The malware factory

Pierluigi Paganini June 16, 2012

Article published in The Hacker News Magazine, June edition, "Malware".

With the term malware we refer to a heterogeneous family of malicious software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to victims' systems. The term covers several types of malicious code, such as computer viruses, worms, trojans, spyware, ransomware, adware, rootkits and other applications. In recent years we have witnessed an unprecedented growth in the development of malware, linked to a rapidly changing technological context driven by the increased use of the internet and the explosion of mobile services. The internet has condensed billions of entities into a single virtual marketplace in which the spread of pathogens is to be considered as natural as it is between individuals in real life. To give an idea of what we have observed, consider that in the last couple of years the release rate of malicious code and other unwanted programs was greater than that of the previous 20 years.

To monitor the diffusion of cyber threats, major security firms have deployed dedicated networks all over the world that capture spam, phishing and malware data through a variety of sources, such as decoy accounts and network probes. Billions of email messages and web requests are processed daily in dedicated data centers, and the information gathered is correlated with data acquired through an anti-fraud community of enterprises, law enforcement advisors and consumer feedback. Consider the case of Symantec, which with a similar model of analysis periodically publishes reports and bulletins on the evolution of malware and, more generally, of any cyber threat. Looking at the latest issue of the "Internet Security Threat Report" we can get an idea of the trend in malware evolution and of the sectors mainly impacted.

The report shows an increase compared with last year, the result of a surge in polymorphic malware attacks, particularly those found in web attack kits and socially engineered attacks using email-borne malware. Particularly dangerous is malware that exploits zero-day vulnerabilities: it is almost impossible to know when it attacks a target, because it is developed to operate in stealth mode and evade detection systems. According to the report, unique variants of malware increased by 140% compared with 2010, passing from 286 million variants to 403 million. The trend is also confirmed by the data on new zero-day vulnerabilities, discovered at a rate of 8 new vulnerabilities per day.

The principal channels for propagation of malware

The spread of malware in recent years has followed various schemes, of which we try to provide a quick overview below. One of the main channels exploited for malware is the internet, and in particular the possibility of hosting the malicious agent on a compromised web site. The categories of web sites mainly impacted by this type of attack are Blogs & Web communications, Hosting/Personal hosted sites, Business/Economy, Shopping and Education & Reference. Malware diffusion increased rapidly during the last year due to the growth of "drive-by attacks" against internet users. The figures are staggering, with hundreds of millions of systems infected every year. The infection process is subtle but effective: it is sufficient that the user visits a compromised web site. The redirection of the user's navigation to the site follows different schemes; for example, a click on a link contained in an email or published on a social network is enough to hijack the victim to an infected web site. Very common are attack techniques such as "clickjacking" or "likejacking", which deceive users by attracting them to watch a video or simply to express their appreciation of a specific topic using the "Like" function. Another factor that has dramatically impacted malware diffusion is the availability on the internet of exploit toolkits, which allow the creation of new malware with few skills. This peculiarity has facilitated the rapid adoption and diffusion of attack kits in the criminal world, which has intercepted the growing demand in a business worth millions, a phenomenon that continues its inexorable rise. Consider also how quickly these kits are updated with new exploits; in some cases new development is commissioned to add features to an existing malware. We are facing the malware factory.

If the price of these toolkits scares you, don't worry: they are usually really cheap, with prices ranging from a few dollars to a few thousand. Another preferred channel used to spread malware is of course email. During the last year the number of malicious emails increased, targeting mainly large companies. Malicious emails usually contain an infected file as an attachment that exploits vulnerabilities in the target system; clearly, to deceive the user, the content of the mail appears legitimate and tries to catch the victim's attention. Similar attacks are used by cybercriminals but also by governments, as happened in Syria, where the regime used malicious emails containing malware to trace and persecute opponents. This is not the only scheme for malware diffusion: as we have already discussed, malicious emails can also contain links to infected web sites. I have left for last another method of malware diffusion that is seriously impacting users' digital lives: social networks. During the last year, with the impressive growth of social networks, we have also observed an increase in the number of malware propagated through the popular social platforms. Millions of users, always connected and with low awareness of cyber threats, are ideal victims for cybercrime, which once again uses malware to exploit the users' weaknesses. In social networking the fundamental factor is the use of social engineering techniques to deceive users, who most often are redirected to compromised web sites through the sharing of "malicious hyperlinks". The most important social networks are always under attack; cyber criminals and hackers daily target social network users with every kind of malware variant, as in the case of the latest discovery related to the Zeus Trojan. The experts of the firm Trusteer have discovered a new Zeus variant responsible for a series of attacks against principal internet service providers.

The variant carried out attacks using a P2P network architecture, targeting users of Facebook, Hotmail, Yahoo and Google Mail. The malware is really appreciated by cyber criminals, who have improved its features over the months. The Zeus Trojan was born as an agent able to steal banking information by logging keystrokes and form grabbing, and it is spread mainly through phishing and drive-by download schemes. The variant that hit Facebook uses a web injection mechanism to offer victims a special 20% price reduction on purchases made with a Visa or MasterCard debit card using their Facebook account. The scam promises that, after registering debit card information, the victim will earn cash back when purchasing Facebook points. Of course the user is presented with a form for registering debit card details that is equivalent to a legitimate one, also in terms of layout.

What are the main motivations behind the design of malware?

The use of malware, as described, presents a sustained growth trend thanks to the operational flexibility of this cyber threat, which makes fruitful use of malicious programs in several areas. The areas where malware has found major use are the following:

Criminal organizations are the most active in the development and diffusion of malware: malicious programs can be developed to carry out complex frauds with reduced risk. Criminal gangs have discovered how lucrative cybercrime is and how small the chance of being legally pursued is. Computer crime by its nature takes place in cyberspace with direct effects on the real world, but because of this characteristic its prosecution is virtually impossible in the absence of globally shared regulations against this type of offence. Malware can be used in different fraud patterns; mainly it is used to steal sensitive user information such as banking credentials. Diffusion can happen through several channels, such as social networking, mail spamming, visits to infected hosts or hijacking of web navigation. The common factor is the theft of the user's identity for fraudulent activity. In recent weeks we have witnessed the rapid diffusion of new generations of ransomware, demonstrating that the use of malware can be adapted to different models of cybercrime. Ransomware is a type of malware that restricts access to the victim's computer resources and demands the payment of a ransom for the removal of the restrictions; to prevent access to the resources, the malware encrypts the files of the infected machine. Cybercrime is not the only sector that adopts malware for its purposes; one of the most interesting uses relates to cyber warfare. Borrowing the definition of "cyber weapon" provided by the security experts Thomas Rid and Peter McBurney:

"a computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings"

we can immediately think of the effect of malware targeted against a strategic objective such as a critical infrastructure. Over the years many cyber weapons have been identified; without a doubt the most famous is the Stuxnet virus, in whose development, according to common opinion, a pool of highly specialized experts was involved on behalf of the US and Israeli governments. Stuxnet is not the only example of malware used as a cyber weapon: Duqu is a similar agent deployed for information gathering, ideal for espionage operations. The reality is more complex: the future of malware in the cyber warfare scenario is made of dedicated platforms used to create multiform, modular agents that can target specific objectives simply by including new components. We are facing open projects that evolve with the needs of their operators and present new offensive features in function of specific targets. Kaspersky's director of global research and analysis, Costin Raiu, discovered with his team the existence of a common platform used to build the Duqu and Stuxnet malware, which they named the "Tilded platform" because many of the files in the agents have names beginning with the tilde symbol "~" and the letter "d". What is really interesting is that the researcher is convinced that the same framework has also been used to create at least three other pieces of malware, confirming the existence of a "factory" platform that Costin Raiu described with the following statement:

"It's like a Lego set. You can assemble the components into anything: a robot or a house or a tank."

But malware could also be the next option for hacktivist groups such as Anonymous. During the last couple of years we have witnessed the escalation of operations conducted by the Anonymous group, the hacker collective that expresses social dissent through cyber attacks. It is a common conviction that the group uses only DDoS attacks for its operations, but the collective is changing, and some security experts believe that it is also exploring other options such as malware deployment. The purposes of malware usage may differ: malicious software can be used to attack strategic objectives with targeted campaigns and also to conduct cyber espionage operations. DDoS attacks, too, can be automated by infecting the victims' machines or simply by hosting on a web site a malware that redirects the attacks against the chosen targets. Another regrettable use of malware is monitoring and control, typically implemented by governments and intelligence agencies. In most cases viruses and trojans have been used to infect the computers of dissidents, opponents and the political opposition. The purpose is to track their operations on the web, gather sensitive information and locate them. In many cases the use of malware has made possible the capture of the victims and their ruthless suppression. During the Syrian repression the government discovered that dissidents were using programs such as Skype to communicate, so it used the same channel to spread the backdoor "Xtreme RAT". The scheme of the targeted attacks was simple: after the arrest of some dissidents, the government used their Skype accounts to spread a malware hidden in a file called MACAddressChanger.exe, which was accepted by other activists. The dissidents trusted MACAddressChanger because they had used it in the past to elude the government's monitoring system.

Xtreme RAT is a malware belonging to the Remote Access Tool category, really easy to find online at a low price (full version price: €100 EUR). Confirming that the backdoor was installed by the Syrian government is the IP address of the command server, which belongs to the Syrian Arab Republic — STE (Syrian Telecommunications Establishment). The sample reported is not the only one: the experts of the firm Trend Micro have in fact discovered the use of the DarkComet malware to infect the computers of the opposition movement. The malware is used to steal documents from the victims and appears to have been spread through Skype chats. Once in execution, the malware tries to contact the command and control (C&C) server to receive instructions and to transfer the stolen information. It has been observed that the C&C server resides in Syria, in a range of IP addresses under the control of the government of Damascus.

What future for malware?

The scenarios reported share the same trend of malware growth: more complex agents are developed daily, able to exploit well-known vulnerabilities but also 0-day ones. Millions of PCs are infected with new variants of malware, composing frightening botnets that are used for several purposes. The major concerns come from mobile technologies and the cloud computing paradigm; in particular, the mobile world has registered the largest number of malware targeting its platforms and operating systems. To give an idea of how attractive mobile technology is for malware developers, let's look at the Mobile Threat Report released by the security firm F-Secure, which warns of a dramatic increase in malware targeting mobile devices, especially those based on the Android OS. The following table reports interesting statistics on mobile threats discovered between 2004 and 2011, showing an impressive growth grouped by malware type.

The report states: "In Q1 2011, 10 new families and variants were discovered. A year later, this number has nearly quadrupled with 37 new families and variants discovered in Q1 2012 alone."

The experts of F-Secure attribute the growth to the increasing number of variants designed to evade antivirus protections by presenting a greater number of distinct signatures.

“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts. This growth in number can be attributed to malware authors crafting their infected or trojanized applications to defeat anti-virus signature detection, distributing their malware in different application names, and trojanizing widely popular applications,” the report notes.
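A defender-side illustration of the repackaging the report describes, added here and not part of the original article or of the F-Secure report: the APKs, package names and bytecode are constructed stand-ins. It shows that a whole-file hash yields a fresh "signature" for every renamed copy of the same trojanized app, while hashing only the code entry groups the copies together.

```python
import hashlib
import io
import zipfile

def build_sample_apk(package: str, dex_bytes: bytes) -> bytes:
    """Build a minimal APK-like zip in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", f'<manifest package="{package}"/>')
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()

def whole_file_hash(apk: bytes) -> str:
    """Naive signature: a hash of the whole package, which changes with every repackaging."""
    return hashlib.sha256(apk).hexdigest()

def code_hash(apk: bytes) -> str:
    """Hash only the Dalvik bytecode entry, ignoring package name, manifest and zip metadata."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return hashlib.sha256(zf.read("classes.dex")).hexdigest()

def cluster_by_code(samples: dict) -> dict:
    """Group sample names by code hash; repackaged copies of one trojan land in one cluster."""
    clusters = {}
    for name, apk in samples.items():
        clusters.setdefault(code_hash(apk), []).append(name)
    return clusters

def count_distinct_signatures(samples: dict) -> tuple:
    """Return (distinct whole-file hashes, distinct code hashes) for a sample set."""
    return (len({whole_file_hash(a) for a in samples.values()}),
            len({code_hash(a) for a in samples.values()}))

# Constructed stand-ins for Dalvik bytecode: one trojanized payload shipped under three names.
TROJAN_DEX = b"dex\n035\x00constructed trojanized payload"
BENIGN_DEX = b"dex\n035\x00constructed benign app"

SAMPLES = {
    "com.example.flashlight": build_sample_apk("com.example.flashlight", TROJAN_DEX),
    "com.example.wallpaper": build_sample_apk("com.example.wallpaper", TROJAN_DEX),
    "com.example.freegame": build_sample_apk("com.example.freegame", TROJAN_DEX),
    "com.example.notes": build_sample_apk("com.example.notes", BENIGN_DEX),
}

if __name__ == "__main__":
    print(count_distinct_signatures(SAMPLES))  # (4, 2): four file signatures, two code hashes
    for h, names in cluster_by_code(SAMPLES).items():
        print(h[:12], names)
```

Real APKs carry many more entries and the bytecode itself can be mutated, so in practice the code hash is one feature among several; the point here is only that a signature keyed on the whole file is defeated by renaming alone.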

The situation can only worsen in the near future. More than the evolution of malware in the mobile landscape, I am worried by the impressive increase of polymorphic malware, which presents different signatures to evade security systems and makes the pattern-matching detection implemented by major anti-malware software difficult. The battle against these powerful cyber threats must move on two parallel tracks: prevention and response. The first requires a high level of awareness of the related risks, which can be obtained through well-designed information campaigns and through the establishment of a greater number of control centers and monitoring institutions. As for the second, it is desirable that computer crimes be prosecuted under a globally recognized law that provides stiff penalties for criminals.

About the Author: Pierluigi Paganini, Security Specialist, CEH (Certified Ethical Hacker), EC-Council, Security Affairs.
