The next big thing? Crimeware-as-a-service

The next big thing? Crimeware-as-a-service

Summary: Finjan says Crimeware-as-a-Service (CaaS) is becoming an increasing problem and the ability of law enforcement to track malicious hackers will become increasingly hampered.On Monday, Finjan's Malicious Code Research Center (MCRC) released its first quarter Web security trends report (registration required) and highlighted CaaS.

TOPICS: Security, CXO

Finjan says Crimeware-as-a-Service (CaaS) is becoming an increasing problem and the ability of law enforcement to track malicious hackers will become increasingly hampered.

On Monday, Finjan's Malicious Code Research Center (MCRC) released its first quarter Web security trends report (registration required) and highlighted CaaS. finjan's release is timed for the RSA security conference in San Francisco.

The gist: "Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites," says Finjan. In other words, it's point, click and hack.

What makes CaaS a big problem is that the service operators don't necessarily attack anything. These CaaS operators are basically arms dealers that provide customers with anti-forensic attack techniques and the ability to manage cod networks. Finjan has highlighted this trend before, but its report puts a little more meat on its research.

Finjan argues that CaaS is the latest phase in the commercialization of malicious hacking. Next up: A service for getting stolen data that tailors victims to criminal intent. Here's how Finjan sees the commericalization of information security crime developing.


Finjan in its report notes:

(Cybercrime commercialization) is no longer just the trading of data as we have seen in the past,where criminals would offer sensitive business data to the highest bidder, but providing a service that encapsulates the entire attack and infection process, and provides a distilled feed of data that is being harvested as part of the attack. It not only detaches the criminals from the actual work of exploiting and controlling the attacks, but also allows a bigger “market share” in the business of criminal activities on the web.

And here's a possible crimeware data trading scheme:


Finjan paints a glum law enforcement picture.

A service like this will also be the next logical step in terms of the technical development of Crimeware toolkits. Initially we have seen a simple aggregation of exploits, followed by some reporting capabilities. Next came automatic updates, support, and enhancements (such as integration of code-obfuscation and evasive anti-forensics techniques). Currently, we see the rise of the Crimeware-as-a-Service (CaaS) model in the Crimeware-toolkit market. It enables such a toolkit to gather the data from the victims and sort it according to some rough criteria for the users, since all the data and networking is already built-in and available for the criminals and attackers.

This development will further distant the criminals from the techies – a trend that we have seen evolving over the past couple of years. This trend will get a further boost with the catching on of the CaaS model. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised. Although in theory such an operator could be prosecuted for hosting and operating malicious code (depending on the penal code in the respective country in which it is being prosecuted) the impact that the data itself could have on such a prosecution makes it quite academic.

Comforting eh?

Topics: Security, CXO

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Close to maturity, watch out!

    Cybercrime against commercial and end-users is going to be big business this year. I expect to see a big ramp-up in fraud and extortion incidents, and we will continue to see the same lip service from law enforcement agencies who see it as unsexy drudge work compared to terrorism or kiddie porn investigating.

    At the same time the banks and credit card companies continue with the very same policies that make identity theft so easy, and companies continue to have data breaches that are hushed-up or misrepresented in scope and severity.

    In the meantime, there are 3 actions that every consumer should take to minimize the damage:

    1) cancel non-essential credit cards and lines of credit;
    2) put blocks on your credit reports to prevent new lines of credit from being approved;
    3) look for ID theft insurance.

    With hundreds of billions in write-downs and fraud being uncovered in the subprime fiasco, cybercrime is not getting much coverage from the FBI or the press these days. A billion or two in losses are small change to them.

    But if YOUR life has just been ruined because of a $50K loss from your savings account or you are being harassed by creditors 10 hours a day, then it's a big deal to you
    terry flores
  • RE: The next big thing? Crimeware-as-a-service

    The only way to stop this trend is to have the courage to take the profit out of it. Take ALL assets, whether obtained criminally or legally FROM those involved at whatever level of involvement. Then strip them PERMANENTLY of any degrees, employment, or access to any medium to which they can employ their technical talents.
    Make it last for their LIFETIME. Further, make them contribute a portion of all future earnings to law enforcement pools of money to purchase the latest technology and expertise to fight crime. No money, no profit, severe reality-based penalties, no crime.
  • RE: The next big thing? Crimeware-as-a-service

    You are correct.However you need to punish the criminal behavior and character so that you don't punish the innocent. Punishing the innocent with over-restrictive laws will not help and the criminals will break the laws no matter how many laws you create so we need to not to overburden the innocent with laws. We need to punish the bad behavior and character not the device also. We seem to gotten a mindset of banning something to stop what is really bad behavior.
    For those who technologically savvy you can send for punishment to some place where there is no advanced communications (even a simple telephone) or systems so they can suffer their consequences properly.
  • Thanks, Gonzo and Mukasey

    Hate to make it political, but the top cop in the land is the AG. We've had two in a row who refuse to prosecute buddies, and Mukasey flat out states that he won't prosecute nasty things that happened in the past, but probably won't happen in the future.

    When idiot cronies rule the land, geniuses do as they please. We've entered that phase of capitalism where anything's legal until you are caught, and the odds of that are ZERO.
  • RE: The next big thing? Crimeware-as-a-service

    The current Whitehouse resident and his buddies do not give a flying fart if your child is killed or maimed as long as they can hand out their no-bid contracts and hold hands with Saudi Princes.

    Until cybercrime steals from them personally they aren't worried.
    Besides, they figured a way to make money off our troubles. It is the very same folks that harvest personal info and then lose it, that are pushing monthly fees for protecting you from the edge that THEY gave to the badguys.

    Steal a dollar and they lock you up.
    Steal a million and they make you king.
    • Re: The next big thing? Crimeware-as-a-service

      Another completely off topic rant promoting some PC (not Personal Computer !) BS. Go back and do a couple more lines and return when you're coherent, dude.
  • RE: The next big thing? Crimeware-as-a-service

    I agree you can't punish the innocent. The criminals would only keep breaking the laws they need to banned the criminals from computers and don't let them use any means of a computer that would include a cell phone too. I think if people would run a crimeware program it would cut down on the cybercrimes.