Director of Technology Strategy at Sophos James Lyne expresses his vision of the way malware production has evolved over time, shifting from mostly prankish activities to the complex sophisticated cybercrime infrastructure that we’re seeing today.
Hello there, my name is James Lyne from Sophos, and today I am gonna be talking about how malware authors are winning the war. My job at Sophos is to focus on long-term technology trends: the next five years of things that are happening in IT, like mobilization, virtualization, de-perimeterization1, PSaaS2(-‘ization’) – you can basically apply it to anything. But I am also a bit of a geek. I love playing with malware and looking at the bad guys’ creations in the labs, and figuring out exactly what they are up to.
I’ve been at Sophos for more than seven years, and over that time I’ve seen a huge change in the nature of malicious code that we are having to deal with for our customers. We are now in what I like to call the third wave of malware.The first wave, about twenty years ago, was predominantly about pranks, about spotty teenagers sitting in basements, producing malicious code that was designed to get attention. There used to be the big green worm that would go across the screen eating all of your documents before defecating in the bottom left-hand corner.
That was the time when one of our PR people Graham Cluley, well known gentleman, annoyed virus writers so much that they put his face in the middle of the screen, you had to throw coconuts at him to be able to use your computer again. The first wave of malicious code was basically lots of fun.About eight or nine years ago, we moved into the second wave of malicious code. Things started to get serious. The spammers and the malware authors started to become financially motivated. We saw the rise of the ‘Brazilian banker’3: “Hi, I’d love to give you a billion dollars, just because I like your face”; or the Nigerian that happens to have inherited or otherwise acquired some money and would conveniently love to share it with you; or perhaps the Chinese shop that would love to sell you a Rolex for five dollars. Financial motivation became very much the key to malicious code, and we saw a significant change in the product that these guys were producing and how they were infecting people at large. And that’s largely what we have been living with up until 2010 or so.
The third wave of malicious code is far more serious. The third wave of malicious code is about organized criminals producing malware. And I believe that this change has not yet been appropriately recognized by the industry. People aren’t taking action to protect themselves against this escalated threat.
So, what’s changed in the third wave of malicious code? Firstly, a massive increase in the volume, the quantity of malicious code. At Sophos Labs, we now see 95,000 unique individual pieces of malicious code every single day. It’s an astronomical quantity of malware. Only a few years ago, we were dealing with on average 5000 pieces of malware.
And indeed, if you look back over the history of all time you can see that the dinosaurs didn’t particularly have a problem with malicious code. So, what is it that we are doing wrong? It is a serious issue.
What’s happened is the bad guys have brought professionalism to their trade. They’ve developed a black market economy. They are adopting the latest and greatest technology. And they are garnering more resource than most vendors and most public sector organizations, and governments can put towards this issue. That’s principally because they are not bound by law, they are able to steal these resources. It is easy for them to go out to the Internet, click their fingers and get 80,000 computers.They are using tools like polymorphism which enable them to create new pieces of malicious code at high speed. Security Tool – a fake antivirus product – was infamous last year for creating new versions of itself every minute and distributing them all over the web.
So the bad guys with their illicit economy have changed the game. As any economist will tell you, when you get a market, when you get people providing services, franchising, products – you get research, innovation, development and competition. And that is what is behind the significant escalation in the quantity and the quality of malicious code out there today.
It’s actually quite astonishing when you go and look at what these guys are now producing. Just to poke fun at SaaS, the ‘SaaSificationization’ of crime, crimeware as a service – all these ridiculous buzzwords, but underneath it there is a real trend.
There are lots of AV check sites on the Internet, all set up by the bad guys to provide services for people producing suspicious files. The idea is simple: you write a virus, a piece of malicious code that you are going to launch against a specific organization, and then you upload it to this cloud-based service. And the bad guys run your virus against twenty to thirty antivirus products, and they produce a nice little PDF report with pretty graphics and charts showing how your malicious code was detected. And they even give you tips on how better to avoid being detected in the future. It’s a cloud-based quality assurance service for malware authors. What the hell is wrong with the world? It’s insane.
These guys now are diversifying out into providing exploit toolkits4. Some of them even provide for relatively high price profiling of specific organizations that you want to target, so that your success rate when you go trying to knock on that door is very high. These services are an absolutely terrifying trend, and at one point they are starting to defeat the technologies that we’ve all relied upon for the past twenty years to keep ourselves safe.Now, I’ve talked about this provision of services, this trade, but it is also interesting to see how the bad guys are starting to modernize and diversify their business models. And one of my favorite examples of that is the Canadian Pharmacy. The Canadian Pharmacy has been around since 2003 – a long-standing threat. And the premise is simple: you go online and you are searching to buy Viagra or Cialis or some performance enhancing drug.
This is astonishing. You go online, you type in trying to buy your Viagra and you get redirected to a Canadian Pharmacy site through black search engine optimization, or perhaps, you know, if you are clicking on the link in a spam message. And for some reason, everyone trusts the Canadian, it’s a good place to buy drugs. You are typing your credit card details, click ‘Buy’, and the bad guys run off with those details, go and spend lots of money from your credit card. Your bank locks the card down, replaces it, and hopefully you’ve learned your lesson. That’s been the model for a very long time.
What we’ve seen over the last year that’s interesting is these sites have actually started sending out the product. So you can go online, type in your credit card details and they actually do send you, say, performance enhancing drug. And it works. And don’t ask, it was one of the most interesting tests we had to perform at Sophos Lab compared to conventional file analyses, but anyway… What they are sending you is a cheap Chinese knockoff, not the officially branded product. And they are sending it to you, you believe it is working, you believe that it is the premium product, and they are stealing money from you on an ongoing basis, a subscription theft model rather than a one-hit wonder, because they’ve realized that overall that’s far, far more profitable. So that’s a structured decision to use a different business model for profit. Quite a terrifying trend.
1 – De-perimeterisation is a concept/strategy used to describe protecting an organization’s systems and data on multiple levels by using a mixture of encryption, inherently-secure computer protocols, inherently-secure computer systems and data-level authentication rather than the reliance of an organization on its (network) boundary/perimeter to the Internet.
2 – PSaaS (Physical Security as a Service) is a security model based on the use of SaaS (Software as a Service) cloud-oriented software delivery principle for providing high degree of enterprise protection.
3 – Brazilian Banker is a financial Trojan that targets consumers of Brazilian-based banks and other banks in Latin America, stealing their banking credentials.
4 – Exploit toolkit is a peace of software which contains malicious code so as to exploit the vulnerability in an application.