Information Technology has become a commodity in its own right. Virtually all aspects of IT are now available as some variant of the “XaaS” family, which includes Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and numerous others.
They all save time, effort, and money for individuals or enterprise subscribers.
And the advantages of cloud-based, hosted, and managed tools or resources haven’t gone unnoticed by players on the darker side of the digital spectrum – a fact which has seen the growth of an entire market sector offering “cyber-crime for hire”, or “Malware as a Service (MaaS)”.
Malware as a Service – The Managed Services Model
Infecting and amassing a network of computers to form a “botnet” large enough to mount a Distributed Denial of Service (DDoS) attack on a major website or enterprise. Coding and tweaking malware variants innocuous-looking enough to fool virus scanners and Intrusion Detection Systems (IDSs). Or simply managing the trans-global returns from a successful ransomware distribution campaign.
All of the above require skills, human resources, money, and infrastructure that your average “hacker in a basement” simply doesn’t have. So if the opportunity to gain access to such capabilities for a moderate fee presents itself, it’s likely that they’d jump at the chance.
This is where the Malware as a Service (sometimes referred to as Cyber-crime as a Service, or CaaS) concept has emerged to fill an obvious gap in the cyber-criminal black market. Like other members of the cloud-driven XaaS family, it’s a fee- or subscription-based business model that transfers responsibility for infrastructure, resource, and service provision to a remotely located third party.
Threat research analyst Marcus Moreno describes the MaaS model as a multi-level structure consisting of:
- A First Level of skilled engineers and coders who do research, construct exploits, and write malware
- A Second Level of distributors who host computer systems, own botnets, or generate and transmit spam
- A Third Level of financial data providers, accountants, treasurers, and “mules” for transferring funds
In addition, the Malware as a Service economy offers a “cash and carry” option for malware and exploit kits, and back-end functions such as 24/7 Technical Support and customer service helplines, with testing facilities for malicious code written by subscribers.
Malware as a Service – An Affordable Commodity
For some time now, there’s been a healthy trade in malicious code snippets, ideas, and resources between collaborators on the so-called “Dark Web.” Malware as a Service comes as a more structured addition to what’s become a thriving economy which exists beyond the reach of law enforcement and government controls. And as the sector evolves, it’s pricing itself into the reach of independent operators and (allegedly) state-sponsored actors, as well.
Research figures from 2013 put the price tag on a thousand infected host computers in the US at $200, with the tariff set at around $60 to $120 for a thousand hosts in the European Union. In 2015, Distributed Denial of Service (DDoS) attacks could be contracted out to clients for as little as $25 per hour.
MaaS is a demand-driven market, with price levels reflecting the degree of sophistication of the attack vectors or services involved, and influenced by the availability of popular exploits in the malware eco-system.
For example, after the Angler exploit kit disappeared in June 2016, developers of the Neutrino exploit kit were able to hike their monthly rate for infrastructure rental from $3,500 to $7,000.
There can be a huge disparity between the costs incurred by Malware as a Service subscribers and the financial impact of a successful attack on their targets – which is part of the reason why the MaaS business model is such a lucrative option for those on the dark side.
The same DDoS service package that’s available to hackers for less than the price of a decent restaurant meal can cost an enterprise more than $155,000 per hour, according to figures calculated by Neustar in its 2015 “DDoS Attacks & Impact Report.”
Exploits on Demand
MaaS contributes monitoring, management, and value-added services to a market that already offers exploit kits for the development and delivery of malware.
Ransomware has become a hot item in this sector, with phishing strategy, bogus site development, delivery vectors, and financial management services now available to order. Packages range from smaller-scale ploys aimed at individual consumers or small businesses to enterprise-grade kits capable of assaults on multi-national corporations.
Malware as a Service – A Growth Industry
A threat index prepared by CIO Insight measuring the number of malicious websites world-wide suggests that this figure grew from 128 in the fourth quarter of 2015 to 137 in the first quarter of 2016 – an increase of 7%. This indicates an upward trend in the spread of Malware as a Service outlets and resources that’s likely to continue.
Domains registered in the USA dominate the scene, accounting for around 41% of malicious IP addresses. This includes domains specifically constructed for cyber-crime and those legitimate domains that have been compromised by malware and fall under cyber-criminal control. Iceland, the Netherlands, Portugal, Russia, and the UK collectively account for around 50% of new malicious domains.
Ironically, the number of actual individuals currently playing key ownership and management roles in the MaaS economy runs to less than 200, according to figures from the US Federal Bureau of Investigation (FBI). But the revenue generated by MaaS may very well run into billions of dollars, annually.
An Ongoing Battle
As enterprise security becomes increasingly multi-layered and complex, Malware as a Service seems to have arisen as a way to redress the balance for “black hat” operators. Prices in the MaaS sector are continuing to fall, as the number of available services increases – putting even more pressure on their targets.
Attacks themselves are evolving into multi-layered assaults that further stress enterprise resources. Those cheaply sourced DDoS attacks are often used as a backdrop for more complex and sophisticated techniques targeting intellectual property, customer credentials, and business-critical data.
In addition to having to adapt their own defenses to survive, businesses may also have to call upon the help and collaboration of Internet Service Providers (ISPs), both in providing up-to-date information regarding the source of an attack and in bringing down Command and Control centers used by Malware as a Service networks.