Tuesday, June 20, 2006

The 3 faces of crimeware

June 16, 2006

Crimeware is the current name for what was called cybercrime or cyberterrorism a few years ago. It differs from viruses and spam, which most users have come to accept as a fact of life on the Internet, in that crimeware poses a much greater threat of direct financial loss.

"Crimeware is software that is written specifically to commit a crime," said Ed English, vice president and chief security strategist at Trend Micro. "It's not pop-up ads, adware, or traditional viruses, worms, or Trojans. Instead, crimeware is software that is located on the machine to commit any number of different crimes: keylogging to steal information; email spoofing to appear as legitimate businesses, in an attempt to gain bank credentials or other sensitive personal information; or covertly diverting the user to another site to steal sensitive information, to name just a few. What these and other crimeware schemes have in common is that they are all intended to explicitly lead to financial gain."

According to Jamz Yaneza, senior threat analyst with Trend Micro, the word 'crimeware' originated in a meeting with the Anti-Phishing Working Group (APWG; http://www.antiphishing.org), a not-for-profit organization of industry experts and law enforcement focused on eliminating the fraud and identity theft that result from phishing, pharming, and other forms of cyber crime. Many software security vendors list APWG as a partner, as it represents a collaborative effort and a shared repository for reports from all sides.

APWG defines crimeware as any piece of software dedicated to illicit financial gain or online fraud. That includes phishing, spy-phishing, spyware, trojans, back doors, and ransomware.

The rise of spyware, phishing and malware coincides with a general trend away from destructive attacks. Though they certainly still exist, global virus outbreaks are relatively rare these days.

"If you write a virus you get 15 minutes of fame and the authorities come after you," said Yaneza. "These software writers have the skills, although they lack the morals. Crime organizations hire them to make spyware, rootkits, botnets, and other crimeware. By and large what is a down-on-his-luck virus writer going to do? He'll get a job with a criminal organization, which is why we don't often see big outbreaks these days, and why there is so much spyware out there now."

According to Anthony Arrott, manager of spyware research at Trend Micro, crimeware has to fit into a bigger picture in order to make sense, that is, to be profitable.

"In my big picture, I divide crimeware into three portions:"
1. Payloads;
2. Installers, and
3. Bodyguards.

"Bear in mind that you're looking at the equivalent of FBI charts of a crime organization, because these groups don't make their own charts, and even if they did they wouldn't share them. Criminals have every reason to hide information so as to confuse us. The lesson is to not sweat the exactitude of the divisions between categories; it's more important what each category is."

The functional component of the threat, or the payload, has to get onto the machine via an installing mechanism. Then the bodyguards, sometimes rootkits, must protect it from discovery.

For example, CoolWebSearch is a nasty form of spyware that you can't get rid of: not because it is sneaky about how it is installed or what it does, but because it laces itself into the operating system so thoroughly that anti-spyware tools have an extremely difficult time removing it. Similarly, rootkits can hide themselves from the Windows APIs that security tools rely on and so remain invisible.

"Put installers together with bodyguards, and you see they are actually tools -- they aren't performing the purpose, they only help it," said Arrott. "You have to separate the payload from the mechanism." Payloads fall into three groups of purposes. The first is vandalism: creating havoc for its own sake, as seen in classic viruses and worms that do damage.

"At the other end you have adware, trackware, browser hijackers and helpers, which is marketing and advertising that goes beyond acceptable standards," said Arrott. "Except there are no standards, so we're always arguing over what is acceptable."

Crimeware, then, is defined as software that commits larceny rather than vandalism. That involves some type of information theft, transaction theft, or money theft, carried out either directly or through fraud.

This definition includes dialers that dial a 900 number, so that your money accrues to whoever put the dialer on your system. It also includes phishing, which is a direct way to get people to log into their bank and steal information.

"You have all the password, bank info, and identity theft payloads," said Arrott. "Much of this comes from keyloggers, which log keystrokes. My grand scheme is crimeware is defined as when some larcenous crime is being committed: some kind of information theft or transaction fraud."
Zoitsa the Gaian