Creators of malware – worms, trojan horses, spyware, adware – are teaming up in the underground to propagate Internet threats at an even faster rate, according to a Canadian researcher.
“What we’re seeing is a concerted effort to share techniques,” says Brian Grayek, vice-president of threat research at CA Inc. Headquartered in Islandia, NY, CA is a provider of information technology (IT) management software.
Barely a year ago, if a malware technique was proven successful, it might still have been weeks or even months before another attacker adopted that approach, says Grayek.
“Now, when we observe a new occurence, we see it happen suddenly all over the world. That was not the case three months ago, or even last year.”
Authors of malware are sharing their methods, and using common systems and engines to transmit these various forms of hostile, intrusive and annoying software or program code, he says.
They communicate their malware strategies in three main ways, says Grayek.
First, malware authors converse on Internet relay chat (IRC) – a synchronous conferencing channel for group communication – where they share techniques and plans of attack.
Second, some are brazen enough to flaunt their conquests, strategies and techniques on personal Web sites. Grayek says this method is usually more common in countries where the IT security laws are relatively lax.
Third, malware creators locate one another through old-fashioned networking – in other words, one connection upon another is created until a large informal group can start congregating and sharing ideas.
“These groups have been built over the past year and a half, and now we’re seeing the results of their efforts,” says Grayek.
There’s a financial incentive to get together and share techniques that work, he says, given the potentially large payouts to be made in the Internet attack business.
But besides sharing approaches so that malware attacks propagate faster, creators of harmful code are recycling elements of past successes and incorporating them in new, more robust and dynamic entities, he says.
For instance, the “hugely successful” approach employed by ‘stration’, a family of computer worms that produce new variants in order to avoid detection by anti-virus applications, is now observed in phishing attacks, says Grayek. “If the image in the phishing message is slightly changed, it can keep anti-spam and anti-malware detectors from catching it.”
Internet threats surfacing today tend to stem from successful attacks we’ve seen from the past, rather than from new efforts or less successful threats,” says James Quin, senior research analyst at Info-Tech Research Group in London, Ont.
“We’re seeing an evolution of successful malware. All in all, that means the threat level is raised a little bit.”
Despite this, Quin doesn’t believe the current plan of attack to recycle successful malware code represents a significant problem to IT security. “The threats are those we already know about, and for which we have virus definitions, and are able to recognize.”
The attackers’ ability to inflict potential damage will be minimized because IT systems will be that much more in tune with catching these threats, he says.
Quin agrees financial incentives play a major role in Internet attacks nowadays, thereby shifting the underlying motivation. “Attack trends, in general, are moving towards ones that are financially motivated, than ego motivated.”
“The ‘talented’ bad guys are diverting their efforts away from generic threats, such as writing viruses and worms, and putting their attention to targetted attacks that yield more monetary gain.”