According to a report from IBM, criminals stole $4 million from 24 American and Canadian financial institutions and associated businesses over just a few days late last year, using a new form of malware that combines portions of two distinct, previously known malware families.
The new hybrid, christened "GozNym", blends two existing tools. From the malware known as "Nymaim" it takes stealth and persistence capabilities (that is, the features that let the malware avoid detection and remain active and difficult to remove even after the system is rebooted). From an older banking Trojan known as "Gozi ISFB" (whose source code has long since leaked online) it takes the fraud technology. The result is a powerful tool that can steal money while making itself hard to detect and remove.
Until a few months ago, Nymaim was known primarily as a way to distribute ransomware, not to commit bank fraud. Gozi malware, on the other hand, focuses on stealing money: it monitors and manipulates web sessions from inside the victim's browser, reading and modifying the content of web pages, intercepting the data a user sends to a server, and injecting data as needed in order to carry out fraudulent activities.
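The web-session manipulation described above usually shows up on the victim's side as extra form fields or a rewritten form target on the bank's login page. A common defensive countermeasure is a page-integrity check that the site's own front end runs to compare the form the browser actually rendered against what the server sent. The following is an added example written for this article, not code from IBM, the quoted experts, or any bank: it assumes a constructed login form, a hypothetical baseline manifest (`EXPECTED_LOGIN_FORM`), and a deliberately tampered copy of the page with an injected field, all embedded inline so it runs offline under Node.

```javascript
// Added example: detecting web-inject tampering of a login form by comparing
// the rendered form against a baseline manifest. The HTML, field names and URLs
// below are constructed for illustration and are not from any real site.

// Baseline the server knows it sent (assumption: shipped alongside the page).
const EXPECTED_LOGIN_FORM = {
  action: "https://bank.example/login",
  fields: ["username", "password", "csrf_token"],
};

// Constructed sample: the form as the server delivered it.
const CLEAN_LOGIN_HTML = `
<form action="https://bank.example/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="sample-token-123">
</form>`;

// Constructed sample: the same form after a web-inject added a field that the
// bank never asks for, a typical man-in-the-browser modification.
const INJECTED_LOGIN_HTML = `
<form action="https://bank.example/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="atm_pin">
  <input type="hidden" name="csrf_token" value="sample-token-123">
</form>`;

// Minimal tag scanner: pulls the form action and every input name out of an
// HTML string. It is not a full HTML parser; it is enough for a form-level
// signature, which is all the integrity check needs.
function extractFormSignature(html) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i"));
    return m ? m[1] : null;
  };
  const formTag = html.match(/<form\b[^>]*>/i);
  const action = formTag ? attr(formTag[0], "action") : null;
  const fields = [];
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const name = attr(m[0], "name");
    if (name) fields.push(name);
  }
  return { action, fields };
}

// Compares the rendered form against the baseline and reports every
// deviation: a changed submit target, fields that were injected, and expected
// fields that were removed.
function checkFormIntegrity(html, expected = EXPECTED_LOGIN_FORM) {
  const actual = extractFormSignature(html);
  const findings = [];
  if (actual.action !== expected.action) {
    findings.push(`form action changed: ${actual.action}`);
  }
  for (const f of actual.fields.filter((f) => !expected.fields.includes(f))) {
    findings.push(`unexpected field: ${f}`);
  }
  for (const f of expected.fields.filter((f) => !actual.fields.includes(f))) {
    findings.push(`missing field: ${f}`);
  }
  return { tampered: findings.length > 0, findings };
}

// Stand-alone demo: the clean page passes, the injected page is flagged.
for (const [label, html] of [["clean", CLEAN_LOGIN_HTML], ["injected", INJECTED_LOGIN_HTML]]) {
  const result = checkFormIntegrity(html);
  console.log(`${label}: tampered=${result.tampered}`, result.findings);
}
```

In a real deployment the baseline would be signed or fetched from the server on each load, and a positive finding would be reported to the bank's fraud team rather than only logged, since the malware sits in the same browser and can also try to suppress the check itself; the comparison logic is the same.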
The rapid success of the new blended malware clearly demonstrates the risk posed by criminals who assemble powerful attack tools by combining "best of breed" capabilities from multiple strains of malware.
I asked several experts about this development. Here are their comments:
Giovanni Vigna, Co-Founder & CTO of Lastline:
"While it is interesting to see two strands of malware becoming closely intertwined, it is not surprising. As for any software that has to be flexible and reliable, malware has been modularized for a while, so that functionality can be reused or loaded as needed. The stealth behavior of the malware highlights the need for sophisticated dynamic analysis that is able to identify both the overtly malicious actions and the attempts to hide the true nature of the code."
Travis Smith, Senior Security Research Engineer at Tripwire:
"Cyber criminals have specialties just like their whitehat counterparts. By taking bits of code from different pieces of malware, they are able to create their malicious payload quicker than writing everything from scratch. This reduces their time to exploit, and increases potential profits from criminal activity. While data is the currency of the 21st Century, criminals are still interested in real currency as well - banks and e-commerce sites face attacks from criminals seeking both types of currency. Organizations should monitor critical systems for suspicious changes as well as limit network connectivity to prevent data leakage in the event of a breach."
Jonathan Sander, Vice President at Lieberman Software:
"One would think that once a bad guy has crawled in an unlocked window and robbed a facility, the people responsible for locking the window would remember to do so going forward. If you walk by and see the window open and then discover valuables missing, all you can do is sigh, close it up again, speak to the people in charge of the window, and hope that they listen the second time around. In many ways that's what happened. The new GozNym malware used pieces of past malware to swipe another $4 million - making security professionals wonder how much protection was actually implemented after the original strains surfaced."
Andrew Komarov, chief intelligence officer at InfoArmor:
"Unfortunately, the leak of the source code of famous online banking Trojans created a new market with modifications and different variations, but they are based on exactly the same principles as several years ago. Security bypass and anti-virus evasion mechanisms are rapidly changing due to the efforts of the security community, and this is why bad actors are looking for new and private zero-day exploits for modern platforms and specific security solutions."
Practicing proper cyber-hygiene can prevent most malware infections, and doing so does not require huge expenditures. Those with adequate budgets might also consider deploying technologies that look for anomalous activity on computers and networks; such systems can often catch problems that anti-virus engines and similar signature-based tools miss.