Perimeter
5/17/2011
08:24 AM
Gunter Ollmann
Gunter Ollmann
Products and Releases
50%
50%

Today's Crimeware Life Cycle

Advanced malware is a slippery beast, but understanding its crime life cycle offers hope for successful defense strategies

As an industry, we've spent an inordinate amount of time characterizing the malware we observe propagating the Internet or breaching our corporate defenses. Because of our capability to label so many varieties and features, we've become hypnotized by the intricacies of the software element of the threat. Malware is the threat. And today we're being even drawn even further in to the trance with "advanced malware."

For those actually charged with the day-to-day defense of their corporate systems, the malware threat can typically be divided neatly in to two components -- malware delivery channels that bypass layers of corporate defenses, and the malware component that gets left behind on the compromised system. The "advanced" form of the threat basically translates to being "better" at the evasion part and having enhanced remote control functionality.

The past decade saw the threat transition from annoying virus to destructive malware. For the past few years, the threat has evolved further -- in to the realm of financially driven crimeware. Despite all the public attention this transition has garnered, few appreciate the changes going on behind the scene.

Instead of admiring the fine brushstrokes of a painting, sometimes you need to stand back a little to take in the picture as a whole. The hypnotic allure of malware dissections and high-profile breaches has prevented many organizations from understanding the dynamics of the real threat -- crimeware and the ecosystem that supports it.

Even those that know their droppers from their downloaders too often fail to grasp the relationships between the vendors, service providers, and tool manufacturers that contributed to the success of an attack. Add to that an increasingly false and outdated assumption of an attack is the personification of an "attacker." It's far more likely that many hands were involved in constructing and delivering the attack -- most of whom had no idea of who else was involved and not caring to know.

Back in the days when malware was just malware, a malicious dropper would be downloaded from a server the bad guys owned (or hacked) following the successful exploitation of a vulnerability within the victim's Web browser or via an unpatched plug-in. That dropper would then automatically unpack itself, extract its malicious payload, deactivate or prevent any local defenses from working, and finally start its core remote control agent -- making an outbound connection to a command-and-control (CnC) server and seeking instructions.

With evolution proceeding from malware to crimeware, the installation life cycle has changed substantially. In an effort to thwart the layers of defense deployed within the network or on the host, many additional steps have been introduced by the attackers -- a lot of which are not only subcontracted to third-party service providers, but have become full-scale businesses in their own right, operating in legal gray areas.

The crimeware installation process also incorporates a number of checks and balances designed to increase the robustness of the attack against detection and deception. Having invested substantial time and materials into an attack among multiple vested parties, cybercriminals are loathe to have their malware fall prey to automated analysis systems and honeypots. As such, they have incorporated steps that validate the authenticity of the victim prior to installation of the core crimeware components. From a service provisioning perspective, the new infection life cycle enhances the overall ecosystem and provides additional monetization opportunities.

For a more detailed dissection of the threat (as it stands today), I've released a new whitepaper -- "Behind Today's Crimeware Installation Lifecycle" -- covering how advanced malware morphs to remain stealthy and persistent. Understanding your opponent remains at the heart of a sound defensive strategy. In this case, though, your "opponent" shouldn't be thought of in a singular sense, but rather an increasingly well-oiled federated cybercrime ecosystem.

Gunter Ollmann is research vice president at Damballa. Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7421
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.

CVE-2014-8160
Published: 2015-03-02
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disall...

CVE-2014-9644
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-201...

CVE-2015-0239
Published: 2015-03-02
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYS...

CVE-2014-8921
Published: 2015-03-01
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by c...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.