Malware gangs have test labs that adapt their polymorphic Trojans to deadly effect. 'Crime as a Service' is heading your way...

By Rob Buckley.

To many ISPs looking after enterprise security, anti-virus or anti-malware software is a simple box that needs to be checked before moving on to more pressing concerns. Stick AV software on the gateway and on client machines, make sure it has a robust auto-update schedule and that's most of the work done. Provided everything's kept up to date, malware is more of a consumer issue than an enterprise issue, surely?

Contrary to popular belief, most Trojans are now produced by criminal gangs whose technical expertise far surpasses that of lone ‘script kiddies’ working in their bedrooms. Modern Trojans, such as Zeus 2.0, Torpig and Clampi, are ‘polymorphic’ – they can be changed to look like different programs. The gangs behind the Trojans, who will sell them complete with customisation kits for $500-$3,000, have their own testing labs that can determine how well a variant does. If it gets detected, a click of a button on the customisation program can alter Zeus until it can slip past the AV software: a two-byte change to Zeus was all that was needed in January to bypass all current AV software's signatures, says Rodney Joffe, senior technologist at Neustar and director of the Conficker Working Group.

Once installed, Trojans can steal data through keyloggers or by simply uploading files; they can redirect information sent through web forms so that security questions such as date of birth and mother's maiden name can be found out easily; add extra fields to online banking sites' logon forms to find out additional information, such as ATM card PINs; and hijack banking sessions, even those that use two-factor authentication, and set up bank transfers that won't appear on the infected machine's online banking displays. They can disable AV programs' auto-updates; they also have their own auto-update mechanisms, so they too can stay up to date and avoid detection.

Depending on whom you talk to, the efficacy of AV software in fighting this new breed of Trojans varies. The likes of Graham Cluley, senior technology consultant for Sophos, argue that a combination of signatures, the company's research labs and heuristics designed to spot typical malware behaviour rather than their file signatures, means that known Trojans get spotted quickly – and unknown Trojans, too. “It's something of a conveyor belt. There's so much new malware – we see 50,000 new examples every day, but 90 per cent of malware we're detecting proactively.”

Cluley says that with a new variant of an existing Trojan, there are “enough boxes checked” that it will usually be spotted, and a specific defence against it within half an hour of the malware's arrival in the research labs.

Joffe says even AV programs with heuristic capabilities have limitations. “They can be gamed, they still miss things.” He likens AV vendors' struggles with Trojan developers to a game of ‘whack a mole’.

SentryBay COO Marcus Whittington agrees that even up-to-date AV software can miss all the variants of Zeus. “This type of polymorphic Trojan continually evades signatures, but also changes its method of behaviour to outsmart heuristic-based solutions. AV and internet security suites are continuously chasing their tail – they cannot keep up.” He says SentryBay research shows that up-to-date AV software can only detect 69 per cent of confirmed versions of Zeus, but believes that if you take the latest variants into account, “it is less than 50 per cent”.

Figures about malware infections seem to back this up. Despite the widespread use of AV software, the past year has seen a huge increase in the number of PCs infected with Trojans. Uri Rivner, head of new technologies at RSA, estimates that the total number infected is equal to all previous years' infections combined. The rise has come from ‘drive-by downloads’: criminal gangs have sought out popular websites with security vulnerabilities on the hosting servers, including innocuous ones, and installed ‘bugs’ into web pages. These are typically one-pixel-wide <iframe> tags which link to HTML on another server. Scammers have also inserted malicious code into adverts on conventional web pages, which is how the New York Times' home page was infected in September 2009.

Machines with unpatched web browser vulnerabilities can be infected directly by these scams, without the user being notified; those machines that are up-to-date will typically be prompted to install a piece of software that claims to allow a video to be played or even that will protect against a virus that the site claims to have detected. If the user does as asked, a Trojan will be installed.
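As an added illustration (not code from the article or from any vendor quoted in it), this is the kind of check a web-content filter could run for the hidden-iframe trick described above: flag iframes that are invisible (zero or one pixel, or hidden by style) and pull content from a host other than the page's own. The sample page and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate, visible iframe, one off-site
# one-pixel iframe of the drive-by kind, and one hidden but same-site iframe.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://malicious.invalid/x.html" width="1" height="1"></iframe>
<iframe src="/local/ad.html" style="width:0px;height:0px;visibility:hidden"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel."""
    return value.strip().lower().rstrip("px") in ("0", "1")

def _hidden_style(style):
    """True if an inline style collapses or hides the frame."""
    s = style.replace(" ", "").lower()
    return any(m in s for m in ("width:0", "width:1px", "height:0",
                                "height:1px", "visibility:hidden", "display:none"))

def suspicious_iframes(html, page_host):
    """Return src URLs of iframes that are both invisible and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for f in parser.iframes:
        invisible = (_tiny(f.get("width", "")) and _tiny(f.get("height", ""))) \
            or _hidden_style(f.get("style", ""))
        src_host = urlparse(f.get("src", "")).hostname
        offsite = src_host is not None and src_host != page_host
        if invisible and offsite:
            flagged.append(f["src"])
    return flagged

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_HTML, "www.example.com"))
```

A same-site hidden iframe is deliberately not flagged here, since sites use those legitimately; a production filter would combine this with URL reputation lists as the article suggests.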

If Trojans have such advanced capabilities, how can enterprises defend themselves? Locking down desktops is one option, since it can prevent some malicious software from being installed. Dave Hartley, security consultant with Activity IM, says that all businesses should implement a formal security patch management process to ensure that all identified software updates are in place. He adds that to help counter the threat posed by a drive-by attack, web-proxy content filtering technology can be used to block URLs that host malicious code or filter it out altogether. Sophos's Cluley advises running such filtering software on both the desktop and at the gateway, with mobile workers' laptops potentially configured to use the same web filtering servers when they're off the network as when they're behind the firewall.

A network access control solution that dictates how much access a device has to the network, depending on whether it has AV running with up-to-date definitions, as well as policies on USB-stick usage, can also help. “If the AV software has been disabled somehow, the computer won't be compliant with policy, the NAC system will realise this and force a download before anything else can be done. Then, if it's still not compliant, it can't get onto the network.”

However, says Joffe, “there's no virus protection for stupid”. People will bypass systems and bring USB drives to work from home with pictures – and Trojans. He advocates a layered approach that isn't reliant on just one vendor. “You need to make use of one or two heuristic systems as well.” Even such an approach still means only 99 per cent of malware will be detected and stopped, he adds.

Henry Harrison, technical director of Detica, says “a particularly valuable tool is analysis of machines' network traffic to detect behaviour that is unusual – or consistent with likely malware infection”.

According to Simon Heron, internet analyst for Network Box, often vulnerabilities come from badly configured networks, such as data accidentally being misrouted round a firewall. “It's not enough to stick AV onto desktops. IT teams have to plan how applications are used and close holes in the networks so new apps – IM is a good example – don't find a way round security systems because they're not set up properly.”

He says prevention is the best strategy, but if an organisation does come under attack, there must be a plan in place to decontaminate infected computers or prevent them from giving away too much information. However, “once a machine has been compromised, it can be very difficult to ensure that it is clean again. The best belt-and-braces policy is to quarantine the machine in question, carry out forensics to try and find when it was infected or compromised, so that the attack vector is known, then format and reinstall the system.” Even then, says RSA's Rivner, some Trojans can install themselves in a disk's boot sector and survive a standard reformat.

Enterprises need to accept that they are likely to get infected at some point, even if they have AV software with up-to-the-minute updates. With the latest Trojans, it is not enough to assume prevention will work – a plan to spot their presence on a network and decontaminate it is now a necessity.

The ‘dark cloud’ approaches

Over the past few years, ‘Crime as a Service’ has begun to develop, with criminal gangs offering their talents to other gangs for a fee. Those who specialise in developing Trojans might sell their services to a group with no technical expertise but which can launder money stolen by Trojans.

So far, this cloud computing of crime has been focused on consumers. However, there are signs that business is now being targeted directly.

“We are seeing five to six enterprises a day recording losses of $200,000 from just one gang in the US,” says Rodney Joffe, senior technologist at Neustar and director of the Conficker Working Group. “A similar thing is happening in Europe.”

Joffe says these gangs typically use social engineering to target enterprises directly. “They look for mid-range companies that have a significant amount of money on account but not so large they have their own IT security department. They use Google to work out the format of email addresses and the 20-30 executives they want to target – and send them emails. These might pretend there's a dispute and the firm will end up with a negative record as a result. Then they include a link so the company can comment. The exec panics and clicks on it.”

Once at the fake site, the executive's machine gets infected with a Trojan. That looks for other machines on the internal network, with names such as ‘finance’ or ‘payroll’, and tries to exploit unpatched vulnerabilities to infect them with a keystroke logger. This waits until it spots signs of the user logging onto an online banking system.

It was via this kind of technique that a school in Albany, New York, was defrauded of $4 million, only $3.5 million of which was recovered.

Other gangs that have so far only been looking at ways of automating the exploitation of home users are now beginning to look at enterprises. Uri Rivner, head of new technologies at RSA, says that many enterprises have become inadvertently infected with Trojans: employees' laptops get infected when outside the perimeter, then are brought inside.

With the keystroke logging from Trojans sending terabytes of data back to the criminals, they now – by accident – have considerable amounts of corporate data. At the moment, the gangs are doing little more than mining the data, rather than using it or developing enterprise-specific Trojans that target systems such as SAP or Sage.

“I don't see evidence of a kind of eco-system yet. It will take a couple of years to reach this,” says Rivner. He predicts an impact date of mid-2011 for ‘Crime as a Service’ to target enterprises directly, after criminals find a way of monetising the approach. “It's only a matter of time,” he says.