
鈥淚NTERESTED in credit card theft? There鈥檚 an app for that.鈥 So says , a security researcher at Damballa, a company based in Atlanta, Georgia. He and others are warning of a burgeoning cybercrime service industry, one which lets people with next to no programming skills steal a fortune in cash or get hold of sensitive government documents.
Would-be hackers have long been able to buy rudimentary software packages that can be used to build malware, such as code that can steal online banking passwords. Now these hacking tools are being supported with a range of services, some with a money-back guarantee, that makes it easier than ever to create and spread malware.
鈥淭here used to be only a small number of clever criminals who could pull off these attacks,鈥 says of online security company Cisco in San Bruno, California. 鈥淣ow there is a much lower barrier to entry.鈥
Advertisement
One such software kit, known as Zeus, epitomises the commercialisation of the malware services industry. Like other malicious software, Zeus can easily be bought online, in this case for between $400 and $700. Detailed instructions on how to use it are readily available, too.
What sets Zeus apart is that it enables someone with minimal computer skills to create sophisticated malware that can be used to steal online banking credentials or sensitive documents. 鈥淚t represents a sea change in innovation, beyond anything we鈥檝e seen before,鈥 says Peterson.
As an example of what is possible using Zeus, one recent attack netted sensitive US government documents, reports , a security researcher at the Munk Centre for International Studies at the University of Toronto, Canada. The began in February with a series of emails sent to senior officials in the US military, the Federal Aviation Administration and other government agencies, purporting to contains links to vital security information.
In reality, clicking on the links resulted in malware built with Zeus being installed on the user鈥檚 machine. The attack was sophisticated enough to dupe some of its targets, and as a result 81 machines were compromised. Villeneuve was able to identify 1533 documents from the compromised machines that ended up on a computer in Belarus, including defence contracts, documents relating to biological and chemical terrorism and the security plan for a US airport. The identity of the person who siphoned off the documents is unknown.
The ease with which Zeus can be used has been enhanced by the support services, including customised hacking tools, that have grown up around it, Ollmann says. If, for example, criminals know that the computer they are targeting is in Spain, they can plug in additional software designed to mount attacks on Spanish banks. Plug-ins like this are available online for around $30, Ollmann says.
The key to successful malware lies in tricking users into unwittingly installing it. And now even dilettante hackers can spread their malware by paying more technically adept criminals to do it for them.
Peterson cites the example of , a sophisticated piece of software he first observed last summer. Fragus is deployed initially by skilled hackers, who break into web servers and install it. Once in place, it searches for vulnerabilities in the browsers used by visitors to these websites. If it finds a way in, Fragus can be programmed to covertly send a piece of Zeus-created malware to the visitor鈥檚 computer. This allows hackers to sell malware installation as a service to less skilled criminals.
Fragus also delivers feedback on which browsers it has cracked and where the users of those browsers are based. 鈥淭hat data can be used to target a particular country,鈥 says , a colleague of Peterson鈥檚 at Cisco. Stern says he is currently aware of a few dozen websites infected by Fragus, and that it had previously been used to deliver malware to people accessing websites belonging to a widely read US newspaper.
Zeus and Fragus can be reined in (see 鈥淗itting back at hackers鈥), but even here the malware service industry is trying to stay one step ahead. So while many companies provide software that, for example, can detect the presence of malware built with Zeus, another layer of cybercrime activity is devoted to finding ways to bypass those protections.
To check whether a piece of malware is on the security companies鈥 blacklists, hackers can send their creations to websites such as , which for just $1 will try the code out on more than 20 antivirus products. If the malware fails the test, would-be criminals can simply upload their malware to another site that will tweak it to render it unrecognisable.
鈥淗ackers can upload malware to a site that will make it unrecognisable by antivirus software鈥
The online security industry is warning that this profileration of 鈥渕alware as a service鈥 products is likely to result in far more potent attacks. There is already anecdotal evidence that hackers are paying more attention to company rather than personal bank accounts, for example, and to breaching government computers, says Villeneuve.
Hitting back at hackers
There is no anti-malware magic bullet, but a range of techniques are emerging that can help limit the damage malware causes.
For example, nobody should accept friend requests on online social networks from people they do not know. Hackers have created fake profiles and used these to persuade workers at several large firms to follow a link that installs malware. And, of course, you should never click on a link in an email unless you are certain the message comes from a trusted contact.
Companies and other large organisations are vulnerable, however, because employees are likely to slip up at some point. To protect against that, in-house security teams should be thinking about going beyond standard antivirus protection, says , a director at the IT security firm McAfee, in Austin, Texas. One option, called session-based analysis, involves monitoring all computer traffic into and out of a company. The aim is to spot suspicious patterns of activity, such as data flowing to a computer in a country that the company does not do business with. Pirc says that the approach can pick up danger signs even if no identifiable piece of malware has been detected.