New America

Introduction

Computers and computer systems are becoming ubiquitous, managing everything from government databases, to grocery transactions, to activity on our own phones. However, these systems don’t come without their vulnerabilities, and their exploitation has never been in such high demand. So where does malicious software—the code designed to exploit these vulnerabilities—come from?

Malicious software is bought, sold, and traded. These transactions take place on websites which could be mistaken for ebay clones, over encrypted email between former colleagues, and even when vendors publicly offer cash for flaws in their software. The malware markets are home to both defensive groups, like software vendors, and offensive groups, like criminal networks and other attackers. Companies are involved with building and selling malicious code, from single exploits all the way up to integrated surveillance packages. Underneath all of this is a global network of companies, criminal groups, individuals, and even governments that build, buy, and sell code.

Key Definitions:

Malware: Software used to manipulate a computer system by a malicious third party

Vulnerability: A software flaw or feature subject to manipulation

Exploit: Part of malware, a small software program written to take advantage of a vulnerability

Exploit kit: A collection of software exploits used to deliver malicious payloads. Often rented as a service.

Propagation method: Part of malware, a means to deploy malware from one computer to another

Payload: Part of malware, code designed to achieve a specific outcome, like stealing passwords

Bug bounty program: Money offered by software vendors in exchange for information about vulnerabilities in their products

Offensive Actors: Individuals or groups working to compromise and manipulate computer systems and networks, e.g. the Russian Business network, a criminal organization

Defensive Actors: Individuals and groups working to prevent the compromise and manipulation of computer systems and networks, e.g. US-CERT, a government agency that helps coordinate vulnerability information and response to major incidents

About this Project

Computers and computer systems are becoming ubiquitous, managing everything from government databases, to grocery transactions, to activity on our own phones. However, these systems don’t come without their vulnerabilities, and their exploitation has never been in such high demand. So where does malicious software—the code designed to exploit these vulnerabilities—come from? 

This started as a project developed by Luke Heine and Brian de Luna of Harvard College in consultation with Trey Herr for CS 105: Privacy and Technology. Major credit to Kirk Jackson for his help with the graphic redesign. Additional thanks for feedback and support from the New America Cybersecurity Initiative including Rob Morgus, Joanne Zalatoris, and Ian Wallace. Thank you to Jim Waldo for the idea and Ben Buchanan for his review.

Authors

Brian de Luna is a data scientist at Airbnb. He has done a range of side projects that include data visualizations and analyses on topics ranging from malware markets to venture capital funding.

Luke Heine is a director at the Lab for Entrepreneurship and Development at the Harvard Institute of Quantitative Science. His research includes how risk is legitimised by capital and the bottlenecks of cluster formation. 

Trey Herr was a fellow in the Cybersecurity Initiative and formerly with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. His work focuses on trends in state developed malicious software, the structure of criminal markets for malware components, and the proliferation of malware. 

Project Outline:

Dataset:

* If using Safari or Internet Explorer, right-click download link and select "Download Linked File"