The Implications of Malware-as-a-Service

Wednesday, January 25, 2012

Pierluigi Paganini


(Translated from the original Italian)

As previously stated, the cyber crime industry is proving to be a thriving business that knows no crisis.

The reasons are countless; high profits and crimes that go unpunished are most often the main ones. What amazes me, however, is the way the criminal businesses are organized.

Criminal operations are managed as corporations, and malware is designed as a service like those of large companies, with a maniacal attention paid to product quality. The life cycle of the products is the most amazing aspect: from design, to release, to after-sales support, each stage is implemented in every detail with care and attention.

On more than one occasion we have read of malware designed with complex solutions to meet the most demanding requirements of effectiveness and scalability, evidence that highly skilled people, probably coming from the legitimate software industry, are behind these projects.

Just recently I read the news on the commercial distribution of the famous Zeus Trojan, a malware designed as an open project that can be customized with new features to meet customer demands. The Zeus Trojan is an agent with the ability to steal banking information by logging keystrokes and grabbing form data.

It is spread mainly through phishing and drive-by download schemes. Consider that the various Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States).

As of October 28, 2009, over 1.5 million phishing messages sent on Facebook were for the purpose of spreading the Zeus Trojan. Regarding the spread of Zeus, I suggest consulting the web site https://zeustracker.abuse.ch/, which provides updated statistics on the location of the Command and Control (C&C) servers of the botnet.

Among the huge quantity of statistics available, I have found two that I consider really indicative: the average antivirus detection rate (last 60 days) and the list of the top C&C servers.

An important factor is that cybercrime's financial and geographic growth has shown no slowdown during the global economic crisis. Indeed, it has probably taken advantage of the crisis to undermine businesses and become much more profitable.

Lack of awareness of the threat and the contraction of investment in prevention have played in favor of cyber crime. No company or organization is immune.

What amazed me is the news that in many underground forums users have posted numerous complaints about the lack of support for the development of new features for the popular Trojan.

The organization of sales and support channels is very interesting, and in many ways similar to that used for legitimate products: forums and social networks are used to collect bug reports and requests regarding the commercial development of new features, a direct channel between developers and end users.

No doubt this approach raises a lot of concern because of the unpredictable evolution the agents may undergo once a community of their own supports their open development.

The apparent evolutionary leap made by these products and their marketing has led to different ways of selling them: they can be purchased in packages that provide ongoing support and evolutionary maintenance of the Trojans to meet changing customer needs.

Still with an eye on the malware distribution and support model, commonly referred to as "software-as-a-service", I point out the Zeus offshoot Citadel, a true web store advertised on several members-only forums where malicious hackers offer their developments.

What are the main services offered by Citadel's owners? According to their declaration, they propose a common platform for content sharing based on a social network model:

  • A social network for customers, the Citadel CRM Store, which allows users to be active players in product development
  • Reporting of bugs and other software errors through a ticketing system
  • A code sharing platform: each client can share its modules and software code with others, creating new modules or improvements
  • Promotion of public proposals for software improvements and new features
  • Efficient Jabber and instant message communication channels

The model described is essentially applicable to all kinds of malware from the moment its source code is disclosed. A group of developers can then operate in autonomous communities that take charge of improving the product to meet business needs. This is the critical transition from malware to business opportunity.

Regarding the specific case of Citadel, I quote figures from an article published by Krebs on Security:

The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly “rent,” but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator’s location(s). According to the authors, if the malware detects that the victim’s machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims.

Another necessary reflection concerns how this development model could benefit even government organizations in recruiting hackers who are experts in malware development.

Platforms such as those described in fact provide high skills and evolutionary support that are relatively easy to manage, and potentially lethal if concentrated on the development of cyber weapons.

How do they do it? Recall the case of Tilded, the malware development platform recognized as the basis for the development of agents like Stuxnet and Duqu.

What would happen if a government decided to engage hackers to build a community dedicated to the development of a similar platform? Hackers have the skills to work on a generic platform for malware development; once that work is finished, they could be recruited by government personnel to work with modules developed internally to attack strategic targets.

Scenarios like this are extremely frightening, and it is important to remain vigilant. We are witnessing an impressive growth of the cyber crime industry that will be difficult to stop, a relentless progression that requires both government and the private sector to implement a series of measures to contain the threat.

The first step is to become aware of the threat and risks… the second step is to take action!


Cross-posted from Security Affairs
