While it is difficult to estimate how thoroughly crimeware has infested our technologies, the most telling way to demonstrate its effectiveness is to obtain a copy of Zeus or SpyEye, generate a fresh variant to infect a PC, and then check whether PC security technologies detect and remove the crimeware. In most cases, fresh variants of crimeware are so effective and so devastating that the only way to guarantee their removal is to rebuild the machine from scratch.
Crimeware was founded on three core technologies: 1) botnet controllers capable of handling hundreds of thousands of bots; 2) sophisticated Trojans that are updateable; and 3) highly effective data collection. Since 2003, eight major advances have contributed to the invincibility of crimeware.
Advancement #1: Form-grabbing for PCs running IE/Windows
Form grabbing, as its name implies, is the crimeware technique for capturing web form data within browsers. Prior to 2003, malware employed a variety of hook-based key-logging techniques to collect keystrokes from compromised PCs. The 2003 deployment of form-grabbing against PCs running IE/Windows (browser/OS) avoided the pitfalls of key-logging (e.g., backspaces, corrections, misspellings, etc.), allowing criminals to harvest large numbers of online bank account IDs and passwords.
In response to criminals' large-scale harvesting of banking credentials, the Federal Financial Institutions Examination Council (FFIEC) in 2005 declared password-based authentication (single factor) to be insufficient for online banking and required banks to transition to more sophisticated authentication techniques such as two-factor authentication (something you know, something you have) to access online bank accounts. Crimeware quickly evolved to overcome even two-factor authentication.
Advancement #2: Anti-detection (also termed stealth)
A fundamental advance in crimeware was its ability to evade detection by anti-virus software and other security technologies. Crimeware anti-detection capabilities (sometimes termed stealth) prevent detection by either signature-based (i.e., anti-virus) or behavior-based (i.e., intrusion detection/prevention) techniques. Crimeware achieves this by varying any feature (registry locations, file names, CLSIDs, signatures, protocols, etc.) that could be used to detect it. Stealth techniques have all but rendered traditional anti-virus products useless, since it is impossible for them to detect and remove the tens of millions of variants that are generated each year. [Also see The rise of anti-forensics.]
Advancement #3: Web-injects (also termed man-in-the-browser)
In 2009, crimeware added the capability of performing web-injects (also termed man-in-the-browser attacks) for PCs running IE/Windows. This capability fully defeats the two-factor authentication contemplated by the FFIEC by allowing criminals to take over authenticated connections from within compromised PCs. Web-injects subvert key-entry based authentication techniques. In essence, the criminal monitors the PC from within in real time and can manipulate any entered data. While a user may believe he is entering authentication data directly onto a bank's server, in reality the crimeware is capturing the authentication within the PC and then forwarding the authentication data itself. The crimeware now controls the user's connection to the bank from within the PC.