Management Information Systems: Tools for the Malware Trade 

Jul 31, 2007 03:00 AM

In the (legitimate!) business world, Management Information Systems (MIS) are typically used by managers and key decision makers to see at a glance how well a business is doing in its various key performance areas. They typically summarize masses of transactional data through tables and reports, and also allow for more advanced analysis and drill-down to the detailed data. The advantage of such systems in business is considerable, because having this information on hand allows these individuals to make key decisions that affect the future of the business.

Moving over to the malware criminal world, we are seeing more and more parallels to the world of legitimate business. As online criminals get increasingly organized, we are seeing them employ more of the tools and techniques that would be used in running a normal business. Such is the amount of money to be made in online crime that it has really become a sort of gold rush: just as in the traditional gold rush, you don't have to dig for the gold yourself; you can set up shop to supply the tools to those who want to do the digging.

Supplying tools to these criminals is an interesting twist to the computer crime story. By not creating the malware themselves, the authors of the tools could argue that they are not doing anything illegal (I'm only making the gun, not pulling the trigger).

MPack was one of the more recent Malware Information Systems created by tool suppliers, and we have seen how popular it was. The MIS component in MPack was pretty straightforward: it let you see at a glance a summary of how many machines had been compromised and which countries they were in, and you could also see a detailed list of referrer URLs if you wished.

Another recent example we have now seen is called Advanced TDS (Traffic Direct System). It appears to be quite similar to MPack, but it has a more sophisticated user interface and provides more information than MPack does. Interestingly, MPack, Advanced TDS and WebAttacker all appear to originate from Russia.

[Figure: the Advanced TDS user interface (atds_ui_small.jpg)]

The interface of Advanced TDS allows the user to see, for each exploit they have deployed (called a 'scheme'), a summary of which countries the visitors are coming from and what the referring URLs are. Clicking on a URL lets the user drill down to the details of the data underlying the statistics. It would appear that this tool makes it easy to set up new (money-making) schemes to monitor. The typical usage model for this tool would be similar to that of MPack:

• Set up new exploit code on the server;
• Hack into some legitimate Web site and introduce an iframe pointing at the URL of the exploit code;
• Register the URL in the Advanced TDS application;
• Wait for unsuspecting victims to visit the compromised site and load the iframe.
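The second step above, the injected iframe on a compromised site, is the one a site owner can check for. The following is an added example and not part of the original post or of any tool it describes: a heuristic scanner that flags iframe tags pointing to a host other than the site's own, provided the frame is also tiny or hidden, which is how an injected frame is normally kept out of the visitor's sight (that pairing is the assumption the heuristic rests on). The host names and the sample page are constructed for the demonstration.

```python
# Added example (not from the original post): a heuristic scanner for the
# injected-iframe step above. It flags <iframe> tags that point off-site AND
# are tiny or hidden, which is how an injected frame is usually kept out of
# sight. Host names and the sample page below are constructed for the demo.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_LEADING_INT = re.compile(r"^\s*(\d+)")
_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(dimension, limit=10):
    """True for width/height values such as '0', '1' or '2px' (<= limit)."""
    m = _LEADING_INT.match(dimension)
    return m is not None and int(m.group(1)) <= limit


def suspicious_iframes(html, site_host, limit=10):
    """Return [(src, reasons)] for iframes whose src host is not site_host
    and that are tiny (width or height <= limit) and/or hidden via CSS or
    the 'hidden' attribute. Same-site and relative frames are ignored."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == site_host.lower():
            continue
        reasons = []
        if _is_tiny(attrs.get("width", ""), limit) or _is_tiny(attrs.get("height", ""), limit):
            reasons.append("tiny")
        if "hidden" in attrs or _HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample: a legitimate embed, a same-site hidden widget, and two
# injected frames of the kind an attacker would add to a compromised page.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="/chat/widget" width="1" height="1" style="display:none"></iframe>
<IFRAME SRC=http://evil.example/in.php WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="http://evil.example/go.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}  ({', '.join(reasons)})")
```

Run it against the HTML your server actually sends (for example the output of a plain HTTP fetch rather than the file on disk, since the injection may live in a template or in a server-side include). Expect some noise from legitimate off-site tracking pixels, so whitelist known hosts before acting on a hit, and remember that a frame written by injected JavaScript at page-load time will not appear in the static HTML at all.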

As you can see, online criminals are continually improving and maturing their game. The deployment of MIS-type tools is just another sign that we are no longer dealing with a bunch of amateurs.

We'd like to thank Marco Cazzaniga for providing us with valuable information on this matter.
