Revisiting “Malware – Future Trends” – 10 Years Later – An Exclusive Peek Inside the Modern Cybercrime and Malware Ecosystem – An Analysis

It’s been a decade since I originally published my infamous “Malware – Future Trends” research paper and it’s been decade since I’ve originally posted an in-depth summary of the cybercrime ecosystem and the vibrant cybercrime ecosystem following my visit in the GCHQ circa 2008 with the Honeynet Project to present a relevant and recent “Current and Emerging Cybercrime Trends” presentation and to summarize some of my research findings in the World of cybercrime and malicious software.

In this in-depth and detailed and comprehensive post I’ll share what appears to be the single most comprehensive and in-depth analysis of the current and modern cybercrime ecosystem including some of the current and emerging malicious software developments through the prism of my research published throughout 2008-2020 and actively discuss some of my currently active projects including my involvement in the Top Secret GCHQ program known as “LOVELY HORSE”.

Some of the key emerging malware trends which I outlined in my original “Malware – Future Trends” circa 2006 include:

  • Mobile malware will be successfully monetized – it used to be a situation where mobile malware was once perceived as a novel approach to successfully attempt to affect a huge portion of modern mobile devices and their associated mobile operating systems with several PoC (Proof of Concept) malicious software variants circulating in the wild at the time. Things have greatly changed throughout the past couple of years thanks to an emerging monetization vector known as affiliate-based revenue-sharing scheme which basically offer a decent amount of money for the purpose of affecting hundreds of thousands of mobile devices with custom-made or affiliate-network distributed malicious software including the active use of premium-rate mobile numbers with the actual infected devices attempting to automatically send a premium-rate SMS message or actually make a call in the background with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts. Among the key driving factors within this market segment remain the active utilization and exploitation of mobile malware hosts for the purpose of enabling a possible geolocation abuse based campaigns through the direct establishment of Sock4 and Socks5 servers on various compromised mobile devices which will eventually enable novice and experienced cybercriminals to commit high-profile fraud and launch fraudulent and malicious online campaigns largely relying on a gelocated set of Socks4 and Socks5 enabled servers on various compromised mobile devices across the globe which can greatly result in the bypassing of geo-location based
  • Localization as a concept will attract the coders’ attention – throughout the last couple of years it became clearly evident that event-based malware campaigns and real-time Google Keywords syndicating campaigns became the de-factor standard within the cybercrime ecosystem with novice and experienced cybercriminals continuing to launch malicious and fraudulent online campaigns largely relying on a localized and basically translated to the native language of the prospective victim content potentially improving the probability for a successful infection. With more services offering localization on demand continuing to pop up it should be clearly evident that novice and experienced cybercriminals will continue to outsourced their localization needs to a vast majority of newly emerging localization on demand vendors that specialize in translating and localizing spam and phishing and malicious software content potentially improving the infection rate for an upcoming malicious software campaign.
  • Open Source Malware – with more source code continuing to leak online it should be clearly evident that novice and experienced cybercriminals will continue to offer open source malware within the cybercrime ecosystem market segment which will eventually result in a variety of modularity based new featured that will be eventually introduced within the open source malware releases potentially bringing new malware coders on board on the project eventually resulting in the development or an ecosystem for the purpose of managing and releasing open source code malware release that also includes the actual source code behind the releases and the persistent and systematic release of new features potentially improving the market share of the malicious software in question or actually allowing its vendors to come up with sophisticated on demand proprietary releases.
  • Anonymous and illegal hosting of (copyrighted) data – it’s becoming increasingly evident that malware-infected hosts could be easily converted to anonymous and illegal hosting of information P2P based hosting providers largely thanks to their ubiquitous Internet-based connectivity where the bad guys could easily start offering commercial services on the top of the fraudulent and malicious infrastructure without the actual knowledge of the malware-infected victim basically establishing the foundation for a successful bullet-proof hosting ecosystem largely using the infected population part of a specific botnet or a currently ongoing or upcoming malicious software spreading campaign. Case in point is the ongoing commercialization of Socks4 and Socks5 servers offered and build on the top of Android malware infected users where their mobile device actually starts to act as an anonymization proxy where the bad guys could easily bypass geolocation-based firewall protection in place potentially undermining modern firewall and anti-fraud protection in place. With more Socks4 and Socks5 services using Android-based infected mobile devices continuing to pop up it shouldn’t be surprising that at a certain point in time it should be highly feasible for malware authors to actually begin offering managed anonymous and illegal hosting of specific content on the top of a specific botnet largely building a P2P based bullet-proof hosting infrastructure for rogue and anonymous content.
  • The development of Ecosystem – the current state of the global malware ecosystem as I’ve originally stated in my original “Malware – Future Trends” publication has to do with hundreds of vendors and novice and experienced programmers constantly introducing new features including new cross-platform releases potentially driving the overall cybercrime ecosystem business model while offering publicly and proprietary accessible malware releases potentially undermining modern defense mechanisms in place and potentially undermining the confidentiality availability and integrity of the targeted host.
  • Rise in encryption and packers – what used to be a situation once where the bad guys would attempt to manually obfuscate their releases is today’s modern Web-based and automated API-based malware crypting on demand ecosystem where the bad guys continue offering commercial services with the idea to offer an additional and de-facto standard for malicious software Q&A (Quality Assurance) where the bad guys could constantly verify and check whether their malicious releases are actually detected by modern antivirus and firewall solutions before actually launching the malicious and fraudulent campaign.
  • 0day malware on demand – with more malicious software programmers constantly popping-up online it shouldn’t be surprising that custom coded and on demand 0day malware releases are increasing in the context of having a third-party or a nation-state actor actually requesting a custom coded malicious software on demand which is basically undetected by a huge portion of modern antivirus solutions and actually seek additional value-added services on behalf of the malware authors where new features and modules could be easily introduced on the basis of coding custom based and 0day malicious software on demand.
  • Cryptoviral extortion / Ransomware will emerge – this is the single most evident point that I’ve managed to actually predict which is today’s epidemic growth of malicious and fraudulent ransomware releases and custom coded cryptoviral extortion releases on demand which directly results in the direct establishment of a rogue and fraudulent ecosystem on the basis of infected targeted host. Today’s growing ransomware epidemic can be greatly attributed to an ongoing commercialization of the ransomware market segment largely thanks to the general availability of DIY including publicly accessible ransomware releases and their associated source code including proprietary and on demand ransomware releases including the general availability of affiliate-based network revenue sharing schemes where novice and experienced cybercriminals can earn fraudulently obtained revenue for their participation in a ransomware campaign or the actual execution and infection of as many Internet-connected hosts as possible potentially earning fraudulent revenue in the process.
  • When the security solutions ends up the security problem itself – it used to be a situation when users were blindly relying on freely available or commercial antivirus solution software that also includes personal firewalls which on the majority of occasions remain either misconfigured or not properly configured citing possible connectivity issues vs security benefits offered by these solutions which could also lead to a situation where users can end up with a false feeling of security while using these security solutions that also includes actual exploits and vulnerabilities in antivirus and firewall solutions which could potentially undermine the added security features offered by these security solutions.
  • Intellectual property worms – it’s becoming increasingly evident that today’s modern malware releases are truly capable of stealing a decent portion of the host’s intellectual property in an automated and semi-automated way largely relying on built-in modules for processing and harvesting sensitive and confidential potentially secret or classified information on the targeted hosts and therefore it shouldn’t be surprising that what I originally anticipated as a trend back in 2006 is today’s modern nation-state and groups of interest targeted attack campaigns including mass and widespread intellectual property stealing malware campaigns. Among some of the key innovations on this front include the development of custom intellectual property stealing modules targeted researchers and organizations internationally.
  • Web vulnerabilities, and web worms – diversity and explicit velocity – it used to be a case where modern web application vulnerabilities including the actual exploitation of web application vulnerabilties on a mass scale was largely considered as a novel approach to spread and launch mass scale malicious software and blackhat SEO serving campaigns. In reality largely thanks to today’s modern and vibrant cybercrime-friendly underground market ecosystem we’re continuing to observe an increase in the overall availability of DIY including proprietary and publicly accessible mass Web site and web application vulnerability exploiting tools and services whose availability greatly results in today’s rise of modern cyber attacks relying on web application vulnerabilities.
  • Hijacking botnets and infected PCs – what was once only a trend or a possible speculation is today’s modern trend where law enforcement including security researchers actually try to hijack a specific botnet and actually attempt to take it offline or actually attempt to remove it from the targeted hosts. As we’re continuing to witness the existence of this trend it shouldn’t be surprising that the U.S Intelligence Community is too fully capable of hijacking or disrupting a specific botnet largely relying on custom made or classified and sensitive tools methods and procedures.
  • Interoperability will increase the diversity and reach of the malware scene – this is still a trend largely driven by the rise of IoT devices including smart devices that are actually Internet-connected devices prompting malicious attackers and cybercriminals to look for ways to monetize access to these hosts potentially earning fraudulent revenue in the process.

Stay tuned!


Author: admin

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodlogy for processing threat intelligence leading to a successful set of hundreas of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge. With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe.

Leave a Reply

Your email address will not be published. Required fields are marked *