Keeping the customer satisfied: cybercriminals focus on service

"Zeus customer can we help you get the most out of your exploit kit today?"

The MaaS trend will probably continue as other developers adopt the same business model, the report predicted.

“The bad guys out there are trying to make a buck, and the way to distinguish themselves from their malware competitors is to layer on additional services”, said Rick Howard, general manager of Verisign iDefense. Cybercriminals want to “keep the customer happy”, he told Infosecurity.

In addition, the report found that the release of the Zeus source code last year has spurred development of Zeus variants and more powerful versions of SpyEye and Ramnit.

After it was released last April, the Zeus source code quickly spread across the Internet via underground websites and file-sharing sites, giving malware authors across the globe access to a powerful and well-written malware platform.

“The self-proclaimed author of the Zeus source code declared in the open that he wanted to retire. He decided to hand over the code to another person. But the code was leaked to the public”, explained Howard.

“That means that Zeus, the most prominent malware trojan out there, is now available to anyone who wants to download it and try to use it for their own purpose”, he said.

Howard explained that the public release of the Zeus code has had two effects. First, he expects to see other malware converge on the Zeus capabilities. Cybercriminals “are going to take existing pieces of malware, like SpyEye or Ramnit, and the features in Zeus that those other pieces of malware don’t have and incorporate them. In fact, we are seeing that already.” Second, Howard expects to see variants of Zeus with a “tweak” like adding encryption.

“We will see a lot more malware out there with a lot more capability… We will probably see more [financial crime] because of that”, he said.

On the good news side, the application of sandboxes has made exploiting vulnerabilities significantly more difficult, the report found.

Currently, only two public demonstrations of bypassing sandboxes exist in environments that use and support defense-in-depth strategies such as address space layout randomization and data execution prevention. Neither of the public demonstrations included any public exploit code, the report said.

“This is a good news story. We should realize how far the industry has come”, Howard said. This technology makes it “extremely hard” to leverage exploits in common software, particularly the deployment of sandboxing technology in the main browsers, he noted.
