Thursday, February 22, 2007

400,000 Malware Definitions and Counting

Our malware database just crossed the 400,000 mark. As proud as I am of our team and their hard work in this area, knowing that there are now more than 400,000 identifiable instances of malware is not exactly something any of us should celebrate.

Think about it. Let's assume the database contains a large amount of "variants on a theme". At a twenty to one ratio (which is about right), our malware analysis engines, and the engines of other leading malware hunters, are facing the collective output of a football stadium's worth of criminal programmers. That's a lot of programming power.

I know what you're thinking: why do these programmers do this? How do they justify moving their considerable talents over to "the dark side"? The answer is, of course, "money." We all need to pay the rent and feed the kids. And maybe, just maybe, buy a big boat. Here are just six ways malware creators get paid:

1. Botnet creation. Old-fashioned spam.

2. Hostageware. Hostageware hackers focus on creating targeted forms of malware that enable them to slow down or interrupt the commerce infrastructure of an online auction house, casino, stock trading company, or retailer. Most of these hacks focus on denial of service attacks against published IP addresses - or if that fails, the IP addresses of their ISP - and it usually starts with a demonstration of capability. Once the capability has been demonstrated, the hacker calls the casino and asks for cash in exchange for uninterrupted service. Casinos and online trading houses must weigh the advantages of paying the hacker versus losing network access.

3. Phidgeting. Phidget (PHIshing using wiDGETs) attacks haven't yet entered the mainstream, but in a year or two, "phidgeting" could well become the number one form of attack. Why? Because nothing is more effective than a crime that goes undetected in plain sight. Phidgeting hackers have numerous tools available, including several desktop application-creation software engines that enable the creation and rendering of pretty-looking, branded widgets/gadgets that interoperate right in front of you, on the desktop, rather than deep in the operating system. When hackers combine a tasty widget with a fake banking URL and the trusted brand of a financial institution, the potential for stealing credentials is great.

4. Phishing. Has anyone on the planet not yet received an email from the deposed ex-Attorney General of a third world nation offering them thirty million dollars in return for their kindness, a vow of secrecy, and a few thousand bucks in "legal fees"?

5. VOIP-Based Caller-ID Spoofing. Criminals are starting to make use of IP phones programmed to display trustworthy references - the brand of your bank or your trading company - to call unsuspecting consumers to "verify" account details. The better scammers combine this capability with email phishing attacks that tell consumers *not* to trust their email because of the potential for abuse. These emails recommend calling the bank instead to "verify" their accounts have not been touched. According to some of the folks I spoke with at the RSA conference last week, these phone lines typically take you to automated IVR (Interactive Voice Response) recordings that answer in your bank's name and ask you to please enter your account number and PIN in order to speak to a customer service agent. Try to guess what happens while the music plays...

6. Account Hijacking (Zombie Trading). In November, both eTrade and TD Waterhouse reported that their clients had suffered $22m in losses due to "zombie trading". For this hack, criminals hijacked a hundred trading accounts on the platforms and used these stolen credentials to drive up the price of several targeted stocks held by the criminals. Once the stocks reached their target price, the criminals used the hijacked accounts to purchase the stock from their own accounts, at a massive profit. It has been widely reported that they made $22m on the trade. Was this a test for a bigger scam, involving tens or hundreds of millions? Let's hope these guys don't head over to the derivative counter anytime soon.

The most worrying stuff to me involves the criminal use of real accounts, "call center staff", real-sounding IVR recordings, and "in your face" branded desktop applications. Regardless of what has happened in recent years, consumers still trust brands - and human voices. I sense there is a ton of money still to be scammed via these vectors.
