Would it trouble you if malware-infected systems were treated like a commodity that could be bought and sold?
Research has found that such markets for infected hosts indeed do exist.
Security blogger and cybercrime researcher Dancho Danchev found one such market where prices range from $35 for 1,000 hosts (as part of an international mix of hosts) to $270 for 1,000 hosts based in Canada, with buyers then using those machines to launch attacks.
What Danchev and others are observing is an underground economy where infected hosts and malware can be bought or even rented as some sort of “Exploit-as-a-Service.”
“The malware landscape has changed dramatically in the past years – a ‘for-fun’ activity has turned into a profit-driven criminal activity,” says Lorenzo Cavallaro, a Royal Holloway, University of London lecturer who recently led an online course called “Malicious Software and its Underground Economy.”
The online course led students through research into the underground economy where malware developers sell their software, intermediaries sell infected systems to clients, and perpetrators of cybercrime can simply pay to exploit systems for their nefarious purposes.
What could be particularly worrying is that market forces are, in effect, helping create more sophisticated ways of exploiting and attacking systems, thanks to the efficiency gained from specialization of roles and the integration of buyers and sellers.
InfosecStuff principal researcher and consultant Mark Baldwin provided some commentary on why it’s necessary to keep tabs on the underground marketplace for malware.
“Studying and monitoring the underground marketplace is important for a variety of reasons,” says Baldwin. “Foremost among these is that it provides security researchers with information about the types of malware that are being used in the wild. This is particularly important for finding zero-day exploits, which are exploit tools that take advantage of vulnerabilities in systems for which no security patch is available.”
“By making this information known to the security community at large, those responsible for protecting networks can take appropriate actions to defend their systems,” he says.
But the underground also provides a window into trends, Baldwin says. “For example, a researcher might be able to predict a wide-scale attack against certain types of systems based on the types of tools that are being offered and downloaded from a site hosting malware.”
There’s also an opportunity to determine the risk level of threats. “Monitoring underground sites can provide good empirical evidence to those whose job it is to determine the level of risk to their environment, which in turn can be used to determine the level of funding that should be dedicated to mitigating such risks.”
How can web hosts ensure their clients are not hosting malware from the underground marketplace, or even hosting parts of the underground marketplace itself?
Baldwin responds: “Combating the distribution of malware is a very difficult issue for web hosting providers. How they combat this will depend on a variety of factors including the type of hosting they provide, the size of the operation, and the laws under which the business operates.
“The most common control that most web hosts utilize is not a technical control, but an administrative one. Most web hosts – at least reputable ones – require their customers to sign a Terms of Service agreement.” He says this should typically forbid the hosting and distribution of malware.
“A couple of technical controls that can be used include running malware scans on their hosted systems. This can become a very time consuming and arduous task depending on the size of the hosting provider. Another common technical measure is to monitor network traffic for signs of malware on the network.”
Baldwin says it’s unlikely that all or even most web hosts have the resources to combat malware on customer accounts, given how difficult and resource-intensive the task is.
The legal software industry’s disruptive innovations, such as cloud computing and software-as-a-service delivery, appear to have given the malware industry cues on how to operate more efficiently and dangerously, and – to the chagrin of many web hosts – perhaps become even more disruptive in both senses of the term.