
I recently attended a local ISACA event here in San Francisco and was blown away by a presentation by Ali Golshan of PwC. The presentation was titled Advanced Cyber Threats. In it he provided a deep dive into the new types of malware being developed, using the 2009 Aurora incident as an example. He went on to say that Aurora combined social engineering, a zero-day vulnerability, and gaps in traditional IPS, firewall, and web proxy security solutions. It targeted email archives and other confidential data.
What I was most impressed and amazed by was his description of the modular nature of the malware. It could accept new payloads for further compromises, had a mechanism for updating itself, and accepted remote command and control. It also respected the conventions of a well-run network: it only ever initiated sessions outbound, from inside the network it had compromised, so it never needed an inbound connection that a firewall would block. As I was thinking about this, it dawned on me that this sounded a bit like a software-as-a-service (SaaS) model, perhaps more aptly described as malware-as-a-service (MaaS). There are a lot of definitions for SaaS. The iTunes / iPhone (iPad, iOther) combination can be considered a form of SaaS. Qualys’ vulnerability management service follows a SaaS model that includes a scanner appliance controlled through a web site, with back-end support supplied and hosted by Qualys in their data center.
Aurora’s sophistication begins to sound like the evil version of SaaS. In Aurora’s case, I have a piece of software that’s placed (surreptitiously) on a host or network, that can be remotely updated and remotely controlled (maybe through a web interface). It gathers data and securely sends it back to me over SSLv3. The only difference is that this service performs a malicious function that the victim has no control over.
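The detail above that the malware only ever initiated sessions from inside the network is also where a defender gets a foothold: a remotely controlled implant has to check in with its controller, and those check-ins tend to land at unusually regular intervals compared with human-driven web browsing. The script below is an added example written for this post, not code from the talk or from any product it mentions. It assumes a hypothetical four-column proxy log (timestamp, source host, destination:port, bytes out), uses constructed sample lines with documentation-range addresses, and flags source/destination pairs whose connection intervals are nearly constant.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress proxy log (hypothetical format):
# <ISO timestamp> <internal src> <external dst:port> <bytes out>
# 10.1.2.7 checks in with 203.0.113.5 every ~5 minutes (implant-like);
# 10.1.2.9 talks to 198.51.100.20 at irregular, human-like times.
SAMPLE_LOG = """\
2010-01-04T09:00:00 10.1.2.7 203.0.113.5:443 412
2010-01-04T09:00:01 10.1.2.9 198.51.100.20:443 8123
2010-01-04T09:05:00 10.1.2.7 203.0.113.5:443 415
2010-01-04T09:10:01 10.1.2.7 203.0.113.5:443 409
2010-01-04T09:12:30 10.1.2.9 198.51.100.20:443 51233
2010-01-04T09:15:00 10.1.2.7 203.0.113.5:443 418
2010-01-04T09:20:00 10.1.2.7 203.0.113.5:443 411
2010-01-04T09:41:10 10.1.2.9 198.51.100.20:443 2301
"""


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_events=4, max_cv=0.1):
    """Return src/dst pairs whose inter-connection timing is suspiciously regular.

    For each pair with at least `min_events` connections, compute the
    coefficient of variation (stdev / mean) of the gaps between connections.
    Scheduled check-ins give a CV near 0; interactive traffic is far noisier.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _nbytes in records:
        by_pair[(src, dst)].append(ts)

    suspects = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # bursts at the same second are a different pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects[pair] = {
                "count": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
            }
    return suspects


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} "
              f"every {info['mean_interval_s']}s x{info['count']} (cv={info['cv']})")
```

On the constructed log this reports only the 10.1.2.7 to 203.0.113.5 pair, with a mean interval of 300 seconds. In practice the thresholds need tuning per environment, legitimate software updaters and monitoring agents also beacon and must be allow-listed, and an implant that adds jitter to its schedule will raise the CV, so this is one signal to combine with destination reputation and payload size rather than a stand-alone verdict.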