December 14, 2007 1:10 PM PST
Cracking open the cybercrime economy
"The majority of cybercriminals are small players for small dollars and short bursts of traffic," said Telafici. "On the flip side, you see the amount of effort and money spent protecting spam relays (as in Storm). If (security researchers) aren't careful they get DDoS-ed"--that is, hit by a distributed denial-of-service attack--"by a chunk of the spam network. That the guys are protecting their turf indicates that in aggregate the amount of money that is changing hands is significant."
Game theory, a branch of applied mathematics that models how adversaries maximize their gains through adapting to each other's strategies, features heavily in security assessments of the black economy. As one player becomes stronger, the other increases its efforts to gain the upper hand.
"I view it as we're locked in a Darwinian power struggle," said Telafici. "As we up the ante, the black economy adjusts to that, and it in turn ups the ante."
Anatomy of the 2007 black economy
Peter Gutmann, a security researcher at the University of Auckland, says in a report that distributing malicious software through the affiliate model--in which someone pays others to infect users with spyware and Trojans--has become more prevalent in 2007.
The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid Webmasters 6 cents per infected site. Since then, this has been extended to a "vast number of adware affiliates," according to Gutmann. For example, one adware supplier pays 30 cents for each install in the United States, 20 cents in Canada, 10 cents in the United Kingdom, and 1 or 2 cents elsewhere.
Hackers also piggyback malicious software on legitimate software. According to Gutmann, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.
While standard commercial software vendors sell software as a service, malicious-software vendors sell malware as a service, advertised and distributed much like standard software. Communicating via Internet relay chat (IRC) and forums, hackers advertise iframe exploits, pop-unders, click fraud, forum posting and spam.
"If you don't have it, you can rent it here," boasts one post, which also offers online video tutorials. Prices for services vary by as much as 100 percent to 200 percent across sites, while prices for non-Russian sites are often higher: "If you want the discount rate, buy via Russian sites," Gutmann says.
In March, the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.
In the 2007 black economy, everything can be outsourced, according to Gutmann. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts.
"You wonder why anyone still bothers burgling houses when this is so much easier," Gutmann says.
Antidetection vendors sell services to malicious-software and botnet vendors, who sell stolen credit card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit card data and pay a premium for verifiably active accounts. "The money seems to be in the middlemen," Gutmann says.
One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, who bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan server was managed by 76service.com, and hosted by the Russian Business Network, which security vendors allege offered "bullet-proof" hosting for phishing sites and other illicit operations.
According to Gutmann, there are many independent malicious-software developers selling their wares online. Private releases can be tailored to individual clients, while vendors offer support services, often bundling antidetection. For example, the private edition of Hav-rat version 1.2, a Trojan written by hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it does get detected then it will be replaced with a new copy that again is supposedly undetectable.