to defraud or damage someone, it’s probably not malware.

“Malware is created by antivirus vendors.”

It’s cute that some people think we have so many extra resources, we’re sitting around making up problems to solve. Most anti-virus companies are very strict about not hiring people they even suspect have written malware. The skills useful for writing malware are very much different from those that are useful for finding, analyzing, or writing detection and removal of malware.

Malware itself is a big business that makes its authors a ton of money. That’s motivation enough for hundreds of thousands of new malware to be created each day, without security companies having to add to that in any way. Our hands are full with dealing with the tidal wave of samples, plus sharing information between researchers and law enforcement to shut these bad guys dow
