Wednesday, September 11, 2013

Malware: the blame game

As you may know, there's a never-ending debate between who's at fault when a user is infected:
  •  is it the user for being "gullable" or being social engineered to click on a malicious link?
  •  is it the fault of the antivirus or antimalware application for missing an infection?
  •  is it the fault of the administrator in corporate networks for not having proper policies?
  •  last but not least side-question: is antivirus useless?

Here's an excellent article which goes deeper into these questions and discusses about it:
(TL;DR: Imperva performed an antivirus test with doubtful and possibly improper testing methods and the (antivirus) community reacted on it)

My personal opinion? There's only one group to blame here which seems to get missed in these debates: the malware writers themselves. After all, the people who create (and use) the malware are responsible for the millions of infected machines and affected businesses, which may both lose a considerable amount of money by either
  • users: paying up to ransomware or rogueware, or CC (Credit Card) theft or fraud
  • businesses: personal records stolen (user/password databases), business plans stolen, not to mention the financial & productional losses.

So what's the endless discussion about and why are we not blaming the malware authors and botnet operators? (to learn more about botnets see my blogpost: the botnet wars: a Q&A)

Here are the main points antivirus companies are blamed on:
  • making money on the back of the customer and 
  • not protecting well enough.  

How much of this is true? Is antivirus dead? My only comment about this:
antivirus provides a good (basic) layer or level of protection on your machine. Is it sufficient? Maybe. Do you need extra protection? Depends. If you're a normal "home user", an antivirus and firewall will surely suffice. Free or paid antivirus doesn't really matter at that point. If you're in an organisation or corporation, antivirus will surely provide a good base to start from, not only signature-based but heuristically as well.

But you'll need more. Ideally, you need an extra set of eyes just for monitoring unusual behavior in your network. Is this realistic? Maybe. Are there solutions specifically designed for this on the market? Yes.

I won't go any deeper into the points above, as it's been discussed & debated upon many times.

Moving on:

Do ISPs (Internet Service Provider) need to take an arrow in the knee for this? How many and which ISPs are already detecting machines which are infected? These are newer and interesting questions as well. ISPs are obviously not responsible when a user is getting infected, however... When that machine in question starts sending out quite a lot of traffic (zombie), does the ISP need to take action?

In my opinion, if there's indeed an unusual load of traffic coming from a machine (sending out mass emails, trying to DDoS a box, ...) the ISP should indeed warn the user.

Some ISPs already do this, for example:
CenturyLink, KPN, Time Warner, Xs4All, Ziggo, ...

Getting back to my original point. Whenever there's a big "outbreak" of malware or there's a so called "APT" (Advanced Persistent Threat) found, people from several branches of the industry are very fast to point fingers or play the blame game (hence the title of this post). Examples:

  • You have no proper security implementations!
  • Your $securitysolution sucks! (use ours!)
  • You(r employees) are easily fooled!
  • You use Windows!
  • ...

It so appears that every single person is forgetting the simple fact that malware writers are actually the cause of one's computer issues. Not antivirus. Not Microsoft. Not the user. Not the ISP.
You can basically view these as buffers. Buffers against the malware. Buffers against the bad guys. Yes, you reading this now, you're actually a buffer as well! Do you have any idea on how often companies are suffering from attacks? How many attacks are actually prevented by $securitysolution, sysadmins and even users?

So, let's state it clear for once and for all. There's only one entity to blame:
the malware writer / botnet operator / put-other-synonym-for-bad-guy-here

Why am I using the word "entity" you may wonder? Well... You must know that malware writer and botnet operator aren't actually synonyms (as opposed to suggested above). The malware writer isn't necessary a botnet operator or the other way around. One thing's for sure though: they both take the blame here.

The malware writer for creating and distributing the malware in the first place.
The botnet operator or herder for consequently infecting users.

Here's a simple flowchart I made about how the current "blame" situation is:
(the direction of the arrow indicates who is blaming who)

Note: may differ from current view

An ideal flowchart would be:

An ideal world?

I propose a new model. One where nobody gets the blame, except for the malware writer malicious entity.

A model where nobody points the finger to the user, which seems to happen in quite a lot of the cases. 

Indeed, a joint effort is necessary in this particular subject. It requires effort from all the involved parties. 

We'll start with each and go build our foundation, our basis:

The user:

  • Should know his or her responsibility and consequences when browsing the web
  • Should install an antivirus & firewall (free or not is irrelevant, as long as both elements are present)
  • Should know there's no 100% protection. There's a maximum of 99(,9?)% protection at least.
  • ... That's basically it.

The antivirus vendor:

  • Should acknowledge the user.
  • Should know the user's needs and shortcomings
  • Should know there's no 100% protection. There's a maximum of 99(,9?)% protection at least.
  • ... That's basically it.

The security company:

  • Should acknowledge both the user and the antivirus vendor
  • Should keep giving feedback for both instances
  • Should acknowledge the cat and mouse game between "viruses" and "antiviruses"
  • ... That's basically it.


  • See The antivirus vendor and The security company

The 3rd party app:

  • Should acknowledge the user
  • Should know the user's needs and shortcomings and therefore:
  • Simplify the processes while increasing the security (not easy, I know)

That's basically it. If by now you're still thinking things like "users are gullible", "X antivirus is really bad", "Y security company is really lacking", "Windows is filled with vulnerabilities", "Java, Adobe, etc. are so easily exploited", .... Then you missed the point of this post. Start again from the top.

The foundations suggested above are what they are, foundations, and is how I see it. Your foundations may differ depending on the situation you're in, but in the end we're all in the same situation:

"fighting the malicious entity".

That is why there's a need for cooperation, coordination. There are countless possibilities, but to give a few examples for a kick start (for once let's get a step ahead of the bad guys):

The 3rd party app:

Not too many options here, besides:
  • listening to feedback from security companies and researchers and
  • prioritize security and provide sufficient information about security patches.

  • Continue the cooperation that currently exists between security companies and others
  • Share your research, especially new malware trends. Everyone benefits!

The security company:
  • Continue the cooperation that may currently exist between you and other companies
  • Found anything interesting? Don't hesitate to share. 

Note: I realize there are sometimes reasons specific findings or research may not or cannot be shared. Obviously these specific situations should not be shared then. If you're in this industry, I'm sure you'll know why. An alternative some companies are applying is simply not naming who or what has been affected, but still outlining the incident, solution approach and solution on itself.

The antivirus vendor:
  • Consolidate your resources. There are countless researchers out there who are simply eager to share their findings, suggestions, research or simple MD5 hashes with you
  • Share your own findings as well when there's an "APT". Do not simply use it for the next big marketing move
  • Share, where appropriate, MD5 hashes so the community can benefit.

The ISP:
  • Warn your customers when you see an unusual and/or malicious high traffic load from end-users

The webhost or hosting provider:
  • Provide clear, useful and enough information on how to send an abuse report

Note: I realize there are more than enough (malicious) webhosts out there which do not list an abuse@ address, provide a fake one or do simply not reply. If you are a webhost, start implementing proper security checks so there's no malware being hosted on one of the websites you provide. Provide an email address or online form where security companies and/or researchers and users can send their abuse reports.

Last, but not least:

  • Don't panic. Panic is a bad counselor. Stay focused and note down what happened or at least what you noticed or think what happened. What did you do right before the culprit happened?
    Did it turn out your version of Office or Windows is illegal?
    Did you click on a link? Did you pick up a call from "Microsoft Support" but ended up in paying countless dollars/euros/pounds/etc. for a problem that didn't even exist in the first place? 
  • Have you been infected with malware (in particular banking malware or ransomware)? 
  • Were you the victim of CC theft, identity theft or any other form of online fraud or theft? 

Report it to the correct instances. Sadly, I found very little useful websites in regards to those situations. Prevention tips are scattered everywhere, but what to do afterwards, when you sit there and think about what has happened, well, that information is very scarce. What I did find is listed here:

Is this of no useful information to you? Exactly. More resources should be available for this.
"What now?":

  • Contact your local police office and file a "cybercrime" complaint: you're a victim!
  • Consult the website of your local CERT - Computer Emergency Response Team - Often they have additional information or may even have a hotline or contact form to report your incident.
  • ...


In this post I have addressed the current situation in regards of a malware infection and its results. Who is to blame? The answer is simple: the malicious entity. This may sound mysterious but as indicated above, I mean the malware writer and/or botnet operator. You can also call it the "cybercrook" or "cybercriminal" or whatever term best suits your needs.

I have proposed a new scheme, a new situation, a new model where we can all benefit from. Insights have been given and hopefully something can come out of it. As a matter of fact, it all boils down to these 3 points:

  • You are not to blame, only the malicious entity is to blame;
  • Look at yourself before pointing the finger to others who have in fact provided you all these years with resources!
  • Work together. Cooperate. Coordinate. Consolidate. You may call it "the 3 C's".
    Be victorious in your efforts to stop "cybercrime" once and for all!

Originally I had named this blogpost "Responsibility with malware infections", but as the post (yes, you may call it a rant if you like) continued to grow, I realised the current title fits the subject in a more appropriate and understandable way. Though you should still take your responsibilities when this kind of incident happens.

Questions? Comments? Feedback? Suggestions? I'm all open for it. Give me a shout-out on Twitter or simply post a comment below. I'll try to answer as soon as possible.


  1. amazing post Bart, keep it up!!

  2. Thanks man.. I will be sending this around my office tomorrow. I do think everyone spends a ton of time pointing fingers at each other instead of just saying that .1% got us.

  3. Great post. Grammar is a little screwy, and make the site look light and inviting please.

    1. Thanks! Each to his or her own writing style I guess ;-) .
      I did make the site lighter and easier accessible, but of course there's always room for improvement.

  4. interesting point of view, maybe some marketeers will now realise their marketing campaigns should be more useful instead of just constant FUD....

    1. Thanks!

      While marketing plays quite a role (ie. communication about new threats to media), it's not always fully FUD, but I do understand your point.

      The most important part however is that users learn something from antivirus' vendors blog posts, rather than get the full load of FUD over them.

  5. It's easy to blame the criminals when your computer got infected. It's easy when you blame burglar when he broke into your house. What if you left the door open, is he still to blame.... yes, but you made it very easy for him, too easy. Although no one should ever enter your house without permission, you know that burglars are there, you know you have to close the door when you leave, just commonsense.

    The same for computer users; we all know malware it out there, we have to protect ourselves as you described in your post. So if your computer got infected and you want to blame soneone, you have to check if everyone took his/her responsibility. You cannot simply blame the cybercriminals, simple because it is too easy and not helping you to imporve the level of security.

    Only when you know who is really to blame for a specific infection on your system, you can improve the protection of your system!

    1. Thanks for your feedback! You make some valid points.

      However, realizing the malware writers are the only ones to blame is a good start... It won't help much but the main intention of this article was to basically stop the finger-pointing to other parties who have helped protect your machine(s) in the past and suddenly get the blame.

      Everyone needs to improve, everyone needs to step up their game and take their responsibilities. The bad guys will (unfortunately) not disappear into thin air, which is why we need to work together - not only all the technical parties, but users as well.

  6. Quote "If you're a normal "home user", an antivirus and firewall will surely suffice. Free or paid antivirus doesn't really matter at that point."

    Free or paid antivirus does matter, especially for "normal home users". Only if you know the real difference between a free and a paid solution, you can decide what is the best for you to protect your computer.

    You and I can decide what's the best for us to use, but (with all the respect) my sisters can't and they are normal home users ;)

    1. In this specific aspect of the article I decided to state that free or paid antivirus do not matter, as long as there's an active protection on the machine (AV + FW).

      The debate about free versus paid antivirus is an entirely different one and I might take it on my plate someday as well ;-) .

      Of course! The standard reply would be "test X or Y antivirus and see what best suits your needs". If users come to us with questions, we'll answer them and point them in the right direction, but I see no need in "holding their hand" the entire time when they browse the web.

      This is why all the parties need to realize there's a need for change. And of course the 3 C's which I mentioned in the conclusion.

  7. Many security problems are created by design (OS, network, etc). For example, spam.
    And ISPs are good example, they can't afford lose customers and they can't do security for all their customers. So, problem stays.
    Another good example are abuse e-mails, by design useless or ineffective.
    Conclusion - if the security problem costs more than, for example, 200 000 USD, it will be solved (maybe). If there is a problem with your neighboors unsecured wireless or your blog deface from China - nevermind.
    Another interesting point - often you hear advice, that suspicious machine should always be reinstalled, because you can never be sure. And it's advice from Microsoft security professionals. And it means - it's by design, if there is no 99% sure way to proof that system isn't still infected :)
    Nowadays IT security isn't like physical security. In IT security you can't buy expensive "steel box" and feel relaxed. It's like dark magic and good luck - depends on what is attacking you.

    1. Good points! Although I do agree that many security problems are flawed by design, I do not agree on the point that an @abuse contact would be ineffective. There should at least be a way to be able to make contact, right?

      That advice is indeed very old, and I'm afraid it's correct most of the times. Interesting that you note Microsoft gave this advice themselves though.

      I totally agree! Just buy a mysterious box and let it sit there - it will do all the work for you. IT isn't voodoo (well not always), so it should be made more accessible for everyone who even has the slightest interest. Also, the person who buys a box should understand there's simply more to it than that.

      And yes, luck plays a part in here, it depends on who is targeting you. (state-sponsored malware anyone? ;-))

      Thanks for your feedback!

  8. Altough I think that the issue of "blame" is valid and important, in view of the current developments and the trend of "BYOD" in a professional environment the issue of prevention and failing that, damage control, is the most important. Cybercrime like any other form of crminality has become a part of our day to day functioning, and it will take a consolidated effort of all parties concerned to try and limit its impact om both our professional and private lives.

    We should also realize that even people who are not using this kind of applications themselves are affected by the consequences of them. The money involved in fighting this are affecting everyone, not just the people using the system actively.

    1. Very true, Patrick!

      "and it will take a consolidated effort of all parties concerned to try and limit its impact om both our professional and private lives."
      This is the essence of my blog post, a consolidated effort of all parties is necessary to counter these threats.

  9. You've raised a lot of points here, Bart, and I tend to generally agree with them :) I'm not much into finger-pointing, although I see that everyday, but I personally believe that all of us involved in security--yes, that includes users, too--have a certain responsibility to keep. The bad guys, more often than not, never bothers to take any sort of responsibility for what they did. If there is any "positive help" they can give us is that they make us realize that we made the wrong choice of leaving our systems not as secure as they should be. Acting on this realization is very important.

    We can blame the bad guys all we want, too, but at the end of the day, we, the potential victims, get to be responsible for keeping our systems as secure are possible and our computing habits as worthy of emulation as possible. What we see out there right now may seem like a dirty job, but it should not just be the job of one I believe.

    1. Hi Silva, thanks for your reply.

      Correct indeed! Realization of the possible dangers on the web is a first good step for users.

      I'm not saying blaming helps anything, but that is also a step in the good direction - transferring our focus onto the bad guys. Exactly right, through cooperation we can succeed!

  10. well written and you make some valid points, well done! you're right when saying not too many info is available after your bank account has been cleared out, never had it before luckily :)

    1. Thanks! I can only imagine what a nightmare it would be to have your bank account cleared or being impersonated for example.

  11. this post is appreciable, I really like it!

  12. Nice pleasant to read with the new background! I'm waiting for more nice articles! I hope more CEO's and System administrators read this blog. More cooperation is needed.

    1. I did improve the blog a bit, glad you noticed! Thanks for your feedback!

  13. Good post Bart, finally the target is clear... more cooperation is needed.

  14. I found this information on the "forum" and was very impressed to your post.

  15. Thanks for share knowledge .it will be helpful for us.

    1. My pleasure! And thanks for the comment :-)

  16. @Bart you have touched very interesting points in your article. I totally agree with you. The real point is that our enemy is the malware, not the security software, there are a lot of comments like "Antivirus A sucks", "Antivirus B is bad", "Antivirus A is betetr than B", etc. but the real question should be who damaged our computer ? The Antivirus or the malware ? The malware. Who has or tried to bypass the security software ? The malware. Don't forget that is always the malware that try to infect your system, and don't forget that when there is a door, there is always the 0000000.1% for the malware to find a hole and enter in the room, including social engineering attacks, MITM attacks, etc. This should be taked into consideration from both users and security software vendors. But again, the malware is the author of the intrusion. It is really hard to handle and detect all types of malware, but we should not forget that the malware remains our enemy, not the security software, so we should always blame the malware, why ? Because it is the intruder, that tried to bypass the security software, install in the system, steal sensitive information, hijack security software, etc. The user should also understand how to correctly and safely browse the web, that it is not safe to install unknown software without prior checks, to not open every attachments on emails, to not buy everything that is cheap from online shops (counterfeits), to not trust everyone, etc. For sure security software should better cooperate with each other to take down the malware domains, C&C, botnets, and more easily share information. I think there should be less comparison-propaganda and more sharing-cooperation motivations. In my personal experience is very hard to shutdown a botnet, especially big botnets, instead it should be at least easier, when there are enough proof of botnets, the domain registrar and/or the IP owner should immediately take the needed actions, without too delays and/or very long silence. Domain registrars should handle somehow a blacklist of specific email addresses used to frequently register C&C domains and malware domains, there should be more monitoring from the domain registrars, probably. I also believe there should be more information coming from TVs and schools, the WWW is going to be used by almost every user on the world soon, and the social networks are becoming extremely popular too, without the correct information and without the "you-should-not-do-this" or with the "you-can-do-this-if" propaganda there may be always caos, that may benefit the malware, because even with a basic knowledge the user itself can reduce a lot the percentage of infection, just following some recommended steps to stay, at least a bit, safe online.

    1. Excellent post Rob, I agree with you 100%. Especially your last paragraph makes a lot of sense: almost everyone is on the internet right now, without too much knowledge of the dangers that lurk there.

      A basic knowledge about the hidden dangers should at least be known to the users, especially with all the social networks out there, they can be easily exploited.


  17. I have to admit that i not agree 100%. First i have to say that im not a native English speaker so maybe my interpretation of words is wrong.
    I would rather say "Fault" or "responsible" then "blame", because then its easier to give the right answer: the malware.
    But if you show steps how everyone can improve the situation (and i agree with your ideas; for corporate users you should add CEOs) that means IMHO the situation before wasnt optimal. And without blaming everyone should ask him-/herself if he/she could have done things differently. Again: not for the reasdon of "blaming" (that doesnt help anyone) but to find out where everyone can improve themselves.


    - as a vendor: if you cant give 100% protection, dont promise that

    - as a consultant: was the suggested solution for the client the best solution for me or for the client?

    - as a vendor: if i implement a new function, do i think also about security?

    - as a user: could different behaviour have prevented what had happened? Do i know where to look for help when something goes wrong?

    - as a company: how can i help my users?

    - as an IT pro: how can i help to improve IT security for friends/neighbours/everyone?

    The problem (IMHO) is that too often some one asks the question "why did that happen" only to have someone to blame. But we shouldnt care if someone could have prevented this, we should *only* ask "how can we improve to protect the system better in the future". But very often companies stop after finding someone to blame but never improve.

    And yes, you could have compress this blog entyr into one line;-)

    Talk more, not less!

    PS: we (as part of Security industry) should not blame the users for not listening to us, we should ask ourselves why people dont listen to us.

    If you want to change the world, start with yourself.

    1. Excellent comment Thomas and thanks for your input!

      You are absolutely right: we should all improve. I believe better cooperation is key here. "Responsibility" might have been a better word here, but I choose "blame" on purpose so people would find it easier to identify themselves with the situation. (like: "hey, my friend/boss/whoever does that!)

      Your examples are hitting the nail on the head, for sure. We should ask how to improve to protect the system and the user. Unfortunately, this is mostly only AFTER there has been an incident. (but better late than never, right?)

      Thanks a lot for your feedback!