The Malware Economy

Heimdal Security
Healthy paranoia
6 min read · Sep 16, 2015

With more and more activity happening within the hacking industry and the malware market, you might wonder:

How can it scale so much and where does it end?

Just like any other business, the cyber criminals’ activity and the opportunities in the malware market are a matter of demand versus supply.

Naturally, there is no real demand for malware. But there is a market, which we all are responsible for making available.

The Macro and Micro malware economy

The malware market, like any other, offers a wide range of products to fit your “unattended needs”. Today, some of the best-selling offerings are APTs, ransomware and banking Trojans, with as many brand names as anyone could wish for. Just like when you go to the supermarket.

Financial Trojans statistics from The state of financial Trojans 2014 by Symantec:

  • Around 1,467 financial institutions in 86 countries are targeted with financial Trojans.
  • The top 9 targeted financial institutions were attacked with more than 40% of the Trojans.
  • Attackers are focusing on new targets outside of online banking, such as Boleto, Bitcoin, and password managers.
  • The number of infections of Zeus (Trojan.Zbot) and its variants grew by 10 times from 2012 to 2014.
  • The US is the country with the most financial Trojan infections, followed by the UK and Germany.


The underground financial fraud community has become increasingly organized, facilitating an expanded reach.

Everything from bots and intelligent configurations to localized distribution channels are being bought, sold, or rented out as a service. Attackers are no longer just participating in financial fraud; some are dedicated to creating tools to facilitate these activities. Attackers can leverage third-party services to operate more efficiently and can even outsource the cash-out process. Compromised banking accounts are traded for 5 to 10 percent of their current balance.


The number of total financial Trojan infections around the world has steadily decreased after a spike in March 2014 and is now at a similar level as the number seen at the end of 2012. This represents a drop of 53% from January to December, 2014.

The visible drop could be attributed to various takedown operations and malware author arrests.

Two such events are Operation Tovar (against the Gameover Zeus botnet) and the Shylock Trojan takedown operation.

The malware market has evolved from something that was written and used ideologically or for fun into a targeted weapon. Some groups, such as Anonymous, still use their abilities for ideological purposes across borders, whilst others, like DD4BC, which we covered recently, use them purely for making money.

There is no doubt that the financial aim of malware or IT attacks outweighs by far the ideological aim in today’s market.

1,425% — attacker’s estimated return on investment for exploit kit and ransomware schemes.


So the malware market has evolved, just like any other market, from an early-adopter stage to a fine-tuned, mass production and mass-distribution space.

Cyber criminals have seen malware move from a small business to a very big business worth millions (or potentially billions) of dollars. The business is still growing, but to continue its growth it is now being taken from the macro-economic level to the micro-economic level, which I’ll expand on below.


Market established — time to divide and conquer!

The malware economy is now firmly established using macroeconomic strategies, with wide scale phishing attacks (mass marketing), massive and centralised malware distribution channels and big botnets.


However, during the last 1–3 years, law enforcement has been catching up with these distribution and harvesting tactics: because they operate at large scale, they are easier to find and easier to topple.

Remember: the bigger they become, the harder they fall.

So within the last 2 or so years, the malware market has developed further. A newer term, APTs (advanced persistent threats), has become a palpable reality.

Malware is getting stealthier and is changing much faster, making it more challenging for traditional, signature-based protection mechanisms to keep up.


Being smaller and more stealthy is getting more and more important for hackers, in order to stay under the law enforcement’s radar.

The market is now shifting to the micro-economic level, fine tuning its techniques and taking a much more granular attack approach. The market is becoming fragmented.

Main types of malware used in 2014 (chart from the original post; not reproduced here).

Diversified attacks and multilayer protection

As the granularity of attacks increases, a new range of attack and deployment mechanisms have come into play from regular business economics as well.

Time to market is now a key factor in the malware sector. Using exploits almost as soon as they appear is one of the preferred approaches. Zero-hour exploits, which target vulnerabilities before the vendor or the public knows about them, are of course ideal for the attacker to have.

But even vulnerabilities that are publicly disclosed are often exploited and targeted within a day by cyber criminals, well before most users have patched. They try to penetrate users’ systems via segment-targeted spear phishing attacks, malvertising campaigns or through web servers that have been compromised and can be used to deliver malware.

You and your users are becoming victims of drive-by-attacks, malicious injections and exploits that use tricks that marketers have used on us for ages.


Cyber criminals are stepping up their game and becoming much better at it. So we have to get better at it as well.

Common responsibility — improved cyber crime defense

We might not have asked for a malware market, but we are still serving it through unpatched software, the lack of sufficient firewalls or inadequate antivirus or APT products.


Here are some relevant facts from the 2015 Trustwave Global Security Report:

  • 28% of security breaches resulted from weak passwords and another 28% from weak remote access security
  • Weak passwords or weak remote access security contributed to 94% of POS breaches
  • Weak or non-existent input validation (including SQL injection) or unpatched vulnerabilities contributed to 75% of e-commerce breaches.
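The third Trustwave finding above is worth seeing in code. The following is an added example, not code from the original post or from Trustwave: it builds a constructed in-memory SQLite user table and compares a login query assembled by string concatenation (the "weak or non-existent input validation" failure mode) with the same query using parameter binding. The table contents, the function names and the payload are all assumptions made for the demonstration; passwords are stored in plaintext here only to keep the query shape visible, which a real system must never do.

```python
import sqlite3

# Constructed sample data for the demo only; not real accounts.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Classic payload: closes the quoted username, then comments out the
# rest of the statement (SQLite treats "--" as a line comment).
INJECTION = "alice' --"


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so a crafted
    username rewrites the WHERE clause. Returns the matched username or None."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Hardened form: the same query with bound parameters. The driver passes
    the input as data, so the quote and comment characters have no SQL meaning."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against a legitimate login and the injection payload."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_injected": login_vulnerable(conn, INJECTION, "wrong"),
        "hardened_legit": login_hardened(conn, "alice", "correct horse"),
        "hardened_injected": login_hardened(conn, INJECTION, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query, the payload turns the statement into `... WHERE username = 'alice' --' AND password = 'wrong'`, so the password check is commented away and the attacker is logged in as alice without knowing the password. The bound-parameter version looks for a user literally named `alice' --` and finds nothing. Parameter binding is the fix for the query; input validation on top of it is still worthwhile, but it is not a substitute.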

Your computer(s) might already be part of a botnet, which effectively means that you are helping to serve and deliver attacks and malicious messages across the globe.

Increasing the level of pre-attack barriers on your computer and in your organization is a common responsibility.

Make sure your software is patched, with no exceptions. If you need exceptions, make sure you employ Zero Hour exploit protection.


Use a good antivirus product, and rely on independent test results and reviews to choose it.

For larger organizations, a next generation Firewall and HIPS (Host Intrusion Prevention System) protection, as well as APT (Advanced Persistent Threat) protection are a must!

Make sure you factor in that the more data you have or the more prominent your position or company, the stronger your defenses should be.

Originally published at heimdalsecurity.com on June 23, 2015.
