December 14, 2007 1:10 PM PST

Cracking open the cybercrime economy

A correction was made to this story. Read below for details.
"Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don't think we are really winning this war."

As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.

There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cybereconomy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.

It is difficult to establish exactly how organized this malware economy is but, according to David Marcus, security research manager at McAfee Avert Labs, it's relatively straightforward to buy not only the modules to build malware, but also the support services that go with it.

"If it weren't for Storm, bots would be in significant recession. Some days we're seeing 1,000 different variants a day."
--David Marcus, security research manager, McAfee Avert Labs

"From Trojan creation sites out of Germany and the Eastern bloc, you can purchase kits and support for malware in yearly contracts," said Marcus. "They present themselves as a cottage industry which sells tools or creation kits. It's hard to tell if it's a conspiracy or a bunch of autonomous individuals who are good at covering their tracks."

As well as kits and support, legions of compromised computers, or botnets, can be hired for nefarious purposes--usually for spam runs, or to perpetrate denial-of-service attacks. One of the most successful botnets of 2007 has been "Storm," so-called due to the hook-line used to trick victims into opening e-mails containing the Trojan horse. In January, the first malware was sent out with the tagline "230 dead as storm batters Europe."

The Storm botnet, estimated now to contain millions of compromised computers, has advanced defenses. The servers that control the botnet use so-called fast-flux Domain Name System (DNS) techniques to constantly change their location and names, making them difficult to locate and shut down. And security researchers who have attempted to find the command and control servers have suffered denial-of-service attacks launched by the controllers of the botnet.

"Storm has been exceptionally successful," said McAfee's Marcus. "It's used for spam runs, and researchers attempting to locate Storm command and control servers have come under attack. The hardest part is finding the key to those channels. They're not always easy to detect and find. Some of the communications are encrypted, while some are difficult to detect from a network point of view. I hate to use the word evolution, but they're certainly learning from their successes and failures. If it weren't for Storm, bots would be in significant recession. Some days we're seeing 1,000 different variants a day."

Weathering the Storm
Joe Telafici, director of operations at McAfee's Avert Labs, said Storm is continuing to evolve. "We've seen periodic activity from Storm indicating that it is still actively being maintained. They have actually ripped out core pieces of functionality to modify the obfuscation mechanisms that weren't working any more. Most people keep changing the wrapper until it gets by (security software)--these guys changed the functionality."

In the past year, the development of illegal malware has reached the point where it is almost as sophisticated as the traditional software-development and sales channel, according to Telafici.

"We've seen platform development, middleware, solutions sellers and hosting--all types of software and companies, with the same level of breakdown," said Telafici.

One indication of the maturity of the black economy, according to Telafici, was the recent case of a hacker who wrote a packer (software used to bypass antivirus protection) and who "threw in the towel recently as it wasn't profitable enough--there's too much competition. They opened the source code and walked away."

Security vendors seem to be powerless to take any action against the groups in control of botnet networks, especially those who use fast-flux techniques to move the location of command and control servers.

"With botnets, we are unlikely to make a dent unless we find the guy who controls the command and control server," said Telafici.

While law-enforcement agencies have a headstart in tracking cybercriminals, due to their experience of dealing with economic crimes such as fraud, many of the crimes are seemingly small, not warranting police attention.

CONTINUED: "A Darwinian power struggle"…
Page 1 | 2 | 3

See more CNET content tagged:
hacking, McAfee Inc., malware, malicious code, bot


Join the conversation!
Add your comment
It's not a closed economy
Money is getting into this economy from what we consider "legitimate" economy. They're not only marketing porn/gambling/illegal drugs etc. The kind of businesses I see advertised in Israel using botnet based spam are legitimate businesses: financial institutions, academic colleges (real ones), medical institutions, and other legitimate businesses selling legitimate merchandise/services. The money they pay feeds this illegal industry. And as long as they can go buy services from this illegal economy that steals computer and network resources and sells them at cheaper price than those who actually pay for the resources they sell we would have this economy. Buying these services is not different from buying stolen goods.

I would like to see the information about use of malware organized and flowing to allow those whose PCs were infected find out the advertisers whose spam was sent using their compromised PCs, and done in such a way that they can organize and demand that the advertiser pay for the use of the resources, and sue the spammer in the right jurisdiction if needed. Advertisers should know that if they get a cheap deal and it was cheap because the spammer stole the resources used to do the distribution, they might have to pay for the resources in addition to what they paid to the spammer, and they might have to face criminal charges for illegal use of computer viruses (that is, having paid to be provided with a service based on computer viruses should be enough for a criminal charge. It doesn't have to be limited to those who actually perform the crime they were paid to perform). To achieve this there is a need for an infrastructure that collects the data from various sources (spam reports, security software on infected PCs, network monitoring such as scanning of outgoing traffic for spam by ISPs) and maks them available to the right parties (such as spam reports about mail coming from a dynamic IP address matched with information about the service advertised provided by speakers of the language of the advertisement should be available to the operator of the PC that used the IP address at the time the spam was sent. It's not an easy task. But it is not impossible, and it is needed if we want to stp the flow of legitimate money to the cybercrime economy.
Posted by hadaso (468 comments )
Reply Link Flag
HadasoL It;s Not Likely You'l;l See...
...that list of firms in a popular tech publication amytime too soon. Many of the firms to which you're alluding are after all major advertisers at best and poular providers of system killing freeware ay worst. Personally, I'd prefer an adjusted C|NET policy of providing copy (reviews et al) of for-pay products that offer a freeware product for those who cannot afford the for-pay version. To cxompliment this initiative, I'd like to see a requirement that C|NEY only offer downloads of products they recommend in their reviews. This post is a compliment to C|NET's vision and integrity appled to this new world we're living ibn which the article describes.
Posted by i_made_this (302 comments )
Link Flag
Bottom Line: As long as it's profitable... it will continue to expound
That said, what can be implemented to ensure that it's no-longer profitable.

Once the risks and loss are greater than the profits... it will start to dwindle... No sooner.

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.