This document discusses the rise of malware as a service and the business models that cybercriminals use. It notes that cybercriminals are mirroring legitimate business models by offering malware creation, distribution, leadership, and resilience services. Customers can get custom or off-the-shelf malware, distribution networks, command and control resilience, and 24/7 support. This document warns that these criminal models pose serious threats and are difficult for defenders to detect and disrupt in a timely manner.

1. Technology Deathmatch
The arms race is on
Sean M. Bodmer, CEH, CISSP, NCIA
Chief Researcher
Counter-Exploitation Intelligence
CounterTack

2. Who is this tool?
 Sean M. Bodmer, CISSP, CEH, NCIA
 Arrested @16 years of age for hacking NASA and 3 other .gov networks
 Yes, it did put a damper on my life for a few years
 >50% of my time spent in non-gov’t based clandestine cyber operations
 2012 – Helped US Entities seize and recuperate > $6M USD
 Brief Bio
 Over 16 Years in IT Systems Security
 Over 10 Years in Intelligence and Counter-Intelligence Operations
 Lectured at numerous Industry Conferences
 Co-Authored 2 Books w/McGraw-Hill (writing 2 more)
 Quoted and Named in > 400
 Magazines, newspapers, radio, and tv-news
 CounterTack, Inc.
 Focused on in-progress detection and attribution of threats
 Develops and deploys custom high-interaction honeypots
 Provides customers tailored Threat Intelligence Services
 Knowledge Bridge Intelligence, Inc
 US IO Subject Matter Expert

3. 11/18/2013
3

4. There is more than one
Author(s)
• Original malware creator(s)
• Offer malware “off-the-rack”
or custom built
• May offer DIY construction kits
• Money-back guarantee if detected
• 24x7 support
Distribution/Delivery (MAS)
•
•
•
•
•
Specialized distribution network
Attracts and infects victims
Global & targeted content delivery
Delivery through Spam/drive-by/USB/etc.
Offers 24x7 support
Leader
• Individual or criminal team
• Maintains and controls order
• Holds admin credentials
Operator
• Operates a section
• Issues commands
• May be the leader
Resilience/Recovery (MAS)
•
•
•
•
•
Provides C&C resilience services
Anti-takedown network construction
Bullet-proof domain hosting
Fast-flux DNS services
Offers 24x7 Support

7. Cloud as a Service Model
• YES, criminals are mirroring our e-biz models

8. Malware As A Service

9. Malware As A Service

10. Malware As A Service

11. Malware As A Service

12. Boundary/ Perimeter

13. Host/End-point

14. Host/End-point

15. The Arbitrary Icon
THIS DOES NOT MEAN YOU ARE SAFE !!!

17. Today’s Problem Set
• Almost all discoveries are post-mortem
– Next day or countless days later
• Generally, through laborious manual analysis
• Easily detectable over time
– Static defenses can be identified by skilled adversaries
• Difficult to use
–
–
–
–
Heavily dependent on human expertise
Staging and maintaining honeynets
Manual reporting and analysis
Manual correlation between data sources

19. Let’s Look @ Something
• What can one find when p0wning bad-actors?
Carberp Source Code Leak

20. Questions??
sbodmer@countertack.com
Twitter @Spydurw3b
Skype @Crypt0k1d