A short history of crimeware
Phil Mellinger looks at eight major advances in crimeware technology as malware authors strive to circumvent traditional defenses
By Phil Mellinger
November 04, 2011 — CSO — George Orwell, in his classic vision of the future "Nineteen Eighty-Four," foresaw a totalitarian state filled with devices termed telescreens that were the state's means of monitoring citizens. Today, with our dependence on modern technologies such as PCs and mobile devices, and the widespread availability of crimeware, we've exceeded anything Orwell could ever have imagined. Crimeware is a class of malware that is specifically designed to automate large-scale financial crime. We now carry our own version of Orwell's telescreens with us—termed mobile devices—having cameras, microphones, GPS, and containing all our interactions. Instead of Orwell's vision of a totalitarian state monitoring citizens' lives, we now have a limitless number of individual criminals or hostile states from around the globe capable of using crimeware within our technologies to track our every movement, conversation and action.
With the widespread proliferation of crimeware, we virtually broadcast our very lives around the world for criminals, competitors, and enemies to do with what they will. There is no longer any notion of yesteryear's security, let alone the fatigued concepts of privacy or anonymity.
There are few viable options to combat crimeware's success in undermining today's technologies. One proposed approach fights fire with fire, using malware's own techniques in hand-to-hand combat for the ultimate control of processors. This anti-crimeware approach defeats crimeware by disabling its methods of harvesting data from within PCs, but makes no actual inroads into removing crimeware. Intel and McAfee recently proposed scrapping current processor technology and starting again to design new impenetrable processors. One can only imagine the time and cost necessary to replace and update our entire processor infrastructure. In either case, it is important to know how seriously crimeware has undermined our technologies and the radical thinking required to fight crimeware.
Crimeware: Foundation of Today's Telescreens
From its origins in 2003, crimeware (also termed financial malware, stealth malware, or banking Trojans) evolved through a series of advancements that outpaced any and all traditional security defenses, including the foundational Internet defense triad of SSL encryption, anti-virus, and two-factor authentication. The result of these advancements is an efficient attack tool—ZeuS and SpyEye being the leading examples—capable of collecting large volumes of highly-sensitive authentication data. While no application is immune, criminals, as expected, are focusing their attacks on those applications that give them the most direct payoff—online banking accounts.
While it is difficult to estimate how thoroughly crimeware has infested our technologies, the most telling way to demonstrate the effectiveness of crimeware is to obtain a copy of ZeuS or SpyEye, generate a fresh variant to infect a PC, and then check whether PC security technologies detect and remove the crimeware. In most cases, fresh variants of crimeware are so effective and so devastating that the only way to guarantee their removal is to rebuild the machine from scratch.
Crimeware's Advance
Crimeware was founded on three core technologies: 1) botnet controllers capable of handling hundreds of thousands of bots; 2) sophisticated Trojans that are updateable; and 3) highly-effective data collection. Since 2003, eight major advances have contributed to the invincibility of crimeware.
Advancement #1: Form-grabbing for PCs running IE/Windows
Form grabbing, as its name implies, is the crimeware technique for capturing web form data within browsers. Prior to 2003, malware employed a variety of hook-based key-logging techniques to collect keystrokes from compromised PCs. The 2003 deployment of form-grabbing against PCs running IE/Windows (browser/OS) avoided the pitfalls of key-logging (e.g., backspaces, corrections, misspellings, etc.), allowing criminals to harvest large numbers of online bank account IDs and passwords.
In response to criminals' large-scale harvesting of banking credentials, the Federal Financial Institutions Examination Council (FFIEC) in 2005 declared password-based authentication (single factor) to be insufficient for online banking and required banks to transition to more sophisticated authentication techniques such as two-factor authentication (something you know, something you have) to access online bank accounts. Crimeware quickly evolved to overcome even two-factor authentication.
Advancement #2: Anti-detection (also termed stealth)
A fundamental advance in crimeware was its ability to evade detection by anti-virus software and other security technologies. Crimeware anti-detection capabilities (sometimes termed stealth) prevent detection by either signature-based (i.e., anti-virus) or behavioral-based (i.e., intrusion detection/prevention) techniques. Crimeware achieves this by varying any feature (registry locations, file names, CLSIDs, signatures, protocols, etc.) that could be used to detect the crimeware. Stealth techniques have all but rendered traditional anti-virus products useless since it is impossible for them to detect and remove tens of millions of variants that are generated each year.