Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/16/2014
04:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

2014's Top Malware: Less Money, Mo' Problems

Here are the five most active malware packages to give attackers a huge ROI on a small investment.

Why reinvent the wheel when the first version rolls just fine? Black hat criminals certainly ascribe to this philosophy when it comes to the malware they use to carry out attacks. As illegal as it may be, the cybercrime game is fundamentally a business, and the bad guys are looking to improve their margin. According to new analysis from the Israeli security startup CyActive, the black market reflects this on a daily basis. Researchers identified the five malware families that offered hackers the biggest bang for their buck.

Among those malicious programs, a common theme emerged with all of them achieving their aims through recycling of code and refining previously perfected attack methods. Across the entire group, these five malicious attacks reused 37 components. As attackers reduce their operating costs, they create an unfair advantage over the good guys, who increasingly must spend more to deal with the ever-growing list of attacks to hit the corporate environment each day.

"Fighting malware is time-consuming and expensive, while 'recycling' malware for reuse is quick and cost-effective: for every dollar spent by black hat hackers, hundreds of dollars are spent by the IT security industry," the report explained. "This price tag imbalance is a key facilitator of the springboard from which cybercrime and cyber-terrorism are launched."

Tops on the list in this category is Snake, also known as Turla and Urubos, which CyActive ranked as the most effective and efficient malware of the year. A variant on malware that breached the US Department of Defense in 2008, Snake is still infiltrating government and military targets six years later and includes 12 reused components throughout its attack cycle. Next up is Black PoS, which is best known as the malware to hit Target and Home Depot in their megabreaches. With eight recycled components and costing just $1,800 on the black market, this malware offers the bad guys a ton of ROI.

In the No. 3 slot, Gyges is actually government-created malware that criminals have repurposed for other commercial attacks. It sports eight reused components, with stealth and encryption tools that were once used only in state-sponsored malware. Coming in fourth, Dragonfly reuses six common components to help attackers target industrial control systems used within the aviation, defense, and energy industries. Finally, No. 5 is ZBerp, a hybrid banking malware program that mashed up components from the wildly popular Zeus and Carberp packages that cropped up last year and targeted 450 financial institutions this year.

According to CyActive, these pieces of malware should offer a warning to security programs that they need to find more ways to bring the economics of security in line with the attacker's financial efficiency. "2015 marks the time to start thinking like hackers, rather than defenders, and move the unfair advantage to the good guys' side," the report advises.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...