The Maladjusted World Of Cybersecurity
I was taught some time ago, whilst learning to do a little DIY, that you really need to use the right tool for the job to get a good result. The same is true for cybercrime. Cybercriminals need to pick, from the wide choice of malware and methods, the right combination to get the best outcome. Every budding cybercriminal will understand this truism and will work out a plan of action based on what crime they want to commit. For example, if they want to take down the White House website, they won’t use ransomware.
Cybercrime is a thriving business. In a report by HPS, cybercrime as a business was found to be just behind Apple Inc. in terms of revenue – grossing around $450 billion annually. I may find the ethics of cyber criminals despicable, but I admire their business acumen.
The product offerings within that business are many and competitive. PandaLabs, in a recent report, found 18 million new malware samples in Q3 of 2016; that’s 200,000 per day. AV-Test figures are even more astonishing, with around 390,000 new malware samples identified each day, and the number is increasing year on year.
Malware direct sales on the Dark Web are booming and different models of use are encouraging this. Malware-as-a-Service (MaaS) is the perfect option for the wannabe cybercriminal who doesn’t have the skills to write their own malicious code and distribute it. And it doesn’t cost the earth to become a cybercriminal, with prices from $39 for a lifetime license, as recently discovered by security company Heimdal.
The world is awash with malware and methods of getting it onto our computers. To keep abreast of all things cybercrime, it’s always useful to have a rundown of what you’re dealing with. So, below I have listed some of the malware types and their associated propagation methods.
The mode of action of worm malware is to copy and distribute. One of the defining features of a worm is that it is self-propagating. Typically, a worm will initially infect a machine via a software vulnerability, say in a browser. It then hijacks your email address book (or similar) and sends out emails (messages) to all of your contacts. If a recipient clicks on a link in the email, they will be taken to an infected site. If they have a software vulnerability to exploit, the worm will infect their computer, and on it goes. One of the most famous worms was the ‘I Love You’ virus. One of the more recent worm-based infections which shook up the Internet was the Mirai botnet of 2016. In the case of Mirai, the propagation was performed by the worm scanning for specific vulnerabilities in IoT devices. Once identified, a device is infected with the Mirai worm malware and becomes part of a wider network of bots, which then work together to perform a DDoS attack.
Just the word ransomware is enough to send shivers down the spine. Ransomware is the cybercriminal’s dream, as the 3000% increase in attacks since 2012 attests. Ransomware has one main job: to do something devastating to a computer that results in you being forced to pay money to reverse the attack. There are many types of ransomware around. Some, such as CryptoWall, encrypt files on any drive that is accessible, with payment of the ransom (hopefully) resulting in a decryption code. Other ransomware types will lock a device or application. For example, malware families such as ‘Small’ and ‘Fusob’ work by placing a fake screen over the mobile interface, then displaying the ransom note.
Infection by ransomware is not automated in the way seen with worm malware. Instead, this malware is propagated via an infected email attachment, or an infected website which hosts an exploit kit, that is, a piece of software that looks for software vulnerabilities and installs malware automatically. Occasionally, it can also be found in infected online ads or videos, known as malvertising.
Malware types often overlap, with the same type of malicious software performing different jobs. Trojan malware is the cybercriminal equivalent of the Swiss Army Knife. You get many variants of the Trojan: Trojan-Spy, Trojan-Ransom (as in Small and Fusob above), Trojan-Downloader (which is a conduit to download other malware), and Trojan-Rootkit. The Trojan is a general-purpose tool. You can use some form of Trojan to perform a lot of different hacks. However, unlike the worm, it has to be propagated by a human actor in some manner, usually through an infected email attachment or via an exploit kit on a website. The latter was the method of infection with the ‘Tiny Banker Trojan’ or ‘Tinba’, so-called because the file size of the malware was very small. Tinba infection is via the Rig or Angler exploit kit, which is often associated with malvertising-based infections. Another method of infection used by a Trojan is demonstrated in a recent Trojan exploit which targets Chrome and Firefox users. On landing on an infected site, a popup message appears asking you to download a “Hoefler Text font”; on clicking download, installation of the Zeus Panda banking Trojan begins.
RATs and Backdoor Attacks
Backdoors are the malicious program equivalent of a skeleton key. They are a method typically used against a known target to get at network access credentials. The mode of operation of a backdoor attack is often multi-step. Firstly, the target will receive a spear phishing email. If they then open the infected attachment or click on the link which takes them to an exploit site, they are at risk of malware being installed that will obtain network login credentials and ultimately steal data. Often a Command and Control link will be established between the hacker and the host computer to keep the connection current and open, siphoning off data at will. Backdoor malware is designed to hide under the covers. Remote Access Trojans (RATs) use the backdoor method to steal data, often over long periods of time. An example of a RAT is the Sakula RAT, which was behind the OPM attack of 2015.
One very cute way that a Trojan-based backdoor can be installed is known as the Vulnerability Based Backdoor (VBB). In this attack, a user is tricked into downloading a legitimate application like Adobe Reader. The application is real, but it has a vulnerability added by the hacker, so it is not recognized as an infection by anti-virus software. This vulnerability allows the next step of the attack to take place, using the vulnerability as an exploit for installation of other malware.
Malware, and cybersecurity in general, is having an adverse impact on the growth of business and our competitive ability to innovate. McAfee has found that half of the respondents to a survey, when asked, admitted to slowing their Cloud adoption down just because they didn’t have trained cybersecurity staff to deal with the protection requirements. Keeping on top of the flood of malware infections is an ongoing task. The fluid nature of the methods used to infect our networks, and the ever-changing profiles of the malware itself, mean we cannot rely on antivirus software alone to deal with the problem. Malware infection is ultimately behind most external cyber security breaches, so we need to have a deep understanding of how these attacks are propagated and perpetuated. Knowledge is power in the world of cyber security.
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.