Arguably, the best attack never reveals itself. Back in 2007, the breach into the IT systems of TJX, the parent company of T.J. Maxx and other retailers, progressed for more than a year before being spotted. Attackers had plenty of time to steal credit card numbers and line their pockets.
More recently, there's been Stuxnet -- everyone's new poster child for security Armageddon. But if it was so good, why was it discovered? As Apple's incoming global security chief, David Rice, noted in an online post a few months ago, whoever made Stuxnet blew four zero-day vulnerabilities on a piece of malware that arguably could have succeeded with just one. "Far from 'amazing,' as this malware is oft described, this was an operational fumble," he said.
Some are leveling the same charge at today's crimeware toolkit vendors. Mickey Boodaei, CEO of Trusteer, said via email that Zeus -- and now the new SpyEye Zeus hybrid -- has long included functionality designed to disable his company's Rapport, a free tool designed to block malware such as Zeus. But when malware takes aim at a security application, it's essentially broadcasting its presence. Accordingly, Rapport nukes Zeus.
"For malware, it's always better to keep a low profile," Boodaei said.
Instead, the SpyEye Zeus developer -- or developers -- seem to be operating like a Silicon Valley startup, replete with chief evangelist. "Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media," Boodaei said. "The main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen."
What's a malware toolkit vendor to do -- skew toward exclusivity, or aim for a high sales volume via low prices and heavy advertising? Beware the latter approach, as law enforcement agencies love a big takedown.
The equation is slightly different, however, for spam-spewing botnets and their related worms, where more of everything makes for tougher-to-stop malware. The latest version of the Waledac malware, for example, now carries 123,920 FTP credentials. What's a worm going to do with all of those passwords?
In an email, Fraser Howard, a principal virus researcher at Sophos, told me that the malware uses those credentials to upload its own pages to legitimate Web sites. These Waledac-built pages contain META tags to redirect people to spam Web sites, typically selling scareware, drugs, or fake drugs. Because attackers hide malicious redirects on legitimate sites and name their pages randomly -- think "sdfsdfsklj.html" -- they're difficult to detect, at least in isolation.
The overall goal is simple: to fake out spam filters. "By using a continually changing pool of URLs to legitimate sites -- albeit dodgy redirect pages on them -- they try to evade spam blocking," Howard said. "These legit sites may have a 'good reputation' and so are unlikely to trigger spam blocks." Accordingly, the more Web sites on which Waledac can hide its dodgy pages, the better. This makes detecting and blocking the worm's activities, or proactively blocking exploited Web pages, much more difficult.
Waledac also contains nearly half a million POP3 email account passwords, the better to relay spam. While the scale of that password harvesting might sound surprising, "it is pretty commonplace in all sorts of data stealers," Howard told me.
So bigger is better for worms that generate profits via spam. Then again, just like crimeware toolkits, spam-driven malware and botnets might make such a big splash that law enforcement agencies catch up with their authors -- as happened with Mariposa -- or white hat hackers find a way to take down the botnet itself, as happened with Conficker. Then crimeware and botnet operators, despite the profits, also know what it feels like to be a target.