Today's Crimeware Life CycleAdvanced malware is a slippery beast, but understanding its crime life cycle offers hope for successful defense strategies
As an industry, we've spent an inordinate amount of time characterizing the malware we observe propagating the Internet or breaching our corporate defenses. Because of our capability to label so many varieties and features, we've become hypnotized by the intricacies of the software element of the threat. Malware is the threat. And today we're being even drawn even further in to the trance with "advanced malware."
For those actually charged with the day-to-day defense of their corporate systems, the malware threat can typically be divided neatly in to two components -- malware delivery channels that bypass layers of corporate defenses, and the malware component that gets left behind on the compromised system. The "advanced" form of the threat basically translates to being "better" at the evasion part and having enhanced remote control functionality.
The past decade saw the threat transition from annoying virus to destructive malware. For the past few years, the threat has evolved further -- in to the realm of financially driven crimeware. Despite all the public attention this transition has garnered, few appreciate the changes going on behind the scene.
Instead of admiring the fine brushstrokes of a painting, sometimes you need to stand back a little to take in the picture as a whole. The hypnotic allure of malware dissections and high-profile breaches has prevented many organizations from understanding the dynamics of the real threat -- crimeware and the ecosystem that supports it.
Even those that know their droppers from their downloaders too often fail to grasp the relationships between the vendors, service providers, and tool manufacturers that contributed to the success of an attack. Add to that an increasingly false and outdated assumption of an attack is the personification of an "attacker." It's far more likely that many hands were involved in constructing and delivering the attack -- most of whom had no idea of who else was involved and not caring to know.
Back in the days when malware was just malware, a malicious dropper would be downloaded from a server the bad guys owned (or hacked) following the successful exploitation of a vulnerability within the victim's Web browser or via an unpatched plug-in. That dropper would then automatically unpack itself, extract its malicious payload, deactivate or prevent any local defenses from working, and finally start its core remote control agent -- making an outbound connection to a command-and-control (CnC) server and seeking instructions.
With evolution proceeding from malware to crimeware, the installation life cycle has changed substantially. In an effort to thwart the layers of defense deployed within the network or on the host, many additional steps have been introduced by the attackers -- a lot of which are not only subcontracted to third-party service providers, but have become full-scale businesses in their own right, operating in legal gray areas.
The crimeware installation process also incorporates a number of checks and balances designed to increase the robustness of the attack against detection and deception. Having invested substantial time and materials into an attack among multiple vested parties, cybercriminals are loathe to have their malware fall prey to automated analysis systems and honeypots. As such, they have incorporated steps that validate the authenticity of the victim prior to installation of the core crimeware components. From a service provisioning perspective, the new infection life cycle enhances the overall ecosystem and provides additional monetization opportunities.
For a more detailed dissection of the threat (as it stands today), I've released a new whitepaper -- "Behind Today's Crimeware Installation Lifecycle" -- covering how advanced malware morphs to remain stealthy and persistent. Understanding your opponent remains at the heart of a sound defensive strategy. In this case, though, your "opponent" shouldn't be thought of in a singular sense, but rather an increasingly well-oiled federated cybercrime ecosystem.
Gunter Ollmann is research vice president at Damballa.
Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio