News broke this week that one of the criminals involved in a massive global banking fraud scheme that relied heavily on the Zeus trojan to steal millions from both U.S. and European banking accounts will be sentenced this Spring.
The news reminded me of the relationship between malicious software (i.e. “malware”) and insecure software (i.e., “badware”). Criminals intentionally create malware to do bad things (in other words, to launch attacks on victims). Viruses, trojans, root kits, malicious code, etc. are all examples of malware. Badware, on the other hand, is software that has underlying security weaknesses (or defects) that can be exploited by attackers. These underlying weaknesses manifest as the software is constructed and deployed and *are not intentionally* planted by software developers. Often, badware acts as a vehicle for malware to attach itself to victims and successfully carry out its operations.
Gary McGraw wrote about this problem in May 2012. Today, I focus on combating the badware problem - helping organizations build software that is resilient when attacked by malware and other malicious agents. Thus, I’m in the prevention or risk mitigation business.
I used to study malware during my undergraduate days with Professor Tobin at Fairmont State Unversity. I’ve always found malware footprints - how malware touches devices and leaves traces of execution - to be interesting. What’s more fascinating to me these days is how criminal organizations run global operations to successfully leverage malware and badware for monetization purposes.
The FBI has published a decent infographic that explains the high level moving parts and operational aspects of a Cyber Theft Ring . The criminal who faces sentencing in the original news article was considered to be a “money mule”, a person who aids in the transfer of stolen funds.
: FBI, 01:49, 3 October 2010 (UTC), http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud