Crimeware involves a complex ecosystem, including criminal organizations and individuals, botnets (networks of trojan-infected computers exploited by a remote attacker), and ever-increasing attacks on individuals, companies and systems.
Whether the profit is made directly (using scams or bank trojans), indirectly (via spyware and botnets, among other approaches), or by the theft of confidential information, any of these objectives is motivation enough to create malware and endanger the user, their money, and their data.
It is believed that during 2010 the highest threat based on malicious code will be crimeware; specifically, malware specially developed with the intention of making a profit and that can cause harm to the user’s financial well-being or valuable information.
The term crimeware herein identifies any illegal activity committed using a computer or other information technologies, or when the computer or information resource is the target of the criminal activity. Many of the offenses that have existed in some form since ancient times are performed today using computer resources, but there are also crimes that are more or less specific to the online world. Malicious code may be among the most valuable resources available to a criminal, and it may be applicable in both these areas.
High propagation rates, the ability to control computer systems remotely and steal information through botnets, and the ability to modify the configuration of target systems are among the many things that malware can do. All of these factors make it possible to commit serious crimes, in particular those involving the theft of online data or money.
It is therefore expected that malware falling into this category will increase in overall quantity, but also in proportion to other types of malicious code.
Social engineering: public enemy number one
Many existing computer threats have complex technical components. However, the use of social engineering has been a hugely successful strategy for malware developers – and will continue to be so.
As operating systems and eventually applications become more secure through sound patching implementation, the easiest way to steal money or install malicious software will be to trick people into taking dangerous actions.
A very common use of social engineering in the context of malware is to attract the attention of the potential victim sitting in front of the computer. A particularly effective way of achieving this is to make use of topics that have importance in people’s lives, or which currently preoccupy the media, or even to invent eye-catching stories.
Topical issues such as public holidays, current news items (real or fabricated), high-profile events such as the World Cup, and persistent news outlet preoccupations will continue to be used as hooks on which to hang social engineering attacks.
Advertising and malvertising
Online advertising allows the promotion of malicious sites on various web pages. The popularity of this attack among cybercriminals is demonstrated by the increasing appearance of malicious code advertised on legitimate web pages or flagged by popular search engines.
Also known as malvertising, the abuse of advertising to promote malicious content will increase during the next year. In 2009, this technique was most frequently used in the purchase of publicity material made with Adobe Flash, using malicious scripts to exploit vulnerabilities in certain versions of the Flash Player.
Broadly speaking, malvertising consists of placing publicity material on websites or social networking sites incorporating a direct or indirect link to the installation of malicious software. In this way, each person visiting the website where the online advertisement was placed becomes a potential victim.
Randy Abrams, director of technical education at ESET, tried to answer the question: If these attacks are being propagated through known and trusted websites, then what constitutes the best line of defence, particularly in the face of rapidly changing threats that may be unrecognized by security software?
Abrams suggested that in addition to being very picky about what you believe, download or run, it is important to keep your operating system and all third-party applications patched. Programs like iTunes, QuickTime, Flash and Acrobat are not Microsoft products, but have frequently had vulnerabilities that can compromise your computer just as surely as an operating system vulnerability. He recommends regular scans for home users, to make sure they know what they need to patch.
He continued: “Sometimes these attacks are propagated through trusted websites. The advice to stick with known and trusted websites is still excellent advice, but you have to realize there is always some degree of risk. It’s great advice not to drink and drive, but it doesn’t mean that you avoid all accidents by following that advice. Keep in mind that when you visit a trusted site and click on an advertisement, you are leaving the trusted site. Keeping informed about the latest threats and how to avoid them makes a lot of sense.”
Make sure that your security software is updated regularly and automatically, but don’t assume it will protect you from everything, and don’t rely purely on antivirus software: multiple threats need multilayered protection, like a full-blown security suite.
Keep your system and applications updated. Change your passwords frequently. Use different passwords for different accounts and resources. Back up your data.
David Harley is director of malware intelligence for ESET, a global security company, and COO of AVIEN (Anti-Virus Information Exchange Network). He has authored numerous books, articles and papers on viruses, malware, product testing and other security issues, and is a regular presenter at security conferences. Harley was formerly the manager of the NHS Threat Assessment Centre.
ESET is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue at Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. For further information please visit www.infosec.co.uk.