A Decade in Review: Cybercriminal Motivations behind Malware

Ten years later, it is tempting to say that the September 11th terrorist attacks against the U.S. changed everything. It is indisputable that it changed many things, and without a doubt it changed how we think about security, how we deploy security, and what we spend on security.

But we have not seen a comparable impact on cyber security. The events of 9/11 drove a deep concern with physical security, but in 2001 no one saw a physical threat originating from a computer. That said, in the last ten years we have seen a significant evolution in the Internet security threat landscape.

Major Threats

Fame
2001: Code Red, Anna Kournikova
2003: SQL Slammer
2004: MyDoom
Network and email worms caused chaos and system overloads, bringing underground fame to the authors behind them.

2006: Rogue AV (Trojan.FakeAV)
Selling fake security software becomes a highly profitable business for cybercriminals.

2007: Zeus (Zbot), Storm Worm (Peacom)
Banking Trojans allow crooks to rob banks without ever entering a building.

2008: Conficker (Downadup)
Security industry efforts limit the impact of the last major massive attack.

2009: Koobface
Users move to social media and cybercriminals follow with malware that leverages the connections that social media creates.

2010: Aurora (Hydraq)
High-profile attacks show the true potential of malware to steal IP and cause harm in the physical world.

2011: APTs and Hacktivism
With reports of governments, businesses, defense contractors, and security companies coming under attack, targeted attacks become ubiquitous.

Looking at the list above, it is easy to see that cyber threats have become much more sophisticated over the course of the last decade. But the real evolution—what has driven the changes in the threat landscape—is the motivation behind the malware. In 2001, malware authors were mainly concerned with displaying their technical prowess. While they didn’t desire fame for themselves (because that could result in jail time), they wanted their creations to be famous. In other words, they were showing off.

From here, the progression towards monetizing malware seemed almost natural; as attackers became more sophisticated in practicing their craft, it was only a matter of time before someone sought to make money off their skills. The criminal entrepreneurs stepped it up. The second half of the 2000s brought an explosion of botnets, fake AV, and banking Trojans. Crime paid. While there were DDoS attacks and website defacements undertaken by different groups for political purposes, none were particularly noteworthy in their technical sophistication or newsworthy in their accomplishments. They failed at fame and represented no significant threat to anyone. Our way of life was not threatened by our inability to access a particular website at a given time.

The second major evolution since 2001 is underway now. Hydraq (or Aurora) quickly demonstrated that the same tools used to steal from a consumer could be used to steal from a corporation. It wasn’t the first time malware was used for industrial espionage, and as recent events have made clear, it was also not the last. That said, spying on companies or governments is not new, and the malware tools used in cyber espionage are not particularly new or unique. Advanced persistent threats (APTs) or targeted attacks differ in how the tools are used, not in the tools that are used.

All of which brings us to Stuxnet. The real legacy of Stuxnet will be the example it set for others. It opened up a world of possibilities in everyone’s minds. Politicians and militaries now talk openly about cyber warfare, and security researchers are finding ways to hack into devices that many might not even think of as vulnerable—such as insulin pumps, cars, and doors to jail cells.

What Stuxnet does do is force us to consider malware in our concerns about physical security. And this does tie into the significance of 9/11 and change everything. In ten years’ time, there will no doubt be plenty of examples of how Stuxnet has impacted the Internet security threat landscape.