December 14, 2007 1:10 PM PST

Cracking open the cybercrime economy

(continued from previous page)

"The majority of cybercriminals are small players for small dollars and short bursts of traffic," said Telafici. "On the flip side, you see the amount of effort and money spent protecting spam relays (as in Storm). If (security researchers) aren't careful they get DDoS-ed"--that is, hit by a distributed denial-of-service attack--"by a chunk of the spam network. That the guys are protecting their turf indicates that in aggregate the amount of money that is changing hands is significant."

Game theory, a branch of applied mathematics that models how adversaries maximize their gains through adapting to each other's strategies, features heavily in security assessments of the black economy. As one player becomes stronger, the other increases its efforts to gain the upper hand.

"I view it as we're locked in a Darwinian power struggle," said Telafici. "As we up the ante, the black economy adjusts to that, and it in turn ups the ante."

Anatomy of the 2007 black economy
Peter Gutmann, a security researcher at the University of Auckland, says in a report that malicious software via the affiliate model--in which someone pays others to infect users with spyware and Trojans--has become more prevalent in 2007.

The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid Webmasters 6 cents per infected site. Since then, this has been extended to a "vast number of adware affiliates," according to Gutmann. For example, one adware supplier pays 30 cents for each install in the United States, 20 cents in Canada, 10 cents in the United Kingdom, and 1 or 2 cents elsewhere.

Hackers also piggyback malicious software on legitimate software. According to Gutmann, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.

While standard commercial software vendors sell software as a service, malicious-software vendors sell malware as a service, which is advertised and distributed like standard software. Communicating via Internet relay chat (IRC) and forums, hackers advertise Iframe exploits, pop-unders, click fraud, posting and spam.

"If you don't have it, you can rent it here," boasts one post, which also offers online video tutorials. Prices for services vary by as much as 100 percent to 200 percent across sites, while prices for non-Russian sites are often higher: "If you want the discount rate, buy via Russian sites," Gutmann says.

In March, the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.

In the 2007 black economy, everything can be outsourced, according to Gutmann. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts.

"You wonder why anyone still bothers burgling houses when this is so much easier," Gutmann says.

Antidetection vendors sell services to malicious-software and botnet vendors, who sell stolen credit card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit card data and pay a premium for verifiably active accounts. "The money seems to be in the middlemen," Gutmann says.

One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, who bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan server was managed by 76service.com, and hosted by the Russian Business Network, which security vendors allege offered "bullet-proof" hosting for phishing sites and other illicit operations.

According to Gutmann, there are many independent malicious-software developers selling their wares online. Private releases can be tailored to individual clients, while vendors offer support services, often bundling antidetection. For example, the private edition of Hav-rat version 1.2, a Trojan written by hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it does get detected then it will be replaced with a new copy that again is supposedly undetectable.

Previous page | CONTINUED: Tools fairly easy to buy…
Page 1 | 2 | 3

See more CNET content tagged:
hacking, McAfee Inc., malware, malicious code, bot

3 comments

Join the conversation!
Add your comment
It's not a closed economy
Money is getting into this economy from what we consider "legitimate" economy. They're not only marketing porn/gambling/illegal drugs etc. The kind of businesses I see advertised in Israel using botnet based spam are legitimate businesses: financial institutions, academic colleges (real ones), medical institutions, and other legitimate businesses selling legitimate merchandise/services. The money they pay feeds this illegal industry. And as long as they can go buy services from this illegal economy that steals computer and network resources and sells them at cheaper price than those who actually pay for the resources they sell we would have this economy. Buying these services is not different from buying stolen goods.

I would like to see the information about use of malware organized and flowing to allow those whose PCs were infected find out the advertisers whose spam was sent using their compromised PCs, and done in such a way that they can organize and demand that the advertiser pay for the use of the resources, and sue the spammer in the right jurisdiction if needed. Advertisers should know that if they get a cheap deal and it was cheap because the spammer stole the resources used to do the distribution, they might have to pay for the resources in addition to what they paid to the spammer, and they might have to face criminal charges for illegal use of computer viruses (that is, having paid to be provided with a service based on computer viruses should be enough for a criminal charge. It doesn't have to be limited to those who actually perform the crime they were paid to perform). To achieve this there is a need for an infrastructure that collects the data from various sources (spam reports, security software on infected PCs, network monitoring such as scanning of outgoing traffic for spam by ISPs) and maks them available to the right parties (such as spam reports about mail coming from a dynamic IP address matched with information about the service advertised provided by speakers of the language of the advertisement should be available to the operator of the PC that used the IP address at the time the spam was sent. It's not an easy task. But it is not impossible, and it is needed if we want to stp the flow of legitimate money to the cybercrime economy.
Posted by hadaso (468 comments )
Reply Link Flag
HadasoL It;s Not Likely You'l;l See...
...that list of firms in a popular tech publication amytime too soon. Many of the firms to which you're alluding are after all major advertisers at best and poular providers of system killing freeware ay worst. Personally, I'd prefer an adjusted C|NET policy of providing copy (reviews et al) of for-pay products that offer a freeware product for those who cannot afford the for-pay version. To cxompliment this initiative, I'd like to see a requirement that C|NEY only offer downloads of products they recommend in their reviews. This post is a compliment to C|NET's vision and integrity appled to this new world we're living ibn which the article describes.
Posted by i_made_this (302 comments )
Link Flag
Bottom Line: As long as it's profitable... it will continue to expound
That said, what can be implemented to ensure that it's no-longer profitable.

Once the risks and loss are greater than the profits... it will start to dwindle... No sooner.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.