Killing the malware-as-a-service supply chain
Almost everything in IT seems to be becoming available as a cloud-based or "as-a-service" delivery model. We've seen software-as-a-service (SAAS), platform-as-a-service (PAAS) and even infrastructure-as-a-service (IAAS). And now cyber criminals are looking to imitate the marked scalability of the 'as-a-service' model, with malware-as-a-service (MAAS).
Cyber criminals have been eyeing the cloud for some time, and MAAS brings the convenience of SAAS to their criminal efforts, covering worms, viruses and even DDOS attacks. Much in the same way that cloud services lessen the load of having to continually manage and scale the supporting infrastructure, MAAS does the same when it comes to plotting and committing cyber attacks.
MAAS can be viewed as a DIY kit for cyber criminals. Moreover, it might even offer access to after-sales support, botnets, and servers that regularly check the malicious code to make sure it is working effectively.
Dr Jabu Mtsweni, research group leader for cyber defence at the CSIR, will be presenting on 'Malware as a service: sharing TTPs to kill the supply chain,' at the ITWeb Security Summit 2016 at Vodacom World in Midrand from 16 to 20 May.
Mtsweni says that, according to the Verizon report of 2015, on average 25 malware events occur every five seconds, and these malware events share a number of similarities, including operations and malicious code.
Malware authors no longer spend time writing the complete payload on their own; they collaborate with other malicious code authors all over the world, and some sell or buy malware on the dark Web that targets different types of users, he says.
As a result, MAAS has become a thorn in the side of anti-virus vendors, users, and researchers. According to Mtsweni, the challenge is also that ordinary IT users can now buy malware, such as ransomware, from external parties and deploy it to the target of their choice.
"For example: just under 5 000 Android malicious apps were observed every day in 2015, leading to an emergence of over 1 million malware samples targeting Android users. Most of these apps use shared malicious code, but users and businesses are oblivious to this fact."
Speaking of the malware supply chain, he says there are various ways that malware authors attempt to distribute their code to their targets. Common methods include mass phishing scams, PDF documents, Flash adverts, drive-by downloads using vulnerable Web sites, vulnerable endpoints (including BYOD and external drives), APT campaigns, and the dark Web for the 'retail' side of things.
There are several tools, techniques and procedures that can be used to kill the supply chain, says Mtsweni. "Cyber threat intelligence and dynamic malware analysis are approaches that are emerging as a possible solution in killing the supply chain."
During his presentation, he will explain this approach, and will discuss how any Internet-enabled endpoint is susceptible to malware. In addition, he will talk about how malware authors continue to collaborate, which is why their chances of success are over 50% in all their campaigns.
"The key in killing the supply chain of malware-as-a-service is about understanding the techniques, tools, and procedures used by malware actors, and collaborating with trusted partners."