Channel: MalwareTech

2013 In Malware

As an end of year article, I thought it might be a nice idea to review some of the interesting (to me) malware related events of this year. There's no specific order to the list, but I'll try to include dates for all.

Peak Botnet Crisis

In the past few years malware has evolved rapidly: we've seen rootkits move from user-mode to kernel-mode and even dominate 64-bit platforms with bootkits loading unsigned drivers. The malware world and fraud world were brought together by popular banking malware, such as Zeus, leading to a huge demand for banking malware and a financially driven malware arms-race. In the last quarter of 2012, something strange happened. All the key malware developers slowly started leaving, retiring, or ending up in jail. By early 2013 the $40,000 Carberp Trojan was just about the only professional malware still on sale; however, once sales stopped, fraudsters were left with nothing.

Throughout 2013 there was a huge demand for banking malware but little was seen; from time to time sellers would pop up with simplistic Zeus modifications looking to make a quick buck, but nothing serious was sold during the year. This malware shortage gave security companies an opportunity to catch up: with the discontinued Zeus Trojan still leading the way, it wasn't difficult for anti-viruses to detect and prevent the methods it used. For most of this year botmasters have been fighting a losing battle to maintain large botnets using old and detected technologies, which probably led to a drop in the average size of botnets.

Bug Bounty Fever

Contrary to what fools like trojan7sec will try to tell you, 0-day exploits are rare on the blackhat scene (for those who don't know, 0-day exploits are exploits that are currently unknown to the developers and therefore not patched). Because they are difficult to find and develop, a 0-day exploit can sell for upwards of $2,000 depending on the nature of the exploit. 0-day exploits used for remote code execution (commonly used in exploit packs) will generally sell for upwards of $40,000.

If someone was trying to spread malware using an exploit pack, it's likely the exploit pack would be discovered and reported on by security researchers, which would inevitably lead to any 0-days being quickly patched. From the point of view of someone trying to create a botnet, it would be much more cost effective to buy a handful of recently patched exploits for a small price, rather than spend $40,000+ per exploit. In most cases people don't update their browser and software weekly or even monthly, so even patched exploits are likely to still be unpatched on a huge number of targets (this is the reason nearly all exploit packs in existence use already patched exploits).

Bug bounties are nothing new, but this year Google (and others) have continued raising the rewards for researchers submitting 0-day exploits. With the bounty for some exploits way into the $100,000 range, there is less incentive for hackers to struggle selling exploits on the black market when they can quickly, easily, and legally sell them to the companies developing the software. Bug bounties have created a whole new culture, as well as encouraged a few other companies to create bug bounty programs of their own.

Carberp Leak

Probably one of the biggest malware related news stories of the year: after a dispute between Carberp group members, the Carberp source code (including the bootkit) was mass-sold on underground forums. This inevitably led to a pyramid of resellers with lower and lower prices, until the code was eventually leaked and fell into the hands of the public (24th June). At the time the leak seemed like a serious problem, but due to the advanced nature of the code it has been too complex for most malware developers to make use of, resulting in very few Trojans incorporating the bootkit. Carberp still remains the most advanced commercial banking Trojan and the most advanced malware source code to ever be leaked.

POS Malware Gobbles Cards

A new type of malware starts showing up around the world. Point of Sale (POS) malware is a special type of Trojan designed for POS systems such as shop checkouts: the malware resides on the system and logs card details whenever a shopper pays by card. Because POS systems are internet connected and can process hundreds of cards per week, POS malware poses a big risk to card users. Although the malware is still not hugely widespread, it's something that's likely to become more and more widespread across 2014.

This isn't the first time fraudsters have started targeting centralized systems instead of individual home computers: during the past few years we've seen a rise in ATM skimmers, which are special hardware fitted to ATMs in order to log card details on use.
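As an added defender-side illustration (not code from the post, and not any real POS malware): the card details a POS Trojan logs are magnetic-stripe track records, so one practical check on a suspect terminal is to scan a memory dump or disk image for Track 2 records (`;PAN=YYMM...?`) and confirm candidates with the Luhn checksum, which weeds out random digit runs. The sample buffer and its well-known test PANs are constructed here.

```python
import re
from typing import Dict, List

# Track 2 layout: ';' PAN(13-19 digits) '=' YY MM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,50}\?")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum as used on payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Dict[str, object]]:
    """Return Luhn-validated Track 2 records found in a raw byte buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm, svc = (g.decode() for g in m.group(2, 3, 4))
        if not luhn_valid(pan) or not 1 <= int(mm) <= 12:
            continue            # decoys and random digit runs drop out here
        hits.append({"offset": m.start(), "pan": mask_pan(pan),
                     "expiry": f"{mm}/{yy}", "service_code": svc})
    return hits


# Constructed sample "memory dump": two valid tracks built on public test
# PANs, one Luhn-invalid decoy, and unrelated bytes around them.
SAMPLE_DUMP = (
    b"\x00\x00POS.EXE\x00receipt#4471"
    b";4111111111111111=25121010000000000000?"
    b"\x00garbage;1234567890123456=2505101?\x00"
    b";5500000000000004=2607201123456?"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)
```

Run it against a real dump (for example the output of a process memory capture on the terminal) instead of `SAMPLE_DUMP`; any hit on a machine that should never hold clear-text track data is worth an investigation.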

Paunch Gets Sucked Into Blackhole

On October the 7th news emerged that Paunch, the creator of the Blackhole exploit pack, had been arrested in Russia. Although people remained skeptical, the arrest was confirmed almost 2 months later.

Blackhole was the most widely used exploit kit on the market; it had even been used by huge cybercrime groups such as those behind Carberp, ZeroAccess and TDL. Paunch's arrest saw some criminals switching back to older spreading methods such as email spam, whilst others moved over to lesser known exploit kits. Paunch also maintained a second exploit kit known as "Cool EK", which was a $10,000 a month pack that included newer exploits and sometimes even 0-days.

ZeroAccess Raises White Flag

On December the 5th Microsoft coordinated an attack against 18 IP addresses used by the ZeroAccess botnet. The attack was another of Microsoft's "look at how powerful we are" publicity stunts: the targeted IP addresses were C&C servers associated with the click-fraud component and not the actual bot. Because the actual botnet is peer-to-peer, the attack had little effect and cannot actually take down the network; however, it did lead to the botmasters sending a command containing the text "WHITE FLAG" and ceasing click-fraud. It's important to note that the botnet is still alive and can send out new commands at any time, only it is not performing click-fraud anymore.

Based on the amount of time, cooperation, and effort it takes to acquire warrants for all of the C&C servers, it would seem that someone has too much time on their hands. This isn't the first waste of time operation Microsoft has executed: in 2012 Microsoft filed a lawsuit against a bunch of aliases and email addresses in order to seize domains and servers associated with various Zeus botnets. It takes weeks to obtain a warrant and only a few minutes for a criminal to set up a new server or domain; the time could be better spent.

TM's 2013 Scoreboard

Most interesting malware of the year
Rovnix bootkit - Probably some of the most interesting code I've seen: stores components outside of the filesystem to make them almost invisible, uses a custom TCP/IP stack to bypass firewalls, modifies the OS image in memory to load unsigned 64-bit drivers, and is capable of starting before any antivirus.

Most over-hyped malware of the year
Kins - Both blackhats and whitehats alike spent months ranting about the amazing new banking Trojan known as Kins, calling it "the new Zeus" and "a professional-grade banking Trojan". Of course it just turned out to be a Zeus modification with some other leaked code copied and pasted in.

Best anti-malware effort of the year
The "Malware Must Die" group - Doing their best to help fight malware in their free time, with limited resources. They were a big part of the Kelihos take-down operation as well as other smaller operations. Keep up the good work!

Biggest lamer of the year
Trojan7sec - I'm not sure where to start. Claiming to be a security researcher whilst engaging in blackhat activities, attempting to post the personal information of real security researchers, pathological lying with claims of being a millionaire and ex-superhacker, misleading beginners with false information while trying to seem like an expert, insulting and trying to contradict people who do know what they're talking about; the list goes on. He wins lamer of the year by far and probably lamer of the century too.

Worst malware of the year
Cryptolocker - Puts the mal back in malware. It seems the common methods of monetizing computers were too mainstream for these guys, so they decided to make money by encrypting people's files and then selling them back.