Tag Archives: malware

Economics of Malware: Presentation

Thanks for those of you who have been following my series on the economics of malware (part 1, part 2, part 3). I presented about that topic at Madison’s Nerd Nite today (October 30, 2013). This is the presentation, along with notes necessary to give it. It is available under a Creative Commons – Attribution/Non-Commercial/Share-Alike license.

 

The Economics of Malware: Criminals

Note: This is the second of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Today we will look at the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Malware is created using vulnerabilities, either purchased through the markets described previously or self-researched. There are broad categories of malware, each of which has a different profit mechanism.

Account Credential Theft

Attacks in this category include any mechanism by which a user’s form of authentication is taken for uses outside of their control. This can include user and password combinations for financial institutions, games, websites, or IM/VoIP clients, or password and certificate combinations used for encryption (such as a GPG pair). These can be either be sold in black markets, or used in attacks described later in this article. Typically, it is done either by phishing (directing users to fake login pages and having them enter their credentials), or through keyloggers.

Bot Activity

While the previous attacks were somewhat passive, listening in or gathering information, those that cause bot activity take control over the compromised machine. Machines can be used in this way to send spam to continue to grow the botnet, or solve captchas, or launch DDOS attacks either to attack an enemy or as part of a ransom attack (see below). They can also be used for click fraud, either to drain the funds of a target or if they control the ad network in question to raise revenue. Finally, it can be used to anonymize any other attack described here, so that they look like they are only coming from another victim (this is a common objection to offensive security since you will not be responding to the initiator of the attack, just the attack itself).

E-Mail Attacks

Email attacks are those used once you have the credentials necessary to access them. Once accessed, a multitude of attacks are available, although the automation of these attacks varies widely. For instance, Stranded Abroad attacks (also used in social media reputation attacks) use the email account to contact associates with a call for monetary assistance due to some need overseas, and ask for money to be wired overseas to accounts under the attackers control. Emails can be sent containing malware to other people to gain other access. The accounts can also be mined to look for registration emails from websites, and used to reset the passwords on all of those sites and gain access to those to perform other attacks. Finally, the information in the emails itself can be of great value, if mined correctly or a precision attack is made.

Financial Credentials

The most obvious of value from malware is in financial institutions. Being able to log into an individuals bank, stock, 401k, or other similar account can immediately result in a windfall, depending on the security of the institution in question. In these cases, often smaller withdrawals are made to look for triggers that would cause questions to be raised. There are also attacks made on the financial institutions themselves, where money is either shifted into other accounts or simply created out of thin air.

Ransomware

Machines can be totally removed from the control of their owners. In those cases, the malware will either encrypt data on the machine, requiring that they pay the attacker in order to have it unlocked, or make it appear that such action is required. Sometimes this will be cloaked in the façade of the user having done something illegal and it being a fine (sometimes with hilarious results), other times it is just an open ransom request. With the system controlled, it will sometimes take advantage of an embedded webcam and take compromising pictures, and demand ransom for that.

Reputation Hijacking

That last example can also fall under the category of reputation hijacking. With reputation hijacking, typically social network accounts are used to post information that compromises the value of the target’s identity. Individuals may find their Facebook account posting incriminating photos or statements, Businesses may find their Yelp profiles dragged through the mud by competitors. In these cases, they are usually paid character assassinations.

Server Compromise

If a compromised machine has useful characteristics, it will be used for them. This is different from the normal bot behavior described above, in that they will often be used to host services for users other than the attackers. This includes sites that serve warez or child pornography, and do not want to use machines that can be traced back to an individual. They often can be used for phishing or other malware-related sites.

Virtual Good Theft

Finally, the machines compromised can include various information of worth. If license keys can be found in recoverable form they are easily resellable. Also with high value are gaming accounts and goods from those accounts. Gaining access to either Amazon or iTunes accounts can also grant value for the compromiser.

These methods are often used in tandem via malware packages. As of March 2013, thirty-eight percent of all malware was distributed by the Blacole or Cool kits, both created by the same person team, led by a user known as Paunch. Almost all of malware traffic comes from packages now. Interestingly, these packages are sold similar to other software-as-a-service. This includes data analytics, user targeting, upgrades, and more. The Blacole kit could be rented for approximately $700 a month, while Cool retailed for $10,000.

With all of these avenues for making money, perhaps the hardest part is actually gaining access to it. Organized crime who are the largest users of malware packages will retain money mules to gather the money. At times, this money never reaches its destination, either due to the mules being interceded by authorities or the attackers concerned about their ability to recover it.

The reason why that concern is justified is that these criminals are high value targets. You may notice that many of the articles I have linked to involve arrests. This is because every point on the chain of making and expatriating the money involved is a target. For instance Paunch and his team, mentioned above, were arrested earlier last week in Russia. Despite this, it is extremely lucrative for the time they operate.

Part three of this three part series will cover the last of the major users of retail vulnerabilities, governments and their agents.

Cryptolocker and Handling Malware Generally (This Means Backups!)

I received a request to discuss the cryptolocker family of malware, and will be talking about that today. If there are any other topics that are requested to be covered, please leave a comment below or contact me. This form of malware falls generally under the ransomware category, which installs itself and then demands money for one reason or another in exchange for removal. Sometimes it is because it claims you have violated the law, and it is a fine to remove it. In this case, it instead encrypts data off of your hard drive using a public-key cryptographic setup that appears to be well designed, and at least appears to legitimately offer a hope for decryption if it is paid.

Encryption is Hard™, and it is the mistakes in designing cryptographic software that is easier to break than the theory that is implemented. In this case, however, no obvious flaws have been found. This does not mean that I encourage payment of the ransom. Like all ransoms, you have no reason to trust whoever created the malware. Payment only encourages them to ask for more, and the key could be discarded as soon as the files are encrypted.

More realistically, if you see this malware appear on your system, you have two hopes. First, this is the “cheap” form, which will not actually encrypt your system but instead hide all your files and pretend to. Removing the malware will make your system function again. You can use your typical form of antivirus, or something like malwarebytes. Secondly, you of course have good backups, right? Many infestations come in large packages now, containing various malware to do different tasks such as keylogging or changing your DNS server to point you towards what they control for ad clicks or prevent you from obtaining software updates. When you discover malware on your system, at that point you do not know what else is wrong. A full system reinstall is the best solution, and the only way to guarantee things are fixed, assuming you also are sure your backups are clean as well.

Therefore, if you want to be sure about your security, be sure about your backups. For my system I use duplicity, and it ties in well with my previous instructions on personal encryption. I have it doing daily backups, which are incremental (so it only adds what is new from the previous day’s work), and then a full backup every week. My crontab and backup scripts are below:

# m h  dom mon dow   command
0 5 * * 2-7    /home/USER/.duplicity/duplicity_daily
0 5 * * 1    /home/USER/.duplicity/duplicity_weekly
#!/bin/sh
test -x $(which duplicity) || exit 0
$(which duplicity) --encrypt-key GPG_KEY --exclude /home/USER/.gvfs /home/USER file:///data/backups/USER
#!/bin/sh
test -x $(which duplicity) || exit 0
$(which duplicity) full --encrypt-key GPG_KEY --exclude /home/USER/.gvfs /home/<USER> file:///data/backups/USER
$(which duplicity) remove-all-but-n-full 3 --force file:///data/backups/USER

For each of the above, you would replace “<USER>” with your username, and “<GPG_KEY>” with your encryption public key.