From Virus to Parasite – The Parasitic Era of Malware
Posted by Gunter Ollmann on November 24, 2008 at 12:50 PM EST.
Over the last few months I’ve been discussing the technology advances within the major malware families and what that means for our major international customers.
Stepping back from the minutiae of the actual technology advances, what’s perhaps most interesting to the clients I’ve been speaking with is the evolution of tactics in the criminal use of malware.
Driven by the need to dodge better network security technologies, bypass ubiquitous host-based protection, reliably exploit hardened operating systems and outlast more rigorous patching programs, the criminal teams behind the major malware infestations have developed more sophisticated commercial models to extract the maximum value from their “investments”.
In the “good old days” the criminals would compromise a host, backdoor it (or Trojan it, etc.), and add it to their existing network of hacked computers. Then, to earn money from the compromised systems, they would predominantly use those systems to conduct rather noisy activities – such as spam relay, DDoS attacks and anonymizing proxies for targeted attacks. Obviously, compromised hosts that participated in these activities were pretty recognizable from a network detection perspective, and were typically shut down (or blocked) relatively easily.

Now that it is a little harder to compromise systems (through a mix of security advancements and greater criminal competition for the same hosts), and the criminals have had to invest more money to conduct their attacks (e.g. purchasing exploit code, or contracting other criminal Internet service providers to increase the longevity of their attacks), we’re seeing a new range of money-making ventures designed to remain as quiet as possible, for as long as possible.
To do this, the latest generations of malware have adopted a more parasitic nature, feeding off the host to extract every ounce of value.
Instead of operating like a noisy virus of old and getting detected and shut down too fast, the parasitic malware we’re observing begins its life in a kind of stealth mode and gradually becomes more obtrusive as the realizable value of the host depreciates.
By way of example, here are some of the tactics the criminals have adopted in their evolving parasitic models:
(1) Once installed, the malware silently inventories the host…
  - What kind of host is it? (workstation, server, home PC, etc.)
  - What kind of Internet access does the host have? (DSL, LAN, dial-up, etc.)
  - What netblock is the IP address part of, and is it on a corporate network?
  - Is a VPN in operation, and what networks does the host connect to?
(2) The malware proceeds to inventory the data on the host and extract salable data…
  - Extract all the email addresses in the victim’s contacts list and email software,
  - Extract all password confirmations/resets from received emails,
  - Extract all credit card and address information from email sales receipts and confirmations,
  - Search through all stored documents for words such as “confidential”, “secret” and “personal” and ready those documents for download,
  - Search through files, application and system memory for saved login credentials (e.g. Web browser “remember me” data).
(3) Bundle up all the extracted data, compress it into a single file, encrypt the data, and open up a secure channel to an Internet “drop box” to transfer the loot. Depending upon the quality and quantity of the data, it will be catalogued and batched for sale (along with data from thousands of similarly compromised hosts) at popular underground auction forums.
(4) Keyloggers, screen-grabbers, man-in-the-browser proxy agents, etc. are started up to observe users of the compromised host and extract further login credentials – such as online banking login details, corporate VPN access codes, Webmail accounts, etc.
(5) Begin to stealthily interrogate the network the compromised host is located upon…
  - Search for other network hosts and devices,
  - Map out network shares and other remote file repositories for valuable data,
  - If the host is on a corporate network, attempt to compromise other hosts – through the use of infected files, USB devices (autorun.inf-based viruses such as INF/Autorun.gen), or more aggressive exploit-based techniques.
(6) Once all valuable data has been extracted, begin to use the host as a scriptable money-making device that “looks” like a human…
  - Conduct click-fraud by clicking on sponsored advertising under the control of the criminal team.
  - Install pay-for-install software trials (similar to click fraud, but where software vendors pay Web site owners for every visitor that downloads their software and actually installs it on their machine).
  - Become a repository for illegal software and media content, or operate a Web server to host phishing and other scam sites.
  - Proxy fraud and money-laundering attacks.
(7) As the life expectancy of the host drops, and the probability that its infection has been noticed by those capable of doing something about it rises, offer legacy “noisy” services…
  - Spam relay,
  - DDoS agents,
  - Anonymizing proxy services,
  - Automated brute-force and “password recovery” services, etc.
Now, obviously, the above tactics are only a small sampling of what is possible and what the criminals are actually doing in the wild – but it should give you a taste of the staged approach they take to extracting monetary value from the hosts they manage to infect.
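The staged model above has a defensive corollary: the stages leave different network footprints, and a host that walks through them in order is more suspicious than any one signal alone. The following Python is an added example (not code from the original post) that scores hosts over constructed flow records for three of the observables described above: the single encrypted, upload-heavy “drop box” transfer of stage (3), the SMB fan-out of the stage (5) network interrogation, and the direct outbound SMTP of a stage (7) spam relay. The address ranges, thresholds, baseline and sample flows are all assumptions made for the example.

```python
"""Stage-progression detector over flow records.

Added example (not code from the original post). It looks for three network
observables the post attributes to successive lifecycle stages:

  stage 3 - one upload-heavy TLS session (TCP/443) to a destination the host
            has never contacted before: the bundled, encrypted "drop box" upload,
  stage 5 - SMB (TCP/445) fan-out to many internal hosts in a short window,
  stage 7 - direct outbound SMTP (TCP/25) to many distinct external MTAs.

A host is called parasitic only when two or more stages appear in the
stealth-then-noisy order the post describes. All thresholds, addresses and
flow records below are assumptions constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range
UPLOAD_MIN_BYTES = 5_000_000          # a bundled archive, not a page view
UPLOAD_RATIO = 20                     # bytes_out / bytes_in above this: upload
SMB_FANOUT, FANOUT_WINDOW = 10, 600   # distinct SMB peers within N seconds
SMTP_FANOUT = 20                      # distinct external MTAs contacted

@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int

def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL

def detect_stages(flows, baseline):
    """Return {host: [(stage, first_ts), ...]} ordered by first_ts.

    baseline maps a host to the external destinations it contacted during a
    learning period; anything outside that set counts as never seen before.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    result = {}
    for host, fl in by_src.items():
        stages = {}
        # stage 3: one large, upload-heavy TLS session to a new external host
        for f in fl:
            if (f.dport == 443 and not is_internal(f.dst)
                    and f.dst not in baseline.get(host, set())
                    and f.bytes_out >= UPLOAD_MIN_BYTES
                    and f.bytes_out >= UPLOAD_RATIO * max(f.bytes_in, 1)):
                stages[3] = f.ts
                break
        # stage 5: many distinct internal SMB peers inside a sliding window
        smb = [f for f in fl if f.dport == 445 and is_internal(f.dst)]
        for i, f in enumerate(smb):
            peers = {g.dst for g in smb[i:] if g.ts - f.ts <= FANOUT_WINDOW}
            if len(peers) >= SMB_FANOUT:
                stages[5] = f.ts
                break
        # stage 7: the host talks SMTP to many MTAs itself (spam relay)
        mtas = {}
        for f in fl:
            if f.dport == 25 and not is_internal(f.dst):
                mtas.setdefault(f.dst, f.ts)
                if len(mtas) >= SMTP_FANOUT:
                    stages[7] = min(mtas.values())
                    break
        if stages:
            result[host] = sorted(stages.items(), key=lambda kv: kv[1])
    return result

def is_parasitic(stage_list):
    """True when at least two stages are present and appear in lifecycle order."""
    order = [s for s, _ in stage_list]
    return len(order) >= 2 and order == sorted(order)

# Constructed sample: one compromised workstation, one clean one.
BASELINE = {"10.0.5.17": {"203.0.113.100"}, "10.0.5.40": {"198.51.100.200"}}

def sample_flows():
    victim, clean = "10.0.5.17", "10.0.5.40"
    flows = [Flow(1000, victim, "203.0.113.9", 443, 8_000_000, 20_000)]
    flows += [Flow(5000 + 10 * i, victim, f"10.0.5.{20 + i}", 445, 4_000, 60_000)
              for i in range(12)]
    flows += [Flow(9000 + 5 * i, victim, f"198.51.100.{1 + i}", 25, 30_000, 2_000)
              for i in range(25)]
    # ordinary browsing, one file server, one message via the usual relay
    flows += [Flow(1100, clean, "203.0.113.50", 443, 500, 40_000),
              Flow(5100, clean, "10.0.5.2", 445, 4_000, 900_000),
              Flow(5200, clean, "10.0.5.2", 445, 4_000, 900_000),
              Flow(9100, clean, "198.51.100.200", 25, 30_000, 2_000)]
    return flows

if __name__ == "__main__":
    for host, stages in detect_stages(sample_flows(), BASELINE).items():
        print(host, stages, "PARASITIC" if is_parasitic(stages) else "")
```

Run stand-alone, it reports only 10.0.5.17, with stages (3), (5) and (7) seen in that order. The ordering check is the point: any one of these signals fires on legitimate hosts (a backup agent uploads, an administrator scans shares, a mail server speaks SMTP), but a workstation that first performs a single large encrypted upload to a never-seen destination, later enumerates SMB peers, and only afterwards starts relaying mail matches the stealth-then-noisy lifecycle far more closely than a noisy host that was loud from the start.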
What the future holds
Looking forward, I expect to see new money-making business models in stages (3) to (6) appear as the criminals hone their malware capabilities and find new buyers and sellers for the assets under their control.
I’m also expecting the criminals in the future to focus greater efforts on building more complete identity profiles based on the information they can now extract. For example, over the last couple of years we’ve seen the value of credit card credentials drop to a fraction of what they used to be (all the details needed to conduct an online purchase using a credit card currently sell for between $0.05 and $2 – depending upon how many cards you purchase [bulk discounts apply]).
Meanwhile, if you assume an average home PC has been compromised, it’s pretty easy to build up a “household identity” which includes factors such as all their banking details (online banking credentials and credit/debit cards), names & ages of all family members, online browsing and purchase patterns, financial wealth and medical histories, even holiday plans, car registrations and tax submissions. Armed with this level of “household identity” information, the marketable value is easily in the $200-$500 range.
Just who purchases and uses this information? Already we’re hearing of this information making its way through to legitimate marketers and agencies through grey-market routes. But we can also expect the criminals to seek higher returns from their informational purchase/investment – e.g. instead of siphoning off a few thousand dollars from their victim’s bank account, why not assume the stolen identity and take out a $200,000 loan at another bank instead?
It’s also worth pointing out that many new message boards have appeared over the last 12 months (designed to connect buyers with sellers for the data being extracted from infected hosts) that now provide advanced search options capable of burrowing through what’s on offer. For example, the ability to search for hosts that belong to (or connect to) a specific organization or person.