Perimeter
5/17/2011
08:24 AM
Gunter Ollmann
Gunter Ollmann
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Today's Crimeware Life Cycle

Advanced malware is a slippery beast, but understanding its crime life cycle offers hope for successful defense strategies

As an industry, we've spent an inordinate amount of time characterizing the malware we observe propagating the Internet or breaching our corporate defenses. Because of our capability to label so many varieties and features, we've become hypnotized by the intricacies of the software element of the threat. Malware is the threat. And today we're being even drawn even further in to the trance with "advanced malware."

For those actually charged with the day-to-day defense of their corporate systems, the malware threat can typically be divided neatly in to two components -- malware delivery channels that bypass layers of corporate defenses, and the malware component that gets left behind on the compromised system. The "advanced" form of the threat basically translates to being "better" at the evasion part and having enhanced remote control functionality.

The past decade saw the threat transition from annoying virus to destructive malware. For the past few years, the threat has evolved further -- in to the realm of financially driven crimeware. Despite all the public attention this transition has garnered, few appreciate the changes going on behind the scene.

Instead of admiring the fine brushstrokes of a painting, sometimes you need to stand back a little to take in the picture as a whole. The hypnotic allure of malware dissections and high-profile breaches has prevented many organizations from understanding the dynamics of the real threat -- crimeware and the ecosystem that supports it.

Even those that know their droppers from their downloaders too often fail to grasp the relationships between the vendors, service providers, and tool manufacturers that contributed to the success of an attack. Add to that an increasingly false and outdated assumption of an attack is the personification of an "attacker." It's far more likely that many hands were involved in constructing and delivering the attack -- most of whom had no idea of who else was involved and not caring to know.

Back in the days when malware was just malware, a malicious dropper would be downloaded from a server the bad guys owned (or hacked) following the successful exploitation of a vulnerability within the victim's Web browser or via an unpatched plug-in. That dropper would then automatically unpack itself, extract its malicious payload, deactivate or prevent any local defenses from working, and finally start its core remote control agent -- making an outbound connection to a command-and-control (CnC) server and seeking instructions.

With evolution proceeding from malware to crimeware, the installation life cycle has changed substantially. In an effort to thwart the layers of defense deployed within the network or on the host, many additional steps have been introduced by the attackers -- a lot of which are not only subcontracted to third-party service providers, but have become full-scale businesses in their own right, operating in legal gray areas.

The crimeware installation process also incorporates a number of checks and balances designed to increase the robustness of the attack against detection and deception. Having invested substantial time and materials into an attack among multiple vested parties, cybercriminals are loathe to have their malware fall prey to automated analysis systems and honeypots. As such, they have incorporated steps that validate the authenticity of the victim prior to installation of the core crimeware components. From a service provisioning perspective, the new infection life cycle enhances the overall ecosystem and provides additional monetization opportunities.

For a more detailed dissection of the threat (as it stands today), I've released a new whitepaper -- "Behind Today's Crimeware Installation Lifecycle" -- covering how advanced malware morphs to remain stealthy and persistent. Understanding your opponent remains at the heart of a sound defensive strategy. In this case, though, your "opponent" shouldn't be thought of in a singular sense, but rather an increasingly well-oiled federated cybercrime ecosystem.

Gunter Ollmann is research vice president at Damballa. Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web