
Understanding the Ecosystem of Modern Malware

Driven by constant demand for advanced malware and a co-opetition model, this ecosystem directly impacts how quickly and efficiently new threats can spread.

As malware gets progressively more complex, it’s important to understand how the major players in the malware industry fit together and how these relationships affect the ways that malware is developed, distributed and ultimately used in attacks.

Modern Malware

When we talk about attacks on IT security, we often talk about “the hacker” as some sort of lone wolf hidden away in a dark corner of the world. In reality there is a very broad and interconnected ecosystem behind the malware industry, where individuals and hacking groups both cooperate and compete to further their cause.

It is important to understand this ecosystem because it has a direct impact on the speed and efficiency with which new innovations arrive and how quickly new threats can spread.

Malware: A Model in Co-opetition

Malware authors have always been keenly aware of the progress of other hackers, quickly adopting techniques and features that are shown to work in other malware. However, the stakes of this competition have changed as malware has become both more long-lived and more powerful. A modern botnet can coordinate millions of nodes and live for years in the wild, making it a very valuable malware property that controls millions of dollars. This has led to an evolving ecosystem based on equal parts cooperation and competition.

The competition and ultimate consolidation of SpyEye and ZeuS offers an ideal example of just how fluid these relationships can be. Back in 2010, ZeuS was the leading banking trojan, with a wealth of sophisticated features that allowed many different criminal organizations to steal millions of dollars by capturing login details from individuals using online banking or financial sites. SpyEye was an up-and-coming competitor that took direct aim at ZeuS. SpyEye built competing features, advertised itself as a "ZeuS killer" in online banner ads, and could even detect and remove ZeuS when it infected a machine that ZeuS had already infected. This led to a brief feature war between the rival developers, which was quickly resolved when the two code bases were merged. This merger brought all of the functionality of SpyEye and ZeuS together, even going so far as to merge customer support.

Malware Authors

Malware authors are, loosely speaking, the software developers of the malware industry. These individuals or groups are responsible for creating the malware platform itself. This includes not only designing the code for the infecting file, but also its all-important command-and-control infrastructure. The command-and-control model determines how the malware is coordinated and managed by a remote hacker, and the security of this communication scheme directly impacts how susceptible the malware is to being taken offline by authorities or taken over by a rival crimeware organization, making it one of the most critical aspects of a malware product.

Today, more often than not, a malware author's actual product is a malware construction kit, which is sold to an individual who wants to run a malware operation. This allows the author to sell the kit to many customers, who can then use it to create their own customized version of the malware and run their own campaigns, separate from those of rival hackers. There is obviously no rule saying that malware authors can't also be malware operators, but as the landscape has evolved, we continue to see authors specializing in developing the malware and simply supplying the criminal community with their wares.

Malware Operators

Malware operators purchase malware, or a malware kit, from an author and actually use the code in live attacks. These are the individuals who run and maintain botnets and ultimately use the code for malicious activities. Malware operators are highly competitive with one another, just as you might expect from any other rival criminal groups. In a very real sense, this is the group that drives the demand for malware innovation. Malware operators can only be as successful as their malware code, so there is always demand for new malware that is guaranteed to be unrecognizable and to have the latest features, giving it the greatest chance of success.

These groups will also actively attempt to steal or take over the infected hosts that "belong" to a rival operator. As mentioned earlier, if a hacker can take over the command-and-control mechanism used by a botnet, they can very quickly seize a rival botnet and bring all of its bots under their control. This matters because a malware operator will often spend just as much time protecting their botnets from other hackers as they do trying to avoid law enforcement.

Malware Affiliates

Malware affiliates are the hired help of the malware industry, focused simply on delivering the malware to its targets. A malware operator hires affiliates to infect users with the operator's malware. The operator typically pays the affiliate based on the number and value of the targets the affiliate infects, such as X dollars per 1,000 infected hosts. These hackers typically infect websites with malware and drive users to those sites, or, in more sophisticated cases, develop customized phishing campaigns.

With constant demand for advanced malware, paired with a co-opetition model, this ecosystem directly impacts how quickly and efficiently new threats can spread and how fast new innovations arrive in the effort to defeat IT security.

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.