Government Malware Goes Commercial
What will happen in 2013? Will our cyber security get better or worse?
First, the good news.
We think security will improve for larger, well-funded organizations. In the same way James Q. Wilson introduced community policing, transforming law enforcement, we think a community approach—a sort of security commune—will improve security in the digital realm. Sharing attack information will help remove the seeming randomness of attacks.
Second, the bad news:
- As bigger firms get smarter, we think hackers will choose the path of least resistance—small companies. To date, we’ve seen for-profit hackers pursue small organizations, but rarely have we seen government-sponsored (APT) attackers go after the little guys. We think that will change. Small companies contain a lot of data and, in many cases, quality intellectual property. They make for ripe targets.
- Not surprisingly, we think hackers will continue to get more sophisticated. In 2013, hackers will continue to refine cloud computing for attacks.
- Traditional SQL injection attacks will continue—but we believe they will focus on content management systems (CMS). Hackers go where the vulnerabilities are. Today, CMS provides a rich target.
- We think hackers will use a cloud-based model to become more efficient and effective.
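The SQL injection point above is easiest to see in code. The following is an added example written for this page, not code from the original post: a constructed CMS-style "posts" table in an in-memory SQLite database, queried once with user input concatenated into the SQL text (the pattern that makes CMS plugins and themes injectable) and once with a bound parameter. The table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a CMS "posts" table; not from the original article.
SAMPLE_POSTS = [
    (1, "Welcome", "published"),
    (2, "Draft roadmap", "draft"),
    (3, "Internal memo", "draft"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn, status):
    """The weak pattern: user input is concatenated into the SQL text.
    A single quote in `status` terminates the string literal and whatever
    follows is parsed as SQL, so unpublished rows leak to an anonymous visitor."""
    sql = "SELECT id, title FROM posts WHERE status = '" + status + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, status):
    """The hardened pattern: the driver binds `status` as a value, never as SQL,
    so the same input is compared literally and matches nothing."""
    sql = "SELECT id, title FROM posts WHERE status = ?"
    return conn.execute(sql, (status,)).fetchall()


def demo():
    """Run both query styles against a benign and a textbook hostile input."""
    conn = make_db()
    benign = "published"
    hostile = "' OR '1'='1"  # the classic always-true tail used in every SQLi tutorial
    return {
        "vulnerable_benign": search_vulnerable(conn, benign),
        "vulnerable_hostile": search_vulnerable(conn, hostile),
        "parameterized_benign": search_parameterized(conn, benign),
        "parameterized_hostile": search_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point for a CMS operator is that the hostile case does not need a clever payload: any quote-breaking input against the concatenated query returns every row, drafts included, while the parameterized query returns nothing for the same input. A code review or plugin audit that greps for string-built SQL finds the first pattern quickly.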
Overall, 2013 will also have many headlines reporting breaches. We believe the path and methods, however, will look a bit different.
Government Malware Goes Commercial
Government military research has an influence on the industry. Commercial aviation, for instance, has been heavily influenced by advances in military aircraft. In 2013, we believe this government-driven cascade effect will apply to cyber security.
How? The most dynamic change factor in the insider threat landscape in recent years is the evolution of modern malware. The massive introduction of user-owned devices coupled with workforce mobility is giving the “compromised insider” threat extra weight compared to the more traditional “malicious insider” threat.
We expect two existing trends to take us through 2013:
- Technologies previously attributed to “state sponsored” attacks are going to become commercialized (or commoditized), further blurring the difference between Cyber Crime and Cyber War.
- Devices affected by modern malware (APT), representing a “compromised insider” threat, are going to become a more prominent risk factor than malicious insiders.
The 2012 Verizon Data Breach Investigations Report noted malware’s impact: “69% of all data breaches incorporated Malware.” This represented a 20% increase over 2011.
Through 2011 and 2012, we have seen a variety of allegedly state-sponsored malware operations described in the media, among them “Gauss,” “Duqu” and “Flame.” Three notable aspects were discussed with respect to these
- The method of infection.
- The complexity of the software and the robustness of the command and control network.
Throughout 2012, we have seen two of these three aspects appear in modern commercialized malware.
Infection Methods Gone
In the second half of 2012 we closely tracked a number of botnets—which gives us a glimpse of future infection methods with next generation malware. Today, malware is usually delivered as a compressed archive about 50KB in size and is the basis for a very robust and versatile compromise operation. We generally see that the initial infection package changes very frequently, even within the same distribution campaign, to the point that antivirus (AV) products appear to have difficulty keeping up with detecting new strands of the same code. What
- A larger number of hosts containing more sophisticated malware. Each campaign is also characterized by keeping a large number of compromised servers that host the infection package. The actual functional modules that are downloaded from time to time vary in size and are by no means the tiny, size-optimized executable programs of previous-generation malware. Some of the modules are larger than 1MB, and in some of the instances we tracked, the total code size amounted to almost 10MB. Modules keep evolving over time. For some, we saw version numbers grow substantially over time.
command and control structure (C&C) becomes larger and more robust. Today, basic malware comes equipped with a list of more than 10 IP addresses of available C&C servers. Recently, we have seen this number go up to 40. Moreover, all C&C servers seem to share a common state with respect to the clients through some mechanism. The different modules downloaded from time to time provide functions such as sending spam, file pilfering, password grabbing, and attacks against web servers. Each individual operation was able to last a few weeks before being shut down.
It seems that most operational capabilities that defined Flame and the like as “super malware” are in fact finding their way into these commercial malware operations. We expect the infection vector to remain the biggest differentiator between the commercial malware and the truly advanced
C&Cs Get a Major Upgrade
In a different incident, we tracked a botnet’s activity. This botnet is a classic banking malware typically seen in Latin America. The instance we tracked employed two versions of the malware agent using different methods to control the redirection of user traffic to the attacker-controlled server and two different types of C&C channels, thus giving the entire network improved efficacy and redundancy.
This botnet operates by locally hijacking domain names of online banking applications and routing the traffic through an attacker-controlled server. It does that either by rewriting the “hosts” file or by hooking into the domain name resolution service. It quickly became clear that the same technology can be used by the botnet operator to target enterprise systems rather than personal banking accounts. In particular, if the domains to be controlled (which are downloaded as a configuration file after first infection) are chosen to be cloud-based enterprise applications like SalesForce.com, NetSuite, SilkRoad, and the like, an attacker can gain access to corporate information stored at these systems and accessed by infected computers. Moreover, these cloud-based services may be accessed by mobile devices (in particular, laptops) from outside the enterprise perimeter, leaving no trace of
This is just one example that leads us to believe that next year we will see more enterprise data being affected by malware originally used for other malicious activities. This is going to be driven by the following:
- Existing commercial banking malware technologies can seamlessly be applied to the compromise of cloud enterprise data.
- Cloud enterprise data is mostly used by organizations with a large mobile work force, which, in time, is more susceptible to compromise.
- Attackers are always looking for new revenue streams based on existing technologies.
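The hosts-file rewrite described above (banking names, and by extension SaaS names such as SalesForce.com, pinned to an attacker-controlled address) leaves a simple artifact on the endpoint that a defender can check for. The following is an added example written for this page, not code from the original post or from any vendor: it parses hosts-file text, flags any static entry for a watched public domain or its subdomains, and groups the findings by target address, since one address fronting several unrelated services is the stronger signal. The hosts content, the watched-domain list (only salesforce.com comes from the article; the bank name is made up) and the 203.0.113.0/24 addresses are constructed for the demonstration; the script can also be pointed at a real file with the path given at the bottom.

```python
import ipaddress
import sys

# Constructed hosts-file content for the demonstration; the addresses use the
# 203.0.113.0/24 documentation range and are not real indicators.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.20 fileserver.corp.internal   # legitimate internal pin
203.0.113.45 login.salesforce.com www.salesforce.com
203.0.113.45 online.example-bank.test
"""

# Public names that a workstation should never resolve through a static hosts
# entry. salesforce.com is named in the article; the others are assumptions.
WATCHED_DOMAINS = ("salesforce.com", "netsuite.com", "example-bank.test")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each non-comment, well-formed line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address field
        yield line_no, ip, fields[1:]


def matches_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname equals a watched domain or is a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return suspicious entries as (line_no, hostname, ip_string).

    Any static pin of a watched public name is reported, loopback or not:
    these services are only meant to be reached through public DNS, so a
    hosts entry for them has no legitimate administrative purpose."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if matches_watched(name, watched):
                findings.append((line_no, name, str(ip)))
    return findings


def group_by_ip(findings):
    """Map target address -> hijacked names; several unrelated services sharing
    one address is the pattern of a single attacker-controlled relay."""
    groups = {}
    for _, name, ip in findings:
        groups.setdefault(ip, []).append(name)
    return groups


if __name__ == "__main__":
    # Optional: pass a real hosts file path (e.g. /etc/hosts) as argv[1].
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, names in group_by_ip(find_hijacked_entries(text)).items():
        print(f"{ip} fronts {len(names)} watched name(s): {', '.join(names)}")
```

The same check belongs in the second infection method the post names: a resolver hook leaves no hosts entry, so the complementary control is comparing what the endpoint actually resolves for these names against an authoritative lookup from a clean vantage point, which this script does not do.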
Attackers have always followed the path of least resistance. Considering that antivirus has not been effective in preventing infections from modern malware, this trend should surprise no one. Enterprises who fail to adopt a data- or file-centric security approach will be caught with their pants down. Investing in the right “ears and eyes” to monitor access to servers, databases and files will make the detection of such attacks easier.
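The “ears and eyes” the closing paragraph calls for are, concretely, access logs plus a rule that notices when a compromised insider's machine starts pulling files it never touched before. The following is an added example written for this page, not code from the original post or from any product: it runs a sliding-window rule over constructed file-access audit lines and flags a user who touches more distinct files, across more shares, in ten minutes than a person working normally would. The log format, the timestamps, the user names and the thresholds are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-access audit lines (not from any real system); the format
# "<iso-timestamp> user=<u> action=<a> path=<p>" is an assumption for the demo.
SAMPLE_LOG = """\
2012-11-05T09:02:10 user=alice action=read path=/share/finance/q3-forecast.xlsx
2012-11-05T09:40:55 user=alice action=read path=/share/finance/q3-actuals.xlsx
2012-11-05T10:15:03 user=alice action=write path=/share/finance/q3-actuals.xlsx
2012-11-05T13:01:00 user=bob action=read path=/share/engineering/design-a.pdf
2012-11-05T13:01:04 user=bob action=read path=/share/engineering/design-b.pdf
2012-11-05T13:01:09 user=bob action=read path=/share/engineering/design-c.pdf
2012-11-05T13:01:15 user=bob action=read path=/share/legal/contract-1.docx
2012-11-05T13:01:20 user=bob action=read path=/share/legal/contract-2.docx
2012-11-05T13:01:31 user=bob action=read path=/share/hr/salaries.xlsx
"""

WINDOW = timedelta(minutes=10)   # assumed window; tune per environment
MAX_DISTINCT_FILES = 5           # assumed threshold for "bulk" access


def parse_line(line):
    """Turn one audit line into a dict with a parsed timestamp."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts_str), **fields}


def share_of(path):
    """Second path component, e.g. '/share/legal/x' -> 'legal'."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 else ""


def detect_bulk_access(log_text, window=WINDOW, threshold=MAX_DISTINCT_FILES):
    """Flag each user the first time more than `threshold` distinct files fall
    inside one `window`. Returns user -> (distinct_files, distinct_shares,
    window_start, window_end). Lines must be in time order."""
    recent = defaultdict(deque)   # user -> (ts, path) events inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # evict events that aged out
            q.popleft()
        files = {p for _, p in q}
        if len(files) > threshold and ev["user"] not in alerts:
            shares = {share_of(p) for p in files}
            alerts[ev["user"]] = (len(files), len(shares), q[0][0], ev["ts"])
    return alerts


if __name__ == "__main__":
    for user, (n_files, n_shares, start, end) in detect_bulk_access(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n_files} files across {n_shares} shares "
              f"between {start.time()} and {end.time()}")
```

Alice's three events over an hour on one share stay under the rule; Bob's six files across three unrelated shares in thirty seconds trip it. The file pilfering module the post describes produces exactly this shape of activity from an account that is otherwise legitimate, which is why the rule keys on rate and spread rather than on who the user is.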