Perimeter
5/17/2011
08:24 AM
Gunter Ollmann
Gunter Ollmann
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Today's Crimeware Life Cycle

Advanced malware is a slippery beast, but understanding its crime life cycle offers hope for successful defense strategies

As an industry, we've spent an inordinate amount of time characterizing the malware we observe propagating the Internet or breaching our corporate defenses. Because of our capability to label so many varieties and features, we've become hypnotized by the intricacies of the software element of the threat. Malware is the threat. And today we're being even drawn even further in to the trance with "advanced malware."

For those actually charged with the day-to-day defense of their corporate systems, the malware threat can typically be divided neatly in to two components -- malware delivery channels that bypass layers of corporate defenses, and the malware component that gets left behind on the compromised system. The "advanced" form of the threat basically translates to being "better" at the evasion part and having enhanced remote control functionality.

The past decade saw the threat transition from annoying virus to destructive malware. For the past few years, the threat has evolved further -- in to the realm of financially driven crimeware. Despite all the public attention this transition has garnered, few appreciate the changes going on behind the scene.

Instead of admiring the fine brushstrokes of a painting, sometimes you need to stand back a little to take in the picture as a whole. The hypnotic allure of malware dissections and high-profile breaches has prevented many organizations from understanding the dynamics of the real threat -- crimeware and the ecosystem that supports it.

Even those that know their droppers from their downloaders too often fail to grasp the relationships between the vendors, service providers, and tool manufacturers that contributed to the success of an attack. Add to that an increasingly false and outdated assumption of an attack is the personification of an "attacker." It's far more likely that many hands were involved in constructing and delivering the attack -- most of whom had no idea of who else was involved and not caring to know.

Back in the days when malware was just malware, a malicious dropper would be downloaded from a server the bad guys owned (or hacked) following the successful exploitation of a vulnerability within the victim's Web browser or via an unpatched plug-in. That dropper would then automatically unpack itself, extract its malicious payload, deactivate or prevent any local defenses from working, and finally start its core remote control agent -- making an outbound connection to a command-and-control (CnC) server and seeking instructions.

With evolution proceeding from malware to crimeware, the installation life cycle has changed substantially. In an effort to thwart the layers of defense deployed within the network or on the host, many additional steps have been introduced by the attackers -- a lot of which are not only subcontracted to third-party service providers, but have become full-scale businesses in their own right, operating in legal gray areas.

The crimeware installation process also incorporates a number of checks and balances designed to increase the robustness of the attack against detection and deception. Having invested substantial time and materials into an attack among multiple vested parties, cybercriminals are loathe to have their malware fall prey to automated analysis systems and honeypots. As such, they have incorporated steps that validate the authenticity of the victim prior to installation of the core crimeware components. From a service provisioning perspective, the new infection life cycle enhances the overall ecosystem and provides additional monetization opportunities.

For a more detailed dissection of the threat (as it stands today), I've released a new whitepaper -- "Behind Today's Crimeware Installation Lifecycle" -- covering how advanced malware morphs to remain stealthy and persistent. Understanding your opponent remains at the heart of a sound defensive strategy. In this case, though, your "opponent" shouldn't be thought of in a singular sense, but rather an increasingly well-oiled federated cybercrime ecosystem.

Gunter Ollmann is research vice president at Damballa. Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

CVE-2014-3024
Published: 2014-08-29
Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 through 7.5.0.6 and Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk allows remote authenticated users to hijack the authentication of arbitr...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.