The evolution of commercial malware development kits and colour-by-numbers custom malware




Computer Fraud & Security, September 2008, page 4


Gone are the days of ego-boosting worms and all-or-nothing destructive viruses. Today’s malware can best be described as open-platform attack engines – combining best-of-breed virus techniques with the latest vulnerability exploitation technologies – bound together like a Swiss army knife, and attracting third-party malware developers to author additional saleable plug-ins.

Birth of modern malware development kits

Shortly after the first viruses and worms appeared on the PC, the first batch of virus creation kits appeared and started spreading. These free kits typically required the user to have above-average development skills, and required a lot of interaction to get them to work. By the mid-1990s there were almost as many kits as there were families of viruses, with the majority of the kits being offered for free download – including source code.

As we entered the new millennium, the kits moved beyond providing classic classes of viruses to include more advanced features such as root-kit functionality, command and control network interfaces and worm propagation libraries. The most popular kits were still largely distributed free, or adopted a shareware registration process.

At the same time as the security industry was largely overcoming the script-kiddie phenomenon, a new batch of malware creation kits began to appear. These kits were professionally developed, sold for a few hundred dollars, and designed to be used by purchasers who had little to no development experience. These 'idiot proof' kits offered tick-box malware feature selection, encryption customisation (e.g. password protecting the newly generated malware’s backdoor), and included remote control features such as CD ejection, screen flipping, and system rebooting – features more useful to pranksters and would-be system administrators than to criminals.

By 2005 these malware kits underwent another change. The timing would be consistent with those first-generation script-kiddies having gone to university or college and obtained computer science degrees, and now finding useful and profitable outlets for their new talents. This evolution of malware kits finally crossed over and made the transition to the criminal world with specialised features such as encrypted command and control channels, built-in web services for hosting phishing content, man-in-the-browser proxy engines for identity theft, along with drive scanners for capturing saleable data such as email addresses and credit card details.

Current generation kits

The current generation of malware creation kits are highly sophisticated crime-ware, supported by dedicated development teams offering guarantees and service-level agreements. Competition between 'vendors' is now fierce enough that they must protect the intellectual property invested in their kits – and so they implement DRM systems of their own, such as registration licences that the kit checks before it will run. There is no honour amongst thieves.

With so many malware kits copying each other’s latest malicious technologies, differentiation now lies in the quality of their service offerings and purchase plans. For example, the Turkish Trojan generator kit called Turkojan (now in its fourth version) comes in three flavours – Bronze for $99, Silver for $179 and Gold for $249. The differences between them include the length of the replacement warranty (i.e. for how long the vendor will supply a fresh, undetected build if the current one is picked up by anti-virus software), the level of technical support (e.g. 24x7), as well as a few additional monitoring features.

Gunter Ollmann, director of security strategy, IBM Internet Security Systems

In the last half-decade, the motivations behind malware creation have changed considerably. What was once attributed to solitary attention-driven individuals working from their bedroom-office has now evolved into an international collective of professionally trained authors motivated by high profit. These financially driven conglomerates offer all manner of business models – buying, leasing, subscription and even pay-as-you-go malware financial schemes – all of which are competitively priced to attract prospective patrons.

Meanwhile, specialised 'point and click' malware creation kits for converting a Trojan into a self-replicating worm, such as the Spanish TrojanToWorm kit, now also provide multiple language support – English, Spanish, Portuguese and Catalan – in order to reach wider markets.

While anti-virus technologies have matured and supplemented their signature-based engines with more advanced heuristic and behavioural engines, new tools have been created to test and streamline the production of 'undetectable' malware. As serial-variant attack models such as the Storm Worm have already proven, holding a pre-made cache of several hundred new malware variants, each validated as 'unknown' to current signatures, works to the attackers’ advantage. As long as they can release the variants in sequence faster than an anti-virus vendor can ship updated protection, that vendor’s customers are effectively unprotected.

To aid this process, new tools and services have appeared that enable malware authors to run their latest creations and receive instant feedback as to whether any of the popular anti-virus products can detect them. Some tools even attempt to automatically tweak and modify the malware sample so that it bypasses the anti-virus products.
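The serial-variant race just described comes down to what a signature actually matches. The following Python example is added here for illustration and is not code from the article or from any of the kits it names: it constructs a stand-in 'family core' byte string, wraps it in a fresh random stub and padding for each release (a crude imitation of what an automated repacking pass does), and then compares two detection strategies on the result. An exact-hash blacklist catches only the two builds the vendor has already seen; a generic signature built from the byte 4-grams that two builds have in common still catches every later build, while ignoring an unrelated file. The 0.9 containment threshold, the sample bytes and the variant-generation scheme are all assumptions of the example.

```python
import hashlib
import random

# Constructed stand-in for the code a kit shares across every build it emits
# (in a real sample: the backdoor body and its API-name strings). It is
# generated from a fixed seed so the example behaves the same on every run.
_core_rng = random.Random(2008)
FAMILY_CORE = (bytes(_core_rng.randrange(256) for _ in range(200))
               + b"connect\x00recv\x00send\x00CreateRemoteThread\x00"
               + b"InternetOpenUrlA\x00")


def make_variant(core: bytes, seed: int) -> bytes:
    """Imitate what an automated 'AV fixer' pass does between releases:
    a fresh random stub in front and junk padding behind, while the code
    that actually does the work is left untouched. (Assumed scheme.)"""
    rng = random.Random(seed)
    stub = seed.to_bytes(4, "little") + bytes(
        rng.randrange(256) for _ in range(rng.randint(8, 32)))
    padding = bytes(rng.randrange(256) for _ in range(rng.randint(0, 64)))
    return stub + core + padding


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> set:
    """Every distinct n-byte window in the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


class HashSignatureEngine:
    """Exact-hash blacklist: it only ever detects files it has been shown."""

    def __init__(self) -> None:
        self.known = set()

    def learn(self, sample: bytes) -> None:
        self.known.add(sha256(sample))

    def detects(self, sample: bytes) -> bool:
        return sha256(sample) in self.known


class FamilySignatureEngine:
    """Generic signature: keep only the byte 4-grams that two variants have
    in common (the stable core, minus the per-build wrapping) and flag any
    file that contains most of them. The 0.9 containment threshold is an
    assumption of this example, not a published engine's setting."""

    def __init__(self, threshold: float = 0.9) -> None:
        self.threshold = threshold
        self.signature = set()

    def learn(self, variant_a: bytes, variant_b: bytes) -> None:
        self.signature = ngrams(variant_a) & ngrams(variant_b)

    def detects(self, sample: bytes) -> bool:
        if not self.signature:
            return False
        shared = len(self.signature & ngrams(sample))
        return shared / len(self.signature) >= self.threshold


def run_demo() -> dict:
    """Five sequential releases of the same kit build; the anti-virus
    vendor only gets hold of the first two before writing signatures."""
    variants = [make_variant(FAMILY_CORE, seed) for seed in range(5)]
    benign_rng = random.Random(99)
    benign = bytes(benign_rng.randrange(256) for _ in range(300))

    hash_engine = HashSignatureEngine()
    family_engine = FamilySignatureEngine()
    for sample in variants[:2]:
        hash_engine.learn(sample)
    family_engine.learn(variants[0], variants[1])

    return {
        "hash_hits": [hash_engine.detects(v) for v in variants],
        "family_hits": [family_engine.detects(v) for v in variants],
        "benign_hash_hit": hash_engine.detects(benign),
        "benign_family_hit": family_engine.detects(benign),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the file prints the verdicts per engine. The point is not the particular feature (real engines use emulation, import tables and behaviour rather than raw 4-grams) but that anything keyed to the per-build wrapping loses to a pre-made cache of variants, whereas anything keyed to the shared core does not.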

Parallel development track

As the commercial malware development kits were maturing, new exploitation techniques and strategies were being developed in parallel, in order to stealthily deploy the malicious cargo.

The use of vulnerability exploits and web-based attack platforms has ushered in the current era of drive-by download vectors: the victim is infected simply by visiting a page, so attackers no longer have to rely on social engineering to fool potential victims into clicking on or executing the malware package.

Coming in a diverse array of packages, these new web-based attack platforms are now available for lease, outright purchase, or any payment model in-between; and are fast becoming the preferred vector for infection.

For example, the IcePack kit first appeared in July 2007 and came in two editions – 'IcePack Lite' and 'IcePack Platinum Edition' – selling for $30 and $400 respectively. The difference between versions lies in the number and type of exploits. Produced by the Russian IDT Group, it has now been translated into English and French, and requires a registration licence in order for it to work.

For those budding criminal malware authors who don’t want to go to the trouble of purchasing and installing their own attack platforms, a number of new managed service providers have appeared – allowing them to rent existing installations to globally distribute their malware. Some of these delivery providers even offer targeted delivery platforms and can charge on a per-click basis (e.g. operating under similar business models to those of commercial web advertising programs).

Phishing kits

While phishing attacks can be traced back to the mid-1990s when the banks moved online, it wasn’t until 2005 that specialised phishing kits began to appear.

Initially, the majority of phishing attacks were little more than classic man-in-the-middle deception attacks, with cloned online banking pages being hosted on a popular web server platform (e.g. Apache or the Zeus web server) and making use of open mail relays to propagate the phishing spam emails.

Figure 1: Turkojan

Figure 2: Multi AVs Fixer Beta

By late 2005, the collection of tools necessary to conduct a phishing scam had been combined into specialised kits – employing their own libraries of fake banking content, tools for creating one-of-a-kind phishing URLs (to bypass anti-spam technologies), along with site management and reporting tools. Shooting to fame, the Rock Phish kit had it all. It was, and still is, the benchmark for phishing kits.

Multiple clones of the Rock Phish kit have evolved over time and are propagated by what appear to be independent underground business groups. Depending upon the relative sophistication of the phishing kit and whether it is part of a bundled service offering making use of fast-flux botnets for DNS registrations, these kits can retail for between $50 and $800, and extra cloned bank-site content can be acquired for a few additional dollars.

More recently, as online banks have deployed one-time password and out-of-band authentication technologies, these phishing kits have also begun to adopt popular exploit-based injection techniques to install malware on their victims’ hosts.

Managed services

Not content with the sophistication of the individual malware components, new businesses have sprung up supplying managed services that extend the functionality and life of any malware purchase.

To protect the command and control channels of popular botnet malware and to keep malware delivery sites up and running longer, it is possible to lease the services of other specialised botnets that supply 'DNS integrity services' – i.e. single-flux and double-flux fast-flux DNS management. In single-flux, the A records of the malicious hostname are rotated every few minutes across the addresses of infected machines, which proxy traffic back to the real server; in double-flux, the zone’s name servers are rotated through the botnet in the same way, so that there is no fixed address to take down at either level. The Asprox botnet is one such example.
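What single-flux and double-flux look like from the defender’s side can be checked from DNS answers alone. The following Python example is added here and is not code from the article or from the Asprox botnet: it classifies constructed sequences of lookups (made-up names under the reserved .example domain and addresses from 10.0.0.0/8, so nothing here resolves) using the usual indicators of a flux pool: a short TTL, many distinct addresses spread across many networks, and an answer set that changes between consecutive lookups. The thresholds, the /16 bucketing used instead of an ASN lookup, and the sample data are assumptions of the example; a CDN-style name with a short TTL is included to show why address churn alone is not enough.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds are assumptions for this example; tune them against your own
# passive-DNS telemetry before relying on them in a detector.
MAX_FLUX_TTL = 300          # seconds; a flux pool needs short TTLs to rotate
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETWORKS = 3


@dataclass
class Lookup:
    """One observation of a name: the A records and TTL in the answer, and
    the addresses (and TTL) of the zone's NS hosts at the same moment."""
    a_records: List[str]
    a_ttl: int
    ns_records: List[str]
    ns_ttl: int


def network_of(ip: str) -> str:
    """Cheap stand-in for an ASN lookup: bucket IPv4 addresses by /16."""
    return ".".join(ip.split(".")[:2])


def is_fluxing(record_sets: List[List[str]], ttl: int) -> bool:
    """A record pool looks fluxed when it has a short TTL, many distinct
    addresses over many networks, and the answer set changes between
    consecutive lookups. A CDN has the first two but stays in a few
    netblocks; a single observation can never show churn."""
    if ttl > MAX_FLUX_TTL or len(record_sets) < 2:
        return False
    all_ips = {ip for records in record_sets for ip in records}
    networks = {network_of(ip) for ip in all_ips}
    churn = any(set(prev) != set(nxt)
                for prev, nxt in zip(record_sets, record_sets[1:]))
    return (len(all_ips) >= MIN_DISTINCT_IPS
            and len(networks) >= MIN_DISTINCT_NETWORKS
            and churn)


def classify(lookups: List[Lookup]) -> str:
    """'single-flux' if only the A records rotate through the bot pool,
    'double-flux' if the name servers do too, otherwise 'none'."""
    a_flux = is_fluxing([l.a_records for l in lookups],
                        max(l.a_ttl for l in lookups))
    ns_flux = is_fluxing([l.ns_records for l in lookups],
                         max(l.ns_ttl for l in lookups))
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "none"


def sample_observations() -> Dict[str, List[Lookup]]:
    """Constructed observations: the names and 10.0.0.0/8 addresses are
    made up for this example and resolve to nothing."""
    stable_ns = ["10.250.1.1", "10.250.1.2"]
    bot_pool_1 = ["10.11.5.9", "10.27.88.3", "10.140.2.77",
                  "10.63.200.4", "10.9.17.250"]
    bot_pool_2 = ["10.201.3.14", "10.27.88.3", "10.77.6.6",
                  "10.150.40.1", "10.5.99.99"]
    return {
        # CDN-like: short TTL and many addresses, but all in one netblock.
        "cdn.example": [
            Lookup(["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13",
                    "10.0.1.14"], 60, ["10.0.2.1", "10.0.2.2"], 86400),
            Lookup(["10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14",
                    "10.0.1.15"], 60, ["10.0.2.1", "10.0.2.2"], 86400),
        ],
        # Single-flux: A records rotate across infected home machines,
        # name servers sit on a fixed (bulletproof) host.
        "update-check.example": [
            Lookup(bot_pool_1, 180, stable_ns, 86400),
            Lookup(bot_pool_2, 180, stable_ns, 86400),
        ],
        # Double-flux: the zone's name servers are bots as well.
        "secure-login.example": [
            Lookup(bot_pool_1, 180, ["10.31.4.4", "10.77.100.5", "10.182.9.9",
                                     "10.44.1.1", "10.99.2.2"], 120),
            Lookup(bot_pool_2, 180, ["10.31.4.4", "10.120.8.8", "10.66.3.3",
                                     "10.2.2.2", "10.211.5.5"], 120),
        ],
    }


def classify_all() -> Dict[str, str]:
    return {name: classify(obs) for name, obs in sample_observations().items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```

In practice the NS-side check needs the zone’s NS records and their glue resolved at each observation, which is what the `ns_records` field stands in for; feed the classifier from passive-DNS data covering at least two observations, since churn cannot be seen in a single answer.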

Another important managed service revolves around the breaking of CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), used to protect popular user-centric sites from automated brute-force and account-creation tools. These CAPTCHAs, typically consisting of a handful of morphed letters and numbers, require a human to carefully enter the correct string of characters along with other account creation or login information, and are in use by almost all free email and content hosting providers.

Over the last twelve months all of the major CAPTCHA systems have been broken as attackers and researchers have built sophisticated character recognition systems to defeat them. Each of these 'breakers' can be sourced without too much difficulty and integrated into the popular botnet malware platforms. In return, the operators of the sites have improved their CAPTCHA implementations and made them more difficult (for both the attacker and the legitimate user).


To overcome this problem, new managed service operators now provide cheaply sourced human labour to battle through CAPTCHAs. These predominantly Russian-operated sites offer pay scales ranging upwards from $1 per 1,000 CAPTCHAs broken, and provide an extensible API structure for easy integration into malware.

Going one step further, 'value added' service providers now tap these managed service providers, bulk-create new free email accounts at all the popular email providers, and will sell batches of new accounts (e.g. email address, user ID and password) for around $20 per 1,000 accounts, which can then be used by the purchaser to propagate or host the next batch of malware creations.

Malware 1-2-3

Malware creation kits have come a long way since their first freeware versions. Today’s kits bear little resemblance to them and, perhaps more importantly, an entire three-tier criminal industry has developed around them.

Figure 3: CAPTCHA

On the bottom tier are the criminals who just use the kits to create the specific malware they need to conduct their targeted crimes. Their technological skills don’t need to be particularly advanced; they just need the money to purchase the tools and the knowledge of where to procure them.

On the middle tier are the skilled developers and collectives of technical experts creating new components to embed within their commercial malware creation kits. Competition has driven them to increasingly turn their malware kits into attack delivery platforms priced for different criminal markets, and to allow third parties to extend the functionality of their tools.

On the top tier are the new managed service providers. They tap into the malware creation kit market and carefully wrap new services around them to help accelerate the propagation of the criminal malware and make it easier for criminals to reach deeper into the cyber-world. Offering international support and delivery capabilities, they enable organised criminal gangs to conduct fraud at a global level, and they feed their ill-gotten gains back into existing money laundering chains.

The future looks grim for those trying to combat the malware threat. Each new malware creation kit adds additional stealth and obfuscation technologies to its products, while new exploit wrappers and delivery vectors are trialled, and the managed service providers unleash new services designed to increase the robustness and scale of each new criminal endeavour.

Off at a Tangent – a discussion with Jeff Moss

Jeff Moss (aka Dark Tangent) is the founder of the Black Hat conference, and its sister event Defcon. Moss, who sold Black Hat to CMP in 2005 but who still owns Defcon, came from the early days of hacking, having organised the first Defcon in 1993. Computer Fraud and Security caught up with him at Black Hat’s US event in Las Vegas last month to discuss the continuing controversy over company relationships with Black Hat, changing attitudes to collaboration between vendors, and how things have changed since the early days.

CFS: Most years, it seems like you’ve had to pull a talk from Black Hat. It was Cisco in 2005, RFID last year, and Apple this year [1,2,3].

JM: Since the Michael Lynn Cisco thing, the vendors now go directly to the speakers. They try to avoid us because they know we’ll try to whip up a big storm of media attention and let everybody know that they’re trying to influence what gets said. Each situation is different but the tension is that everybody wants to be shown in a positive light, and having someone drop a big bug in your lap is not going to be very pretty.

With the Apple situation, there were just some engineers that wanted to come and show that Apple knew what they were doing and they were aware of the problems. They’ve got an engineering team. They’ve got a product life cycle. They’re just being proactive and they knew that the marketing team would never let them answer any questions. So they weren’t going to take questions. Problem solved. That seemed like a pretty good compromise. There was no chance for them to screw up by getting an awkward question but in the end marketing didn’t like that and pulled their talk.

CFS: Apple can be a difficult company to deal with in marketing terms.

JM: I think of it as where Microsoft was six or seven years ago. Just attack the messenger. Nothing’s wrong, there’s nothing to see here, move along. That will work for a while, but it doesn’t work in this community and this is a great opportunity where they could have engaged and really turned it into a positive thing. Somehow it got mismanaged, and it turned into a negative thing. I hope that it gets its act together again. We’d love to have Apple back. If it wants to figure this out and try again next year, that would be great. I’d love for it to use my stage and tell the world about it.*

"The joke was that there wasn’t a vulnerability in Quicktime; the vulnerability was Quicktime. That’s what happens when you take software from the nineties and ship it in the internet world."

CFS: It must be weird when a company goes through such a success cycle over five or 10 years, to try and manage the security problems that are inevitably going to crop up while grappling with cultural changes.

JM: Apple is a consumer company and so it thinks consumer as far as I’m concerned. It doesn’t think enterprise and it doesn’t think government. It thinks consumer: TVs, phones, and music players. Consumers don’t really care about security. They don’t know how to value it. They don’t know how to make informed risk decisions. They don’t know any of that. But the people who do run corporate IT need certain functions that Apple doesn’t provide. They need quick response times. They need to know what’s going on in their products.