2010-12-01
Abstract
‘The development and application of sophisticated malware ... already exists within the commercial realm.’ Gunter Ollmann, Damballa
Copyright © 2010 Virus Bulletin
As an industry we spend a lot of time tracking and discussing the criminals that manufacture malware. While, from a technological point of view, a remote management tool is typically indistinguishable from a remote access trojan, intent is the guide we use to label the trojan as malicious and the management tool as benign.
As threats morph, our industry undergoes periodic changes in the way in which we categorize both the software agents we’re expected to protect against and the labels we apply to their authors. Today, we’re being asked to make the call on ‘designer malware’ – in particular, the product of professional security consulting companies.
For a number of years, the call for commercial-grade malware – whether delivered as construction tools or as proof-of-concept code – has been increasing. What was once a hushed offering from boutique penetration testing companies has entered into the standard service offerings of several mainstream security consulting firms.
Obviously, there is great breadth in the classes and usage of ‘commercial-grade malware’ (for want of a better name). Traditionally, boutique security consulting companies have constructed their own malware for two primary purposes: as a stable platform for weaponized exploits, and as a delivery vehicle for proof-of-concept penetrations. While various government agencies and departments have often been the consumers of these specialized products, there is an increasing call for such penetration testing services in the commercial market.
Enterprise customers are looking for new, more exhaustive methods to test the strength of their business systems and products. Perimeter defences such as anti-virus gateways and content filters are now fair game and, in order to test them successfully, targeted delivery of bespoke malware and tuned exploit platforms is required. Much of this is driven by the need to verify the claims of security vendors that employ ‘pre-emptive’ technologies and other broad-spectrum protection engines.
What this all means is that the production of sophisticated malware is no longer entirely within the realms of criminals (if it ever was). Security consultants are generating their own custom malware agents and specifically tuning their exploits to defeat the defences uncovered during a penetration test. These consulting deliverables are often of a much higher calibre and sophistication than the average piece of malware circulating on the Internet. As a consequence, we must be careful in how we label and react to the newest threats we encounter in the anti-malware business. We will also have to be more vigilant in identifying specific targeted attacks.
We know from past experience that it’s easy for proof-of-concept malware to escape confinement – whether that be through poor coding of worm functionality, unexpected recipients, failure to clean up afterwards, or merely because a sample was passed to the security vendor at the conclusion of the engagement. The result is a new family of malware or exploit technique causing a fire-drill response from the security vendor.
Then, of course, there’s the issue of research-driven malware. For example, a customer hires a consulting company to review the security of cellular picocell appliances from four different manufacturers. After several months of research, multiple vulnerabilities are uncovered and a proof-of-concept delivery sample is made (e.g. a worm that exploits the vulnerabilities). That piece of malware is the property of the customer, so we have to hope that the commissioner of the research was reputable.
The point of all this is that commercial ‘malware’ production is here to stay. As an industry, we need to recognize that malware is a tool used by both criminal and legitimate businesses. The development and application of sophisticated malware – such as worms with ‘zero-day’ exploits that target specific classes of embedded devices – already exists within the commercial realm. As a consequence, we can expect to see more sophisticated malware coming from a broader spectrum of vectors, which may not always be a ‘threat’ in the classic sense.