This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Malware as a Service

Researchers have discovered a new service offering criminals customized cyber-attack tools and hosting in a MaaS package.

Security researchers are studying Capfire4, which may be the first example of malware-as-a-service.

As enterprises strive to improve their efficiency, more and more they are turning to the cloud for ease of access, cost savings, and greater agility overall. This is as true of criminal enterprises around the world as it is of legitimate ones.

Cyber-criminals have long embraced the cloud, both for file sharing to host their malware and for processor-intensive tasks such as cracking passwords. In a sense botnets are nothing more than illicitly assembled, ad-hoc cloud resources. Now some criminals are taking the next step in embracing the cloud, offering software-as-a-service and cloud storage for their products: malware-as-a-service.

Alberto Ortega, a research engineer at AlienVault, described the operation of the Capfire4 MaaS offering. "It means that clients don't have to mess with almost any technical issues, and they don't need special skills or knowledge. The providers supply the tools, the hosting, and the Command and Control server" in the cloud, Ortega explained.

Capfire4 joins a teeming underground market of remote access tools, crimeware kits, and support forums for cyber-criminals worldwide. The service combines malware -- which the client can personalize -- with a remote administration tool for controlling infected victim machines via a Web browser, and cloud hosting for the client's malware on a choice of legitimate-seeming domains.

After the client's personalized Trojan is generated in real time, the malware service checks it against 42 anti-virus packages. The sample shown on the AlienVault site was detected by only 2 of the 42 AVs tested.

Client communication with the Capfire4 portal's control panel is via HTTPS using a valid SSL certificate. When the command-and-control server issues commands to compromised machines in the client's botnet, it does so using port 9000 and a custom protocol.

Information security and user education are becoming more important than ever, as the tools to generate malware and build botnets become available in the cloud to unskilled and non-technical users worldwide. Capfire4 may be innovative in its cloud packaging, but the Trojans at its core still need user action to enlist machines into a botnet army. Besides enrolling the cloud service and its command-and-control servers on reputation blacklists, defending against this and similar malware threats rests mainly on an educated and security-savvy user community.
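One way a defender could combine the two network signals mentioned above, outbound connections to port 9000 and reputation blacklists, is shown here as an added example; it is not from the original article or from AlienVault's research. The flow-record format, the internal network range, the function names, and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

C2_PORT = 9000                                      # port the article reports for C2 commands
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2012-07-02T09:00:01 10.0.4.17 203.0.113.50 9000
2012-07-02T09:00:03 10.0.4.22 198.51.100.7 443
2012-07-02T09:05:01 10.0.4.17 203.0.113.50 9000
2012-07-02T09:06:40 10.0.5.9 10.0.1.20 9000
2012-07-02T09:07:12 10.0.4.31 192.0.2.80 9000
truncated record
"""

# Constructed reputation blacklist (documentation address, not a real indicator)
BLOCKLIST = {"203.0.113.50"}

def parse_flow(line):
    """Return (src, dst, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]),
                int(parts[3]))
    except ValueError:
        return None

def find_suspect_hosts(flow_text, blocklist, port=C2_PORT):
    """Map each internal host talking outbound on `port` to its hit count,
    destinations, and a severity ('high' if a destination is blacklisted)."""
    findings = defaultdict(lambda: {"hits": 0, "dests": set(), "severity": "review"})
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, dport = rec
        # Keep only internal -> external traffic on the watched port
        if dport != port or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue
        entry = findings[str(src)]
        entry["hits"] += 1
        entry["dests"].add(str(dst))
        if str(dst) in blocklist:
            entry["severity"] = "high"
    return dict(findings)
```

Port 9000 is also used by legitimate software, so a port match alone only earns a "review" rating; the blacklist match is what raises it to "high".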

Be careful out there.