The Evolution of Malware and the Underground Economy

When I first started working in the information technology profession back in the early 1990s, there was not really a defined field specifically for security professionals. Network and system security was handled by the system and network administrators responsible for the general management of the networks. Most security concerns revolved around viruses and basic access controls. The term "malware" had not even entered the general IT lexicon. Fast forward 15 years and the situation has changed dramatically. The hacker underground has gone from young kids defacing websites for fame and glory to a sophisticated, financially motivated network that involves several different layers of actors and groups, often including organized crime rings.

In the last few years the way in which malware is used by criminal elements has changed drastically. Just 5 years ago a single hacker working with one or two friends would create a virus or trojan, distribute it to unsuspecting users via email and use the information gathered for their own personal gain. Things are much different now. Malware developers are content to sell their software for others to use, reducing their own risk of being caught and allowing them to concentrate on the technical work they do best, and they have gone a long way toward improving their products. Far from simply selling malware on the underground marketplace, hackers have begun to sell a service providing easy access to stolen information and allowing criminals to "rent" infected computers for a period of time.

Witness the 76service web site. This site provides a web interface to information gathered from all the machines that are part of the hackers' botnet. Criminals pay a fee to access the web site for a period of time, which allows them to easily obtain personal information from the people using the infected computers. The malware is able to collect information typed into forms, including usernames and passwords, gather bank account information and intercept keystrokes, among other things. All of this information is sent back to the 76service web server, where criminals log in and use the information to steal money, obtain credit and make fraudulent transactions, while the person with the infected host is left wondering why their bank account is shrinking and their credit card balance is growing.

Another such service allows criminals to rent the use of all or part of a hacker's botnet. The botnet can be used to send spam or orchestrate DDoS attacks against another network. The Storm worm botnet is a good example of this type of service: the creators of the botnet have been known to rent portions of the network to criminal elements. All of this suggests that the underground economy is changing, with multiple players involved and criminals having easier access to tools that will allow them to obtain valuable information for committing fraud. I expect to see more such services in the future, with improved methods for delivery of information. Imagine a database filled with personal information, constantly being updated by bots and automatically distributed to paying customers via encrypted channels. This is possibly the direction that malware is headed as hackers continue to evolve their products and services.