Sat, Feb 23, 2008 18:30 EST
Posted by: Ryan Sherstobitoff in News Topic: Enterprise Management
One could never have imagined that the evolution of crimeware over the last couple of months could follow defined patterns within an established ecosystem. Malware creation groups very much follow the model and organization of their legitimate counterparts, finding every way possible to make a profit.
It began a year or so ago with a shift in the very nature and principles of malware creation towards being economically driven. We can see several stages within this evolution that have contributed to the present-day situation:
- A shift from curiosity to profit gain.
- Malware creation becomes more organized towards one goal: financial gain through illicit means.
- Malware authors begin to follow common trends in business and commerce in order to take advantage of their victims (e.g. iPhones).
- The first ever cyber-crime for sale is offered through various Russian hacking forums.
- Malware authors change tactics to saturating security labs with an ever-increasing pace of new malware, in the hope of creating a sustained denial of service against their resources.
- Targeted attacks focusing on specific user populations, entities and the like begin to rise (monster.com, facebook, salesforce.com, etc).
- Banker Trojans emerge utilizing complex means of injecting HTML into browser sessions to capture credentials.
- Banker Trojans further evolve to include capabilities ranging from diverting funds mid-transfer to hiding their actual code on a remote server in the cloud.
For example, there is currently a high volume of banker Trojans affecting consumers abroad, using a wide range of techniques to capture confidential banking information such as PINs and other data.
This information is then used illegally in several ways: credit card scams, printing fake ATM cards, purchasing goods with stolen credit cards and then selling them at discounted prices, and a host of other scams.
These Trojans are designed to work with the authentication mechanisms incorporated by the bank. For example, a number of these Trojans inject non-existent fields into the live banking session to capture additional information that the bank normally would not ask for.
There are even some cases of Trojans hijacking sessions in real time and sending funds to accounts other than those originally intended. While this all may seem like a bleak outlook in regards to the current state of affairs, it happens to be the reality that we live in today.
So you may be asking at this point how widespread this problem really is. In fact, over 50% of our detections within PandaLabs are related to Trojans of some form or another (mostly banker Trojans) designed to steal confidential information.
The methods and vectors for attack have also evolved from the early simplistic means (email or very basic phishing) to complex targeted attacks with multiple vectors in play.
We can also see that there has been an evolution from the basic common delivery mechanism to complex targeted delivery mechanisms:
- Network self propagation as seen in complex network worms such as MyDoom, Blaster, Sasser, etc (these worms were seen at the tail end of the massive epidemics of 2004 and 2005).
- Malware propagation through email attachments, mime vulnerabilities, etc.
- Basic email phishing campaigns targeting specific banks (usually PayPal, Bank of America and a host of European and Brazilian banks).
- Targeted “spear” phishing campaigns focusing on specific entities and specific user populations.
- Lacing legitimate websites with iFrame tags referencing several MPack servers.
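Two of the techniques above, injected form fields in a banking session and hidden iFrames pointing at an external exploit server, leave traces in the HTML the victim's browser receives. The following scanner is an added example, not code from the original post or from PandaLabs; it uses Python's standard-library HTMLParser, and the bank host `bank.example`, the expected field list and the sample pages are all constructed for illustration. It flags input names the legitimate login form never contains, and iFrames that are both hidden (zero-size or styled invisible) and sourced from a host other than the site itself.

```python
"""Detect two crimeware injection patterns in a page's HTML:
(1) form fields a bank's genuine login page never asks for, and
(2) hidden iframes that load content from an external host.
Everything below (hosts, baseline, sample pages) is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical baseline: the input names the bank's real login form contains.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}


def _is_hidden(attrs):
    """True if the element is sized to nothing or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = (attrs.get("width") or "") in ("0", "1") or (attrs.get("height") or "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    """Collects input field names and hidden, externally sourced iframes."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.form_fields = set()
        self.suspicious_iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            name = a.get("name")
            if name:
                self.form_fields.add(name.lower())
        elif tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname  # None for relative URLs
            external = host is not None and host.lower() != self.site_host
            if external and _is_hidden(a):
                self.suspicious_iframes.append(src)


def scan_page(html, site_host, expected_fields=EXPECTED_FIELDS):
    """Return the unexpected form fields and suspicious iframes found in html."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return {
        "unexpected_fields": sorted(parser.form_fields - expected_fields),
        "suspicious_iframes": parser.suspicious_iframes,
    }


# Constructed sample: a login page with two injected fields and a hidden iframe.
TAMPERED_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ATM_PIN">
  <input type="text" name="card_number">
</form>
<iframe src="/help/frame" width="300" height="200"></iframe>
<iframe src="http://evil.example/mpack/" width="0" height="0"></iframe>
"""

# Constructed sample: the same page as the bank actually serves it.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<iframe src="/help/frame" width="300" height="200"></iframe>
"""

if __name__ == "__main__":
    print(scan_page(TAMPERED_PAGE, "bank.example"))
    print(scan_page(CLEAN_PAGE, "bank.example"))
```

The two checks apply at different points. A banker Trojan that injects fields does so inside the victim's browser, so the field comparison is only meaningful when run over the DOM the user actually sees (for instance from a browser extension or a client-side integrity script), not over the copy the server sent. The iFrame check, by contrast, targets the page a compromised web server is serving and can run in a crawler or proxy. Both depend on a trusted baseline for the site; without one, the output is a list of candidates for a human to review.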
IT security vendors at one point warned their customers against visiting “the dark side” of the Internet in order to avoid becoming infected, and thus a whole business of Internet content filtering was established to help organizations enforce acceptable use policies.
However, this warning is no longer valid as a good majority of legitimate