For a few hundred dollars in start-up money and a few hundred more a month, anyone can buy the tools and services they need to build and run a malicious botnet. That's just one of the reasons the cyberlandscape is so hard to police.
For a few hundred dollars in start-up money and another couple hundred each month in fees, anyone can get the software tools and even 24/7 call center support services they need to build and run their own malicious botnet that allows them to surreptitiously control a network of computers. The computer owners have no idea their machines have been turned into zombies in the service of others.
In 2009, these types of exploit kits cost as much as $2,000, but now they can be had for a few hundred in start-up and monthly fees, explained Max Goncharov, senior threat researcher at Trend Micro, a cybersecurity firm. He spoke at a press briefing on cyberthreats that the company held March 27.
That’s just one of the problems companies and governments are up against as they traverse today’s cyberterrain. Modern attacks are all about making money, and cybercriminals are pretty good at marketing products to each other that further that objective and put companies at even greater risk. And catching the bad guys isn’t easy because many of the countries they operate from are not motivated to stop them.
Some governments even consider them useful. China and Russia, for example, reportedly let these rogue groups operate freely so that they can use them and their botnets to launch attacks on enemies. Those attacks then cannot clearly be traced back to the state. That practice has muddied the waters about what counts as a state-sponsored attack. “In lots of things we are seeing now, we are not sure whether it is state sponsored or just a cybergang,” said Raimund Genes, Trend Micro’s chief technology officer.
Genes started by giving a brief history of the evolution of cyberattacks. He noted that while people still refer to companies like his as anti-virus (and that they refer to themselves that way, as well), the last true virus was in 1999. After that came worms and other malware. Around 2003, Eastern European gangs were the first to figure out how to make money from cybercrime. As attackers were becoming more driven by monetary objectives, they were also learning to be more stealthy. Around 2005, botnets evolved that could hide their origins. Around 2007, researchers started to see targeted phishing attacks. Now the focus is on persistence—attacks that can come into a corporate computer and avoid being detected for long periods of time, during which the malware steals valuable data. The average time an attack goes undetected is 210 days.
The number of new types of malware that appear daily is staggering. The industry works together, said Genes, sharing threat samples with each other. Of about 300,000 daily samples that are shared and reviewed, about 150,000 are judged new. On average, Trend Micro says that it creates 60,000 signatures daily to fight those. But that doesn't count the targeted attacks that fly under the radar. Good cybercriminals know how to write code in malware that tells it only to activate when it gets inside the company that is targeted, and they know how to have it mimic the corporate environment. “And with this you ensure that it’s not visible for quite a while,” said Genes.
The criminals have many ways of tricking users into helping them get inside. There’s always an e-mail attachment, but that leaves a forensic trail because investigators can retrieve the old e-mail when the problem is detected and study the attachment. A more popular method today is to include a URL in an e-mail and get the “mark” to go to a Web site where he or she will be tricked into letting malware into the corporate network, explained Genes. The phishing e-mail might say something like, “I think we went to high school together. Is this you in this picture?” It will have a URL link. When the recipient clicks on the URL, it goes to the malicious Web site. The attacker gets the advantage of knowing that the mark clicked on the URL, “so you know you infected the target,” said Genes. And if detected, the bad guys just discontinue or “nuke” the Web site, leaving no evidence behind. They usually research the target ahead of time via social media to make the “come on” more effective.
The use of mobile devices has created yet another vector of attack. Trend Micro said that there were 350,000 malware attacks against Android phones in 2012 and it expects more than 1 million in 2013. The targets for now are typically in Japan and China—and that’s still low compared to the 300,000 daily attacks against Windows machines. The rise of mobile devices and the potential for infection via those devices should be on every company’s radar as a consideration.
More broadly, the really important change for corporations has been that the old model of protection—having a strong perimeter and securing the corporate intranet—just doesn’t work anymore.
“The fact is, if somebody wants to get in, he’s getting in,” said Genes. So instead of thinking that you can build a stronger wall, “you have to accept that somebody is within your perimeter,” and “you have to detect the event and protect the data,” he said. Companies that have suffered incidents are starting to understand this new paradigm. It means using encryption and using active processes to monitor for signs of an intrusion or signs of data extraction.
One of the ways that Trend Micro tackles the issue is to constantly study the cyber lures that criminals put out in the wild, whether via spam or targeted phishing e-mails or infected Web sites. Trend Micro harvests the information by mimicking user behavior. In other words, if it’s a link designed to trick the user to click on it, the researchers intentionally click on it, get the files, and analyze them to determine what they are attempting to do.
It might be an e-mail that purports to be an account statement from your bank but in fact links to DNSChanger, a type of malware that silently sends your computer to an alternate Web site: you think you are going to the bank when you are actually going to a site set up by the hackers to steal your information or to trick you into downloading malware into the company’s network.
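As an added defender-side example, not from the briefing or from Trend Micro: the check below parses a resolver configuration (a constructed resolv.conf sample) and flags any nameserver that is neither on an assumed corporate allowlist nor in a private or loopback range, which is the kind of configuration change DNS-changing malware leaves behind. The allowlist addresses and the 203.0.113.7 stand-in are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample of a Unix resolver configuration: two (assumed) corporate
# resolvers, then a documentation-range address standing in for an
# attacker-controlled public resolver written in by DNS-changing malware.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
nameserver 203.0.113.7
"""

# Approved corporate resolvers (assumed values for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Ranges a host may legitimately use without being on the allowlist
# (home router, loopback stub resolver, link-local or ULA IPv6).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers

def classify_resolver(addr, approved):
    """Label one resolver as approved, local (private/loopback) or unexpected."""
    if addr in approved:
        return "approved"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unexpected"   # not a valid address at all: treat as suspicious
    if any(ip in net for net in LOCAL_NETWORKS):
        return "local"        # e.g. a home router; not by itself proof of tampering
    return "unexpected"       # public resolver outside the allowlist: investigate

def find_rogue_resolvers(text, approved=APPROVED_RESOLVERS):
    """Return the configured resolvers that should raise an alert."""
    return [s for s in parse_resolv_conf(text)
            if classify_resolver(s, approved) == "unexpected"]
```

A "local" result is only a prompt to compare against the expected DHCP-assigned resolver, since a tampered home router can redirect just as well as a tampered host.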
Where appropriate, Trend Micro shares the findings with law enforcement so that those agencies can go after the criminal gangs, rather than just having customers fend them off one attack at a time. It was that type of intelligence that helped the U.S. FBI bring down a criminal enterprise in Estonia in 2011 that had infected 4 million machines in 100 countries and stolen $14 million from victims.
As for what the future holds, development cycles keep getting faster, so there are more and more vulnerabilities. And security remains an afterthought. Add to that the fact that everything from your hotel key to your car and your home TV is becoming “smart,” which means computerized and connected. And that means that everything can—and will—be hacked. It’s already been done to keys in hotels and now it’s being done to smart cars, many of which use software with lots of known but unpatched vulnerabilities. Popular Photography magazine has an article on how cameras with Wi-Fi are also being hacked. Trend Micro predicts that a hack of smart TVs is probably not far behind.
On the solution side, private companies like Trend Micro are reluctant to counterattack botnets and send them a kill order. It’s technically possible but legally risky, they said. Governments have also been slow to take actions that could slow down cybercriminals. Japan and Australia are starting to hold ISPs responsible, but privacy advocates object in many countries. Without legislation, however, the ISPs don’t have much incentive to refuse to host the bad Web sites, says Trend Micro.
On the private-sector side, what companies and individuals can do is try to keep their own computers clean, both for their own sake and to protect the Internet at large from legions of zombie machines.