I am sure that you know this song. Yes, Daft Punk absolute rocks, although this post is about malware not the band.

Anyway, I was going through some blogs today and I stumbled across some articles regarding a malware affecting MacOS. Apparently this piece of malicious software is of a type downloader/installer. All it does is to connect to a remote server, fetch the payload and execute. Nothing special really!

One advantage this malware has over other types of malware is that the payload can be changed over time, which is cool. However, the antivirus folks will continue taking samples of the new payloads and add more signatures to their software. The game is on!

At the end of the day, regardless whether the malware runs for MacOS (the new hype), Windows or Linux, it is composed of pretty much the same routines. If you think about it, there is a common pattern among most malware, which means that at some point, once we have better technologies to map any given application behavior, we will be able to insulate potential problematic processes and perhaps even drop them in a sandbox while running. Actually, this is possible today to one degree or another.

My point is that once a malware sample is found, it can be quite quickly neutralized. We know that Antivirus software is not perfect but at least antivirus vendors try to solve a quite complicated problem, so you have to give them some credits. The key point which we have to draw from all of this nonsense which I wrote so far, is that we do not know if a particular type of malware exists until we find a sample of it, which brings me to my main point in this post:

What if it is not possible or it is very hard to get a malware sample?

I blogged about these stuff before, but my question still remains. What if the malware does not persist on the system, instead it weakens the security perimeter and than it destroys itself? What if the result of this weakening looks very similar to the environment you will usually find in corporate networks (yes, corporate networks tend to be quite weakened). In this case the antivirus software has no clue whether this weakening was intentional or not? I am not malware researcher so I am not sure if such a beast exists, but if it doesn’t than I find it scary that there is no practicel advice what to do apart from trying not to get infected on first place. I hardly doubt that antivirus software can do much about the situation either.

Ok, I will leave this concept to sink with you. If you have anything to say please do so bellow. Some may say, hey you spreading FUD, but I don’t think that this is FUD. I believe in impossibilities but some stuff are simply impractical for the time being.