For a few hundred dollars in start-up money and another couple hundred each month in fees, anyone can get the software tools and even 24/7 call center support services they need to build and run their own malicious botnet that allows them to surreptitiously control a network of computers. The computer owners have no idea their machines have been turned into zombies in the service of others.
In 2009, these types of exploit kits cost as much as $2,000, but now they can be had for a few hundred in start-up and monthly fees, explained Max Goncharov, senior threat researcher at Trend Micro, a cybersecurity firm. He spoke at a press briefing on cyberthreats that the company held March 27.
That’s just one of the problems companies and governments are up against as they traverse today’s cyberterrain. Modern attacks are all about making money, and cybercriminals are pretty good at marketing products to each other that further that objective and put companies at even greater risk. And catching the bad guys isn’t easy because many of the countries they operate from are not motivated to stop them.
Some governments even consider them useful. China and Russia, for example, reportedly let these rogue groups operate freely so that they can use them and their botnets to launch attacks on enemies. Those attacks then cannot clearly be traced back to the state. That practice has muddied the waters about what counts as a state-sponsored attack. “In lots of things we are seeing now, we are not sure whether it is state sponsored or just a cybergang,” said Raimund Genes, Trend Micro’s chief technology officer.
Genes started by giving a brief history of the evolution of cyberattacks. He noted that while people still refer to companies like his as anti-virus (and that they refer to themselves that way, as well), the last true virus was in 1999. After that came worms and other malware. Around 2003, Eastern European gangs were the first to figure out how to make money from cybercrime. As attackers were becoming more driven by monetary objectives, they were also learning to be more stealthy. Around 2005, botnets evolved that could hide their origins. Around 2007, researchers started to see targeted phishing attacks. Now the focus is on persistence—attacks that can come into a corporate computer and avoid being detected for long periods of time, during which the malware steals valuable data. The average time an attack goes undetected is 210 days.
The number of new types of malware that appear daily is staggering. The industry works together, said Genes, sharing threat samples with each other. Of about 300,000 daily samples that are shared and reviewed, about 150,000 are judged new. On average, Trend Micro says that it creates 60,000 signatures daily to fight those. But that doesn't count the targeted attacks that fly under the radar. Good cybercriminals know how to write code in malware that tells it only to activate when it gets inside the company that is targeted, and they know how to have it mimic the corporate environment. “And with this you ensure that it’s not visible for quite a while,” said Genes.
The criminals have many ways of tricking users into helping them get inside. An e-mail attachment is always an option, but it leaves a forensic trail because investigators can retrieve the old e-mail once the problem is detected and study the attachment. A more popular method today is to include a URL in an e-mail and get the “mark” to visit a Web site where he or she will be tricked into letting malware into the corporate network, explained Genes. The phishing e-mail might say something like, “I think we went to high school together. Is this you in this picture?” and carry a URL link. When the recipient clicks on it, the link leads to the malicious Web site. The attacker gains the advantage of knowing that the mark clicked the URL, “so you know you infected the target,” said Genes. And if the site is detected, the bad guys simply discontinue or “nuke” it, leaving no evidence behind. They usually research the target ahead of time via social media to make the “come on” more convincing.
The use of mobile devices has created yet another attack vector. Trend Micro said that there were 350,000 malware attacks against Android phones in 2012 and it expects more than 1 million in 2013. The targets for now are typically in Japan and China—and that figure is still low compared to the 300,000 daily attacks against Windows machines. Even so, the rise of mobile devices and the potential for infection through them should be on every company’s radar.
More broadly, the really important change for corporations has been that the old model of protection—having a strong perimeter and securing the corporate intranet—just doesn’t work anymore.