Polymorphism and the case for transaction monitoring
Poly what?! While doing research for a presentation on cyber-threats in relation to ACH fraud (I highly recommend that fraud professionals bone up on this topic, since the nexus between fraud and on-line security is becoming so strong – watch for a post with reading suggestions) I came across the concept of polymorphism, and it scared me. Here's why...
Polymorphism as defined by Merriam-Webster is: "the quality or state of existing in or assuming different forms: as a (1) : existence of a species in several forms independent of the variations of sex (2) : existence of a gene in several allelic forms; also : a variation in a specific DNA sequence (3) : existence of a molecule (as an enzyme) in several forms in a single species b : the property of crystallizing in two or more forms with distinct structure." (Merriam-Webster Online Dictionary)
As you can see, it is a well known term for biologists, chemists and other scientists, but it's the meaning related to cyber fraud that is scary. It is applied to malware, most notably trojans and, for our purposes in particular, banking trojans (see, we even get our own classification). A polymorphic trojan is one that changes its "signature" every time it is generated. Why is this important? Because anti-malware software works by identifying a trojan, determining its signature, putting a detection routine in the anti-malware software, and getting all clients to update their copies. See the problem?
Malware detection companies have always had to play a game of catch-up. Detecting malware first requires that you find it, and who knows how long it has been doing damage before you do. Then you have to do the other things I mentioned above, all of which take time, while the malware continues to wreak havoc. In the past, malware was static: once it was out there, its signature stayed the same. But with polymorphic trojans, the rate at which new variants appear increases significantly.
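To make the catch-up problem concrete, here is a small added example (not code from this post or from any anti-malware vendor) in which the "signature" is simply a SHA-256 hash of the whole file, a deliberate simplification of real AV signatures. The generations are constructed byte strings standing in for files: each carries the same core content wrapped in a different header and padding, so the hash of every generation differs even though what the file does has not changed. A store that learned the hash of generation 1 catches only generation 1; a check keyed on the part the variants share catches all of them, which is the same idea as watching behaviour instead of bytes.

```python
import hashlib

# Constructed stand-in for the part of a file that stays the same across
# generations. Nothing here is real malware; it is a labelled placeholder.
CORE = b"<constructed stand-in for the part of the file that does the work>"


def make_generation(n: int) -> bytes:
    """Build constructed 'file' number n: the same CORE inside a per-generation
    wrapper, mimicking a polymorphic build that changes its outer bytes each time."""
    return b"WRAP-%03d" % n + CORE + bytes([n % 256]) * 8


def file_hash(sample: bytes) -> str:
    """Whole-file SHA-256; this is the toy 'signature' (assumption: a simplification)."""
    return hashlib.sha256(sample).hexdigest()


class HashSignatureStore:
    """The vendor's signature list: hashes of samples it has found and analysed."""

    def __init__(self) -> None:
        self.known: set[str] = set()

    def learn(self, sample: bytes) -> None:
        """Vendor finds a sample, derives its signature, ships it to clients."""
        self.known.add(file_hash(sample))

    def detects(self, sample: bytes) -> bool:
        """Client-side check: exact signature match only."""
        return file_hash(sample) in self.known


def invariant_detects(sample: bytes, invariant: bytes = CORE) -> bool:
    """A check keyed on what every generation shares rather than on the whole file."""
    return invariant in sample


def coverage(generations, detector) -> tuple[int, int]:
    """Count how many of the given generations a detector catches."""
    hits = sum(1 for g in generations if detector(g))
    return hits, len(generations)


if __name__ == "__main__":
    gens = [make_generation(i) for i in range(1, 6)]
    store = HashSignatureStore()
    store.learn(gens[0])              # vendor has only seen generation 1 so far
    print("distinct hashes:", len({file_hash(g) for g in gens}))
    print("hash signature  :", coverage(gens, store.detects))
    print("shared invariant:", coverage(gens, invariant_detects))
```

Every new generation forces another trip around the find-analyse-ship-update loop for the hash-based store, while the invariant check needs no update at all; the catch is that a real invariant is harder to find than a hash, which is exactly why the back door matters as much as the front gate.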
The Zeus banking trojan is an example. Last December I went to a presentation by Laura Mather Ph.D., a well known personality in information security circles. It was called "Dissecting Zeus the #1 Banking Trojan", and at that time she reported, as I recall, that there were at least 310 variations of the Zeus trojan. I shudder to think how many exist today. She also said that only 37% of anti-malware software detected the version her company was infected with (yes, her company), and they are security professionals! I didn't understand it at the time, but this is because of polymorphism.
So what's the moral of this sad tale?
Do all that you can to bar the front gate, but be sure to be watching what is going out the back door.
What I discovered, or rediscovered, is that on-line security is a sophisticated and ever-escalating war. It is critical that you keep up to date, because every round ups the ante, and if you don't do everything you can, you will be more vulnerable and overwhelmed. Once a bank decides to get into the on-line banking game, and we pretty much all have, there's no going back or getting off the on-line security train. Watching what goes out the back door, of course, refers to looking at the transactions that your "customers" are generating, such as ACH file origination and wires. Do they make sense, or do they deserve some attention from your fraud team?
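What "watching the back door" can look like in code, as an added example that is not part of this post and not any bank's system: a toy monitor for outgoing ACH and wire originations. It builds a per-customer baseline from constructed history (payees seen before, largest prior payment) and then screens a constructed batch for four things a fraud team would want to see: a payee the customer has never paid, an amount well above anything they have sent before, an origination outside business hours, and several originations from one customer in quick succession. The thresholds, field names and records are all assumptions made for the example; a real monitor would use months of history and tune the numbers per institution.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history: (customer, payee, amount, ISO-8601 timestamp).
HISTORY = [
    ("acme",   "payroll-vendor", 12000.00, "2010-05-03T09:10:00"),
    ("acme",   "payroll-vendor", 12500.00, "2010-05-17T09:05:00"),
    ("acme",   "utility-co",       900.00, "2010-05-20T10:00:00"),
    ("acme",   "payroll-vendor", 12100.00, "2010-06-01T09:12:00"),
    ("bakery", "flour-supplier",  2000.00, "2010-05-10T14:00:00"),
    ("bakery", "flour-supplier",  2100.00, "2010-06-10T14:30:00"),
]

# Constructed batch to screen. The three "-personal" payees at 2 a.m. have the
# shape a fraud team should worry about: new payees, off hours, minutes apart,
# each just under the customer's usual payment size so no single one looks big.
TODAY = [
    ("acme",   "payroll-vendor", 12300.00, "2010-06-15T09:08:00"),
    ("acme",   "j-doe-personal",  9800.00, "2010-06-15T02:14:00"),
    ("acme",   "k-roe-personal",  9700.00, "2010-06-15T02:20:00"),
    ("acme",   "l-poe-personal",  9900.00, "2010-06-15T02:31:00"),
    ("bakery", "flour-supplier",  2050.00, "2010-06-15T14:10:00"),
    ("bakery", "new-equipment",  45000.00, "2010-06-15T15:00:00"),
]

# Assumed thresholds; tune per institution.
AMOUNT_FACTOR = 2.0             # flag amounts above this multiple of the largest prior payment
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as business hours
BURST_WINDOW = timedelta(hours=1)
BURST_COUNT = 3                 # this many originations inside the window is a burst


def build_baseline(history):
    """Per-customer profile: payees seen before and the largest prior payment."""
    payees = defaultdict(set)
    largest = defaultdict(float)
    for cust, payee, amt, _ in history:
        payees[cust].add(payee)
        largest[cust] = max(largest[cust], amt)
    return {c: {"payees": payees[c], "largest": largest[c]} for c in payees}


def screen(batch, baseline):
    """Return one alert dict per origination that does not fit its customer's pattern."""
    alerts = []
    seen = defaultdict(list)  # customer -> timestamps already processed in this batch
    for cust, payee, amt, ts in sorted(batch, key=lambda r: r[3]):
        when = datetime.fromisoformat(ts)
        # A customer with no history has no known payees and no prior payments,
        # so everything they send is new; that is the conservative choice.
        prof = baseline.get(cust, {"payees": set(), "largest": 0.0})
        reasons = []
        if payee not in prof["payees"]:
            reasons.append("new payee")
        if amt > AMOUNT_FACTOR * prof["largest"]:
            reasons.append("unusually large amount")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off hours")
        seen[cust].append(when)
        # Burst: this customer's originations within BURST_WINDOW (batch only).
        if sum(1 for t in seen[cust] if when - t <= BURST_WINDOW) >= BURST_COUNT:
            reasons.append("burst")
        if reasons:
            alerts.append({"customer": cust, "payee": payee, "amount": amt,
                           "timestamp": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in screen(TODAY, build_baseline(HISTORY)):
        print(f"{a['customer']:7} {a['payee']:16} {a['amount']:>9.2f} "
              f"{a['timestamp']}  " + ", ".join(a["reasons"]))
```

Run as-is, the two routine payments (payroll and the flour supplier) pass silently, the 2 a.m. batch is flagged on new payee and off hours with the third one also tripping the burst rule, and the large payment to an unfamiliar payee is flagged on amount. None of this depends on recognising the trojan that may have originated the batch, which is the point: the back door sees the money moving whether or not the front gate recognised the malware.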