Economic Catalysts in Malware Development
- Security Panda (you were expecting someone
- May 17, 2018
- 5 min read
This was actually written in October of 2010, in response to getting a continuous stream of the same questions after cleaning malware off of systems.
What is malware? How did I get it? Why did someone create that kind of horrible thing..? Like most things in life, look for the money, and there's your motivator.
Malware: Viruses, Trojans, adware, spyware, worms, browser redirectors, rootkits, and blended threats. What are these things? Where do they come from? Why are they created? What motivates their creators? All these are common questions that I receive on a daily basis in the course of my duties. “Malware” is an umbrella term that covers the gamut of malicious applications. Anything from the relatively innocuous piece of adware that customizes ads according to the shopping habits of the user to the frighteningly quiet rootkit busily gathering personal information and providing back door access to the computer can be considered malware. In the bygone days of hacking computers for the joy of discovery, viruses and worms were relatively simplistic pieces of code designed to demonstrate a hacker’s abilities. Some of them were jokes like the “Cookie Monster” virus.

This little piece of code would stop your computer periodically and output “I want a cookie” to the screen. In order to continue working you would need to type “cookie” on the screen. As the code proliferated throughout the system the incidence rate of interruptions would increase, until eventually the user could do nothing but type “cookie”.
It is believed that this effect was unintentional. **Disclaimer - I may or may not have been hungry when doing the illustrations for this post...

Today the reasons behind malware creation are not so innocuous. There have been huge infection rates for the so-called “Vundo” virus. There are many iterations of this virus but they all follow a similar pattern: masquerading as either legitimate anti-virus applications or actual Windows Security Center applications, these begin as popups or “system messages” indicating that the host computer is infected (which it is), and urging the user to download appropriate software to clean the computer by clicking a provided link. Once the link is clicked, the user is directed to a site where they can “purchase” the software at a nominal $80. If a user actually follows through with this, the perpetrators now have four things: the user’s credit card number, the user’s personal information, the user’s money, and permission to download and install a back door virus or rootkit which allows later access to the computer without the user’s knowledge or consent.

Websites can be registered for around $10/year, and throwing up a reasonably legitimate looking webpage is child’s play with current tools. Then all that needs to be added is a shopping cart application, available through several banks or PayPal. Depending on the infection vector, hundreds of computers can be infected per day. If only ten percent of 400 computer users fall for the hoax, that is 40 purchases at $80 each, or $3200. Considering the minimal amount of investment required on the perpetrator’s end, this is a great deal of return. How many legitimate jobs net $3200 per day?

Combining the user’s personal information into databases provides another source of revenue. Identity theft and other fraudulent activities require this information, and databases or lists of personal information can be sold for several thousand dollars each. Databases of credit card numbers are worth even more, ranging in the tens of thousands of dollars. Credit card fraud is a growing problem for both creditors and consumers, and credit card theft is a rampant issue.

Two other types of malware, adware and spyware, rely on monitoring online activity such as browsing and shopping habits. Adware is slightly less of a threat and is sometimes even welcomed as a helpful application. Bonzi Buddy was an early example; this application populated the desktop with a friendly purple ape. The application would track the user’s online activity and suggest shopping sites in accordance with noted preferences. Many browsers, browser helper objects, and toolbars now incorporate this type of “shopping assistance”. The primary objection to adware is that many people view this as a violation of their privacy. Designers and implementers of adware make a profit from agreements with advertisers and retailers. Spyware is much more invasive; although it performs a similar function to adware, it additionally records and reports the shopping habits to a centralized database. In many instances the same software reports customer identification information such as location (from IP address) or personal information gathered from purchases made online.

Modern versions of malware have an incentive to stay hidden from users. In order to do so, they cannot be randomly destructive as some pieces of malware in the past have been, which destroyed certain types of files, tried to wipe hard drives, and occasionally disabled entire operating systems. No computer program can be tested under all possible conditions; even the best-tested, professionally produced software can encounter compatibility issues causing system or software failures. The constant need for updates from Microsoft is evidence of this. Malware typically undergoes even less testing and can have conflicts with hardware, software, protocols, and other essential system resources.
Modern malware will often target access to certain websites to disable updates from Microsoft or antivirus software. These types of issues are usually the first “symptom” of an infection. The computer slows down, software fails to run or will not run properly, access to certain websites is disallowed or redirected, and wireless connections are often disabled completely.

So far the information I have presented is fairly self-evident, with logical and easy to understand motivations. There is yet another layer of convolution involved in the proliferation of malware. Installation of below-the-operating-system controls commonly called “rootkits” allows for remote access and control by crackers. These enslaved computers can then be linked together in IRC (Internet Relay Chat)-controlled botnets and used in DDOS (Distributed Denial Of Service) attacks, distributed spam production, and distributed computing networks for password cracking. These services can be offered at standard pricing, or entire botnets can be sold or traded. The Conficker worm was suspected to be an attempt to tie thousands of computers together in a botnet which would then be sold for an enormous sum. The end result would be incredibly dangerous; the worm managed to infiltrate many sensitive areas. I personally removed it from several health care facilities, attorneys' offices, and home computers. IRC channels are popular and convenient ways to control computers equipped with rootkits; with the unobtrusive hijacking of a single set of ports for communications, a perpetrator can conveniently issue commands from his computer on the couch at home and have thousands of computers all over the world obey. This does not necessarily explain every instance of malware creation. Occasionally there is still the product of misguided creation intended to be amusing and nondestructive.
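One cheap check for the “updates are blocked or redirected” symptom described above is to audit the hosts file, which malware of this era commonly edited to point update and antivirus domains at loopback or at a host of the attacker's choosing. The following is an added example, not code from the original post; the watchlist of domains and the sample hosts file are constructed for illustration, and a real audit would read the system's actual hosts file.

```python
import ipaddress

# Constructed watchlist: domains that have no business appearing in a
# workstation's hosts file. Extend with your own update/AV vendors.
WATCHLIST = (
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# Constructed sample hosts file content, not taken from a real system.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan
127.0.0.1       windowsupdate.com
0.0.0.0         www.update.microsoft.com
203.0.113.45    liveupdate.symantec.com   # points at a non-vendor address
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore rather than crash on junk
        for name in parts[1:]:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_tampered_update_hosts(text):
    """Return (hostname, ip, kind) for each watchlisted entry.

    'blocked' means the name resolves to loopback or 0.0.0.0 (updates silently
    fail); 'redirected' means it resolves somewhere else entirely.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if is_watched(name):
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((name, str(ip), kind))
    return findings
```

On a live system, read the platform's hosts file (for example C:\Windows\System32\drivers\etc\hosts) into `find_tampered_update_hosts`; any hit is worth investigating before trusting that machine's updates or antivirus status.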
There are also additional financial incentives for malware production capable of penetrating business networks and allowing access to sensitive information. Those are more in line with industrial espionage-grade cracking, which is outside the scope of this paper. The average instance of malware is no longer a demonstration of skill or an amusing prank. An extremely lucrative system has proliferated around the theft of personal information and the control of personal computers slaved together in botnets. Systems administrators must be able to implement protective protocols against these threats, but the large number of crackers and cracker organizations dedicated to creating new malware makes it next to impossible to completely eliminate the possibility of infection. Therefore it will also be necessary for the vigilant systems administrator to be able to identify these threats, even when there are no symptoms, then locate them and completely and confidently remove them from the system. The hazards presented by theft of personal information, invasion of privacy, and destructive malware are serious and require serious attention.