Malware is evolving into a rewarding, mature high-tech market, and it's not surprising that the financial incentives of developing and peddling malware can outweigh the risk of penalties that include spending quality time in jail.
Malicious code developers may not be business school graduates, but they appreciate basic business principles to expand their addressable market; optimizing revenue from the install base and leveraging technology. That was the takeaway from the Cisco 2009 Midyear Security Report, an excellent summary of the major malware activity written for a less-technical executive audience.
The nature of most malicious activities on the Internet has forced cybercriminals to find ways to maximize returns and do so in a more polished, business-like way. There's no doubt that most tech vendors will recognize the activities below.
- Expand the addressable market. One way to grow a business is to grow the number of prospects the business sells to. Given a sales closure percentage, more prospects generally leads to more revenue. Malicious teams are constantly using new skills and techniques to reach unprotected endpoints. Spam is the most effective means of attracting new endpoints. According to Cisco and the Messaging Anti-Abuse Working Group, spam attacks are easy to implement, difficult to trace to the source, and generate a predictable revenue stream.
- Mine the install base. Every business knows it is easier to farm the install base then it is to hunt new customers. Malicious developers of botnets make money by utilizing the software real estate of their installed base. Bots that are initially designed as launch platforms for low-and-slow spam activity are rented or sold to other attackers for lucrative ID theft, denial-of-service attacks, or other spam campaigns. It has reached the point where botnet owners now have to use security methods to protect their installed base from competing botnet developers.
- Sustain and innovate technical differentiators. High-tech vendors emphasize their technical differences from competitors to market the best solution to customer problems. Those with poor differentiation usually are forced to compete on price and to live on thinner margins. The attack trend is to differentiate and move quickly with new technology to keep ahead of security researchers. Look for malware developers to continue to innovate with DNS redirection, new forms of spam, harder to detect botnets, website hacks, and Web 2.0 malware designed for social networking (e.g. Facebook), social communications (e.g. Twitter) and social mobile devices (e.g. iPhone applications).
Ironically, it is the Conficker Working Group itself that provides a lasting example of the agility attackers display in applying basic business principles. While www.confickerworkinggroup.org is the published site of the multivendor security working group, www.confickerworkgroup.org is a cybersquatter site. It seizes the opportunity presented by Conficker publicity to expand the addressable market of site visitors, mines that base with malware (including a button for the Conficker Worm Remonal – sic), and seems to employ multiple malware technologies as a differentiator. It is a perfect illustration of how easy it is to set up an attack and how difficult it is for security to distinguish between a predatory site and one that is just distasteful. Readers of SearchSecurity.com are savvy enough not to venture near this site. If you do not see a column from me next week, you'll know that I made a mistake and my computer just went up in smoke ;).
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.