An up close look at how miscreants are making money off of viruses and malware

Two questions that we frequently get are how / why do I get viruses and how do the people creating the viruses make money?  I found this article this morning linked to another news story and it does a pretty decent job of answering both.  Basically, the article talks about the Sweet Orange exploit kit and what it does.  There were some really good points in the article but they’re mixed in with a good bit of geekspeak.  I’ve tried to distill the important points of the article in the following 5 bullet points but there’s a link to the full article at the bottom.

  1. What is an exploit kit?  From the article, an exploit kit is “…an effective and streamlined methodology of distributing malware; they allow the Bad Guys to distribute payloads at a higher level than we have seen in the past…”.  The English version of this is simply that an exploit kit is a new way to distribute viruses.  Instead of requiring that the virus be spread through email or some other manual method (which can infect tens, hundreds or maybe even thousands of computers in a few days and often requires a complete rewrite once antivirus companies get a chance to research it), exploit kits enable the Bad Guys to infect tens of thousands or hundreds of thousands of computers in the same amount of time (or less).  An added benefit is that the exploit kits are built to be flexible: if the exploit that worked yesterday is no longer usable, the Bad Guy doesn’t have to completely retool; he / she just has to tweak the kit and continue on.
  2. How does an exploit kit access my computer?  The exploit kits rely on compromised computers to act as Command and Control (C&C) servers for the network (botnet).  These C&C servers basically host the application the same way that the SalesForce.com servers host SalesForce.com and the Gmail.com servers host Gmail.com email and Google Apps.  The biggest differences are that a) the C&C servers have to move around a lot (if they stay in the same place, they’re more easily caught and shut down) and b) while SalesForce.com and Gmail.com offer legitimate services, the C&C servers exist for the sole purpose of hosting the exploit kits that are used to infect your computer.  Websites are compromised and fake emails are generated (“Your DHL package has arrived”, “there was a problem with your Payroll account”, “your computer is infected with 10,000 viruses, hurry and click here”) that have links back to the C&C servers.  When you view these [compromised] websites or receive these [fake] emails, the C&C server does a quick scan of your computer to see what vulnerabilities exist and can be exploited.  Sweet Orange actually tracks and provides statistics on which exploits are more successful (Java, Adobe, IE, Firefox, etc.).  In most cases, you have no idea that your computer has been scanned (unless you get a virus that’s very visible as soon as it’s installed, like the FBI virus or the fake antivirus virus).
  3. What does the exploit kit do to my computer?  Once your computer has been scanned, the exploit kit will execute an appropriate exploit to install its software (payload) onto your computer.  With some exploit kits this is a one-shot deal; with others they will try a ‘Hail Mary’ and attempt exploit after exploit until they find one that works.  Once it works, the software (virus / malware) is installed on your computer and your computer ‘checks in’ with the C&C servers, reporting for duty if you will.  From that point on, your computer may be used to relay SPAM, host stolen credit card or other personal data, or even become a C&C server itself, or you may just start getting tons of advertising pop-ups or the FBI virus.  At this point, though, your computer is under the control of the botnet and can be used by the [botnet] owner for whatever he / she wants to use your computer for until the malware is removed.
  4. How do the exploit kits make their owners money?  In the case of the Sweet Orange exploit kit, Sweet Orange guarantees its customers 150,000 unique visitors per day with a successful infection rate of 10% to 25%.  Simply stated, Sweet Orange guarantees that its customers will gain control of at least 10,000 new computers each day and can use those computers for pretty much any task.  A simple example would be for the [Sweet Orange] customer to successfully leverage the FBI virus on 100 computers per day (1% of the 10,000 guaranteed infections that [Sweet Orange] promises), which would be $30,000 in MoneyPak or Western Union money per day.
  5. How can I protect myself?  As I noted earlier, the exploit kits rely on unpatched vulnerabilities to work.  In an ideal world, the best way to protect yourself would be to simply install the updates as they are made available (and tested).  In many cases though, these exploits hit the ‘wild’ before the vendors (hardware & software) are able to release the updates to fix the vulnerability, so a layered approach is a much better option:
    1. Regular Updates – Microsoft and [now] Adobe release updates on the second Tuesday of each month, typically referred to as Patch Tuesday or Black Tuesday.  Oracle also has a semi-regular update cycle but has been forced to release a large number of ‘out of band’ updates to address serious security problems with Java in the past few years.  Installing these updates will ‘patch the holes’ that the exploit kits are targeting.  It isn’t safe to rely on this alone, as many exploits are now released as ‘zero day’ exploits, meaning that the software / hardware manufacturers find out about the problem at the same time as the rest of the world, leaving no time for the manufacturers to release a patch before infections begin.
    2. Effective Antivirus – Antivirus software is very similar to a flu vaccine.  It’s software that looks for specific ‘signatures’ or characteristics and can quickly be updated to recognize new threats.  Like the updates, it’s not 100%, but antivirus signatures to recognize and block the threats are typically easier and quicker to deploy than actual updates.
    3. Firewall – A firewall is basically a device that sits between your computer and the Internet and can be configured / programmed to block access to specific websites, servers or hosts (technically all of these are the same thing).  Many can block access automatically, requiring little or no action on your part.  Some firewalls also have built-in tools similar to antivirus that will prevent the virus or malware from ever reaching your computer(s).

The full article is available here and has significantly more detail than I’ve provided here.