A Verisign report looking at security dangers for 2012 pointed to MaaS and an open-source Zeus kit as issues, but also noted that sandbox technology helps against exploits.
Verisign researchers, looking at what happened in the world
of security in 2011 to get a better feel for what to expect this year, are
warning that cyber-attackers are beginning to offer customers more services and
to leverage the Zeus Trojan as an open-source kit.
But it's not all bad. The Verisign researchers, in a report
released this week, also said that using sandboxes can make it significantly
more difficult and costly for hackers to exploit vulnerabilities.
Currently, only two public demonstrations of bypassing
sandboxes exist in environments that use and support defense-in-depth
strategies such as address space layout randomization (ASLR) and data execution
prevention (DEP), according to the report. None of the public demonstrations
included any public exploit code. Until corporate enterprises widely adopt
newer client-side applications that have implemented sandboxes, however,
attackers will have an easier time developing exploits.
The report, from Verisign's iDefense Security Intelligence
Service, outlines what researchers see as the most important security trends as
businesses and governments head into 2012. A key one began in April 2011, when
the source code for Zeus version 2.0.8.9 became available to anyone online.
"The release of the Zeus source code effectively converted
the Zeus banking Trojan from a proprietary, pay-per-use crime kit into an
open-source crime kit," the report states. "The source code quickly spread
across the Internet via underground Websites and file-sharing sites, giving
malware authors across the globe access to the powerful and well-written
malware platform."
The result has been the rise of a host of Zeus-based variants,
a trend that will continue into this year. However, the researchers
pointed out that the Zeus code is incomplete, and that anyone compiling it
needs the programming skills to modify and add to it. This keeps less
experienced hackers from using the source code. It also means that the more
skilled and more malicious attackers must modify it, leading to the source
code branching out into variants. Those variants include SpyEye, Ramnit, Ice IX
and Aeacus.
"As Ramnit and SpyEye demonstrate, there will be more minor
Trojans that include the functionality of Zeus in their arsenals. This trend
will be even more pronounced when new malware families emerge that not only
augment themselves with components of Zeus but also augment Zeus with new
functionality specific to each new variant family," the report states. "The
release of the Zeus source code is going to have a dramatic impact on the
production of new, dangerous banking Trojans in 2012. Fortunately, antivirus
programs may actually detect as Zeus the malware variants that malware authors
have based on Zeus source code, a detection that will decrease the effects of
these variants."
Another key trend is that cyber-criminals are beginning to
adopt a new business model, which Verisign researchers called "malware as a service."
In this MaaS model, authors of exploit kits not only offer the kits to
customers, but also offer extra services.
This trend will probably continue as other developers adopt
the same business model, they said.
Software vendors would be well-served in fending off
vulnerability exploits by using sandboxes, according to Verisign.
"The use of sandbox technologies has significantly hindered
the ability of malicious actors to exploit vulnerabilities," the report says.
Consequently, software vendors will continue to use sandbox technologies to
help protect their products and customers. Sandbox technology is a mitigating
security mechanism that limits the environment in which a program can execute.
Companies typically use sandboxes to process untrusted content while keeping a
host system protected from persistent changes.
While sandboxes don't get rid of vulnerabilities, they make
it much more difficult for cyber-criminals to exploit them; often, hackers
will need to chain exploits for multiple vulnerabilities at the same time to exploit a
vulnerability in software that uses sandbox technology. The sandbox concept isn't
new; it was introduced by Microsoft in 2007, but its use by many software
vendors is. Microsoft first introduced it with Internet Explorer 7 with
Protected Mode; Google in 2008 rolled out a sandboxed browser, Chrome. Adobe,
with the help of Microsoft and Google, in 2010 came out with Protected Mode for
Adobe Reader X, and has since added sandbox technology to such products as
Office and Acrobat.