Malware may be the boomingest niche in a slow economy

Change in focus from sabotage to stealing will make cybercrime even more lucrative

Looking in vain for any bright spots in the current economy? Wondering if the economy will beat out mutant microbes, global climate change, zombie epidemics or robot insurgencies as the one thing that will push human civilization over the edge of sanity and into a Mel Gibson movie?

If it helps at all, there is one shining bright spot in the technology universe, one area of specialty in which spirits are high, technical barriers are falling, new markets are opening and the money is flowing deep as the Mississippi in Spring.

That is, we have to assume the money is flowing from the rush of new products and obvious enthusiasm with which they're being used. The developers are kind of reluctant to say.

That's the only thing they're reluctant about, though, according to PandaLabs, which released its quarterly report on activity in the global malware market.

During July, August and September of this year, Panda identified more than five million new samples of malware, including a record number of Trojan Horse viruses, which made up three quarters of all the new malware samples found.

And they're not short of distribution methods or partners.

The number of web sites surreptitiously feeding users malware in as well as content went up 89 percent in the third quarter of this year alone, compared Q2, according to security company IID (which stands for Internet Identity).

Most lure victims in by posing as well-known, well-trusted organizations, the most popular being the FDIC, Federal Reserve, IRS and National Automated Clearing House, according to IID's report.

Trojans have always been the most common variety of malware, but really sprung ahead this quarter, from 68 percent of all malware to 77 percent. By comparison, viruses made up just 12 percent of the total, with worms (6.3 percent) followed by adware in last place with 3.52 percent.

That low number for adware is deceptive, though. That 3.52 percent is more than twice as much adware as during the previous quarter, mostly due to an increase in fake antivirus schemes.

Fake AV vendors get smarter, far less numerous

The total number of face AVs is actually down compared to previous years, according to GFI Labs, but new approaches – including taking advantage of the rising popularity of Macs to pitch poison anti-virus to Mac users – has made them more effective.

Rather than simple YOU MAY BE INFECTED! Click Here for Free Scan! scams, fake AV vendors are distributing fake toolbars, video players and other vehicles as cover for their own malware, according to GFI.

They're also putting up fake cloud sites offering full-time, full-function antivirus delivered from cloud sites but delivering any of a series of families of viruses and Trojans to capture and return user data to the developers.

Security vendor Enigma Software counted a 60 percent decline in the total number of fake AV, scareware and rogue anti-virus attacks during the summer.

GFI attributes that to better enforcement and more information aimed at non-technical consumers who might not be able to tell even obvious scams from real AV offers.

Enigma attributes the drop more to raids by the FBI on fake AV operations in Latvia, the Ukraine and half a dozen other factors as well as the increasing availability of free, high-quality antivirus products that make "free" antivirus from untrusted sites far less attractive.

Fewer phishers, better breaches

Phishing and spear-phishing is actually on the decline according to II – despite high-profile attacks from super-Trojan Duqu and longer-term campaigns like "Nitro" and "Night Dragon" – that used spear-phishing as an entry point for tailored packages of malware.

The reduction wasn't voluntary. Google dropped the second-level domain from its search lists for consistently hosting malware attacks, cutting 11 million web sites from the list of likely traps. Tokelau, an island nation in the South Pacific that is a territory of New Zealand, called for from IID, Facebook and the Anti-Phishing Alliance of China (APAC) after phishing attacks from its .tk domain increased 600 percent during the second quarter.

Securing the .tk domain cut phishing attempts by 40 percent during the most recent quarter, though the drop would probably be even steeper if the government of Tokelau didn't let anyone who wanted on get a .tk domain name.

A joint effort by Kaspersky Labs, Microsoft and law enforcement organizations in the U.S. and Germany this summer also shut down a botnet of 41,000 computers infected with the Kelihos virus, reducing the 'net's capacity for spam by billions of messages per day.

What's the upshot? Long-term heists, not hackery

The bulk of malware writers seem to be drifting back from traditional, bone-stupid worms, viruses and Trojans blasted out blindly to anyone who could, conceivably be fooled into infecting themselves.

That is a good strategy to build a botnet if you want to rent it out to the highest bidder, or (like Anonymous) DDOS attack any site any time and hope to shut it down.

The smart money, and smart coders, seem to be adding focus and specificity, picking specific targets in specific industries, using legitimate-looking spam or web sites to get a foothold, and work harder for a longer period of time to extract and resell information from those targets to buyers you've probably already identified, according to IID CEO Lars Harvey.

In fact, it's not even specific data ethically challenged customers are buying from malware writers and other hackers, Harvey said.

Increasingly, they're buying access to the systems of their competitors, important government agencies or other relevant organizations directly, in operations like Shady RAT, a campaign of attacks on more than 70 companies conducted using Remote Access Tool (RAT) malware over the course of five years.

Attacks like the hijacking of domains managed by NetNames – including, and were highjacked and all their traffic – users looking for Web pages and transactions from those sending money – were rerouted to another site.

In this case it was LulzSec and the attack was meant as much as a way to get attention as to accomplish anything serious.

The cybercrime trend in both malware and direct attacks is the same, however: persistent control or access to someone else's site to intercept their flow of money or information.

It may not seem like a big deal; every cracking attempt and malware attack has some aspect of industrial espionage to it.

Now most forms of cybercrime are taking on that flavor, Harvey said. Hackers who aren't data brokers themselves are working for those who are, or are being hired directly by "the enemy" of whatever victim is chosen.

Russia's largest alternative payment processor – Chronopay – had its domain highjacked and its customers redirected to a phishing site last year, Harvey said.

That's not just a hack. It's not even a data breach. It's a flat-out heist, and it or something like it are happening more and more often, Harvey said.

It's the big new thing in cybercrime, no matter how many new copies of almost-the-same virus are circulating or poisoned web sites come online.

They're just means to an end. It's the access that matters.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon