Thursday, June 4, 2009

Malware Rising

Yes, hacking by malware is the new hip trend. All the cool kids are getting hacked that way.

Not to be left behind Aviva, USA says that at the core of their recent data breach was malware.

According to this article on, Aviva lost approximately 550 Social Security Numbers (SSNs) which isn't necessarily earth-shattering, but it is noteworthy that this continues the trend of Heartland Payment Systems, Hannaford Grocery Stores and many, many others who are blaming malware installed on their systems for their data breach problems.  Check this quick Google out.

Isn't that like blaming the hand grenade that was tossed through an open window for the damage? Wouldn't you blame the person who left the window open first, then the open window itself... and only then the incendiary device? They have to realize that the malware they're blaming their troubles on was inserted into their systems by some human being who circumvented their security measures. Right?


Gunter Ollmann said...

Sorry Raf, but I've gotta disagree with you on that one. The malware in criminal use today is much more advanced than what you're giving credit for. Most new DIY creator kits can create malware capable of bypassing just about all traditional host-based defenses. If you federate your malware production system with advanced packers, cryptors, droppers, and Web drive-by-download exploit packs -- well, the proof is self-evident that it can bypass traditional network defenses as well.

As it so happens, I was working on some content for presentations on this topic last night. So I posted a short blog on a new run-of-the-mill DIY kit... Octopus Keylogger... $30 will get you started.

Rafal Los said...

While I do agree with you that malware these days is mostly customized to suit the purpose, I still think that blaming the malware itself isn't quite right. Most of these cases where "malware was the problem" could have been prevented by proper security measures (of course I'm hypothesizing) such as no local admin rights for ordinary users, encryption on the wire (point-to-point) and encryption of the payload (encrypt the actual DATA)...

The procedural points wouldn't necessarily make it impossible (nothing can accomplish that, I acknowledge) to load custom malware onto a system... but they would raise the bar and maybe set off an alarm or two in the company's systems in the process.

I agree that since I first used VCL (Virus Creation Lab) back in 1998/1999 things have been custom-coded for maximum efficiency - but it's the lack of procedural security that's making all these attacks possible.

I'm sticking to my guns Gunter :)