Automation of SpyEye botnet raises the stakes for security

Sophisticated malware-automation techniques are cited as the probable cause for a dramatic increase in Web application attacks.

According to new research, traditional security defences are becoming increasingly inadequate against a wave of new attacks by well-funded cybercriminals.

Several new reports from security vendors outline a rapid rise in the use of automation by criminals, who are now able to create, modify and distribute their malware on an industrial scale, often bypassing security defences such as firewalls and antivirus.

“Market standard security, such as antivirus and firewalls, is not up to the challenge anymore,” said Mickey Boodaei, CEO of Israeli security company Trusteer, which specialises in protecting banks and their online customers.  

Trusteer reports seeing a surge in the use of the SpyEye Trojan against English-speaking banks around the world during the last few months, with 60% of the SpyEye bots targeting US banks, and 53% targeting UK financial institutions.

Boodaei said the criminals using SpyEye have built in new code to help the botnet avoid being spotted by the banks’ transaction-monitoring systems, which normally analyse various aspects of customers' online banking sessions in order to detect abnormal behaviour -- such as rapid completion of input fields, and skipping certain pages -- that might denote an automated attack.

“SpyEye developers appear to have figured how these defences operate and are now constantly trying to ensure their code activity flies under the radar of these detection systems,” Boodaei said. He added that the SpyEye botnet seems to follow agile software development practices, so new versions of the code can be easily developed. On some occasions, two new versions have appeared in a single week.
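The transaction-monitoring heuristics the article describes (rapid completion of input fields, skipping pages in the normal flow) can be sketched as a session scorer. This is an added illustration, not code from Trusteer or from any bank's monitoring system; the page flow, the timing threshold and the two sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed normal page sequence for a funds transfer in an online banking session.
EXPECTED_FLOW = ["login", "accounts", "transfer_form", "transfer_review", "transfer_confirm"]

# Assumed threshold: a human rarely completes an input field in under half a second.
MIN_SECONDS_PER_FIELD = 0.5


@dataclass
class PageVisit:
    page: str           # page identifier from the expected flow
    seconds: float      # time spent on the page before moving on
    fields_filled: int  # number of input fields completed on that page


def session_indicators(visits):
    """Return (indicator, detail) pairs for behaviours that suggest automation."""
    indicators = []
    # Indicator 1: input fields completed faster than a person plausibly could.
    for v in visits:
        if v.fields_filled and v.seconds / v.fields_filled < MIN_SECONDS_PER_FIELD:
            indicators.append(("rapid_input", v.page))
    # Indicator 2: pages of the expected flow that were never visited before a later one.
    expected = 0
    for v in visits:
        if v.page not in EXPECTED_FLOW:
            continue
        pos = EXPECTED_FLOW.index(v.page)
        if pos > expected:
            indicators.append(("skipped_pages", ",".join(EXPECTED_FLOW[expected:pos])))
        expected = pos + 1
    return indicators


def is_suspicious(visits, min_indicators=2):
    """Flag a session when several independent indicators fire; a single one is noisy."""
    return len(session_indicators(visits)) >= min_indicators


# Constructed sample sessions: one interactive user, one scripted bot.
HUMAN_SESSION = [
    PageVisit("login", 12.0, 2), PageVisit("accounts", 8.0, 0),
    PageVisit("transfer_form", 45.0, 5), PageVisit("transfer_review", 10.0, 0),
    PageVisit("transfer_confirm", 3.0, 1),
]
BOT_SESSION = [
    PageVisit("login", 0.4, 2), PageVisit("transfer_form", 0.9, 5),
    PageVisit("transfer_confirm", 0.2, 1),
]
```

As the article notes, malware authors tune their code to stay under such thresholds, so timing and flow checks are one signal to combine with others rather than a standalone control.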

As well as attracting Trojan attacks, the UK has become one of the world’s most targeted nations for phishing emails, with one in every 127.9 emails being a phishing message, according to the July 2011 Symantec Intelligence Report.

Symantec also noted a greater level of automation in the way attacks are launched. It found that polymorphic malware accounted for 23.7% of all email-borne malware intercepted in July, more than double the same figure six months earlier. “Perhaps greater use of automation has enabled them [the criminals] to increase their output to this extent,” the report concludes.

It adds that the number of variants of malware involved in each attack has also grown dramatically -- by a factor of 25 times in six months -- again indicating that the criminals have automated their processes. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade,” the report says.

Another survey from security vendor Imperva highlights the use of automation in launching high-volume attacks against Web applications. The company monitored around 10 million individual attacks targeted at Web applications over a period of six months in the first half of 2010.

Imperva found that, due to automation, Web applications on average are probed or attacked about 27 times per hour, approximately once every two minutes. At times of peak activity, some Web applications experienced nearly 25,000 attacks per hour, or seven per second.

Amichai Shulman, CTO of Imperva, said the attackers were using proven methods to break into websites – SQL injection, cross-site scripting, remote file injection and directory traversal – but were able to achieve success by increasing the volumes of their attacks. “They choose a large number of servers for each operation – sometimes hundreds of thousands – then they distribute the work between compromised hosts and launch the campaign. They may only be successful with a small percentage of their target list, but that small percentage is a large absolute number,” he said. 

Shulman said better coding standards will only help protect websites up to a point. “Applications will always contain vulnerabilities, even though they are improving,” he said. “But with a distributed infrastructure of attack agents, each running an automated script, the attackers will eventually find these vulnerabilities. It’s the law of big numbers. If you have a Web presence, you will be under attack.”

He said that, despite the high level of application attacks, most security expenditure is not targeted at protecting Web applications. “Security people have not yet made the shift,” Shulman said. “Many still rely on antivirus and firewalls.”
