Security researchers are studying Capfire4, which may be the first example of malware-as-a-service (MaaS).
As enterprises strive to improve their efficiency, more and more are turning to the cloud for ease of access, cost savings, and greater agility overall. This is as true of criminal enterprises around the world as it is of legitimate ones.
Cybercriminals have long embraced the cloud, both for file-sharing services that host their malware and for processor-intensive tasks such as cracking passwords. In a sense, botnets are nothing more than illicitly assembled, ad-hoc cloud resources. Now some criminals are taking the next step, offering software-as-a-service and cloud storage for their own products: malware-as-a-service.
Alberto Ortega, a research engineer at AlienVault, described the operation of the Capfire4 MaaS offering. "It means that clients don't have to mess with almost any technical issues, and they don't need special skills or knowledge. The providers supply the tools, the hosting, and the Command and Control server" in the cloud, Ortega explained.
Capfire4 joins a teeming underground market of remote access tools, crimeware kits, and support forums for cybercriminals worldwide. The service combines three things: malware that the client can personalize, a remote administration tool for controlling infected machines through a Web browser, and cloud hosting for the client's malware on a choice of legitimate-looking domains.
After the client's personalized Trojan is generated in real time, the service checks it against 42 anti-virus packages. The sample shown on the AlienVault site was detected by only 2 of the 42 engines tested. A rate that low is what you would expect for a build generated on demand that no vendor has yet seen; it says nothing about how quickly detection catches up once the sample starts circulating.
The client's browser talks to the Capfire4 portal's control panel over HTTPS with a valid TLS certificate. The command-and-control channel to the compromised machines in the client's botnet is separate: the server issues its commands over port 9000 using a custom protocol, which gives defenders a network-level indicator that does not depend on the anti-virus engines catching the freshly built Trojan.
Information security and user education matter more than ever as the tools to generate malware and build botnets become available in the cloud to unskilled, non-technical users worldwide. Capfire4 may be innovative in its cloud packaging, but the Trojans at its core still need user action to enlist a machine into a botnet. Beyond placing the service's domains and command-and-control servers on reputation blocklists and watching egress traffic for its command channel, defending against this and similar threats rests mainly on an educated, security-aware user community.
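The two defensive leads the article gives, the port 9000 command channel and the reputation blocklisting of the service's domains and C2 servers, can be turned into a simple hunting script over outbound connection logs. The following is an added example written for this page; it is not code from AlienVault or from the Capfire4 operators, and it takes only two facts from the article: bots are commanded over port 9000 with a custom protocol, and the service's hosting domains and C2 servers are candidates for blocklists. Everything else is an assumption: that the port 9000 channel is TCP (the article does not say), the log line format, the `BLOCKLIST` entries (placeholder addresses, not real Capfire4 infrastructure), and the internal address ranges.

```python
"""
Hunting heuristic for Capfire4-style C2 traffic in outbound connection logs.

Added example, not from the AlienVault write-up. Facts from the article:
bots are commanded over port 9000 using a custom protocol, and the
service's domains/C2 servers belong on reputation blocklists.
Assumptions: the port 9000 channel is TCP, the log format below, the
blocklist entries (placeholders, not real infrastructure), and the
internal network ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed blocklist: placeholder entries, not real Capfire4 hosts.
BLOCKLIST = {"198.51.100.23", "cdn-update-service.example"}

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall-style log lines: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2012-05-10T09:12:01Z 10.0.1.15:51234 -> 198.51.100.23:9000 tcp
2012-05-10T09:12:05Z 10.0.1.15:51240 -> 203.0.113.7:443 tcp
2012-05-10T09:13:10Z 10.0.2.88:49876 -> 198.51.100.23:9000 tcp
2012-05-10T09:14:00Z 10.0.3.4:40022 -> 192.168.5.9:9000 tcp
2012-05-10T09:15:30Z 10.0.1.15:51250 -> 198.51.100.23:9000 tcp
2012-05-10T09:16:00Z 10.0.4.1:33001 -> 203.0.113.55:9000 udp
2012-05-10T09:17:00Z 10.0.5.6:35000 -> cdn-update-service.example:443 tcp
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, src, _, dst, proto = parts
    src_ip, _, src_port = src.rpartition(":")
    dst_host, _, dst_port = dst.rpartition(":")
    try:
        return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
                "dst_host": dst_host, "dst_port": int(dst_port),
                "proto": proto.lower()}
    except ValueError:
        return None


def is_internal(host):
    """True if host is an IP inside an assumed internal range.
    Hostnames (not IPs) are treated as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Return the reasons a record is interesting (empty list if none)."""
    reasons = []
    if rec["dst_host"] in BLOCKLIST:
        reasons.append("destination on C2 blocklist")
    # Only outbound traffic counts: internal source to an external destination.
    if (rec["proto"] == "tcp" and rec["dst_port"] == 9000
            and is_internal(rec["src_ip"]) and not is_internal(rec["dst_host"])):
        reasons.append("outbound tcp/9000 (Capfire4 C2 port)")
    return reasons


def hunt(log_text):
    """Run the heuristic over log text.
    Returns (hits, summary): hits is a list of (record, reasons);
    summary maps each flagged destination to the number of distinct
    internal sources that talked to it, which is the number to triage on."""
    hits = []
    sources_by_dst = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec, reasons))
            sources_by_dst[rec["dst_host"]].add(rec["src_ip"])
    summary = {dst: len(srcs) for dst, srcs in sources_by_dst.items()}
    return hits, summary


if __name__ == "__main__":
    found, per_dst = hunt(SAMPLE_LOG)
    for rec, why in found:
        print(f"{rec['ts']} {rec['src_ip']} -> {rec['dst_host']}:{rec['dst_port']}  {'; '.join(why)}")
    for dst, n in per_dst.items():
        print(f"{dst}: {n} distinct internal source(s)")
```

Port 9000 alone is a weak indicator: plenty of legitimate software listens there, so the script treats an outbound TCP/9000 connection as a hunting lead, not a verdict, and corroborates it with a blocklist hit or with several internal hosts talking to the same external destination. An internal-to-internal connection on 9000 (the fourth constructed line) and a UDP connection (the sixth) are deliberately not flagged.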
Be careful out there.