I recently attended a local ISACA event here in San Francisco and was blown away by a presentation by Ali Golshan with PWC. The name of the presentation was Advanced Cyber Threats. In it he provided a deep dive into the new types of malware being developed and used the Aurora incident in 2009 as an example. He went on to say that Aurora utilized social engineering, a Zero-day vulnerability, and gaps in traditional IPS, firewall, and web proxy security solutions. It targeted email archives and other confidential data.
What I was most impressed and amazed by was his description of the modular nature of the malware. It could accept new payloads for further compromises, had a mechanism for updating itself, and accepted remote command and control. It followed traditional security practices by only initiating sessions from inside the network it was on. As I was thinking about this, it dawned on me that this sounded a bit like a software-as-a-service (SaaS) model perhaps more aptly described as malware-as-a-service (MaaS). There are a lot of definitions for SaaS. The iTunes / iPhone (iPad, iOther) combination can be considered a form of SaaS. Qualys’ vulnerability management service follows a SaaS model that includes a scanner appliance controlled through a web site with back-end support supplied and hosted by Qualys in their data center.
Aurora’s sophistication begins to sound like the evil version of SaaS. In Aurora’s case, I have a piece of software that’s placed on a host or network (surreptitiously) that can be remotely updated and remotely controlled (maybe through a web interface). It gathers data and securely sends it back to be over SSLv3. The only difference is that this service performs a malicious function that the victim has no control over.