For 'Malware as a Service' merchants, business is booming

They are well organized. They pay close attention to product quality, working hard to make it effective and scalable. They are all about customer service, providing after-sales support. They even solicit the help of their customers in product development.

All admirable qualities. But all in the service of theft.

They are malware merchants, in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for Malware as a Service (MaaS).

"The life cycle of (malware) products is the most amazing aspect," writes Pierluigi Paganini, a certified ethical hacker and founder of Security Affairs in Italy, in an article posted this past week on Infosec Island. "From design to release to after-sales support, each stage is implemented in every detail with care and attention."

One of the most famous examples is the Zeus Trojan, designed to steal banking information, which can be customized with new features demanded by its customers. There are an estimated 3.6 million computers in the U.S. that have been compromised by Zeus botnets.

In early January, the Israel-based security firm Trusteer reported on a new version of the SpyEye Trojan that, somewhat like a security camera hack, swaps out banking web pages to prevent account holders from noticing that their money is gone.

Not that the botnet market is new. But it is maturing, and is more diversified and dangerous than ever.

Kevin McAleavey, cofounder and chief architect of the KNOS Project outside Albany, New York, who has spent more than a decade in antimalware product development and research, says this is a logical progression. "Today's 'professionals' were once amateurs, and by that I mean the authors of the malware itself," he says. "It should come as no surprise that what may have once been done 'for fun' can readily be monetized by criminal and government elements for their own purposes."

The modern malware developer and distributor, he says, is selling not just the malware itself, but "the means to keep it hidden and from being detected."

But, if these merchants of malware are operating like businesses, can't authorities just track them down and shut them down?

Not so easily, it turns out. Most use the so-called "Onion Router," which lets users conduct business anonymously.

"The only time one has a chance to track down individuals is when they rat each other out," says McAleavey.

It is not only the Onion Router, but the fact that they operate in countries where they are hard to reach -- Latvia, Lithuania, Ukraine, Brazil and others -- where McAleavey says enforcement is lax. "Generally, these 'kids' are smart and don't leave much in the way of tracking data," McAleavey says. "They know how to layer proxies to cause the trail to go cold. Some people working for antivirus companies have successfully managed to audit the trails only to find the perps pull up stakes and move elsewhere by the time the authorities actually show up."

The "app store" element of the business amounts to a detection test service, "where a site accepts uploads of packaged malware and tests it against every known antivirus engine with the latest updates and spits out who detected it and as what. So the kids go back, change the code and keep changing it until nobody detects it, whereupon it goes out."

Paganini reports that Zeus offshoot Citadel offers a basic bot builder and botnet administration panel for $2,399 plus a $125 monthly "rent." It also offers what McAleavey noted -- a module for $395 that "allows botmasters to sign up for a service that automatically updates bot malware to evade the latest antivirus signatures."

What should enterprises and consumers do? All of the usual things -- don't open odd attachments, even from those you know. Stay away from sketchy websites. Keep your antivirus up to date.

Paganini recommends public awareness and alert networks spread through social media. He would also like to see task forces composed of members from various sectors like government, industry, health and the military, "since we are facing cross-sector threats."

But neither Paganini nor McAleavey is optimistic in the short run. "As long as there are ways to get into Windows, and money to be made doing so, there will be no shortage of malware authors and those willing to make money servicing them -- until the means of hijacking machines themselves is solved," McAleavey says.

Paganini says there are no products on the market now that are able to block an enemy that "grows day by day."

"We are completely unprepared," he says, to fight a "perfect business machine that moves an amount of money equal to the economies of several nations."


Stories by Taylor Armerding