informa
Commentary

Schwartz On Security: Advanced Threats Persist And Annoy

APTs are today's normal threat, and companies such as RSA must do better, even as the odds against them keep increasing.
How difficult is it for criminals to send lots of spam, for example, to illegally manipulate stock prices? In an e-mail, Kaspersky researcher Dmitry Bestuzhev said that "the price depends on the spam provider and the quality of the penetration" but averages about $100 per 130,000 e-mails sent. Compare that to just one pump-and-dump scheme, operating for a month, which allegedly netted one promoter at least $150,000.

How's that for affordable? In fact, that's the problem where APTs are concerned. According to remarks made by Bestuzhev at a recent press event, building a good botnet requires an initial investment of only about $5,000, at least for a do-it-yourself approach.

Here's how to build a botnet: First, spend $750 on average to buy a top-notch malware toolkit, such as SpyEye. Or upgrade to the Phoenix exploit kit 2.4 ($2,200) or BlakHole Exploit Pack ($1,550) for even more automated attacks. Next, spend $480 per year to subscribe to a site such as Virtest.com, which tests whether the malware you've built can be detected by current scanners. Also contract with a bullet-proof hosting service -- a really good one will set you back $3,600 per year -- for storing malicious code as well as purloined data. Finally, pick a good phishing pack -- these are free -- to ferry your malware via e-mail to unsuspecting victims.

What if you don't have time for DIY? Good news: "There's another service available called 'pay per install,'" said Bestuzhev. In this scenario, you contract with other criminals to install malware on PCs for you. Rates for 1,000 installations (zombies) vary by country, from an average of $20 in the Netherlands to $150 in the United States (thanks to its residents using more credit cards per capita). "So, building a 30,000-bot, high-quality botnet can cost you $27,000," he said.

For hackers with coding chops, there's an even cheaper and more direct option: Knock off an existing botnet by taking control and locking out the current owners. Bestuzhev says this tactic isn't uncommon.

But the bigger issue is that criminals without computer savvy -- even penny stock price manipulators who previously relied on phone and fax boiler rooms -- have easy access to botnets, either directly or through intermediaries with affordable rates. As a result, anyone can launch millions of spam e-mails, mass infection campaigns, and spear-phishing attacks, using the latest malware plus APTs to bypass many defenses.

Accordingly, let's dub ATP the "new normal" in security attacks. Because as Bestuzhev describes the problem, using a popular Russian phrase: "You have money? You don't need brain."


Recommended Reading: