Despite the dubious success of botnets such as Zeus, which has infected thousands of machines around the world, the authors of malware apparently have plenty of business issues to worry about to earn a dishonest crust.
Zeus, described as the world's largest botnet, delivers a banking Trojan that sends data back to those in control of the network. Like other cybercriminals, the creators of Zeus have taken several leaves from the book of legitimate commercial software, including the concept of offering customers their malware in convenient modules.
ZDNet UK talks to Jon Ramsey, chief technology officer at managed security services firm SecureWorks, about the business models that the authors of the malware industry are adopting.
Q: Is there really a shadow criminal IT industry that mirrors the legitimate commercial world?
A: If you look across the whole supply chain for criminality, there is a service provider for everything you would need today. The impact of that is to reduce the barrier to entry. So if someone wants to get into cybercrime, it's very easy.
You can just go and buy a whole bunch of services instead of building a whole bunch of services, whether it's a cash-out service, a laundering service, a malware service or bulletproof hosting.
What are the typical business models that criminals use?
The botnet and the malware authors have three models. They either develop malware and put it to their own use, or they develop the malware and sell it for other people to use. More recently, they have been using a pay-per-install model. The pay-per-install model is sort of a channel or VAR reseller model for the malware they develop.
For example, in the context of the Zeus botnet, it turns out that its authors develop it and then sell it for other people to use at good dollar amounts for a pretty good profit. Then the people using the Zeus malware often have a business model of stealing the identities and doing automated clearing house (ACH) fraud to profit from it.
Then the pay-per-install model is a borrowing from the legitimate commercial world?
Zeus is a direct-sell model [not pay-per-install]. The authors sell it to criminals to go off and use. The interesting thing about Zeus is what you purchase from the author is a kit and the kit costs anywhere from $3,000 (£2,000) to $4,000. And there are individual features or functions that you can get as part of that kit.
So, for example, you can get the back-connect module for $1,500, which allows someone to submit a web request through a machine that is compromised with Zeus. Probably the most expensive module with Zeus now is the virtual network computing (VNC) module, which is about $10,000 and allows someone to take full control of a machine that Zeus has compromised.
When you buy the kit from the author, the author gets a hardware ID from you and puts it in the kit, so that you only run that kit on the one machine that you have effectively a licence for.
So is it a form of digital rights management for criminals?
That's exactly right. Because what used to happen is that someone would buy the kit and then sell it on at half the price. Now because the kit is specific to a machine someone can't sell it on.
If they are mimicking legitimate commercial IT industry business approaches, such as licensing, does that make them more likely to be identified?
Not necessarily. But the thing about being a criminal who sells a piece of malware, you need to market yourself and you need to have a reputation.
If you are going to buy Zeus, and it's going to cost anywhere from $3,000 to $15,000, you're just not going to spend that kind of money with someone you don't know, especially as what you do know is that they are a criminal who you can't trust.
So what we see is criminals doing marketing and building up reputations, because it's a business. Just as on the legitimate side, you need to have a brand name and a market and a reputation. It's the same thing on the malicious side when you're in the business of selling software.
That [need to market themselves] is how we track groups and how we put pieces of the puzzle together around criminals. They come up with a name or a name of the group and they market themselves, and that's effectively how we track them.
How do they market themselves?
Usually through websites. Earnings4u.com is a popular pay-per-install website and they use other means, through word of mouth, through referrals and references.
These are essentially endorsements by satisfied criminal customers?
Yes. It's reference-based selling in many contexts. Another site, dogmamillions.com, uses a pay-per-install reseller model, and to be a member of the site you have to...
...be referred to the site. That's not necessarily a way to market yourself but a way to keep the bad guys — that's the good guys — from infiltrating these sites.
You mention the criminals' need to promote themselves as a way you can identify and track these people. What other techniques can you use?
We track them or their activities using three principle methods. The first method is shared code among malware. It's often the case that one piece of code from one piece of malware is used in another piece of malware — a kind of common ancestry, if you will. So we have these trees of malware ancestry.
The second method is shared command-and-control infrastructure. So if someone sets up a command-and-control infrastructure and then two pieces of malware point back to the same IP address or use the same DNS name, we would consider those related.
The third way is based on three aspects of a target list: who are they targeting specifically with their attacks; what are the methods of their targeting; and what is their business model behind the targeting. Then we relate things across that spectrum.
Apart from its scale, what is there about Zeus that has made it so significant?
The most interesting thing about Zeus is it has been so successful at stealing user names and passwords that they have adopted a model where they are specifically targeting high-value transactions.
If someone were to log in to an account with multi-factor authentication, then that is an indication to the person running the botnet that this is a high-value or high-asset person. It could be a business account, and the criminals are prioritising their activities around going after those accounts that have multi-factor authentication.
They are also going after ACH fraud in particular because that often represents businesses — businesses use ACH in the US a lot — and that means that there are usually bigger dollar amounts involved.
The other thing we've seen relatively recently is that the criminals now use instant messaging. When someone logs in to an account with multi-factor authentication, the criminal will get a message in real-time saying this person is logging in with these credentials and the criminal will use the back-connect feature in Zeus to be able to submit fraudulent ACH transactions while the person is still logged in from that machine.
Your recent research into the Black Energy botnet mentions its unusual modular architecture, which allows various plug-ins — for example, for fraud, distributed denial-of-service (DDoS) attacks and spam — to be developed without needing the source code.
That approach is pretty common among malware today. It allows rapid, agile development of feature sets for criminals.
Have created their own application programming interface (API)?
That's correct. There is an API and a whole library that you could use to generate a whole Black Energy module and load it right into the executable.
Black Energy not only tries to commit financial fraud by stealing customer data but also has delivered a DDoS attack on the banks in question.
Yes, but the thing that's interesting about Black Energy is that it's specifically targeting Russian and Commonwealth of Independent States' (CIS) banks, and we haven't seen that before.
Most malware we see today goes out of its way not to target any Russian sites. As a matter of fact, with the pay-per-install sites we talked about earlier, if you have an installation in Russia or any of the CIS, you won't be paid for that — there's no fee. The DDoS attack along with identity theft is fairly uncommon.
Why are they doing that?
Our hypothesis is that it's a diversionary tactic, so the bank is using all its resources in paying all its attention to the DDoS attack and then when they are not looking they do cyber frauds and steal money while the bank is busy trying to bring its systems back online.
Why is the cloud becoming a platform for malware attacks?
The cloud is a good model for the criminals to be able to use for things such as command-and-control and denial-of-service attacks, to be able to host malware because of the utility-based nature of the cloud and the general trust that people put in the cloud.
If someone hosts a command-and-control server in Amazon's cloud, most sites don't block Amazon's cloud because there are so many other legitimate services hosted in the cloud so that makes it a good place for criminals to hide malicious sites among many legitimate ones.
It's a lot like DNS: when you register a site, they don't really do any form of authentication or verification. You can register domain names very easily with stolen credentials. Now with the cloud model, you are not just getting a DNS name, you're getting a whole infrastructure that you're effectively stealing with someone else's identity.