Part two of our three part series Anatomy of a Crimeware Syndicate. In part one we talked about the hierarchy and operations of a crimeware syndicate. Today we’re going to talk about the threat landscape that sustains crimeware and part three will look at solutions organizations can implement to reduce their risk.
Crimeware syndicates aren’t going away anytime soon. In short, it’s way too profitable–crimeware equals high returns and almost zero risk for its creators.
And up until now, approaches to mitigate or prevent crimeware on a grand scale have been insufficient at best.
“Stopping what’s going on today constitutes a never ending game of Whack-a-Mole,” says Derek Manky, senior security strategist at Fortinet. “Once the malicious software code is out there, it’s incredibly difficult to put that genie back in the bottle.”
Meanwhile, cybercrime syndicates are well equipped with armies of workers to rapidly help refine, create and evolve malware at a rate that far outpaces the time it takes to create a countering security solution. (Fortinet, for example, processes millions of samples monthly, now at a load about 3x greater than December 2008.)
And that’s a problem: the volume of malware is rising exponentially with limited means for any kind of comprehensive prevention.
“The sad fact is that the researchers and white hats can’t stop everything,” Manky says. “No one’s figured out a silver bullet to this.”
However, in recent years there have been some encouraging steps in the right direction with several successful botnet takedowns, Manky points out.
For example, task forces- working groups comprised of law enforcement, government officials and security industry personnel– were assigned to the Conficker/Mariposa botnet, ultimately contributing to its demise.
Other success stories include the:
Butterfly/Mariposa takedown in March 2010: infecting 12 million PCs, more than half of which were Fortune 1,000 companies and 40+ major banks (1 developer arrested, 5 associates arrested).
Zeus/Zbot takedown in September of 2010: 11 Eastern Europeans and 73 money mules around the world were charged, 37 of which were alleged to have transferred more than $3 million USD, while 36 alleged to have transferred $860,000 USD from 34 corporate and individual victims.
Bredolab takedown in October 2010: one Armenian man arrested who had control of 143 servers commanding 29 million infected PCs. Dutch prosecutors allege he was making $139K per month on spam rentals alone.
Koobface takedown in November 2010: This botnet came back online four days after it was taken down due to technology that allowed the operators to rebound quickly. However, no arrests were made, so the operators are still at large.
Another technique that has been successful is preventing cyber criminals from registering bad domains. For example, Manky says that China has taken initiative in this way by going “low-tech”– using paper based registration forms to better screen and maintain quality over their domain registration process.
But while there are also are many individual CERT teams (computer emergency response team), they are generally limited to incident response in their own geographic jurisdiction, Manky adds. And when an incident is waterfalled to a region where the appropriate law-enforcement agencies can work on it, it’s often discovered that the officers are poorly trained and/or don’t have adequate resources to follow through.
“At the highest level, you need a central reporting channel where the private sector can feed their research,” Manky says. “Anything that’s done has to be done on a global basis.”
Leave a reply