August 24, 2011

New research: the "malware adoption lifecycle"

Patrik Runald

The media is buzzing with stories of state-sponsored hacking, so-called advanced persistent threats, and high-profile data-theft attacks by cybercriminals. So what does this mean to everyday business owners and managers (companies that aren’t defense contractors or giant corporations)? It means watch out. Below I outline our recent research findings and thoughts - let me know what you think.


According to our research, the wildly successful techniques used in state-sponsored attacks are moving down a "malware adoption lifecycle." Yesterday’s million-dollar, well-planned, high-profile attacks are quickly becoming $25 exploit kits available online to armies of low-level hackers. Consider this "phase two" of advanced threats. The army of profit-driven hackers is using the same advanced techniques to steal any data that they can get their hands on to sell, fence or ransom. No one is safe, because traditional defenses don’t work against advanced malware. And the cybercriminals are targeting every kind and size of business.

This is the part of the story that people need to hear: While the big-name breaches get the headlines, too many companies get lulled into a false sense of security thinking that they are safe because they don’t have state secrets. Our research shows how the advanced techniques used in APT attacks move downstream. From state-sponsored groups, to criminal gangs, and ultimately to individual hackers—they are hitting any business with anything of value. Because that’s where the money is. And it’s easy pickings because antivirus software is defenseless against these advanced methods. Here’s how we see the malware adoption lifecycle playing out in the wild:

[Figure: Bell Curve]

Aurora is a great example. Google announced the attack on January 12, and four days later, the code was publicly available. Within weeks, the exploit was in the wild. Just 18 months later, there were 5,800 exploits using the same code.

[Figure: Google Aurora]

Now we’ve got another issue: how these exploits propagate in kits. Let’s look at CVE-2010-0188, a vulnerability discovered in Adobe Reader. This exploit has been included in two of the most popular kits out there today, Blackhole and Phoenix. These kits bundle a large number of exploits together, but the important thing is that they are very widely available for a relatively low price. The threshold for entry is lowered with these kits: hackers with a lower level of technical skill can now take advantage of these techniques – the same ones that powered high-profile targeted attacks on major corporations and defense contractors in previous state-sponsored attacks.

[Figure: Adobe Reader]

This example illustrates the pervasiveness of these exploits and kits, with Blackhole out there on more than 14,000 URLs and Phoenix hitting more than 12,000 URLs.

Now, typically, these exploits lose their efficacy the more pervasive they become, but that’s when the issue of patch management also becomes a critical factor. We took a look at one period from last year and examined the identification of zero-days in common applications and the time it took for a patch to be released. We found that over a four-month period, even if you were immediately applying patches as they were released, your organization was vulnerable to zero-days for 104 days of that time period, or more than 88 percent of the time.


Now, how many organizations are completely on top of the patch management game? Some might delay patches or batch them together to deliver at a single time, but what this means is that the longer you delay patches, the longer you extend the length of efficacy for malware and extend the lifecycle of that exploit. That’s why the inclusion of these exploits in kits still happens; even though there are patches… they still work.
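To make the exposure-window arithmetic in the two paragraphs above concrete, here is an added Python example (not from the original post or the study behind it). It merges overlapping zero-day windows across several applications into the number of days on which at least one was unpatched, then shows how an organization's own patch-deployment delay stretches that fraction. The four zero-day windows and the period are constructed sample dates, not the research data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): for each application, the day
# a zero-day became publicly known and the day the vendor shipped a patch.
ZERO_DAYS = [
    ("Reader",  date(2010, 3, 1),  date(2010, 4, 13)),
    ("Flash",   date(2010, 4, 5),  date(2010, 4, 20)),
    ("Browser", date(2010, 5, 10), date(2010, 6, 9)),
    ("Java",    date(2010, 6, 1),  date(2010, 6, 30)),
]
# Constructed four-month observation period (122 days).
START, END = date(2010, 3, 1), date(2010, 6, 30)


def exposure_days(windows, start, end, patch_delay=0):
    """Days in [start, end] on which at least one listed zero-day was unpatched.

    Windows overlap, so they are merged rather than summed; otherwise the same
    day would be counted once per vulnerable application. patch_delay pushes
    every patch date out by the organization's deployment lag in days."""
    delay = timedelta(days=patch_delay)
    intervals = []
    for _, disclosed, patched in windows:
        s = max(disclosed, start)
        e = min(patched + delay, end + timedelta(days=1))  # half-open [s, e)
        if s < e:
            intervals.append((s, e))
    intervals.sort()
    merged = []
    for s, e in intervals:
        if merged and s <= merged[-1][1]:           # overlaps or touches
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).days for s, e in merged)


def exposure_percent(windows, start, end, patch_delay=0):
    """Share of the period (in percent, one decimal) spent exposed."""
    total = (end - start).days + 1
    return round(100.0 * exposure_days(windows, start, end, patch_delay) / total, 1)


if __name__ == "__main__":
    for lag in (0, 14, 30):
        print(f"patch delay {lag:2d}d: {exposure_days(ZERO_DAYS, START, END, lag):3d} "
              f"days exposed ({exposure_percent(ZERO_DAYS, START, END, lag)}%)")
```

Even with zero delay the sample windows leave the period 82.8% exposed; a two-week deployment lag raises that to 95.1%, which is the "extended lifecycle" the paragraph describes.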

So when we look at a new 0-day exploit used in a recent, high-profile targeted attack (like this Adobe Flash exploit revealed in July), the question is: how long and to what extent will the bad guys use this to steal your data? Even if you aren’t a big government contractor or a giant corporation, if you have IP, you are a target.

[Figure: Adobe Flash CVE]

In a month’s time, we are already seeing this on 140 websites. How many of these are being used in targeted attacks preying on medium-sized organizations? How long until this one gets included in the biggest kits out there and more money or confidential data is stolen from additional organizations?

Look, modern malware circumvents AV and firewalls, so you simply can’t rely on these technologies or on patch management to protect your organization. We need to examine both inbound and outbound content traffic to minimize risk, because if you combine these exploits with some well-crafted social engineering, organizations will continue to be victimized. Organizations need to examine—in real time—the substance of each website visited and of each email to effectively battle this malware lifecycle.
