They are well organized. They pay close attention to product quality, working hard to make it effective and scalable. They are all about customer service, providing after-sales support. They even solicit the help of their customers in product development.
All admirable qualities. But all in the service of theft.
They are malware merchants; in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for Malware as a Service (MaaS).
“The life cycle of (malware) products is the most amazing aspect,” writes Pierluigi Paganini, a certified ethical hacker and founder of Security Affairs in Italy, in an article posted this past week on Infosec Island. “From design to release to after-sales support, each stage is implemented in every detail with care and attention.”
The famous Zeus Trojan
One of the most famous examples is the Zeus Trojan, designed to steal banking information, which can be customized with new features demanded by its customers. There are an estimated 3.6 million computers in the U.S. that have been compromised by Zeus botnets.
In early January, the Israel-based security firm Trusteer reported on a new version of the SpyEye Trojan that, somewhat like a security camera hack, swaps out banking Web pages to prevent account holders from noticing that their money is gone.
Not that the botnet market is new. But it is maturing, and is more diversified and dangerous than ever.
Kevin McAleavey, cofounder and chief architect of the KNOS Project outside Albany, New York, who has spent more than a decade in antimalware product development and research, says this is a logical progression. “Today’s ‘professionals’ were once amateurs, and by that I mean the authors of the malware itself,” he says. “It should come as no surprise that what may have once been done ‘for fun’ can readily be monetized by criminal and government elements for their own purposes.”
The modern malware developer and distributor, he says, is selling not just the malware itself, but “the means to keep it hidden and from being detected.”
But, if these merchants of malware are operating like businesses, can’t authorities just track them down and shut them down?
Not so easily, it turns out. Most use the so-called “Onion Router,” which lets users conduct business anonymously.
Rats are easy to find
“The only time one has a chance to track down individuals is when they rat each other out,” says McAleavey.
It is not only the Onion Router, but the fact that they operate in countries where they are hard to reach — Latvia, Lithuania, Ukraine, Brazil and others — where McAleavey says enforcement is lax.
“Generally, these ‘kids’ are smart and don’t leave much in the way of tracking data,” McAleavey says. “They know how to layer proxies to cause the trail to go cold. Some people working for antivirus companies have successfully managed to audit the trails only to find the perps pull up stakes and move elsewhere by the time the authorities actually show up.”
The “app store” element of the business amounts to a detection test service, “where a site accepts uploads of packaged malware and tests it against every known antivirus engine with the latest updates and spits out who detected it and as what. So the kids go back, change the code and keep changing it until nobody detects it, whereupon it goes out.”
Paganini reports that Zeus offshoot Citadel offers a basic bot builder and botnet administration panel for $2,399 plus a $125 monthly “rent.” It also offers what McAleavey noted — a module for $395 that “allows botmasters to sign up for a service that automatically updates bot malware to evade the latest antivirus signatures.”
What should enterprises and consumers do? All of the usual things – don’t open odd attachments, even from those you know. Stay away from sketchy Web sites. Keep your antivirus up to date.
How social media can help
Paganini recommends public awareness and alert networks spread through social media. He would also like to see task forces composed of members from various sectors like government, industry, health and the military, “since we are facing cross-sector threats.”
But neither Paganini nor McAleavey is optimistic in the short run. “As long as there’s ways to get into Windows, and money to be made doing so, there will be no shortage of malware authors and those willing to make money servicing them — until the means of hijacking machines themselves is solved,” McAleavey says.
Paganini says there are no products on the market now that are able to block an enemy that “grows day by day.”
“We are completely unprepared,” he says, to fight a “perfect business machine that moves an amount of money equal to the economies of several nations.”