Cloud-based services are increasing in popularity these days: almost every kind of software is now available as a cloud- or software-as-a-service (SaaS) offering and that, unfortunately, also includes malware distribution. In fact, Malware-as-a-service (MaaS) is by far the most common way that malware is distributed, becoming a software industry in its own right. Let’s take a look at how this works without getting too technical.

What is MaaS and why it is used?

Malware-as-a-service is an online service which offers malware for purchase or rent, and also serves as a distribution service for malware delivery.

Essentially, with MaaS, hackers don’t have to worry about creating their own malware, or distributing malware that they have written. Those who do not have the skills or time to write their own malware, can rent or purchase ‘off-the-shelf’ malware, which they can then edit or deploy as they wish. Alternatively, the MaaS industry will distribute the malware code for you.

The distribution aspect of MaaS is particularly interesting for hackers who write their own code. It allows them to focus on what they do best – writing pernicious software – while leaving the distribution to drive maximum impact to others. Before MaaS became available it was up to the hacker to find the proper distribution channels, which meant:

  1. Infecting pirated software with malware and uploading it to common piracy websites
  2. Creating a website and inviting people to download a file in which malware is hidden
  3. Creating self-replicating malware and distributing it via some form of software vulnerability
  4. Infecting their friend’s USB sticks with the malware and renaming it to something which they or others were likely to open.

Each of these methods required a significant amount of effort to distribute the malware effectively so that it could have the desired, maximum impact. The MaaS industry is now a dream come true for hackers – it is faster, everything is done for them and at a very good price.

The bad news for users, companies and industries is that with MaaS, everyone can become a hacker overnight. Individuals can order malware À la carte, and then pay a little extra for someone to distribute the code.

Not surprisingly, the popularity of these ‘exploit kits’ is increasing. Prices vary, with some exploit kits selling for as low as $50 for a day or up to $1,500 for a year’s service. When you consider how effective some malware can be, it’s not an expensive service.

How does the infection come about?

So, a piece of malware is written or purchased from a preferred malware vendor. A distribution fee is also paid. What happens next? How does the malware reach its intended targets?

There are a number of steps before an unsuspecting user’s machine is infected, as explained in the graphic below.


Step 1: The malware is loaded onto a distribution server ready to be pushed out to new victims

Step 2: The MaaS service discovers web servers of legitimate software which have problems or vulnerabilities in their setups. These vulnerabilities allow the MaaS vendors/authors to inject a piece of hidden HTML code into the software on those webservers which will be used to perform malicious actions

Step 3: An end-user visits the legitimate (but compromised) website. The hidden code on the website analyses the user’s machine, detects what browser and other software the user has installed on that computer. If the user has software which has not been patched, then the next step is executed automatically

Step 4: Based on the analysis in step 3, the user is redirected to another website. Here, a targeted exploit to infect the user with malware that is mapped to that particular vulnerability is deployed. For example, if a user has a version of Java which hasn’t been updated, they will be redirected to a server that executes a Java exploit.

Step 5: The exploit is executed

Step 6: Information is sent to the MaaS service so that statistics can be gathered about which types of users, geographies, browsers and other demographics are being successfully infected

This distribution method is effective because:

  1. The sheer number of currently compromised websites (millions) on the internet (and which will continue to be compromised in future) creates a huge audience hackers and their malware to exploit
  2. The fact that these are legitimate and trusted sites means that people will continue to visit these sites unaware that they have been hijacked and infected with invisible, malicious code
  3. The delivery of a ‘designer’ exploit targeted to the vulnerability within a user’s unpatched software ensures the exploit is deployed successfully
  4. The exploit does not need any kind of additional user interaction, such as a click or a download, and simply arriving on the site will result in an infection – hence the name for this type of infection,  ‘drive-by’ download)
  5. The growing revenue to be made from  MaaS, which funds the hackers and provides them with financial resources, enables malware authors to keep expanding the sites they use, research and develop new  exploits, and enhancing  AV avoidance techniques
  6. The effectiveness of pushing malware via techniques such as spamming, SEO poisoning,  baiting users on popular sites and social networks, obfuscating the URLs using URL shortening services and other techniques to push users towards compromised sites, is growing fast.

How effective are these kits? And how many of them are there?

In short, they are very effective. Different security vendors (who monitor the number of websites infected by the various exploit kits) give different statistics on how effective each exploit kit is, but all of them agree on one thing: these exploit kits cause the majority of infections today. Old viruses and distribution methods have become insignificant when compared to these new, malicious URLs. There are dozens of exploits kits, including the Blackhole Exploit kit (which used to be one of the most effective until the author Paunch was reportedly arrested and the kit was no longer ‘supported’ and updated), Neutrino, Glazunov and many more. In many ways, the MaaS industry is just like any other: as this business becomes more lucrative, MaaS authors become more competitive, making improvements in their products: from enhanced usability and competitive pricing to more advanced infection and obfuscation techniques.

Ouch! How do I protect my network and machines?

Thankfully, it is not all doom and gloom. Although it is very difficult to keep track of which legitimate websites have been compromised, there are several automated security solutions which you can layer on top of each other to protect your network and machines: the so called ‘defence in depth’ strategy.

First of all, you need to regularly scan all the devices on your network and create an inventory of every vulnerability they may have. Second, you need to automate, and as rapidly as possible, then deploy patches to all vulnerable devices, thus mitigating the risk they pose. GFI LanGuard, the automated network security manager, is an essential tool that can help you with both of these steps.

Third, you need to put an automated web security solution in place which stops users from visiting websites known to contain malicious payloads, thereby preventing malware from exploiting any possible remaining vulnerabilities in your network. (GFI WebMonitor or GFI Cloud Web Protection will both prevent your users from visiting these websites).

Fourth, you still need to have an antivirus on your machines to ensure that malicious software payloads are detected and stopped. GFI Cloud antivirus is the right tool for this.

The bad news is that if you are missing any of these protection layers, it’s only a matter of time before your machines and network are exposed to malware and infected through your users’ actions, possibly  without their knowledge.

Don’t leave it to luck, GFI offers all the layers of protection required to ensure your end users are safe.