Advancement #4: Expanded browser/OS support (Chrome, Opera, Safari, and Apple OS X)
Crimeware in 2010 expanded beyond PCs running Internet Explorer on Windows. In March 2010, support was added for PCs running Firefox on Windows, and in July 2010 crimeware developers shipped upgrades enabling man-in-the-browser attacks against Firefox on Windows. This greatly increased the number of PCs susceptible to crimeware. The susceptible platforms have since expanded to include more browsers (Chrome, Opera, and Safari) and operating systems (Apple OS X).
Advancement #5: Source code availability/release
The source code for Zeus and SpyEye, two of the most sophisticated crimeware kits, was publicly released in 2010 and 2011, respectively. This allowed other developers to study and reuse the mechanisms Zeus used to subvert PCs. As a result, other crimeware and malware programs have been modified to incorporate the advanced capabilities of Zeus and SpyEye (stealth, form-grabbing, and web-injects).
Advancement #6: Disabling/circumventing of anti-crimeware
In 2010, crimeware gained the capability to disable anti-malware products that did not themselves employ stealth techniques. Crimeware may also circumvent such products, breaking their protection while the product appears to the user to be functioning normally. In essence, anti-crimeware products themselves needed to employ stealth capabilities to survive on a compromised PC.
Advancement #7: Mobile device support (also termed man-in-the-mobile)
In 2011, as banks increasingly turned to out-of-band authentication to validate online banking transactions, new crimeware appeared that subverted the mobile devices banks used to deliver that validation to customers. In these man-in-the-mobile attacks, when the bank sends an out-of-band message to the mobile device to validate a Web-based banking transaction, malware on the device suppresses the request so the user never sees it, and the transaction is validated covertly without the user's awareness.
For example, a text message from a bank asking a customer to approve a fraudulent online banking transaction would not be displayed to the mobile device user; instead the device, under the malware's control, would return the validation to the bank (or relay the code to the attacker, who enters it in the hijacked browser session) without the user's awareness.
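The following is an added example, not code from the article, that models the relay form of the attack described above: the bank sends a one-time code by SMS that names the transaction, malware on the handset hides the message from the user and forwards it to the attacker, and the attacker submits the code from the hijacked browser session. The Bank, Phone and "MULE-ACCT" names and the message format are assumptions made for the simulation; no real banking protocol or malware family is modeled.

```python
"""Toy model of a man-in-the-mobile attack on SMS transaction codes.

Added example for illustration only; it is not code from the article and
models no real banking system or malware. The class names, the message
format and the account names are made up for the simulation.
"""
import re
import secrets

CODE_RE = re.compile(r"code (\d{6})")


class Bank:
    """Issues a one-time code per transfer over SMS and requires it back."""

    def __init__(self):
        self.pending = {}   # code -> transaction awaiting confirmation
        self.ledger = []    # confirmed transactions

    def request_transfer(self, account, amount, dest, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = {"account": account, "amount": amount, "dest": dest}
        # The message names the transaction, so a user who sees it could refuse.
        phone.receive_sms(f"Confirm transfer of {amount} to {dest}: code {code}")

    def confirm(self, code):
        """The bank cannot tell who typed the code, only that it matches."""
        txn = self.pending.pop(code, None)
        if txn is None:
            return False
        self.ledger.append(txn)
        return True


class Phone:
    """Customer handset. When infected, the SMS receiver hook hides any
    message carrying a code and forwards it to the attacker's drop."""

    def __init__(self, infected):
        self.infected = infected
        self.inbox = []          # what the user actually sees
        self.attacker_drop = []  # messages exfiltrated by the malware

    def receive_sms(self, text):
        if self.infected and CODE_RE.search(text):
            self.attacker_drop.append(text)   # suppressed: never shown to user
            return
        self.inbox.append(text)


def run_scenario(infected):
    """Attacker, already in the browser session, submits a fraudulent
    transfer and then tries to confirm it with any relayed code."""
    bank = Bank()
    phone = Phone(infected)
    bank.request_transfer("alice", 5000, "MULE-ACCT", phone)

    # Attacker side: replay whatever codes the malware relayed.
    relayed = [CODE_RE.search(m).group(1) for m in phone.attacker_drop]
    fraud_confirmed = any(bank.confirm(c) for c in relayed)

    return {
        "user_saw_request": bool(phone.inbox),
        "fraud_confirmed": fraud_confirmed,
        "transfers_booked": len(bank.ledger),
    }


if __name__ == "__main__":
    print("clean phone:   ", run_scenario(infected=False))
    print("infected phone:", run_scenario(infected=True))
```

With a clean handset the confirmation request reaches the user and the attacker holds no code, so nothing is booked; with an infected handset the user sees nothing and the transfer is confirmed. The point the simulation makes is that spelling out the amount and destination in the message only helps if the user actually sees it, and that the "second channel" is only independent of the browser session as long as the device carrying it is not itself compromised.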
Advancement #8: Anti-removal (also termed persistence)
As security solutions struggle to detect and remove crimeware from compromised PCs, malware authors are updating their code so that it re-emerges on a PC even after its supposed removal. Once a PC is compromised, the objective is for it to remain compromised.
We are in an era where PCs, mobile devices, and the Internet are no longer trusted. Crimeware is devastating our security, our privacy, and our anonymity. It has jumped across browsers, operating systems, and even devices, to endanger all current technologies.
Three actions could be taken.
First, we need to know how thoroughly crimeware has infested our technologies and what losses and damage are attributable to crimeware. In short, we need to know where we stand. Is crimeware being used to control our stock markets, our banks, and our government?
Second, we need to contemplate new approaches to controlling the handling and distribution of crimeware - it is no less dangerous than weapons, cryptography or wiretapping. After all, if it isn't dangerous, why do they call it cyberwar?
Third, the Federal Government could counter crimeware with an anti-crimeware program that disables crimeware functionality on a broad scale instead of attempting to detect and remove crimeware from each compromised PC. It's time U.S. cyber defenses extended their reach to shelter citizens and their technologies.
It's unlikely that George Orwell or anyone else could have envisioned either the widespread availability of crimeware or the proliferation of our generation's hand-carried telescreens. We have entered a new phase of security, unprecedented in its susceptibility to crimeware and international monitoring. As of yet, there is no magic technology around the bend that can fix the situation. For the foreseeable future, we are left with hand-to-hand software combat for the control of our processors.
Philip T. Mellinger is currently Chief Scientist for Trusted Knight Corporation, creating anti-crimeware solutions for the financial industry. He received graduate computer science degrees from Johns Hopkins and George Washington Universities, holds seven patents for anti-fraud technologies, and has served with the National Security Agency, the North Atlantic Treaty Organization, the U.S. Air Force, and two Federal think tanks.