Chapter 3 - Crime Areas

3.2 Malware - Overview

One of the fundamental services provided by cybercriminals is the design, development and distribution of malware – arguably the key primer for the majority of downstream cybercrime. Malware-as-a-Service (MaaS) is becoming increasingly professional, mirroring legitimate commercial software development companies by providing functionality such as 24/7 customer support and frequent patches and updates to continually refine their product and increase its capability and competitiveness in the malware marketplace. As such, MaaS is becoming an essential component of the underground economy.

Attack vectors

Exploit kits represent one of the most common methods of infection, with more than 80% of online threats detected in 2012 associated with infected websites [20]. Current popular kits include the Pony, (Sweet) Orange, Magnitude and Neutrino exploit kits. Java and Adobe products remain primary targets to exploit, with up to 90% of exploits working through vulnerabilities in Java [21].

The Blackhole Exploit Kit (BEK) was a very successful implementation of Malware-as-a-Service. The BEK was available for rent to deliver everything from fake antivirus and ransomware to Zeus and the infamous TDSS and ZeroAccess rootkits, attacking Windows, OS X, and Linux. The BEK’s authors offered free updates for the life of the subscription and customers who wanted to run their own Blackhole servers could purchase longer licences.

Watering Hole attacks are an increasingly popular social engineering attack method for criminals targeting specific industries or organisations. This methodology was used to breach several prominent Internet companies in 2013 including Facebook, Twitter, Apple and Microsoft [22].

Spam, although on a general downward trend, is still a major threat representing approximately 70% of all inbound email traffic [23]. A blunt tool in a cybercriminal’s hi-tech toolkit, spam relies on sheer numbers, despite low success rates, to distribute malicious URLs and attachments to infect unwitting victims. That is not to say that spam is not the weapon of choice for the malware developers at the forefront of contemporary malware; a massive spam operation was used to launch the Cryptolocker campaign of late 2013.

Most mobile devices are permanently on, giving attackers much larger windows of opportunity to attack or exploit a particular device. Mobile devices share a number of infection methods with other platforms, though many are unique to the mobile platform.

Infected mobiles have the potential to act as an infection vector for other platforms and devices. Some emerging malware variants are capable of propagating themselves (along with other malware) to other devices via Bluetooth. Other malware is designed to spread to desktops via infected smartphones and tablets once connected via USB [24].

Malware functionality

Malware serves a multitude of malign purposes. This ranges from logging keystrokes to steal sensitive user data, to sophisticated and professional malware which can intercept and alter data or hijack the victim’s user session. ‘Ransomware’ typically disables a victim’s device until a fee is paid to release it. Other malware simply provides a ‘backdoor’ for attackers to access the infected device. Compromised devices can also be used as malicious web servers to host illegal content or child abuse material.

Although cryptoware originated in 1989 [25], 2013 witnessed a resurgence of this threat with a spam campaign spreading the Cryptolocker malware. Cryptolocker identifies files likely to be of value to the victim (photos, videos, text documents, etc.) and encrypts them, rendering them effectively irretrievable without the decryption key. Payment of the ransom results in the provision of the decryption key, although the malware will remain on the victim’s device unless removed by the victim. As ransomware potentially renders the victim’s device unusable it is often used as a ‘final stage’ attack, deployed only once other exploitation opportunities have been exhausted [26].

Ransomware remains a lucrative venture for cybercriminals. Once deployed, each successful extortion represents a direct payment to the attacker. Furthermore, a relatively unskilled cybercriminal can initiate a campaign by taking advantage of the pay-per-install services or crimeware kits readily available as products or services in the digital underground economy [27].

The majority of mobile malware takes advantage of a mobile’s direct access to funds in the form of the victim’s account credit. Approximately half of mobile malware is made up of premium service abusers or chargeware. These send SMSs or subscribe their victim to premium services without the victim’s knowledge.

Some malicious apps either work in conjunction with malware already present on the victim’s PC or spoof legitimate mobile banking apps in order to steal login credentials but with the added function of being able to intercept the mobile transaction authentication number (mTAN) required for two-factor authentication and transmit it to the attacker [28].

Approximately a quarter of mobile malware harvests the second most valuable commodity to cybercriminals after cash – data. SMS content, call logs, IMEI numbers, WiFi network details and lists of contacts and installed apps are harvested from infected devices, transmitted to the attacker and traded to facilitate further fraud. SMS-related information databases are some of the best-selling data sets in the underground [29].

Mobile malware is increasingly mirroring the functionality of its desktop counterpart, which is unsurprising as smartphones are now comparable in processing power to desktop computers from 2010 [30]. There are already examples of mobile malware being used to (inefficiently) mine cryptocurrencies [31]. Smartphones are also ripe targets for ransomware. 2013 saw the first examples of mobile ransomware, and variants of mobile cryptoware (SIMPLOCKER) began appearing in June 2014 [32], only six months after the emergence of Cryptolocker.

Criminal botnets

In addition to what can be obtained from an individual machine, once infected, a victim’s device may become part of a botnet. Comprised of thousands if not millions [33] of infected machines or ‘bots’, botnets can be used for a variety of functions including spam campaigns, adware, spyware, click fraud or DDoS attacks on other networks and systems. An infected mobile device can also become part of a botnet. Mobile botnets can similarly be used to send SMS spam in order to reach new victims.

A recent development in botnets, as seen with GameOver Zeus, is the use of peer-to-peer (P2P) networks such as TOR to communicate with the command and control (C&C) architecture in an encrypted and anonymised way. This makes it difficult for law enforcement to locate C&C servers, thereby making the botnet more resistant to any take-down attempts.

There are two prominent categories of malware reflected in the cases encountered by law enforcement in Europe: ransomware and banking Trojans. Both attacks are profit-making engines for attackers and are therefore likely to represent the majority of malware campaigns.

Ransomware

Roughly 65% of European law enforcement has encountered some form of ransomware, and mainly police ransomware. This bias in reporting is most likely due to the police-orientated composition of the attack, increasing the likelihood that it would be referred to law enforcement. Although the majority of these attacks follow the typical attack modus operandi of blocking access to and the functionality of a victim’s device, examples of police ransomware using encryption are starting to emerge.

Despite heavy reporting in the media, cryptoware did not feature as a significant current threat for EU law enforcement in comparison to other malware attacks. Still, several Member States were subject to cryptoware campaigns from attackers deploying either Cryptolocker or CryptoBit.

Banking Trojans

Banking malware remains the cyber workhorse of the digital underground, harvesting victims’ credentials and logins, and providing attackers with access to their accounts. Over half of EU Member States reported cases relating to banking Trojans. Of these the Zeus (including more sophisticated P2P variants) and Citadel campaigns were the most common. To a lesser degree SpyEye, Dexter, Qadars and Torpig were also encountered.

Member States were additionally plagued by a mixed bag of other malware attacks, with Remote Access Tools (RATs), such as the Blackshades malware, also commonly reported.

Today the ability to launch a successful malware campaign is enhanced and propagated by the Crime-as-a-Service business model of cybercrime. Crimeware packs and kits for launching malware campaigns are readily available on the illicit forums that cybercriminals frequent. Malware is often supplied by resellers rather than the original developers, indicating further niche roles in the marketplace.

Many attacks are customised to target specific jurisdictions. With ransomware for example, ransoms are demanded in national currencies or languages. Poor translation suggests that campaigns often originate from outside the victim’s jurisdiction.

Facilitators and relevant factors

A major enabler for malware is a lack of awareness and education on the part of the victim. The weakest link in cyber security is often the user, meaning that even the most effective and sophisticated security solutions rely on the user’s understanding of how to stay safe online. Users leave themselves additionally vulnerable by running unpatched and outdated software.

The digital underground supplies a number of services which support and complement the successful development and deployment of a malware product. Coders are required to write the various injects and plugins which can give malware specific or unique functionality (such as targeting a specific URL or grabbing credit card details). Encryption services are essential to obfuscate the code of malware so that it can bypass detection by antivirus software. Others sell traffic, directing potential victims to compromised URLs, or offer pay-per-install services, receiving payment for each new victim they are able to infect on behalf of their customer.

Counter-antivirus services are another key support service. These allow malware developers to anonymously upload files and scan them against a range of commercial antivirus products in order to determine whether the files are detected.