The challenge of custom malware from advanced attackers
The challenge of custom malware and targeted attacks is a bi-product of today's rapidly evolving attacker.
The problem with ‘custom malware' was mentioned to SC Magazine a year ago by Stephen Howes, CEO of GrIDsure, who said that he thought ‘one of the problems that the industry faces is that malware authors can come up with incremental ways of breaking the system'.
In September last year, he said: “This is more than malware, you can buy gizmos that capture keystrokes so a cleaner can plug one into a computer and at the end of the week they will collect it with the details recorded.”
Speaking at the recent Symantec Vision Conference, Francis deSouza, SVP of Symantec's security group, said that attackers have eclipsed hackers as the largest threat to organisations as they become more professional. Looking at modern malware such Stuxnet, he said it was clear that this evolved threat is now commonplace. He said: "Stuxnet is several man years of work involved in putting it together and involved a collection of skills."
Asked if custom malware is going through an accreditation process for development, deSouza said: “It is very clear that people in the malware industry, both on the good side and the criminal side, learned from Conficker. People took lessons in how it worked and it followed with the industry as a whole learning from it.
“What we are also seeing is that as you break down the breaches there are four stages: incursion (how to get in); discovery (once in how map out a network and figure out where information assets are and how well protected they are); capture (trade off on how value information is and how well it is protected); and excavation (how to get data out). We find that different skills are employed in each of these stages; in fact it is different people within the gang or across different gangs that are involved in each of the stages.
"The first two stages have to be very 'stealthy', as are the techniques used, as they don't want to be discovered on the way in and in most cases the infiltration can last up to a year, but the third and fourth stages are over in minutes and tend to be messy and loud because criminals don't care about being noticed at that stage – they know most organisations can't react fast enough at that stage even if they are discovered.”
Rik Ferguson, senior security advisor at Trend Micro, said that custom malware was something he had been talking about for years but targeted attacks remain a threat worth considering.
“It is criminal, it is advanced, it is written by professional coders who get money for it and the more targeted it is the more difficult it is to detect,” he said.
"The biggest problem for the security industry is that we have to play with an open hand because we make products that are available for purchase and we have to tell people about them and criminals can also purchase them, do their thing and test it until it is not detected. That is the big difference."
Matt van der Wel, manager of investigative response at Verizon Business, said: “Criminals are stealing but not selling data. They are waiting for the price to rise and if they sell it and someone uses it then it alerts the fraud authorities. The problem with cyber crime is that it is not a mafia model and not terrorists, they are like small to medium businesses, as you can hire them for a service and the cyber criminal can have the right management team to do the job. It is difficult to catch a group and say that they are to blame for developing software.”
The evolution of threats is well covered both online and in print and is something to consider, but just how advanced the techniques are is a cause for concern for all. On the bright side, there are some very clever people working for the greater good.