"Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don't think we are really winning this war."
As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.
There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cyber-economy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.
It is difficult to establish exactly how organised this malware economy is but, according to David Marcus, security research manager, McAfee Avert Labs, it's relatively straightforward to buy not only the modules to build malware, but also the support services that go with it.
"From Trojan creation sites out of Germany and the Eastern bloc, you can purchase kits and support for malware in yearly contracts," says Marcus. "They present themselves as a cottage industry which sells tools or creation kits. It's hard to tell if it's a conspiracy or a bunch of autonomous individuals who are good at covering their tracks."
As well as kits and support, legions of compromised computers, or botnets, can be hired for nefarious purposes — usually for spam runs, or to perpetrate denial of service attacks. One of the most successful botnets of 2007 has been "Storm", so-called due to the hook-line used to trick victims into opening emails containing the Trojan. In January this year, the first malware was sent out with the tagline "230 dead as storm batters Europe".
The Storm botnet, estimated now to contain millions of compromised computers, has advanced defences. The servers that control the botnet use so-called fast-flux Domain Name System (DNS) techniques to constantly change their location and names, making them difficult to locate and shut down. And security researchers who have attempted to find the command and control servers have suffered denial of service attacks launched by the controllers of the botnet.
"Storm has been exceptionally successful," says McAfee's Marcus. "It's used for spam runs, and researchers attempting to locate Storm command and control servers have come under attack. The hardest part is finding the key to those channels. They're not always easy to detect and find. Some of the communications are encrypted, while some are difficult to detect from a network point of view. I hate to use the word evolution, but they're certainly learning from their successes and failures. If it weren't for Storm, bots would be in significant recession. Some days we're seeing 1,000 different variants a day."
Weathering the Storm
Joe Telafici, director of operations at McAfee's Avert labs, says Storm is continuing to evolve. "We've seen periodic activity from Storm indicating that it is still actively being maintained. They have actually ripped out core pieces of functionality to modify the obfuscation mechanisms that weren't working any more. Most people keep changing the wrapper until it gets by [security software] — these guys changed the functionality."
In the past year, the development of illegal malware has reached the point where it is almost as sophisitcated as the traditional software-development and sales channel, according to Telafici.
"We've seen platform development, middleware, solutions sellers and hosting — all types of software and companies, with the same level of breakdown," says Telafici.
One indication of the maturity of the black economy, according to Telafici, was the recent case of a hacker who wrote a packer [software used to bypass antivirus protection], "threw in the towel recently as it wasn't profitable enough — there's too much competition. They opened the source code and walked away."
Security vendors seem to be powerless to take any action against the groups in control of botnet networks, especially those who use fast-flux techniques to move the location of command and control servers.
"With botnets, we are unlikely to make a dent unless we find the guy who controls the command and control server," says Telafici.
While law-enforcement agencies have a headstart in tracking cybercriminals, due to their experience of dealing with...
...economic crimes such as fraud, many of the crimes are seemingly small, not warranting police attention.
"The majority of cybercriminals are small players for small dollars and short bursts of traffic," says Telafici. "On the flip side you see the amount of effort and money spent protecting spam relays [as in Storm]. If [security researchers] aren't careful they get Ddossed [distributed denial of service attack] by a chunk of the spam network. That the guys are protecting their turf indicates that in aggregate the amount of money that is changing hands is significant."
Game theory, a branch of applied mathematics that models how adversaries maximise their gains through adapting to each other's strategies, features heavily in security assessments of the black economy. As one player becomes stronger, the other increases its efforts to gain the upper hand.
"I view it as we're locked in a Darwinian power struggle," says Telafici. "As we up the ante, the black economy adjusts to that, and it in turn ups the ante."
Anatomy of the 2007 black economy
Peter Gutmann, a security researcher at the University of Auckland, says that malware via the affiliate model — where you pay others to infect users with spyware and Trojans — has become more prevalent in 2007.
The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid webmasters six cents per infected site. Since then this has been extended to a "vast number of adware affiliates", says Gutmann. For example, one adware supplier pays 30 cents for each install in the US, 20 cents in Canada, 10 cents in the UK, and one or two cents elsewhere.
Hackers also piggyback malware on legitimate software. According to the researcher, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.
While standard commercial software vendors sell software as a service, malware vendors sell malware as a service, which is advertised and distributed like standard software. Communicating via internet relay chat (IRC) and forums, hackers advertise Iframe exploits, pop-unders, click fraud, posting and spam. "If you don't have it, you can rent it here," boasts one post, which also offers online video tutorials. Prices for services vary by as much as 100-200 percent across sites, while prices for non-Russian sites are often higher: "If you want the discount rate, buy via Russian sites," says Gutmann.
In March the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 (£500) and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.
In the 2007 black economy, everything can be outsourced, according to Gutmann. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts. "You wonder why anyone still bothers burgling houses when this is so much easier," says Gutmann.
Anti-detection vendors sell services to malware and botnet vendors, who sell stolen credit-card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit-card data and pay a premium for verifiably active accounts. "The money seems to be in the middlemen," says Gutmann.
One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, who bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan server was managed by 76service.com, and hosted by the Russian Business Network, which security vendors allege offered "bullet-proof" hosting for phishing sites and other illicit operations.
According to the University of Auckland, there are many independent malware developers selling their wares online. Private releases can be tailored to individual clients, while vendors offer support services, often bundling anti-detection. For example, the private edition of Hav-rat version 1.2, a Trojan written by hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it does get detected then it will be replaced with a new copy that again is supposedly undetectable.
Hackers can buy denial of service attacks for $100 (£50) per day, while spammers can buy CDs with harvested email addresses. Spammers can also send mail via spam brokers, handled via online forums such as...
...specialham.com and spamforum.biz. One dollar buys 1,000 to 5,000 credits, while $1,000 (£500) buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mailserver. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client's PC using broker provided software and control information.
"This is a completely standard commercial business," says Gutmann. "The spammers even have their own trade associations."
Ready-made tools for creating phishing emails, such as fake requests for bank details, are fairly easy to buy, with many independent vendors selling them. Bulletproof hosting is also easily available, while phishers engage spam services to lure users to their sites.
Carders, who mainly deal in stolen credit-card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit-card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a social security number; and $50 for a full bank account.
How is the money laundered?
Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000 (£5,000), and agree to pay them $20,000 (£10,000) if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as "money mules", can also take up to 50 percent of the funds to move the money via transfer services.
Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.
What is the cost to legitimate business?
As the malware economy grows in sophistication, so do the losses sustained by legitimate businesses. According to the 2007 Computer Security Institute computer crime and security survey, these losses have seen a sharp increase this year.
Robert Richardson, director of the CSI, says the average annual loss among US businesses due to cybercrime has shot up to $350,424, from $168,000 in 2006. "Not since the 2004 report have average losses been this high," says Richardson.
This year's survey results are based on the responses of 494 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities.
Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident said they had suffered a targeted attack aimed exclusively at their organisation, or organisations within a small subset. Khalid Kark, a principal security analyst at Forrester, says targeted attacks against companies and institutions are becoming more common.
"As banks and companies have increased security levels, the hacker community is casting a much wider net," says Khalid. "Instead of hacking into something right away, now it's low and slow. They're determining attack avenues, taking their sweet time to find holes, and then using stealth [to steal data]."
Financial services companies are being attacked more and more, says the analyst, while the attacks are increasing in number and complexity.
But while the black cyber-economy is maturing, at the moment its main practitioners seem to be individuals or small groups acting within a loose web of affiliations that can be quickly established and broken to evade detection.
F-Secure's Hypponen blames a lack of international co-operation and political and social problems for the current situation. "In many cases these are people with skills but without opportunities," says Hypponen. "What if you are born with IT skills in rural China, or in the middle of Siberia? There is no legal way of making use of the skills they have."
While law-enforcement co-operation with government and the IT community is paramount in addressing the problem in the short term, longer-term solutions must be found. One way to address the issue of the growth of the "black cyber-economy" in the long term is to harness the IT talent in developing countries that otherwise might be co-opted into illegal activity.
"We have to make it more attractive to be in the white economy than in the black — when that happens we will turn a corner. We're starting to see that happen as companies look to less expensive economies as places to put people. In Eastern Europe and Asia there are highly skilled people where there are less opportunities — this is where the black economy is fuelled now," says McAfee's Telafici.