A Modern Twist on Malware Production

Malware has always been a threat to companies and computer users since the early days of the internet, however while prior malware was often created by individuals and small groups for leisure and fame, today malware makers are operating at an organizational capacity similar to legitimate corporations. This industry has been coined Crime as a Service and as the name implies, encompasses a whole new class of malware creators who do not just create the malware, but provide:  toll free support lines, ongoing updates to take advantage of zero day attacks, integrated product activation to protect against piracy, easy to use control panels complete with statistics about infection rates, and much more.

To get a better idea of the malware landscape, I interviewed Ziv Mador, the director of malware security labs for M86 Security.

Origin and Demographics of Attacks

According to Ziv, the majority of malware development originates in:  Russia, Romania, and a few Eastern European countries mainly because of weak and corrupt governments which are not able to keep organized crime in check. Additionally, many of the support, sales, and logistics of:  malware kits, stolen data, and more also are handled within these regions due to the lax government climate.

As far as attack targets go, while malware typically knows no bounds, Ziv mentioned that in most of his findings Western countries are the most targeted heavily for their wealth. In particular, bank fraud tends to have the highest reward for attackers by allowing them to access large sums of money in the shortest amounts of time. Because of the easy access to funds and limited fraud protection, on the black markets, bank account information tends to sell at prices significantly higher than credit/debit card numbers.

Additionally, as many malware makers prefer to have ongoing revenue, fake antivirus products and pay per install spyware often are integral to many malware makers by providing a fairly simple but effective way of monetizing their victims.

Attack Vectors

Although web browsers have been and remain the largest vulnerability point for end users, recent malware attacks have been shifting towards third party plug-ins such as Flash, Java, and Adobe Acrobat because the plugins tend to be less hardened and therefore provide better closer access to critical system files. Additionally, deploying updates for third-party programs on enterprise networks is significantly harder due to compatibility issues, making them a perfect target for attackers who are aiming for a high infection rate.

Even if you stay away from questionable sites normally associated with malware, today there is a new attack angle which allows infections to spread throughout legitimate websites without the owner or end user knowing. According to Ziv, this new form of attack is known as an iFrame injection and consists of a website being hacked and having a small code injection. Unlike the common depiction of hackers trashing websites and replacing them with obscene pages, today many infections occur in the background without notice. By using malicious code to inject hidden iFrames into a compromised website, malicious parties are able to have scripts download files to visitors in the background without warning.

This type of attack is so prevalent that according to Ziv, before launching an infection campaign, many groups will collect statistics from a few compromised servers and use that data to better target their attacks. While in the past malware used to be most prevalent on pornography and piracy websites, today even visiting a site as respectable as Facebook or Twitter could lead to an infection if a breach were to occur. Currently however, this form of attack is more prevalent on smaller independent websites where the owners fail to update and apply patches in a timely fashion.

Commercialization of Malware

As mentioned earlier in this article, the malware industry has gone from small groups of “hackers” to an industry with estimated transaction values of well over $1 billion USD. In particular the biggest sources of revenue have come from brokering stolen data and also selling malware kits. While in the past creating a virus used to require extensive technical knowledge – today, for around $1,000 USD, you can purchase a “malware kit” complete with:  a GUI for changing settings, ongoing updates for continuing effectiveness,  internal statistics to better target attacks,  and even product activation integrated by the creators to protect their creations from piracy.

This commercialization is not limited to malware.  Today brokers handling stolen data provide toll free support lines to handle reissuing data if it is flagged for fraud (common with credit and debit cards), and call centers exist to  provide criminals access to phone operators with any accent desired.  A crucial service for helping to expedite fraudulent transactions over the phone.

Closing Words

Overall, the details mentioned above are just a small sampling of today’s chaotic environment in computer security. As malware continues to be commercialized and commoditized information technology professionals of virtually every breed will have to learn to place security in the fore front of all projects. Although this article is more of an overview piece, at the least this article should alert you to the fact that today malware is not just being produced by lone wolf hackers. Rather syndicates now control the sphere, and as such, security must be given top priority to combat the increased threat.

Please leave your views and comments on the article in the Data Center Talk Forum