Perimeter
5/17/2011
08:24 AM
Gunter Ollmann
Gunter Ollmann
Products and Releases
50%
50%

Today's Crimeware Life Cycle

Advanced malware is a slippery beast, but understanding its crime life cycle offers hope for successful defense strategies

As an industry, we've spent an inordinate amount of time characterizing the malware we observe propagating the Internet or breaching our corporate defenses. Because of our capability to label so many varieties and features, we've become hypnotized by the intricacies of the software element of the threat. Malware is the threat. And today we're being even drawn even further in to the trance with "advanced malware."

For those actually charged with the day-to-day defense of their corporate systems, the malware threat can typically be divided neatly in to two components -- malware delivery channels that bypass layers of corporate defenses, and the malware component that gets left behind on the compromised system. The "advanced" form of the threat basically translates to being "better" at the evasion part and having enhanced remote control functionality.

The past decade saw the threat transition from annoying virus to destructive malware. For the past few years, the threat has evolved further -- in to the realm of financially driven crimeware. Despite all the public attention this transition has garnered, few appreciate the changes going on behind the scene.

Instead of admiring the fine brushstrokes of a painting, sometimes you need to stand back a little to take in the picture as a whole. The hypnotic allure of malware dissections and high-profile breaches has prevented many organizations from understanding the dynamics of the real threat -- crimeware and the ecosystem that supports it.

Even those that know their droppers from their downloaders too often fail to grasp the relationships between the vendors, service providers, and tool manufacturers that contributed to the success of an attack. Add to that an increasingly false and outdated assumption of an attack is the personification of an "attacker." It's far more likely that many hands were involved in constructing and delivering the attack -- most of whom had no idea of who else was involved and not caring to know.

Back in the days when malware was just malware, a malicious dropper would be downloaded from a server the bad guys owned (or hacked) following the successful exploitation of a vulnerability within the victim's Web browser or via an unpatched plug-in. That dropper would then automatically unpack itself, extract its malicious payload, deactivate or prevent any local defenses from working, and finally start its core remote control agent -- making an outbound connection to a command-and-control (CnC) server and seeking instructions.

With evolution proceeding from malware to crimeware, the installation life cycle has changed substantially. In an effort to thwart the layers of defense deployed within the network or on the host, many additional steps have been introduced by the attackers -- a lot of which are not only subcontracted to third-party service providers, but have become full-scale businesses in their own right, operating in legal gray areas.

The crimeware installation process also incorporates a number of checks and balances designed to increase the robustness of the attack against detection and deception. Having invested substantial time and materials into an attack among multiple vested parties, cybercriminals are loathe to have their malware fall prey to automated analysis systems and honeypots. As such, they have incorporated steps that validate the authenticity of the victim prior to installation of the core crimeware components. From a service provisioning perspective, the new infection life cycle enhances the overall ecosystem and provides additional monetization opportunities.

For a more detailed dissection of the threat (as it stands today), I've released a new whitepaper -- "Behind Today's Crimeware Installation Lifecycle" -- covering how advanced malware morphs to remain stealthy and persistent. Understanding your opponent remains at the heart of a sound defensive strategy. In this case, though, your "opponent" shouldn't be thought of in a singular sense, but rather an increasingly well-oiled federated cybercrime ecosystem.

Gunter Ollmann is research vice president at Damballa. Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?