Web criminals turn to stealthy malware

In the past, writing malware was about gaining respect in the hacker community. However, the latest generation of malware writers are no longer interested in making headlines, showing off their technical skills or gaining bragging rights.

"We are seeing a decrease in high-volume, high-profile attacks because they do not make money," says Greg Day, Security Analyst at McAfee's Avert labs. "They are quickly spotted by the anti-virus companies and protected against. Today, malware threats are about compromising systems, gaining command and control, theft of data and revenue generation."

The aim of criminals now is to gain control over as many machines as possible and remain undetected for as long as possible to maximise the profits from spam relays and identity theft.

To meet this new "professionalism" in the malware world, a host of GUI-based tools have emerged that allow relatively unskilled criminals to choose what functionality they want to include in their virus - from keyloggers to web downloaders to host redirection - with a few mouse clicks. These automated tools can then create a new virus in seconds.

Hackers can quickly create multiple variants of the same virus, incorporating advanced techniques to avoid detection - such as the ability to disable anti-virus software - with just a few more selections. As a result, anti-virus software suppliers such as McAfee have seen a dramatic increase in the number of different threats seen "in the wild", with nearly as many unique malware threats created in the first half of 2008 as in the whole of 2007.

Crimeware writers are making greater use of techniques that allow malware to behave stealthily and reinfect for as long as possible. For example, there has been a return to the use of parasitic infections that add code to legitimate files. Another technique is to drop in a companion file with a different file extension, such as regedit.com, that executes before the .exe file. These are harder to detect with traditional anti-virus signature files than trojans, which simply add new files. Malware writers are also using rootkits to start processes that remain running and reinfect systems even after infected files have been cleaned by anti-virus software.
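The companion-file trick works because the Windows command shell resolves an extension-less command name by trying the extensions in PATHEXT in order, and .COM is listed before .EXE by default. The following check, added here as an illustration and not code from the article or from McAfee, flags files in a directory that would be picked ahead of an .exe of the same name; the PATHEXT default string is assumed from a standard Windows install.

```python
"""Flag 'companion file' shadowing, e.g. regedit.com beside regedit.exe,
which the Windows shell would run instead of the intended .exe."""
import os
import tempfile

# Assumed default Windows PATHEXT order; earlier entries win when a
# command is typed without an extension, so only .COM precedes .EXE.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def shadowing_extensions(pathext=DEFAULT_PATHEXT):
    """Return the extensions the shell tries before .exe, in order."""
    exts = [e.strip().lower() for e in pathext.split(";") if e.strip()]
    return exts[: exts.index(".exe")] if ".exe" in exts else []


def find_companions(filenames, pathext=DEFAULT_PATHEXT):
    """Given the file names of one directory, return (exe, companion)
    pairs where the companion would be resolved instead of the .exe."""
    names = {n.lower() for n in filenames}
    hits = []
    for name in sorted(names):
        stem, ext = os.path.splitext(name)
        if ext != ".exe":
            continue
        for shadow in shadowing_extensions(pathext):
            if stem + shadow in names:
                hits.append((stem + ".exe", stem + shadow))
    return hits


def scan_directory(path, pathext=DEFAULT_PATHEXT):
    """Scan a real directory; on Windows pass os.environ['PATHEXT']."""
    return find_companions(os.listdir(path), pathext)


if __name__ == "__main__":
    # Constructed sample directory with empty files, not real system binaries.
    with tempfile.TemporaryDirectory() as d:
        for n in ("regedit.exe", "regedit.com", "notepad.exe", "cmd.exe"):
            open(os.path.join(d, n), "wb").close()
        for exe, comp in scan_directory(d):
            print(f"{comp} shadows {exe}")
```

A hit is only a lead: a legitimate .com file can coexist with an .exe, so compare the flagged file's hash and signature against a known baseline before treating it as an infection.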

The upsurge in criminal use of malware was highlighted in the most recent UK Threat Assessment of Serious Organised Crime issued by the Serious Organised Crime Agency earlier this month.

Kudos drove yesterday's hackers

A typical example of yesterday's hacking culture was the "war" between the writers of the Bagle and Netsky mass-mailing trojans in early 2004. The spat erupted when the author of Bagle became upset that Netsky was getting more press coverage. At one point, new versions of both viruses were being released almost daily, containing messages buried in the code insulting the author of the other worm. Anti-virus suppliers faced a constant battle to deal with the new variants, and users saw performance issues on their networks as the viruses mailed themselves on from infected PCs.