Malicious code apparently used by governments to spy on, harass, and sabotage one another has grabbed headlines in recent years, yet the highly targeted nature of such attacks have meant ordinary Web users have so far had little to fear. That may now be changing as some experts say the techniques used in sophisticated, state-backed malware are trickling down to less-skilled programmers who target regular Web users and their online accounts or credit card details.
“Cybercriminals read the news as well,” says Roel Schouwenberg, a security researcher with Russian computer security company Kaspersky. Schouwenberg adds that sophisticated, state-sponsored “cyberweapons and targeted attacks now give us some insight into what will be coming into the mainstream.”
State-sponsored malware became widely known in 2010 with the discovery of Stuxnet, a program targeted at Iranian industrial control systems and believed to have been sponsored by Israel and the United States (see “New Malware Brings Cyberware One Step Closer”). Since then, several other very sophisticated malware packages have been discovered that are also believed to have been made by governments or government contractors. These packages include Duqu, exposed late in 2011, and Flame, found in May 2012.
One reason such malware is so effective is that it tends to exploit previously unknown software vulnerabilities, known as zero-days, in widely used programs such as Microsoft Windows to gain control of a computer. Schouwenberg says those exploits can be quickly “copy-pasted” by other programmers, as happened after the discovery of Stuxnet, but they are also usually patched relatively quickly by software companies. More concerning is the way that higher-level design features are being picked up, he says.
“They are copying the design philosophy,” says Schouwenberg, adding that one now-popular technique found in conventional “criminal malware” was inspired by the discovery of Stuxnet. For example, Stuxnet installed fake device drivers using digital security certificates stolen from two Taiwanese computer component companies, allowing them to sneak past any security software. Other malware now uses fake certificates in a similar way to hide malicious software from antivirus programs.
“Stuxnet was the first really serious malware with a stolen certificate, and it’s become more and more common ever since,” says Schouwenberg. “Nowadays you can see use of fake certificates in very common malware.”
Aviv Raff, chief technology officer and cofounder of Israeli computer security firm Seculert, agrees. “Design features of Stuxnet, Duqu, and Flame are appearing in opportunistic criminal malware,” he says.
Schouwenberg says he is currently on the lookout for tricks used in the recently discovered Flame, described by some researchers as the “most complex ever found” (see “The Antivirus Era is Over”), to surface in more common malware.
Flame had a modular design, enabling its operators to send upgraded parts as necessary, for example to perform particular actions or attacks. “I think we will definitely see more of that approach,” says Schouwenberg, who believes it might be an attractive way for malware authors to sell their work to others. “It provides an up-sell opportunity for these guys if they can sell something, and then offer upgrade kits to improve it later.”
Schouwenberg says that a modular design also makes malware harder for security companies to track a particular piece of malware. “When they only upload the modules to specific targets, it’s much harder to get all the components and see and know all of it.”
Sean Sullivan, a researcher at Finnish security company F-Secure, agrees that this is a good way to understand the way common cyber criminals build technology. “Criminals operate in a highly commoditized ‘malware as a service’ ecosystem. They buy components and assemble them into their operation. Like a business, they optimize for profit,” he says.
However, Sullivan also notes that many cyber criminals have invested in their own code, and can’t dedicate resources on the scale of a government contractor or agency.
“The operational security required by those behind Stuxnet, Flame, etc. means that they simply cannot outsource anything, they must do everything from start to finish,” says Sullivan, “which is a heavy investment and certainly isn’t anything close to being profitable.”
But Schouwenberg says the influx of expensively developed new ideas into criminal malware will likely increase in coming years. Government agencies and contractors around the world now openly advertise for programmers with the skills needed to create sophisticated malware, he says, suggesting there are more Stuxnets, Duqus, and Flames to come. “That’s a major shift from just a few years ago,” he says.