Industrialization has been a common theme in discussions of cyber crime and the malicious software used by criminals for several years now, but what does industrialization mean in this context, and what are the implications? In this article I will examine these and related questions, starting with how you industrialize malicious software and why.
The “how” is the application of well-established industrial or commercial methods. I will consider five of them here: division of labor, specialization, markets, standardization and modularity. The “why” is to maximize profit, which I will illustrate with an ongoing threat, the ransomware attack that tries to frighten people into paying money to the Department of Justice.
In the early days of criminal malware – defined as code, like viruses and worms employed to steal from people and organizations – the malware author and the criminal were often one and the same. For a person to steal money or data using malware required multiple skills, from coding to network manipulation, marketing to money laundering. You had to come up with an effective way to trick people, write and distribute the code required, and then reap the financial rewards without getting caught.
Over time, a market-based economy has arisen to supply all of those skills, for a price. This means a criminally minded person can shop around to put together all the pieces of a cyber crime operation without personally possessing all of those different skills. This is a classic case of division of labor, which in turn fosters specialization.
Someone skilled at malware coding can get paid for that skill, and thus improve it, free from the distraction of developing a payment system, and also free from many of the risks inherent in crimeware deployment. The malware coder can sell his skills and output at the going rate in a thriving underground market, but the industrial malware model does not end there.
Driven in part by the law enforcement and internet service provider crackdown on spammers in the last decade, malware authors perfected the technology with which to secretly control large numbers of infected/compromised computers working together as a botnet. Economies of scale drove the very logical evolution from the single-purpose botnet, perhaps deployed for either spamming or denial-of-service attacks, to the multipurpose botnet, the modular design of which allowed different tasks to be pushed to the same collection of compromised machines without having to repeat the infection process.
Here is how ESET malware researcher Jean-Ian Boutin describes Win32/Gataka, an information-stealing trojan that can read all of your web traffic and alter the balance displayed on your online banking page to hide fraudulent transfers: “It exhibits a modular architecture similar to that of SpyEye, where plugins are required to achieve most of the malware functionality.”
In other words, the infection process can be perfected separately from the exploitation process. and efficiently leveraged through markets. A person might choose to make money from selling or renting infected machines which are then exploited by someone skilled at cashing in on any one of the many possibilities that a botnet presents: distributed denial-of-service (DDoS), data harvesting, spamming, spying, fraudulent bank transactions, and so on.
Consider how ESET senior malware researcher Aleksandr Matrosov describes Win32/Festi, one of the three most active spam botnets worldwide in May of 2012: “Thanks to plugin modules, Win32/Festi is capable of being used for DDoS attacks. The malware's kernel-mode driver implements backdoor functionality and is capable of updating configuration data from the command-and-control server (C&C) and downloading additional dedicated plugins.”
One further evolution now emerging is the standardization of code so that it can be deployed on different botnets. Consider the art of HTML injection or WebInject, which can be used to insert rogue form fields in an otherwise legitimate web page, thereby harvesting additional data from the target. In his most recent post about Win32/Gataka, ESET's Boutin notes, “In one campaign we have followed, Win32/Gataka botnet operators make use of advanced WebInject configuration that can be used by different types of malware...people specializing in writing WebInject configuration files are able to sell their work to a larger customer-base and are not tied to a particular type of malware. By allowing the script itself to communicate with the control panel, it is easier to implement compatibility with a wide range of information stealing malware.”
We are now seeing the cumulative effects of these industrial factors of standardization: specialization, modularity, division of labor and markets. Better malware can now be deployed faster, and evolved faster to evade detection and improve profitability. Consider the current plague of ransomware that presents victims with a fake FBI demand for money. The design of the ransom page is of a higher quality than the average scam. The way the malware takes over the victim's PC is very effective. The malware delivery mechanism is hard to avoid. The malware itself is difficult to remove. The overall scheme has been tested and improved over time through deployment in multiple countries. The result is: Until the perpetrators are apprehended we are likely to see more of the same profitable and relatively low-risk criminal activity, as sophisticated miscreants exploit the benefits of industrialized malware.