I'm not sure, but the malware community may soon make more money than the security community on Macs. I wouldn't mind these revenues. :)
Symantec: Flashback malware netted upwards of $10,000 a day
“This ultimately results in lost revenue for Google and untold sums of money for the Flashback gang,” Symantec wrote. Since Flashback infected hundreds of thousands of users, “this figure could sharply rise to the order of $10,000 per day,” Symantec wrote.
I'm busy this week on another task, but I'd like to write up a review of Flashback from the audit trail perspective maybe next week (see example papers below). If anyone maintains a web server with the malware & infection vector on it (for testing purposes only presumably), I'd appreciate a link to it or a tarball of it so I can stand up a server in my lab here to infect myself.
By the way, I received some feedback (thanks! you know who you are :) ) from the first paper on Google behaving like an APT and wrote a second paper on it. There is still some feedback that I haven't addressed yet, but I will try to get to them soon.
Thanks,
Todd
In case you are interested, here is a "making of" paper if anyone wants more technical details ...
The Making of "The Advanced Persistent Threat You Have: Google Chrome"
Google's software update system can serve as a model Advanced Persistent Threat (APT). APTs often embed programs in a penetrated system. These programs wake up from time to time, call home, download additional programs and instructions to carry out, and modify systems. Google's software update performs all these steps too. Furthermore, because the Google Chrome browser is so widely used and updated so frequently, Google's update process provides analysts ample opportunity to test their data sources, tools, and skills for their ability to detect and reconstruct the "attack". The paper "The Advanced Persistent Threat You Have: Google Chrome" made the claim that if the analyst could not perform the analysis of Google's update system, they were probably not prepared for malicious APTs. The paper then provided a partial reconstruction of the update activity. This paper describes how the analysis in that first paper was performed. It describes the computer system, data collection, and analysis tool. It then shows how the tool and data were used to reconstruct the "attack".
And the original paper...
The Advanced Persistent Threat You Have: Google Chrome
The Advanced Persistent Threat (APT) has become the watchword for cyber espionage damaging our national and economic security. Do you have APTs inside your organization right now? How can you be confident of your answer? I argue that you probably already have a "benign APT" inside your organization, and your ability to detect, analyze, and understand this benign APT's actions will tell you whether you have a chance to do the same for malicious APTs. That benign APT is Google's software update system. I pose key questions that your organization should be able to answer about this activity. I present a summary of my findings and a somewhat detailed analysis of Google's update activity. To determine if your organization is prepared for a modern threat, you should consider a similar exercise with the data you currently collect and the tools you use to analyze that data. If you fail with the Google APT, you will probably fail with a real APT.
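The wake up / call home / modify sequence that the abstract attributes to both APTs and a software updater, reconstructed from a constructed audit trail as an added example (this is not the paper's tool or data; the record format, process names, paths and the updates.example.test host are placeholders made up for the illustration):

```python
from collections import defaultdict

# Constructed sample audit trail (not real data): "<epoch> <pid> <process> <event> <detail>".
# An updater wakes twice, calls home and writes a payload; an editor only execs and writes.
SAMPLE_TRAIL = """\
1000 501 updater exec /opt/updater/updater
1002 501 updater connect updates.example.test:443
1005 501 updater write /opt/app/new_binary
1100 777 editor exec /usr/bin/editor
1105 777 editor write /home/user/notes.txt
4600 512 updater exec /opt/updater/updater
4602 512 updater connect updates.example.test:443
4604 512 updater write /opt/app/new_binary
"""

CHAIN = ("exec", "connect", "write")  # wake up -> call home -> modify the system


def parse_trail(text):
    """Parse the trail into (ts, pid, proc, event, detail) tuples, time-ordered."""
    recs = []
    for line in text.splitlines():
        ts, pid, proc, event, detail = line.split(maxsplit=4)
        recs.append((int(ts), int(pid), proc, event, detail))
    return sorted(recs)


def sessions_by_process(recs):
    """Group records into per-(proc, pid) sessions: ordered (ts, event, detail) lists."""
    sessions = defaultdict(list)
    for ts, pid, proc, event, detail in recs:
        sessions[(proc, pid)].append((ts, event, detail))
    return sessions


def has_chain(events, chain=CHAIN):
    """True if the chain's events appear in order (as a subsequence) within one session."""
    idx = 0
    for _, event, _ in events:
        if idx < len(chain) and event == chain[idx]:
            idx += 1
    return idx == len(chain)


def reconstruct(text, min_wakes=2):
    """Map each process that repeatedly wakes and completes the full chain to its
    session start times; one-off or partial chains (the editor here) are ignored."""
    hits = defaultdict(list)
    for (proc, pid), events in sessions_by_process(parse_trail(text)).items():
        if has_chain(events):
            hits[proc].append(events[0][0])
    return {p: sorted(t) for p, t in hits.items() if len(t) >= min_wakes}
```

Running `reconstruct(SAMPLE_TRAIL)` yields the updater's two wake-up times and nothing for the editor; the same grouping applied to real process, socket and file-write records is the exercise the abstract asks an analyst to attempt.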