Industrialization has been a common theme in discussions of cyber crime and the malicious software used by criminals for several years now, but what does industrialization mean in this context, and what are the implications? In this article I will examine these and related questions, starting with how you industrialize malicious software and why.
The “how” is the application of well-established industrial or commercial methods. I will consider five of them here: division of labor, specialization, markets, standardization and modularity. The “why” is to maximize profit, which I will illustrate with an ongoing threat, the ransomware attack that tries to frighten people into paying money to the Department of Justice.
In the early days of criminal malware – defined as code, like viruses and worms employed to steal from people and organizations – the malware author and the criminal were often one and the same. For a person to steal money or data using malware required multiple skills, from coding to network manipulation, marketing to money laundering. You had to come up with an effective way to trick people, write and distribute the code required, and then reap the financial rewards without getting caught.
Over time, a market-based economy has arisen to supply all of those skills, for a price. This means a criminally minded person can shop around to put together all the pieces of a cyber crime operation without personally possessing all of those different skills. This is a classic case of division of labor, which in turn fosters specialization.
Someone skilled at malware coding can get paid for that skill, and thus improve it, free from the distraction of developing a payment system, and also free from many of the risks inherent in crimeware deployment. The malware coder can sell his skills and output at the going rate in a thriving underground market, but the industrial malware model does not end there.
Driven in part by the law enforcement and internet service provider crackdown on spammers in the last decade, malware authors perfected the technology with which to secretly control large numbers of infected/compromised computers working together as a botnet. Economies of scale drove the very logical evolution from the single-purpose botnet, perhaps deployed for either spamming or denial-of-service attacks, to the multipurpose botnet, the modular design of which allowed different tasks to be pushed to the same collection of compromised machines without having to repeat the infection process.
Here is how ESET malware researcher Jean-Ian Boutin describes Win32/Gataka, an information-stealing trojan that can read all of your web traffic and alter the balance displayed on your online banking page to hide fraudulent transfers: “It exhibits a modular architecture similar to that of SpyEye, where plugins are required to achieve most of the malware functionality.”
In other words, the infection process can be perfected separately from the exploitation process. and efficiently leveraged through markets. A person might choose to make money from selling or renting infected machines which are then exploited by someone skilled at cashing in on any one of the many possibilities that a botnet presents: distributed denial-of-service (DDoS), data harvesting, spamming, spying, fraudulent bank transactions, and so on.