Definitions
Crimeware is
“software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software.”
“a broad category covering any use of malware to compromise systems such as servers and desktops.”[1]
How it works
Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via many mechanisms, including:
- Social engineering attacks convincing users to open a malicious email attachment containing crimeware;
- Injection of crimeware into legitimate websites via content injection attacks such as cross-site scripting;
- Exploiting security vulnerabilities through worms and other attacks on security flaws in operating systems, browsers, and other commonly installed software; and
- Insertion of crimeware into downloadable software that otherwise performs a desirable function.
Once installed, crimeware can be used for financial benefit by the attacker in many ways, including:
- Theft of personal information for fraudulent use and/or resale on a secondary market (as in a “phishing” attack);
- Theft of trade secrets and/or intellectual property, by commission, or for sale, blackmail or embarrassment;
- Distributed denial-of-service attacks launched in furtherance of online extortion schemes;
- Spam transmission;
- “Click fraud” that generates revenues by simulating traffic to online advertisements;
- “Ransomware” that encrypts data and extorts money from the target to restore it; and
- Use of consolidated personal information for furtherance of additional attacks, such as obtaining contact lists and email addresses to additionally or more precisely target the victim and his or her associates.
Distribution
Crimeware is distributed in many ways. The various distribution models include distribution leveraging social engineering (attachment, piggybacking), exploit-based distribution via server (web browser exploit, including content injection), exploit-based distribution via infected computer (internet worms), and distribution via human (hacking). Distribution of crimeware may blur these distinctions, such as a social engineering "phishing" attack that directs users to a web site that installs crimeware via a web browser exploit.
Anatomy of a crimeware attack
The stages of a crimeware attack, as shown in the accompanying diagram, are categorized as follows:
- Crimeware is distributed. Depending on the particular crimeware attack, crimeware may be distributed via social engineering (as is the case in malicious email attachments and piggyback attacks) or via an exploit of a security vulnerability (as is the case in web browser security exploits, internet worms, and hacking).
- The computing platform is infected. Infection takes many forms. In some cases, the crimeware itself is ephemeral and there may be no executable “infection” stage, as in immediate data theft or system reconfiguration attacks. In such cases, an attack leaves behind no persistent executable code.
- The crimeware executes, either as part of a one-time attack such as data theft or system reconfiguration, as a background component of an attack such as a rootkit, or by invocation of an infected component.
- Confidential data is retrieved from storage, in attacks such as data theft.
- Confidential information is provided by the user, in attacks such as keyloggers and web Trojans.
- The attacker misappropriates confidential data. Data may come from any of several sources depending on the type of crimeware involved.
- The legitimate server receives confidential data, either from the executing crimeware (in attacks in which data is explicitly compromised by the crimeware) or from the attacker (in man-in-the-middle attacks).