Another finding: Antivirus solutions are unable to detect 60% of malware in the wild

Malware purveyors are now primarily in the mass-distribution business. That has been the trend, and the Security Engineering Research Team (SERT) at managed security services provider Solutionary confirms it. Among the key findings of the team’s third-quarter report was that of the malware they analyzed, 92% was mass-produced.

That does not mean that targeted attacks have ceased, said Don Gray, chief security strategist at Solutionary. “If you’re the target, that’s a huge problem,” Gray said, but in general, for cybercriminals in the malware business, “the wider the net you can cast, the better.”

The report said the majority of mass-distributed malware samples were banking Trojans, malware that uses man-in-the-browser (MitB) keystroke logging to steal victims’ bank account information so that it can later be used to make fraudulent charges. MitB improvements are a factor in the mass-production trend. Security vendor Trusteer reported last week the emergence of what it called the “universal” MitB, which is not limited to targeting specific websites. Instead, it recognizes form fields on any site visited by an infected user, such as those for names, addresses, credit cards or passwords. It also eliminates so-called “post processing” by extracting the valuable data in real time.
The SERT team said the most common method of delivery used for the banking Trojans was phishing emails claiming to be from legitimate sources, using trusted brand names such as UPS delivery confirmations, Better Business Bureau (BBB) complaints, flight ticket confirmations and scanned documents.

“Once victims are lured to compromised websites, their browsers were redirected, unbeknownst to them, to a Blackhole Exploit Kit landing page, which then installed additional malware, such as Zeus or Cridex,” the report said.

Blackhole has recently improved as well — version 2.0 was introduced last month on the Russian site Malware don’t need Coffee. The toolkit, which is popular among cybercriminals, contains a number of new features meant to avoid detection by antivirus software. One of the most effective, according to security experts, is the ability to generate short-term, random URLs pointing to malicious websites or hijacked sites that contain hacker-installed malware. That makes identifying malicious pages much more difficult.

“It’s less detectable — more stealthy and less obtrusive,” said Gray. “It sort of steps up the game.” He said Blackhole 2.0 also includes support for Microsoft’s next operating system, Windows 8. “They’ve broadened the base,” he said.

That would at least partially explain another major finding of the SERT team: antivirus solutions were unable to detect 60% of malware in the wild. “That’s probably a very conservative estimate,” Gray said. “With all the investment and sophistication put into anti-virus, it’s not getting the job done.”

Gray said that while antivirus products should still be part of a layered security system, and that he is also a fan of application whitelisting, it is still not enough. “It’s a matter of when, not if” an enterprise will be compromised by malware attacks, he said.
“It’s important to have a rigorous monitoring program that identifies when something has occurred as quickly as possible.”
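The Blackhole 2.0 detail above (the kit rotates short-lived random URLs, so blocklists of known-bad pages lag behind) and Gray’s closing advice to detect compromise quickly point at a detection-side complement: flag proxy log entries whose hostname labels or path segments look machine-generated rather than word-like. The following is an added example, not code from the article or from Solutionary. The proxy log lines are constructed, the log layout (timestamp, client IP, URL) is assumed, and the thresholds (label length at least 8, vowel ratio below 0.25, entropy above 3.0 bits, at least one digit) are illustrative assumptions rather than tuned values; a real deployment would baseline them against the organisation’s own traffic and treat hits as triage candidates, not verdicts.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines (hypothetical, not from the article).
# Assumed layout: <timestamp> <client-ip> <url>
SAMPLE_PROXY_LOG = """\
2012-10-25T09:12:01Z 10.0.1.15 http://www.example.com/about/team.html
2012-10-25T09:12:09Z 10.0.1.15 http://k3xz9q7vbm2.example.net/jq4p8d2x7zt1/index.php
2012-10-25T09:13:44Z 10.0.1.22 http://news.example.org/2012/10/security-report
2012-10-25T09:14:02Z 10.0.1.22 http://example-cdn.com/static/css/main.css
2012-10-25T09:14:30Z 10.0.1.31 http://qw8rt6yv3u.example.org/x9k2mz7p4f/main.php?id=3
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    """Heuristic (assumed thresholds): a long alphanumeric label that mixes
    digits with letters, has few vowels and high character entropy is more
    likely machine-generated than a word a human chose."""
    if len(label) < 8 or not label.isalnum():
        return False
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in "aeiou" for ch in label.lower()) / len(label)
    return has_digit and vowel_ratio < 0.25 and shannon_entropy(label) > 3.0


def flag_random_urls(log_text: str):
    """Return a list of (url, suspicious_labels) for each log line whose
    hostname labels or path segments look randomly generated.
    The query string is ignored; only host labels and path segments are scored."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the sweep
        url = parts[2]
        u = urlsplit(url)
        labels = u.hostname.split(".") if u.hostname else []
        labels += [seg for seg in u.path.split("/") if seg]
        hits = [lab for lab in labels if looks_random(lab)]
        if hits:
            flagged.append((url, hits))
    return flagged


if __name__ == "__main__":
    for url, hits in flag_random_urls(SAMPLE_PROXY_LOG):
        print(f"suspicious: {url}  labels={hits}")
```

Run stand-alone, the script reports the two constructed lines with random-looking host labels and path segments and leaves the four word-like URLs alone. Because the score is computed from the URL’s own structure rather than from a list of known-bad addresses, it does not go stale when the kit rotates to a fresh random URL; the trade-off is false positives on legitimate CDN or session-token paths, which is why the output is a triage list to be correlated with other telemetry rather than a block decision.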