ISTR XIV: All Aboard the Malicious Code Freight Train
A driving force behind the growing speed and efficiency of malicious code development is the demand for goods and services that facilitate online fraud. This is demonstrated by the flourishing profitability of confidential information sales in the online underground economy. For example, one person who was arrested for computer-related credit card fraud in 2008 had possession of a condominium, a luxury vehicle, and over 1.6 million dollars in cash, among other valuable goods, all of which were presumably obtained by fraudulent means.
Malicious code that exposes confidential information is of particular value because the information is critical to several illegal practices, such as identity theft and credit card fraud. In many instances, well-organized programmers are developing this code on a large scale, much as development occurs in a legitimate software enterprise. The confidential information obtained by the malicious code is then used for fraud or advertised for sale on underground economy servers. In 2008, Symantec observed an increase in threats to confidential information that export user data or log keystrokes. These threats are useful to financially motivated attackers because leaked data can be used to steal a user’s identity or aid in further attacks. Increases in this type of exposure are not surprising considering the potential value of harvested information.
Malicious code that incorporates adware applications is also popular because it is effective for generating revenue for malicious code authors; this is because adware generates traffic for advertising services that typically pay on a per-visit or per-view basis. Adware applications are components that are commonly downloaded by malicious code, but can also be integrated into the malicious code itself or can operate as stand-alone applications. The significant presence and success of threats that are linked to financial gain, along with the flourishing vitality of the underground economy, may indicate a growing trend towards malicious code developed specifically to facilitate advertisement distribution.
The increasing professionalization of malicious code development has resulted in an increase in the speed and efficiency with which malicious code is “brought to market.” In turn, this has enabled an increased number of threats to be developed. Symantec monitors the proliferation of malicious code by examining the number of new malicious code signatures created to detect threats from period to period. In 2008, Symantec added over 1.6 million new malicious code signatures, bringing the total number of signatures that Symantec has created to over 2.6 million. This means that more than 60 percent of Symantec’s malicious code signatures were created in 2008. Furthermore, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month in 2008.
For a complete analysis of the software piracy activity observed by Symantec, as well as discussion of other cybercrime activity occurring in the underground economy, please see the Symantec Internet Security Threat Report XIV.