Yes you read right: You can now get a service contract to provide upgrades for spyware, Trojans, rootkits and key loggers, just like you get with your computers, Oracle databases and CRM software.
You have to marvel at the sheer brass of it all. “The pricing model is scarily professional,” Mark Sunner, chief security analyst at security firm MessageLabs, told internetnews.com. “You can buy a one-off and get an update or pay more and get many updates. The whole thing looks like a commercial model but is revolving around malware.”
The prices start at around $260 for just the software, and can go up to $3,500 for something guaranteed with updates and containing specific functionality, such as being able to recognize specific online banks.
Sunner first noticed late last year that Russian spyware and virus sites were offering to sell the Bespoke Trojan, which is designed to steal corporate information and intellectual property. Bespoke had been around a while, but now they were offering modifications to target a specific company and updates if a company’s security methods detected it.
He also noted a shift in targets. Large enterprises had been the traditional targets of Trojans and spyware like Bespoke, but corporations had better security methods, so small and medium-sized businesses have become the new targets. Small firms have less money for security and are therefore easier targets.
Because of this shift in malware to targeted industrial espionage, there is a good chance that the spyware will never make it to the labs of Symantec, McAfee, F-Secure and the others. These aren’t viruses floating around on the Internet. They are aimed at one particular target, so the antivirus vendors are less likely to get a sample of the malicious code, said Sunner.
This exposes the dirty secret of the antivirus market: it’s reactive. Antivirus software has heuristics, intelligence designed to catch patterns of behavior to trap unknown viruses. But the problem is, heuristics often aren’t very good.
“They find out about a virus because someone else takes a bullet. The problem with these targeted attacks is, because they are aimed at only one company, the chances of it getting onto the radar of the broader security world is zero,” said Sunner.
It’s becoming impossible to keep up with the bad guys because they are always ahead of the antivirus vendors. “The bad guys are gaming that reactive model very successfully. We’ve intercepted 20 variants of a single virus in 24 hours. They have them queued up ready to go, knowing that reactive model can’t keep up with that,” said Sunner.
Not helping at all is Russia. There’s an absence of legislation to prevent something like this in the first place, said Sunner. Russia and other countries, like China, are not participants in worldwide groups like the Organisation for Economic Co-operation and Development and/or the International Telecommunications Union, which attempt to fight malware.
Natalie Lambert, senior analyst for client security and management at Forrester Research, wasn’t surprised at such a development.
“The shift in Internet threats today is moving away from the malicious that’s out to cause harm. It’s all about money. So why create harm for fun when you can make millions of dollars? That’s what’s happening now,” she told internetnews.com.
Since antivirus writers can’t protect against a specific, targeted attack, Lambert said the urgency is for multilayered security. “It really is a matter of making sure your systems are protected,” she said.
“Antivirus software can only protect you against the known. You need a multilayer approach, antivirus, anti-spyware, firewalls, host IP filtering, application control, device control, the works.”