Access-for-Sale Worms

Access-for-sale worms are the promise of scalable, targeted intrusion. A worm author creates a worm which compromises machines and installs a back door on them. Access to the back door is transferred by the worm author to a "cyberthief," who then uses the back door to break into the machine.

Access to a machine's back door would be unique to a machine, and guarded by a cryptographic key. By transferring the key, a worm author grants back door access to that one machine. There is a fine granularity of control, because access is granted on a machine-by-machine basis.

Why would access to a single machine be of interest, when entire botnets can be had?

Crime, particularly stealing information which may later be used for blackmail or identity theft. The value of such access increases in proportion to its exclusivity - in other words, a competitor must not be allowed to obtain and sell access too.

Ironically, this means that a good access-for-sale worm must patch the vulnerabilities in a machine it compromises, to prevent a competing access-for-sale worm from doing the same thing. There are two "business models" for access-for-sale worms:

  1. Organized crime. A crime organization retains the services of a worm author and a group of cyberthieves. The worm author creates and deploys an access-for-sale worm, and the back door keys are distributed to the cyberthieves.

This keeps the "turf" divided amongst the cyberthieves, who then mine the compromised machines for information. Due to the insular nature of organized crime, countermeasures that come between the worm author and the cyberthieves are unlikely to work; standard worm countermeasures are the only reliable defenses.

  2. Disorganized crime. Here, the worm author sells a back door key to a cyberthief. Compromised machines must first be advertised to potential customers by the worm author: this may be as crude as posting a list on some underground website, or an infected machine may leak a unique identifier on some covert channel that a customer can detect.

The customer-cyberthief buys the back door access key for their chosen target machine from the worm author and uses it to break in. The whole process is shown in Figure 1.

This model admits two additional defenses. First, the worm author's reputation can be attacked. The worm author and cyberthief probably don't know one another, so an access key sale is based on the seller's reputation and a certain amount of trust.

One defense would make an infected machine continue to look infected even after it has been cleaned, in the hope of damaging the seller's reputation. Second, law enforcement authorities could set up honeypots and sell access as if the honeypots were access-for-sale machines.

This would keep the doughnut budget in good stead, and might lead to the capture of some cyberthieves, or at least increase the cyberthieves' risk substantially.

The access-for-sale worm would require some verification mechanism to ensure that an access key did in fact come from the worm author.

This mechanism can be constructed using public-key cryptography, where a message is strongly encrypted and decrypted using different keys: a private key known only to the message sender, and a public key known to everyone.

The access-for-sale worm can carry the worm author's public key with it, and each compromised machine can be assigned a unique identifier (based on its network address, for example).

When the worm author transfers an access key, they encrypt the machine's unique identifier with their private key (in effect, signing it); the worm can decrypt and verify the identifier using the public key.

If a symmetric cryptographic scheme were used, where the same key is used for encryption and decryption, then capturing a worm sample would reveal the secret key, permitting access to all of the worm's back doors.
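The contrast drawn above, as an added illustration that is not part of the original text: the back door side holds only the embedded public key, so an analyst or competitor who captures a sample can validate access keys but not produce them, whereas a symmetric scheme hands the forger everything. Ed25519 signatures, HMAC-SHA256, the function names and the machine identifiers are all assumptions of this example; the text specifies none of them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateAuthorKeys makes the author's key pair; only the public half is carried by the worm.
func GenerateAuthorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueAccessKey is the author's side: the access key for one machine is a signature over its identifier.
func IssueAccessKey(priv ed25519.PrivateKey, machineID string) []byte {
	return ed25519.Sign(priv, []byte(machineID))
}

// VerifyAccessKey is all a sample holder can do with the embedded public key: validate, never mint.
func VerifyAccessKey(pub ed25519.PublicKey, machineID string, key []byte) bool {
	return ed25519.Verify(pub, []byte(machineID), key)
}

// SymmetricAccessKey is the weak alternative from the text: whoever extracts the shared secret can compute it.
func SymmetricAccessKey(shared []byte, machineID string) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write([]byte(machineID))
	return m.Sum(nil)
}

func main() {
	const victim = "192.0.2.10" // constructed identifier (a network address, as the text suggests)
	pub, priv := GenerateAuthorKeys()
	_, rivalPriv := GenerateAuthorKeys() // a competitor holding only a captured sample
	genuine := IssueAccessKey(priv, victim)
	fmt.Println("genuine key accepted:", VerifyAccessKey(pub, victim, genuine))
	fmt.Println("rival's forgery accepted:", VerifyAccessKey(pub, victim, IssueAccessKey(rivalPriv, victim)))
	// Symmetric case: the secret sits in the sample, so the rival's key equals the author's.
	shared := []byte("constructed-secret-carried-in-sample")
	fmt.Println("symmetric forgery matches:", bytes.Equal(SymmetricAccessKey(shared, victim), SymmetricAccessKey(shared, victim)))
}
```

For a defender the same asymmetry cuts both ways: the public key recovered from a sample is a stable fingerprint of one author's campaign and lets observed access keys be attributed to it, but it reveals nothing about which other machines have been sold.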