Posey's Tips & Tricks

What Happens When Malware Outlives its Intended Lifespan, Part 1?

Aging malware can remain dangerous long after its creators move on, leaving victims with fewer protections and no reliable recovery path.

Hardly a day goes by when we don't hear about some new security threat. Security pros rightly focus their attention on the latest active threats, but there may also be risks tied to aging and forgotten malware. In fact, there are a few different ways in which these types of risks can play out.

One of the risks that I hardly ever hear mentioned is tied to something that I like to think of as "abandonware ransomware." Here's how this works. Imagine for a moment that a criminal develops a new type of ransomware that is designed to exploit a particular vulnerability. Eventually, the vulnerability is patched and the ransomware author moves on to something else.

But here's the problem… Once ransomware enters the wild, it is there forever. Sure, in this particular case the ransomware is rendered ineffective thanks to a patch, but as we all know, not every system gets patched. Hence, the ransomware is still potentially dangerous to a certain percentage of systems.

The bigger problem is that if someone is unlucky enough to encounter this particular ransomware while operating an unpatched system, then they will undoubtedly become infected. The criminal who developed the ransomware however, has moved on.

The reason why this is a problem stems from the fact that while the ransomware is still capable of encrypting data and demanding payments, there may not be anyone to receive the payment or to provide a decryption key. The ransomware may be tied to a dead wallet or perhaps even to infrastructure that has been seized by law enforcement. In such cases, it's a safe bet that the mechanism that is designed to provide a decryption key is no longer online either. Often times ransomware is hard coded to link to specific servers or domains, and the servers may be unreachable and the domains expired. The bottom line is that with this type of ransomware, even if you pay the ransom, you're not getting your data back.

Some may be quick to point out that even if someone who is operating an unpatched machine were to encounter abandoned ransomware in the wild, there are other mechanisms at work that should be able to keep the machine from becoming infected. The first line of defense for example, is antimalware software.

The potential problem here however, is that it isn't just the criminals who might have moved on. Antimalware software vendors may also move on. Unfortunately, the harsh reality is that even though your antimalware software once had the ability to detect and protect against the ransomware in question, it probably won't have those capabilities forever. While it's true that each vendor has its own way of doing things, antimalware vendors do tend to remove malware signatures that they consider to no longer be necessary.

This raises the question of why on Earth an antimalware company would make a conscious decision to stop protecting its customers from a known threat. While I can only speculate, there are two reasons that come to mind.

The first reason is tied to the software's performance. Have you ever seen an application get so bogged down with data that it becomes painfully slow? The same thing can conceivably happen with antimalware software.

Customers expect malware scanning to happen in real time as they open files. The only way to keep the scanning process efficient enough to enable this type of real time scanning is to limit the size of the signature database. Hence, malware that is considered to be extinct may periodically be removed from the signature database (or consolidated with other signatures) as a way of making room for newer, active threats.

The other possible reason why an antimalware company might remove signatures from its database is if maintaining the signature is no longer economically viable. Normally, the signatures have to be maintained in order to prevent false positives.

Antimalware companies are businesses whose goal is to be profitable. There are presumably going to be costs associated with maintaining the signature database and it may not be worth the cost to maintain signatures for old malware that is considered to be extinct.

The bottom line is that aging malware can still potentially be dangerous. Furthermore, there is at least a possibility that it can no longer be reliably detected and, in the case of ransomware, there may no longer be a decryption path.

So realistically speaking, how dangerous is old malware to a modern system? Let's find out! In Part 2 of this series, I am going to try to intentionally infect a Windows 11 system with ancient malware to see what happens.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

Featured

comments powered by Disqus

Subscribe on YouTube