We have talked quite a bit about the increasing number of attacks reported over the past few months. This is partly due to the growing use of web apps and the reliance on the browser as the way to reach business information. But it is also attributable to the rise of "open source" malware: just as with key layers of the Internet stack, the authors of various exploits have released their source code, and other developers are building on that base.
The Linux operating system is probably the greatest success story of the open source movement: an operating system built, maintained and modified by its own users. Proponents tout its many advantages: it is free, it can be customized at will and, because so many people are able to contribute fixes, it is arguably more secure than a traditional operating system. This chart gives a graphic representation of the success of the model.
The motivation behind Linux is largely altruistic: people build it so that they and others like them have a platform they have a stake in and control. Now take all that ingenuity and commitment and apply it to malware, except that the collaborators are in it for the money rather than for any altruistic motive.
Collaboration between cybercriminals is nothing new. But until recently, the bad guys would create ‘kits’ and sell them to each other.
The Zeus Trojan appeared in 2006, a piece of malware (a trojan rather than an exploit in the strict sense) built to infect Windows systems, primarily through the browser, and steal user data in order to gain access to banking sites. Researchers suggest that in the early years several criminal gangs collaborated on Zeus, and versions were sold via underground forums. But in the spring of 2011, files containing the Zeus source code were posted across a variety of forums popular with criminals. What happened next resembles the evolution of Linux.
With the building blocks of targeted attacks widely available, there has been an explosion of derivative malware. Take the recent Dyre attack against Salesforce. Dyre first emerged in June 2014 as a banking trojan, widely reported at the time as a Zeus variant, targeting financial institutions. The infection starts with a phishing message that prompts victims to click a link that downloads the malware onto their machine. The malware then waits until the victim logs into a targeted website, say Bank of America or Chase, and captures the credentials as they are entered.
The original version of Dyre was dangerous, but like any other open source project, it soon evolved. By September, Dyre had been tweaked in a number of ways: further obfuscation to make it harder for AV products to find it, hooks to thwart two-factor authentication and, interestingly, adaptation to target non-financial data. Somebody realized that the data in other SaaS systems has value too, and Dyre was adapted to target Salesforce.com. When Salesforce disclosed the issue, it reported the possible exposure of millions of credentials.
As open source malware gains traction, we can expect to see more targeted and aggressive attacks, including trojans that lie dormant until the user visits a specific site or a small set of sites. The Salesforce incident demonstrates that it is not just banking institutions anymore; criminals now target all sorts of sites, small businesses and medical providers, any place that stores personal information that can be sold on the black market.
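To make concrete what "lying dormant until the user visits a specific site" means, here is an added example, not code from the original post or from any malware family: a Python sketch of the URL-mask matching that a Zeus-style webinject target list relies on. The mask syntax, the masks themselves and the browsing session are constructed for illustration and are assumptions, not a real captured config. The same matching logic is what an analyst applies when triaging a target list extracted from a sample, and the naive variant shows why matching a whole URL against a wildcard mask over-matches.

```python
"""Added example (not from the original post): how a banking trojan's
target list keeps it dormant until a victim reaches a site of interest.

Zeus-family webinject configs list URL masks with '*' wildcards; the
trojan does nothing until the browser requests a matching URL. The mask
syntax and entries below are constructed for illustration (assumption),
not a real captured config.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed target list in the spirit of a webinject config (hypothetical).
TARGET_MASKS = [
    "https://*.bankofamerica.com/*",
    "https://*.chase.com/*login*",
    "https://login.salesforce.com/*",
]

# Constructed browsing session, in visit order (hypothetical).
SESSION = [
    "https://www.example.com/news",
    "https://www.chase.com/",
    "https://www.chase.com/web/auth/login",
    "https://secure.bankofamerica.com/login",
]


def split_mask(mask):
    """Split 'scheme://hostmask/pathmask' so host and path are matched separately."""
    scheme, rest = mask.split("://", 1)
    host_mask, _, path_mask = rest.partition("/")
    return scheme, host_mask, "/" + path_mask


def is_targeted(url, masks=TARGET_MASKS):
    """Return the first mask that matches the URL, or None if the URL is not a target.

    Scheme must match exactly, and the hostname and the path (with query) are
    matched against their own wildcard masks, so a mask can never match across
    the host/path boundary.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    for mask in masks:
        scheme, host_mask, path_mask = split_mask(mask)
        if (parts.scheme == scheme
                and fnmatch.fnmatchcase(parts.hostname or "", host_mask)
                and fnmatch.fnmatchcase(path, path_mask)):
            return mask
    return None


def naive_is_targeted(url, masks=TARGET_MASKS):
    """The tempting one-liner: match the whole URL against each mask.

    Because '*' also matches '/', a mask like 'https://*.chase.com/*login*'
    matches an attacker-controlled URL that merely contains the bank's
    hostname in its query string. This over-match is the pitfall to avoid
    when reusing a target list as a detection rule.
    """
    for mask in masks:
        if fnmatch.fnmatchcase(url, mask):
            return mask
    return None


def first_trigger(visited_urls, masks=TARGET_MASKS):
    """Walk a session in order and return (index, url, mask) of the first hit.

    Everything before that index is the trojan's 'dormant' period; returns
    None if the session never touches a target.
    """
    for i, url in enumerate(visited_urls):
        hit = is_targeted(url, masks)
        if hit:
            return i, url, hit
    return None


if __name__ == "__main__":
    for url in SESSION:
        print(f"{url:45} -> {is_targeted(url)}")
    print("first trigger:", first_trigger(SESSION))
    decoy = "https://evil.example/x?u=https://foo.chase.com/login"
    print("strict:", is_targeted(decoy), "| naive:", naive_is_targeted(decoy))
```

Run as a script it prints which visited URL wakes the trojan (the third one, the Chase login page; the Chase front page alone does not) and shows that the naive whole-URL match fires on a decoy URL whose hostname is not a bank at all.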
But no matter how sophisticated these attacks get, they still (at least for the time being) rely on the user to let them onto the system. In the Dyre case, a user clicks a link, enters some credentials, and sensitive information is stolen. The infrastructure adapts, grows and evolves, but at the end of the day the bad guys still need users to cooperate.
As difficult as it is, the ultimate solution is for users to increase their vigilance. When in doubt: Do. Not. Click.