Malware authors’ hard-fought “professionalism” impressive, frightening: researcher

Malware authors have become so good at seeding exploits en masse that their monitoring, customer service, marketing and Australian localisation strategies have come to resemble professional business operations, a senior Trend Micro security researcher has observed.

Noting the significant jump in malware variability that became possible thanks to exploit kits during 2011 and 2012, senior threat researcher Jon Oliver said malware authors had put in enough trial and error over the past decade to qualify as experts under the 10,000-Hour Rule – a theory posited by author Malcolm Gladwell that says mastering any field takes around 10,000 hours of practice.

Modern malware hackers are already showing the signs of having achieved this level, Oliver said in a presentation at this week’s Evolve 2013 security conference in Melbourne.

“By digging into some of the detail of our regular reports, we can really see the professionalism that cyber criminals are using,” he explained. “They’ve had about ten years to clock up the 10,000 hours, and there was a big leap in professionalism when they brought in the exploit kits.”

Blackhole-delivered spam exploits accounted for 27% of all exploits during 2012, figures from the Sophos Security Threat Report 2013 suggest, with Australia ranked as the sixth safest country in the world in terms of threat risk.

Yet the ingenuity of the exploit kit isn’t the technology – which interacts with client browsers to find out what version of what operating system and browser they’re using, then feeds them an appropriate exploit to ensure compromise of the system – but the way it has been bundled into a full suite of hacking tools that is being sold for great profit to online miscreants.

“It’s not especially new technology,” Oliver said, “but it’s the professionalism by which they went about it – to the point of offering customer service to customers, and writing release notes where they discuss how they’re avoiding security vendors’ tools.”

Blackhole even has a professional-looking dashboard that tracks infection success rate by operating system, browser, country, and so on. Java, in particular, enjoys considerable prominence as a preferred penetration method, thanks to its recent history of high-profile exploits.

A screenshot of the dashboard, displayed by Oliver during his presentation, showed an overall success rate of 14.61%, with 83.36% of the successful attacks being launched against Java systems. Chrome was the least frequently penetrated, with a success rate of 0.46%, while Opera (at 15.91%) was the most frequently compromised, followed closely by Microsoft Internet Explorer (15.51%) and Mozilla Firefox (13.97%).

“They are attacking everything,” Oliver explained. “They track everything, and optimise every aspect of it just like marketing people are optimising every aspect of a campaign, working with Google to get their keywords up to the top.”

“Cyber criminals are doing the same: up on the top of the page, they’ve got ads for other cybercriminal services. They even schedule holidays: last Christmas we noted very particular holiday periods in their spam runs, and they don’t go back until the first Monday of the new year.”

While such attacks enjoy particularly high profile for security researchers, however, Oliver was quick to point out that the biggest problem is not the professionalism by which spam and botnets are being managed – but the fact that similar techniques are being used to manage targeted, advanced persistent attacks.

“The lesson we’re learning here translates across to the targeted attacks space,” he said. “Those attackers are doing exactly the same things – but it’s not visible, and it’s not available for rent. So, we’ve got to take lessons from this and apply them to the targeted threat arena. The whole thing is a very professional situation, and it’s a truly frightening scale of legitimacy that they put around their attacks.”

Tags malwareTrendmicroevolve security conference 2013Sophos Security Threat report 2013Blackhole apm exploits

Show Comments