Malware authors’ hard-fought “professionalism” impressive, frightening: researcher

Malware authors have become so good at seeding exploits en masse that their monitoring, customer service, marketing and Australian localisation strategies have come to resemble professional business operations, a senior Trend Micro security researcher has observed.

Noting the significant jump in malware variability that became possible thanks to exploit kits during 2011 and 2012, senior threat researcher Jon Oliver said malware authors had put in enough trial and error over the past decade to qualify as experts under the 10,000-Hour Rule – a theory posited by author Malcolm Gladwell that says mastering any field takes around 10,000 hours of practice.

Modern malware hackers are already showing the signs of having achieved this level, Oliver said in a presentation at this week’s Evolve 2013 security conference in Melbourne.

“By digging into some of the detail of our regular reports, we can really see the professionalism that cyber criminals are using,” he explained. “They’ve had about ten years to clock up the 10,000 hours, and there was a big leap in professionalism when they brought in the exploit kits.”

Blackhole-delivered spam exploits accounted for 27% of all exploits during 2012, figures from the Sophos Security Threat Report 2013 suggest, with Australia ranked as the sixth safest country in the world in terms of threat risk.

Yet the ingenuity of the exploit kit lies not in its technology – it probes the visiting browser to learn which operating system and browser version the victim is running, then serves an exploit matched to that combination to maximise the chance of compromise – but in the way it has been bundled into a full suite of hacking tools that is sold for great profit to online miscreants.

“It’s not especially new technology,” Oliver said, “but it’s the professionalism by which they went about it – to the point of offering customer service to customers, and writing release notes where they discuss how they’re avoiding security vendors’ tools.”

Blackhole even has a professional-looking dashboard that tracks infection success rate by operating system, browser, country, and so on. Java, in particular, features prominently as a preferred infection vector, thanks to its recent history of high-profile exploits.

A screenshot of the dashboard, displayed by Oliver during his presentation, showed an overall success rate of 14.61%, with 83.36% of the successful attacks being launched against Java systems. Chrome was the least frequently penetrated, with a success rate of 0.46%, while Opera (at 15.91%) was the most frequently compromised, followed closely by Microsoft Internet Explorer (15.51%) and Mozilla Firefox (13.97%).

“They are attacking everything,” Oliver explained. “They track everything, and optimise every aspect of it just like marketing people are optimising every aspect of a campaign, working with Google to get their keywords up to the top.”

“Cyber criminals are doing the same: up on the top of the page, they’ve got ads for other cybercriminal services. They even schedule holidays: last Christmas we noted very particular holiday periods in their spam runs, and they don’t go back until the first Monday of the new year.”

While such attacks attract a particularly high profile among security researchers, Oliver was quick to point out that the biggest problem is not the professionalism with which spam and botnets are being managed – but the fact that the same techniques are being used to manage targeted, advanced persistent attacks.

“The lesson we’re learning here translates across to the targeted attacks space,” he said. “Those attackers are doing exactly the same things – but it’s not visible, and it’s not available for rent. So, we’ve got to take lessons from this and apply them to the targeted threat arena. The whole thing is a very professional situation, and it’s a truly frightening scale of legitimacy that they put around their attacks.”
