Fake programs are even more successful at duping victims when they appear to come from popular, well-known websites that a user has trusted and visited, without incident, for years. Or they launch from one of the popular social networks, like Facebook and Twitter, which are all the rage among the least savvy computer users. Some malware programs scan the user's computer for vulnerable software that lacks security patches, but typically, users cause infections themselves by installing apps they should not.
This is not to rule out the obvious impact of spam, phishing, adware, or other attack methods. It's just that computer worms, viruses, and the other methods for exploiting computers, added up all together, don't equal the threat of the socially engineered Trojan -- even though some multivector worm programs, like Conficker, have victim figures that number in the millions.
In a common scenario, the first malicious program installed is called a downloader. A downloader's goal is to be installed on the victim's PC and then to "phone home" to the "mothership" Web server for more instructions. The downloader often has instructions to contact a dynamic DNS server to get the mothership Web server's current location. That dynamic DNS server is itself just another Trojan-infected computer, typically an innocent user's desktop. The DNS address record the downloader receives is valid for only a short time -- sometimes as little as 3 minutes. These "fast flux" techniques complicate efforts to investigate or eradicate malware. The downloader will eventually be redirected to another server (which is, of course, just another compromised host) and download a new program or receive instructions. This sequence of finding and downloading new programs and instructions can go on for dozens of cycles.
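The short-lived address records described above are also something a defender can look for. The following is an added example, not code from the article or from InfoWorld: it reads constructed passive-DNS style log lines (the timestamp, query name, A record, ttl=seconds format and all domains and addresses are assumptions made for the example) and flags names that combine a low TTL with a large set of distinct addresses, which is the pattern fast-flux hosting produces. A low TTL alone is not enough, since legitimate CDNs and load balancers use them too, so the heuristic requires both signals.

```python
"""Fast-flux style DNS detection over passive-DNS log lines (added example).

Assumed log format, one record per line (constructed for this example):
    <epoch_seconds> <qname> A <ipv4> ttl=<seconds>
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data; the domain names and addresses are placeholders
# from documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
1700000000 update.example-cdn.test A 203.0.113.10 ttl=86400
1700000120 update.example-cdn.test A 203.0.113.10 ttl=86400
1700000000 mothership.example-bad.test A 198.51.100.7 ttl=180
1700000180 mothership.example-bad.test A 198.51.100.42 ttl=180
1700000360 mothership.example-bad.test A 192.0.2.99 ttl=180
1700000540 mothership.example-bad.test A 198.51.100.130 ttl=180
1700000720 mothership.example-bad.test A 192.0.2.17 ttl=180
1700000000 www.example-static.test A 192.0.2.1 ttl=300
1700000300 www.example-static.test A 192.0.2.1 ttl=300
"""


def parse_line(line: str) -> Tuple[int, str, str, int]:
    """Split one log record into (timestamp, qname, ip, ttl)."""
    ts, qname, rtype, ip, ttl_field = line.split()
    if rtype != "A":
        raise ValueError(f"only A records are handled, got {rtype!r}")
    key, value = ttl_field.split("=", 1)
    if key != "ttl":
        raise ValueError(f"expected ttl=<seconds>, got {ttl_field!r}")
    return int(ts), qname.lower().rstrip("."), ip, int(value)


def summarize(log_text: str) -> Dict[str, dict]:
    """Aggregate per-name statistics: distinct IPs, lookup count, minimum TTL."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"ips": set(), "lookups": 0, "min_ttl": None}
    )
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blank lines and comments
        _ts, qname, ip, ttl = parse_line(raw)
        entry = stats[qname]
        entry["ips"].add(ip)
        entry["lookups"] += 1
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return dict(stats)


def flag_fast_flux(log_text: str, max_ttl: int = 300, min_distinct_ips: int = 3) -> List[str]:
    """Return names whose records are both short-lived and spread over many IPs.

    Both conditions must hold: a short TTL on its own matches ordinary CDN
    traffic, and many IPs with long TTLs is just normal round-robin hosting.
    """
    flagged = []
    for name, entry in summarize(log_text).items():
        if entry["min_ttl"] <= max_ttl and len(entry["ips"]) >= min_distinct_ips:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in flag_fast_flux(SAMPLE_LOG):
        entry = summarize(SAMPLE_LOG)[name]
        print(f"{name}: {len(entry['ips'])} distinct IPs over "
              f"{entry['lookups']} lookups, min TTL {entry['min_ttl']}s")
```

In the sample data only mothership.example-bad.test is reported: www.example-static.test has a TTL at the threshold but always resolves to the same address, and update.example-cdn.test has a day-long TTL. In practice the thresholds would be tuned against the organisation's own resolver logs, and a hit is a lead for investigation rather than proof of compromise.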
Eventually, the final program and instructions will be installed on the victim's computer, with a handful of command-and-control servers under the direction of the botnet owners. Botnets can be used by the owners themselves to steal money, to conduct distributed denial of service (DDoS) attacks, or to break into other computers. Often the botnet owner will rent the botnet to other criminals, who then use it to do their bidding. A good example of a common bot and botnet is Mariposa. At one point, it controlled more than 13 million PCs in 190-plus countries. The masterminds of Mariposa were not ultraskilled malware-writing geniuses -- they were three guys who bought a botnet "kit" on the Internet for $300.
DIY kits: Tools of the trade
Do-it-yourself malware kits have been around for two decades, but now they are soup-to-nuts efficient. The typical kit can spit out (currently) undetectable malware to do the customized bidding of its owner. Using these kits is as easy as clicking a few check boxes. The resulting malware will break into websites to start infecting innocent visitors, generate enticing spam and phishing e-mails, and do everything it takes to create the botnet -- including bots, dynamic DNS servers, roving mothership Web servers, and the command-and-control servers.
Many of the kits are directed toward bypassing particular types of authentication and focus on particular financial institutions. The better bot kits include a sophisticated administrative back end so that the hackers can read statistics on total infections, OS versions exploited, and tricks used. For another $30, the kit creators will include 24/7 tech support.
These kits aren't hidden. With just a little bit of searching, you can find them on the open market, often marked as "experimental" or "test-only" products. And there are plenty of "service providers" willing to help malware hackers turn their ill-gotten gains into hard cash.
Read more about how to fight back against modern malware in InfoWorld's free PDF report, "Malware Deep Dive," including:
- Doing business under siege
- The best defenses