June 2011. BITS, a division of The Financial Services Roundtable, 1001 Pennsylvania Avenue NW, Suite 500 South, Washington, DC 20004, 202-289-4322 ...
In any dynamic marketplace, the prices claimed for a commodity will fluctuate with supply and demand. In any technology marketplace, prices will also fluctuate with the utility of the commodity, given changes in the technology landscape. The dollars commanded for the stolen commodities listed in Table 2 motivated the creation of secondary malware markets that produce software tools which make malware increasingly effective at enabling information theft. Individuals generally use software to automate tasks that are both tedious and resource intensive, and malware perpetrators are no exception. Automating malware delivery and data harvesting tasks reduces operating costs and allows malicious perpetrators to obscure their activities. Malware delivery and operations systems have become increasingly modular, and these modules have themselves become a commodity. Prices obtained for modular software information theft enablers are listed in Table 3. The prices were observed in the same timeframe as the prices commanded for stolen information in Table 2. It is obvious that information on financial accounts may be sold for multiples above the cost to purchase the tools that enable the theft.
© BITS/The Financial Services Roundtable 2011. All Rights Reserved.
BITS Malware Risk and Mitigation Report
When such malware software support systems are discovered to exist, the software is referred to as crimeware. Continuing the Zeus malware example from Section 2, a good example of crimeware is the Zeus toolkit. Zeus malware was introduced in 2006, and its corresponding crimeware followed in 2007. Zeus’ crimeware takes advantage of its modular design, so attackers can configure and deploy new functionality very quickly. A user-friendly graphical interface allows an attacker to select the capabilities to be incorporated in a “release” as well as to select a personal encryption key for harvested data. Over 5,000 releases of the Zeus software have been created using Zeus crimeware. Although several Zeus users have been identified and charged with cybercrimes, the Zeus crimeware authors remain at large.
3.1 The Malware Industry
Malware development and distribution is highly organized and controlled by criminal groups that have formalized and implemented business models to automate cybercrime. Just as the software industry has spawned a business model in reselling, installing, and maintaining legitimate code, the malware industry has spawned distribution and support networks to assist criminals in successful malware usage. Developers of crimeware profit from the sale or lease of the malware to third parties who then use it to perpetrate identity theft and account fraud. Figure 4 illustrates the interaction between components in a typical crimeware business model. Individual groups of criminals coordinate their efforts, and the product is Crimeware as a Service (CAAS).
Figure 4: Malware Industry Process
The process depicted in Figure 4 leads with software vulnerabilities being sought by criminals in a systematic way. The figure begins with “zero-day” vulnerabilities, because these are more valuable to malware creators: potential victims are unsuspecting. These vulnerabilities are sold to criminals who engineer malware to exploit the vulnerability, and aggregate multiple vulnerability exploits into kits whose components can be systematically installed, as in the iFrame example in Section 2.3. Because many vulnerabilities persist in unpatched systems long after they have been announced, exploit kits may include combinations of zero-day and older attacks. The kits are configured to send harvested data to private hosting services, and this configuration may be customized for a given buyer. Crimeware market makers contact potential customers via email and chat, agree on prices, and sell not just software but crimeware services. They engage malware delivery services to operate the malware on behalf of buyers, who pay the market makers via anonymous ecommerce payment systems.
Crimeware operation is blatantly illegal, yet individual risk of criminal prosecution is minimized by the overall business model. Each malware profit center has a level of exposure corresponding only to its role in the overall marketplace. For example, in academic circles, the study of vulnerabilities is common. Academics write papers on engineering and reverse engineering of exploits, and this is not considered criminal activity. The relative prosecution risk to profit ratio for each activity in Figure 4 is estimated in Figure 5.
Figure 5: Relative Risk to Profit for Participation in Crimeware Activity
3.2 Malware Supply Chain
Earnings for malware development are time-sensitive but very low-risk. During the lifecycle of malware, protections are developed to mitigate the risk. To remain competitive and profitable, new malware must be released frequently. Security analysts are seeing dramatic increases in the number of malware specimens created and distributed. One report claims that a full third of all viruses that exist were created in 2010. The profit incentive driving these activities creates a persistent risk for financial institutions.
The supply chain in the malware industry encompasses more than just software. It is an elaborate collection of organizations, people, technologies, processes, services, and products. Financial services such as moneygrams, virtual credit cards, and online money transfer services allow anonymity between buyers and sellers. However, not all of the players in this black market are criminals. The marketing of malware, crimeware, and associated services and products can be found on both black market forums and legitimate sales channels. Crimeware operators will use legitimate online payment services to process purchases, and the payment details are then used to facilitate fraudulent transactions. They will also use legitimate Internet Service Providers (ISPs) to host databases of stolen data. Hence, another way to view the malware industry depicted in Figure 4 is to follow the money. Figure 6 demonstrates the interaction between legal and illegal transaction flow in the malware market.
In Figure 6, solid lines show legal financial flows and dotted lines show illegal financial flows. The lines are numbered with the types of transactions included, and these are described as follows:
1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click through, stock price pump and dump schemes, email scams, and other forms of consumer fraud
3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft
The inclusion of legitimate business interests in the ecosystem of malware-enabled cybercrime sometimes makes crimeware and malware operators difficult to distinguish from Internet entrepreneurs.
3.3 Beyond Crime
In addition to its use for criminal purposes, malware also enables other malicious actors that pose risks for the financial services sector. The term Advanced Persistent Threat (APT) is now increasingly used to describe a category of malicious activities facing a growing number of government institutions and commercial organizations. As described in a recent Financial Services Information Sharing and Analysis Center (FS-ISAC) report, “APT refers to an advanced, clandestine means to gain continuous, persistent intelligence on an individual, company or foreign nation state government or military.” The report shows there has been a history of APT attacks since 1986.
Key risks posed by APT actors generally include efforts to access and exfiltrate data that contains sensitive and/or classified information. The information may be related to technology and operations, intellectual property, proprietary business processes, business strategy, and/or personal data pertaining to executives. APT activities include network mapping and software modification to gain and maintain remote access to a variety of systems within the target domain. Such sustained access and knowledge of networks and business processes allows perpetrators to lay groundwork for future disruptive activities. Increasingly, APT discussions also include the use of tools specifically designed to achieve disruptive effects, such as Stuxnet, which is malware designed to attack Iran’s nuclear power plants. The possibility of attacks focused on data corruption in the future has also been identified. Key characteristics of APT activities include, but are not limited to:
• threat actors with clearly identified long-term objectives guiding their attacks
• structured, sustained intrusive activities to deploy, support and maintain exfiltration operations
• ability to conduct intelligence on individuals, organizations and processes that will prove to be valuable targets
• use of sophisticated software tools and techniques to conduct activities
• flexible and adaptable operations to avoid detection.
Public recognition of these activities has risen dramatically. Numerous reports exist related to ongoing activities against governments and defense industries worldwide, specific activities focused on the US energy industry, and the highly publicized attacks against Google as part of Operation Aurora [17-19]. With regard to financial services, limited open source information exists regarding specific activities, but the financial services sector is often identified in discussions and doctrinal writings about cyber warfare between nations.
The conduct of APT activities relies fundamentally on the use of malware to establish access, to maintain footholds within organizations, and to exfiltrate sensitive data and/or conduct disruption of IT systems or networks. Directed efforts using spearphishing have been a principal approach of many of the operations against governments and the defense industry. Often, the payloads of spearphishing attacks include a range of malware targeted at the most common types of applications for enterprise users, particularly Microsoft Office and Adobe products. Often this malware uses well known code exploiting well known vulnerabilities, but APT activities also employ new and custom code not detectable by enterprise intrusion detection and anti-virus systems. APT actors are generally highly aware of the state of enterprise information security practices. They employ code and techniques not only to avoid detection but also frequently use malware to disable anti-virus, intrusion detection systems, and other security software on exploited computers, and even across broader portions of the enterprise. More significantly, APT actors may have a portfolio of capabilities at hand to ensure the ability to continue activities even when discovered. Malware more unique to APT activities often includes redundant and diverse tools to conduct exfiltration of user credentials and sensitive data.
FIs must be cognizant of the growing risks posed by malware specifically designed to disrupt operations, particularly the operation of industrial control systems (ICS). The emergence of the Stuxnet worm in 2010, targeted at the Siemens ICS, provides concrete evidence that cyberspace can have devastating effects on physical resources such as data center environment and power systems, electric grids, gas pipelines, water delivery systems, and manufacturing equipment. While the original purpose of this malware appears to be targeted at the Siemens ICS utilized in nuclear programs in Iran, key features of the worm pose much larger concerns that should inform the financial services sector. The possibility of another actor capturing the code and repurposing it for other purposes, such as disrupting power grids, is a significant possibility. As a Department of Homeland Security official testified before a Senate committee, “What makes Stuxnet unique is that it uses a variety of previously seen individual cyber attack techniques, tactics, and procedures, automates them, and hides its presence so that the operator and the system have no reason to suspect that any malicious activity is occurring. The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors.” More generally, the financial services sector could be targeted by disruptive ICS malware specifically designed to exploit vulnerabilities in ICS applications used in this sector, specifically the heating, ventilating, air-conditioning (HVAC) and power supply equipment used to monitor and control data centers.
The FS-ISAC has conducted a more detailed analysis of APT threats, risks and mitigations available to FS-ISAC members.
4. Malware in Financial Services
Malware is used by malicious parties, both inside and external to the organization, with different motivations. Examples of such motivations include financial gain, competitive advantage or, potentially, revenge for some perceived slight or adverse event. For example, according to the United States Computer Emergency Readiness Team (US-CERT), malware, in the form of logic bombs, has been distributed by disaffected insiders to delete massive amounts of data. In one such case, malware “was designed to disrupt business operations.” In another case, a disgruntled systems administrator employed by a financial services firm caused more than $3 million in damage to the company's computer network, and was convicted of securities fraud for his failed plan to drive down the company's stock price upon activation of the logic bomb. Cyber espionage, or theft of information to receive a competitive advantage, could be aimed at stealing information about a new technology product, uncovering strategic plans about a potential acquisition, or obtaining confidential data regarding litigation. A House Conference Report that accompanied the US Consolidated Appropriations Act of 2010 accurately observed: “Cyber-based attacks and intrusions upon U.S. computer networks... result in substantial loss of critical intelligence by U.S. government, academia, military, industry, financial and other domains.”
It is evident from past and ongoing cybercrime investigations that the financial industry hosts a good deal of malware. The US Secret Service (USSS) is the primary investigation resource for the US Department of Treasury. For the past two years, USSS shared their cybercrime case reports with the Verizon Incident Response team so they could be included in a collaborative effort to establish cybercrime metrics [25, 26]. The resulting report contains details on confirmed security breaches within firms that are either Verizon clients or in the investigative jurisdiction of the Secret Service (141 Verizon cases and 257 USSS cases in 2009, 94 Verizon cases and 661 USSS cases in 2010).
Financial services firms were the primary targets in 33% of 2009 and 22% of 2010 cases, making them the most targeted sector in 2009, though in 2010 they were surpassed by hospitality and retail.