by Phil Mellinger

A short history of crimeware

Nov 04, 2011 | 8 mins
Cybercrime | Data and Information Security

Phil Mellinger looks at eight major advances in crimeware technology as malware authors strive to circumvent traditional defenses

George Orwell, in his classic vision of the future “Nineteen Eighty-Four,” foresaw a totalitarian state filled with devices termed telescreens that were the state’s means of monitoring citizens. Today, with our dependence on modern technologies such as PCs and mobile devices, and the widespread availability of crimeware, we’ve exceeded anything Orwell could ever have imagined. Crimeware is a class of malware that is specifically designed to automate large-scale financial crime. We now carry our own version of Orwell’s telescreens with us—termed mobile devices—having cameras, microphones, GPS, and containing all our interactions. Instead of Orwell’s vision of a totalitarian state monitoring citizens’ lives, we now have a limitless number of individual criminals or hostile states from around the globe capable of using crimeware within our technologies to track our every movement, conversation and action.

With the widespread proliferation of crimeware, we virtually broadcast our very lives around the world for criminals, competitors, and enemies to do with what they will. There is no longer any notion of yesteryear’s security, let alone the fatigued concepts of privacy or anonymity.

There are few viable options to combat crimeware’s success in undermining today’s technologies. One proposed approach fights fire with fire, using malware’s own techniques in hand-to-hand combat for ultimate control of the processor. This anti-crimeware approach defeats crimeware by disabling its methods of harvesting data from within PCs, but makes no actual inroads into removing crimeware. Intel and McAfee recently proposed scrapping current processor technology and starting again to design new, impenetrable processors. One can only imagine the time and cost necessary to replace and update our entire processor infrastructure. In either case, it is important to know how seriously crimeware has undermined our technologies and the radical thinking required to fight it.

Crimeware: Foundation of Today’s Telescreens

From its origins in 2003, crimeware (also termed financial malware, stealth malware, or banking Trojans) evolved through a series of advancements that outpaced any and all traditional security defenses, including the foundational Internet defense triad of SSL encryption, anti-virus, and two-factor authentication. The result of these advancements is an efficient attack tool—ZeuS and SpyEye being the leading examples—capable of collecting large volumes of highly-sensitive authentication data. While no application is immune, criminals, as expected, are focusing their attacks on those applications that give them the most direct payoff—online banking accounts.

While it is difficult to estimate how thoroughly crimeware has infested our technologies, the most telling way to demonstrate its effectiveness is to obtain a copy of ZeuS or SpyEye, generate a fresh variant to infect a PC, and then check whether PC security technologies detect and remove the crimeware. In most cases, fresh variants are so effective and so devastating that the only way to guarantee removal is to rebuild the machine from scratch.

Crimeware’s Advance

Crimeware was founded on three core technologies: 1) botnet controllers capable of handling hundreds of thousands of bots; 2) sophisticated Trojans that are updateable; and 3) highly effective data collection. Since 2003, eight major advances have contributed to the invincibility of crimeware.

Advancement #1: Form-grabbing for PCs running IE/Windows

Form grabbing, as its name implies, is the crimeware technique for capturing web form data within browsers. Prior to 2003, malware employed a variety of hook-based key-logging techniques to collect keystrokes from compromised PCs. The 2003 deployment of form-grabbing against PCs running IE/Windows (browser/OS) avoided the pitfalls of key-logging (e.g., backspaces, corrections, misspellings, etc.), allowing criminals to harvest large numbers of online bank account IDs and passwords.

In response to criminals’ large-scale harvesting of banking credentials, the Federal Financial Institutions Examination Council (FFIEC) in 2005 declared password-based authentication (single factor) to be insufficient for online banking and required banks to transition to more sophisticated authentication techniques such as two-factor authentication (something you know, something you have) to access online bank accounts. Crimeware quickly evolved to overcome even two-factor authentication.

Advancement #2: Anti-detection (also termed stealth)

A fundamental advance in crimeware was its ability to evade detection by anti-virus software and other security technologies. Crimeware anti-detection capabilities (sometimes termed stealth) prevent detection by either signature-based (i.e., anti-virus) or behavioral-based (i.e., intrusion detection/prevention) techniques. Crimeware achieves this by varying any feature (registry locations, file names, CLSIDs, signatures, protocols, etc.) that could be used to detect it. Stealth techniques have all but rendered traditional anti-virus products useless, since it is impossible for them to detect and remove the tens of millions of variants generated each year. [Also see “The rise of anti-forensics.”]

Advancement #3: Web-injects (also termed man-in-the-browser)

In 2009, crimeware added the capability of performing web-injects (also termed man-in-the-browser attacks) for PCs running IE/Windows. This capability fully defeats the two-factor authentication contemplated by the FFIEC by allowing criminals to take over authenticated connections from within compromised PCs. Web-injects subvert any authentication technique based on key entry. In essence, the criminal is monitoring the PC from within, in real time, and can manipulate any entered data. While a user may believe he is entering authentication data directly onto a bank’s server, in reality the crimeware is capturing the authentication within the PC and then forwarding the authentication data itself. The crimeware now controls the user’s connection to the bank from within the PC.
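As an added illustration of why a key-entry second factor does not survive a man-in-the-browser (example code, not from the article or any product it mentions), the Python below contrasts a plain one-time code, which only proves possession of the second factor, with a code bound to the payee and amount the user approved out of band; the shared secret, transaction values and field names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; in practice this would be a per-customer key
# provisioned to the second-factor device.
SHARED_SECRET = b"demo-shared-secret"


def plain_otp(secret: bytes, nonce: bytes, tx: dict) -> str:
    """Classic key-entry second factor: depends only on the secret and a
    server nonce, never on what the user is approving (tx is ignored)."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]


def bound_code(secret: bytes, nonce: bytes, tx: dict) -> str:
    """Transaction-bound code: commits to the payee and amount that were
    shown to the user on the separate device."""
    msg = nonce + f"|{tx['payee']}|{tx['amount']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def verify(scheme, secret: bytes, nonce: bytes, submitted_tx: dict, code: str) -> bool:
    """Bank-side check: recompute the code for the transaction actually
    submitted over the (possibly hijacked) browser session."""
    return hmac.compare_digest(scheme(secret, nonce, submitted_tx), code)


def simulate(scheme) -> tuple:
    """Run one honest submission and one where a man-in-the-browser
    rewrites the form data after the user has approved it."""
    nonce = secrets.token_bytes(16)
    intended = {"payee": "ACME Utilities", "amount": "120.00"}  # constructed
    code = scheme(SHARED_SECRET, nonce, intended)  # issued for what the user saw
    honest = verify(scheme, SHARED_SECRET, nonce, intended, code)
    altered = {"payee": "MULE ACCOUNT", "amount": "4900.00"}  # constructed
    tampered = verify(scheme, SHARED_SECRET, nonce, altered, code)
    return honest, tampered


if __name__ == "__main__":
    print("plain OTP  (honest, tampered):", simulate(plain_otp))   # (True, True)
    print("bound code (honest, tampered):", simulate(bound_code))  # (True, False)
```

The bound scheme only helps when the user reads the payee and amount on the separate device and types the code by hand; a device that confirms automatically removes that check.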

Advancement #4: Expanded Browser/OS Support (Chrome, Opera, Safari, and Apple OS X)

Crimeware in 2010 expanded beyond PCs running IE/Windows. In March 2010, crimeware added support for PCs running Firefox on Windows. In July 2010, crimeware developers deployed upgrades to support man-in-the-browser attacks against the Firefox browser on Windows. This support greatly increased the number of PCs susceptible to crimeware. Crimeware-susceptible platforms have since expanded to include even more browsers (Chrome, Opera, and Safari) and operating systems (Apple OS X).

Advancement #5: Source Code Availability/Release

The source code for ZeuS and SpyEye, among the most sophisticated crimeware, was publicly released in 2010 and 2011, respectively. This enabled other developers to exploit the mechanisms that ZeuS used to subvert PCs. As a result, other crimeware and malware programs have been modified to include the advanced capabilities of ZeuS and SpyEye (stealth, form-grabbing, and web-injects).

Advancement #6: Disabling/Circumventing of Anti-Crimeware

Crimeware in 2010 deployed the capability to disable anti-malware products that did not themselves employ stealth techniques. Crimeware may also circumvent such products, breaking their function while they appear to operate normally. In essence, anti-crimeware products themselves needed to employ stealth capabilities.

Advancement #7: Mobile Device Support (also termed man-in-the-mobile)

In 2011, as banks increasingly turned to out-of-band authentication techniques to validate online banking transactions, new crimeware became available that subverted the mobile devices banks used to validate those transactions with customers. Termed man-in-the-mobile attacks, these work when out-of-band messages are sent to mobile devices to validate web-based banking transactions: the attack both hides the validation request from the user and covertly validates the transaction without the user’s awareness.

For example, a text request from a bank for a customer to authenticate a fraudulent online banking transaction would not be shown to the mobile device user, but the mobile device would validate to the bank that the transaction was valid without the mobile device user’s awareness.

Advancement #8: Anti-removal (also termed persistence)

As security solutions struggle to detect and remove crimeware from compromised PCs, malware authors are updating their code to permit it to re-emerge on PCs even after its supposed removal. Once a PC is compromised, the objective is for the PC to remain compromised.

Combatting Crimeware

We are in an era where PCs, mobile devices, and the Internet are no longer trusted. Crimeware is devastating our security, our privacy, and our anonymity. It has jumped across browsers, operating systems, and even devices, to endanger all current technologies.

Three actions might be taken.

First, we need to know how thoroughly crimeware has infested our technologies and what losses and damage are attributable to crimeware. In short, we need to know where we stand. Is crimeware being used to control our stock markets, our banks, and our government?

Second, we need to contemplate new approaches to controlling the handling and distribution of crimeware – it is no less dangerous than weapons, cryptography or wiretapping. After all, if it isn’t dangerous, why do they call it cyberwar?

Third, the Federal Government could counter crimeware with an anti-crimeware program—disabling crimeware functionality on a broad scale instead of attempting to detect and remove crimeware from compromised PCs. It’s time US cyber defenses extended their reach to shelter citizens and their technologies.

It’s unlikely that George Orwell or anyone else could have envisioned either the widespread availability of crimeware or the proliferation of our generation’s hand-carried telescreens. We have entered a new phase of security, unprecedented in its susceptibility to crimeware and international monitoring. As of yet, there is no magic technology around the bend that can fix the situation. For the foreseeable future, we are left with hand-to-hand software combat for the control of our processors.

Philip T. Mellinger is currently Chief Scientist for Trusted Knight Corporation, creating anti-crimeware solutions for the financial industry. He received graduate computer science degrees from Johns Hopkins and George Washington Universities, holds seven patents for anti-fraud technologies, and has served with the National Security Agency, the North Atlantic Treaty Organization, the US Air Force, and two Federal think tanks.