Wednesday, October 5, 2011

Dialing in the Malware

Despite several decades of anti-malware defense development, the pro-malware industry is still going strong. As I listen to presentations here at VB2011 in Barcelona this week covering many aspects of malware-based cyber-crime and the advances in detection being made, I'm reminded of a recent posting I made on the Damballa site concerning the success of malware. At the end of the day it costs the attacker practically nothing to generate new malware instances and, with a little investment in a QA process, they can guarantee evasion...

There’s often a lot of discussion about whether a piece of malware is advanced or not. To a large extent these discussions can be categorized as academic nitpicking because, at the end of the day, the malware’s sophistication only needs to match the job it has to do – no more, no less. Perhaps the “advanced” malware label should more accurately be replaced with “feature rich”.

Regardless of whether a piece of malware is designated advanced or run-of-the-mill, and despite all those layers of defense that users have been instructed to employ and keep up to date, even that ever-so-boring piece of yesteryear malware still manages to steal its victims’ banking information.

How is that possible?

I could get all technical and discuss factors such as polymorphism and armoring techniques, but the real answer as to why the malware manages to slip by all those defenses is because the bad guys behind the attack tested it prior to release and verified that it was already “undetectable” before it was shipped down to the victim’s computer. Those host-based defenses had no chance.

It’s worthwhile noting that generating “unique” malware is trivial. Armed with an off-the-shelf DIY construction kit, it is possible to manually generate several hundred unique variants per hour. If the cyber-crook is halfway proficient with scripting they can generate a few thousand variants per hour. Now, if they were serious, stripped back the DIY kit and used something more than a $200 notebook, they could generate millions of unique variants per day. It makes all those threat reports by anti-virus vendors that count the number of new malware samples detected each month or year rather moot. Any cyber-criminal willing to do so could effectively choose what the global number of new malware will be and simply make enough variants to reach that target. I wonder if any online betting agencies will offer worthwhile odds on a particular number being achieved. It may be worth the effort.
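To make the arithmetic above concrete, here is an added example in Python (it is not from the original post, nor from any kit the post mentions). A constructed toy “body” is wrapped by a stand-in for a kit’s XOR armoring step with a fresh key and random padding, so every output has a different SHA-256: a blacklist of file hashes built from the first sample catches none of the rest, while a detector that strips the wrapper and hashes the recovered body catches all of them. The wrapper layout, the MAGIC marker, the PAYLOAD bytes and the function names are all invented for the example.

```python
import hashlib
import random
from typing import Dict, Optional

# Constructed stand-in for a malware body. It is plain text, not a real binary.
PAYLOAD = b"TOY-BODY: read browser credential store; POST to https://c2.example/"

# Constructed wrapper marker for the toy format; it is not a real decoder stub.
MAGIC = b"\xeb\x01"


def sha256_hex(data: bytes) -> str:
    """Per-file identity, the unit that hash-based blacklists key on."""
    return hashlib.sha256(data).hexdigest()


def make_variant(body: bytes, rng: random.Random) -> bytes:
    """Toy 'DIY kit' step: XOR-wrap the body with a fresh one-byte key and
    prepend random padding. Layout (constructed for this example):
    MAGIC | key (1 byte) | pad_len (1 byte) | pad | body XOR key
    Every call yields a file with a different hash but identical behaviour.
    """
    key = rng.randrange(1, 256)  # never 0: XOR by 0 would leave the body in clear
    pad = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    encoded = bytes(b ^ key for b in body)
    return MAGIC + bytes([key, len(pad)]) + pad + encoded


def unwrap(sample: bytes) -> Optional[bytes]:
    """Detector side: undo the toy wrapper and return the body, or None if the
    sample is not in this format. Stands in for unpacking or emulation."""
    if len(sample) < 4 or sample[:2] != MAGIC:
        return None
    key, pad_len = sample[2], sample[3]
    start = 4 + pad_len
    if len(sample) <= start:
        return None
    return bytes(b ^ key for b in sample[start:])


def run_experiment(n: int, seed: int = 1) -> Dict[str, int]:
    """Generate n variants and compare two detection strategies.

    hash_blacklist: SHA-256 of the first sample only, which is what a vendor
    has after a single submission. body_signature: SHA-256 of the body once
    the wrapper has been removed.
    """
    rng = random.Random(seed)
    samples = [make_variant(PAYLOAD, rng) for _ in range(n)]
    hash_blacklist = {sha256_hex(samples[0])}
    body_signature = sha256_hex(PAYLOAD)

    normalized_hits = 0
    for s in samples:
        body = unwrap(s)
        if body is not None and sha256_hex(body) == body_signature:
            normalized_hits += 1

    return {
        "variants": n,
        "distinct_hashes": len({sha256_hex(s) for s in samples}),
        "hash_blacklist_hits": sum(sha256_hex(s) in hash_blacklist for s in samples),
        "normalized_hits": normalized_hits,
    }


if __name__ == "__main__":
    # Thousands of variants in one run: every one is "new" to a hash blacklist.
    print(run_experiment(5000))
```

The detector in this toy is deliberately generous to itself: it knows the wrapper format and reads the key straight out of the header. A real armoring tool does not hand over its key, and an engine has to recover the body by emulation or unpacking, which is exactly the step the kit authors test against before shipping. The point the example does show is structural: any defense keyed on per-file identity loses by construction when a new identity costs a few random bytes.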

Armed with a bag of freshly minted malware, the cybercriminal then proceeds to test each sample against the protection products they’re likely to encounter on potential victims’ computers – throwing out any samples that the anti-virus products flag as malware.

Using a popular malware DIY construction kit like Zeus (retailing for $4,000, or free as a pirated copy via torrent networks), the probability of any sample being detected even at this early testing stage tends to be less than 10 percent. If the cybercriminal also employs a malware armoring tool, that average detection rate will likely drop to 2 percent or less.

Obviously this kind of testing or, more precisely, Quality Assurance (QA) is a potentially costly and time-consuming exercise. Never fear though, there are a lot of entrepreneurs only too happy to support the cybercriminal ecosystem and offer this kind of testing as a commercial service.

Today there are literally dozens of online portals designed to automatically test new malware samples against the 40+ different commercially-available desktop anti-virus and protection suites – providing detailed reports of their detection status. For as little as $20 per month cybercriminals can upload batches of up to 10,000 new malware samples for automated testing, with the expectation that they’ll receive a thoroughly vetted batch of malware in return. These “undetectable” malware samples are guaranteed to evade those commercial protection products. As a premium subscription service model, for $50 per month, many QA providers will automatically fix any of the malware samples that were (unfortunately) detected and similarly guarantee their undetectability.

Armed with a batch of a few thousand fully-guaranteed malware samples, each destined to be deployed against a single victim in a one-of-a-kind personalized manner, it should surprise no one that run-of-the-mill or feature-rich malware manages to infect and defraud its victims so easily.

Tuning Spear Phishing Campaigns

I was recently asked to discuss the tools and tactics of cyber-crime campaigns in relation to advanced spear phishing. One of the more interesting service industries within the criminal ecosystem is ProRing. The following Damballa post summarizes this particular industry...

Despite the advances in anti-spam technologies and mail filtering gateways, if your inbox is anything like mine, each morning there will be a bundle of emails offering a cut of some recently liberated or long forgotten monies, offers to work from home (all you need is a US bank account!), notifications of bank detail confirmation requests, or some obscure social engineering whatever. We’ve all seen them, and most of us recognize them for what they are – broad-spectrum Internet scam campaigns launched by online crooks.

Again, if you’re anything like me, sometimes you’ll catch yourself laughing at the content of the spam emails. Too often the language is all mixed up, has misspellings, and was obviously written by someone for whom English is a second language.

For the victims, these messages are the start of their problems. For the attackers, the distribution of these messages is roughly a halfway point in their current fraud campaign. For some specialized criminal operators, the content of that email is the culmination of their efforts and contribution.

I was reminded recently by the following very funny (and obviously not serious) tweet that there hasn’t been much attention to the organized crime aspects of translation – in particular, the realm of cybercrime-as-a-service (CaaS).

Figure 1: Humorous tweet in Chinglish with misspellings

It should be no surprise that there are CaaS providers that offer boutique translation services to other Internet criminals.

For quite a few years now there have been folks working behind the scenes translating the content supplied by foreign criminals into the messages arriving in your inbox. I’m not talking about those pidgin-English things you receive and rapidly reject, but rather the ones you’re probably missing because they pass a first-glance grammar and spell check. Translation services are rather lucrative for those involved. If you happen to be a fluent English speaker/writer and based in Russia, you can make a couple hundred dollars for each phishing email template you convert or social engineering message you construct. For some CaaS operators a percentage of any fraudulently gained funds may be part of the deal – tying the payment to their translation capability and the success of the attacker’s campaign.

Translating the written language is one thing; it is quite another if you have to speak it. As such, there are a number of CaaS operators that specialize in what could best be described as translation call centers. A common name for these kinds of criminal services is “ProRing” – basically “professional ringing” services, tuned to the requirements of criminals (not just online ones either!).

Supporting a small number of languages, ProRing services are often utilized by cyber-criminals in a variety of ways:

* Account change confirmation for stolen and hijacked accounts

* Money mule coordination and bank account management

* Package tracking and delivery

* Vishing message construction

* Spear phishing “helpdesk” impersonation

* Social engineering

Figure 2: ProRing service supporting multiple languages

The larger, more established ProRing providers tend to support the most common languages encountered in Western countries (i.e. English, German, French and Spanish), although other languages may be included – depending upon staffing arrangements and access to external contractors (e.g. Dutch, Serbian, Hebrew, etc.). Several providers also offer both male and female speakers.

Rates vary considerably between ProRing providers, but are generally in the realm of $10-$15 per call (made or received), and rise if the speaker has no foreign accent.

The phone numbers used for the calls will often rely on caller ID spoofing and/or local POP exchanges to hide the international nature of the call. However, it is important to note that many of these ProRing CaaS operators are themselves international and may not necessarily need to obscure their phone number.

Figure 3: ProRing CaaS provider with disclaimers

As with many CaaS providers, ProRing services often come complete with disclaimers and service-level agreements (SLA), which may require financial retainers for participation in longer-running attack campaigns.

So, the next time you’re inspecting your morning email or cycling through those voice-mail messages, you may want to remember that this rapidly evolving cyber-crime ecosystem has your number (literally). Professional ProRing service providers are out there making sure that the next attack is more successful than the last.

Cyber-siege Strategy

The tactical view of cyber-warfare is that of hacking into systems, exfiltrating data and causing systems to self-destruct. It's all a bit Hollywood in many ways, or at least that's the perception of many not intimately involved in dealing with the threat.

I recently wanted to address the strategic concepts of cyber-warfare - in particular the non-destructive aspects of an attack. The first article, covering the strategic objectives of modern cyber-war, was published yesterday on eSecurityPlanet under the title "Siege Warfare in the Cyber Age".

In the article I point out the value of non-kinetic attacks and the restoration of device control at the end of hostilities (or regime change), and how future cyber-warfare can take on a siege-like approach.