Security gurus look for better ways to classify malware

Two senior security veterans from Trend Micro Inc. are trying to get the industry to change how it classifies malicious software.

They argue that today's classification system, which tends to focus on the technical way the software works, neglects a far more important metric that matters more to users: how it tries to steal your money.

"This is my pet bug-a-boo -- the unclear language," said David Perry, global director for education at Trend. "I come from 26 years of technical support, and it irks me that we protect people against things and they don't know what we're protecting them against."

Perry and Anthony Arrott will present their paper, "New approaches to categorizing economically-motivated digital threats," on Friday at a security conference in Vienna.

Take the term "virus." The proper definition of virus is a piece of software that replicates or makes copies of itself and attaches itself to other pieces of software.

But for nonsecurity professionals, it's "taken to mean the universal indication that there is something wrong with their computer, no matter what the cause," Perry said. Toss in relatively newer terms such as "Trojan horse," "dialer" and "adware" and the situation becomes a mix of confusing vocabulary.

Perry and Arrott stop short of proposing a new taxonomy. However, they do detail some parameters that should be considered when building a new framework to categorize Web threats.

Although malware categorization systems exist, a new one is necessary because of the focus on economic crime. The "business" models behind the malware are far easier to define than the infinite technical variations that the malware can take, they write.

Malware can then be classified into fewer, overlapping categories would help deflect "the endless efforts to determine the exact definitions of the boundaries between categories," Perry said.

The new groupings would ideally take into account how a threat is installed, its economic purpose, how it exploits a host computer as well as how it hides itself from detection, the paper said.

Another new metric that could be considered is the persistence of threats, since it may more accurately frame the scope of an ongoing fraud. The antivirus industry has tended to focus on "top 10" lists, which indicate the most frequent recent threats but not the most successful attacks over time, the paper said.

Trend Micro researched over time fraudulent antispyware programs that were most persistent on computers. This research indicated the diversity and depth of fraudulent programs such as Winfixer or the Zlob Trojan, which purport to fix security problems but install advertising software instead.

"Rogue antispyware is just on example of economically-motivated threats where chronic persistence is more significant than acute outbreaks," the authors wrote.

Perry is hoping for fruitful discussions on taxonomy, although he said the security industry is notoriously fractured and not exactly known for working well together. "There are no grown-ups in this industry," he said.

Ultimately, Perry believes the proposal is "a bid toward accuracy and to deconflict the issues that face us as an industry."