The current state of the crimeware threat - Q&A

What's the current state of the crimeware threat? Just how vibrant is the underground marketplace when it comes to crimeware? What are ISPs doing, and should ISPs be doing to solve the problem? Does taking down a cybercrime-friendly ISP has any long term effect?
Written by Dancho Danchev, Contributor

With Zeus crimeware infections reaching epidemic levels, two-factor authentication under fire, and the actual DIY (do-it-yourself) kit becoming more sophisticated, it's time to reassess the situation by discussing the current and emerging crimeware trends.

What's the current state of the crimeware threat? Just how vibrant is the underground marketplace when it comes to crimeware? What are ISPs doing, and should ISPs be doing to solve the problem? Does taking down a cybercrime-friendly ISP has any long term effect?

I asked Thorsten Holz, researcher at Vienna University of Technology, whose team not only participated in the recent takedown of the Waledac botnet, but released an interesting paper earlier this year, summarizing their findings based on 33GB of crimeware data obtained from active campaigns.

Go through the Q&A.

Dancho: Were you surprised that you were able to extract the data from the crimeware dropzones, so easily? Given the quality assurance practices that these people often put into their campaigns, it's logical to assume that they've taken basic precautions on the server/kit level.

Are cybercriminals taking the operational security of their campaigns seriously?

Thorsten: Actually I was rather surprised that we found so many open dropzones, it seems like the attackers do not follow security best practices. Especially earlier versions of Nethell had very often an open directory where all log files could be found by simply browsing to the correct URL. For ZeuS, we found only a handful of open dropzones, it seems like the attackers using that toolkit have more clue about what they are doing. Unfortunately, this has changed in the recent months: by now, most dropzones are configured correctly by default and thus it is not common anymore to find open dropzones.

Dancho: Considering the fact that security researchers are clearly capable of extracting campaign data, it's fairly logical to assume that cybercriminals are also peeking into each other's botnets, Zeus in particular.

Do you agree or disagree?

Thorsten: Yes, that definitely makes sense. Presumably an attacker can also use other methods to access a dropzone from another attacker: an attacker could exploit vulnerabilities in the dropzone's web app (e.g., SQL injection, default passwords, open MySQL access etc.), something that we could not do as part of our research. There have been some reports about vulnerabilities in dropzone kits, and I am sure that one could find other ways to access a dropzone.

Dancho: With Zeus clearly reaching a monocultural stage within the cybercrime marketplace, a remotely exploitable flaw within the kit's web interface could trigger an effect often seen from a white hat's perspective. In fact, there have been cases of cybercriminals hijacking one another's Zeus botnet due to insecurely configured web servers.

Do you believe these are isolated incidents, or a logical development in the long term, which could contribute to the rise of underground turf wars?

Thorsten: I think that this is a logical development: If I would be an attacker, it would be way easier to simply exploit other dropzones than doing all the hard work on my own (buying the kit, hosting it, exploiting machines etc.). And with tools such as ZeuS Tracker I could also easily find other dropzones and perform my attack on a larger scale.

Dancho: Since not every cybercriminal is willing to invest money into purchasing the very latest Zeus release, hundreds of them continue using old releases while continuing to update the "Web Injections" list.

A few months ago, based on an observation of ongoing discussions on the topic, I became aware of the fact that certain cybercriminals are in fact attempting to use the ZeusTracker to build hit list of potentially exploitable targets.

A trend, a fad, or someone's basically scratching the surface here?

Thorsten: I see this as a trend: since the information is freely available, it makes sense from an attacker's point of view to take advantage of it. Presumably it requires only some coding effort to crawl ZeuS Tracker, extract the info about the dropzone, and then probe it for open access or vulnerabilities.

Managed crimeware services, or raw crimeware logs as a service? -->

Dancho: Embracing the Cybercrime-as-a-Service model, opportunistic cybercriminals have been offering managed crimeware services for a few years now. In fact, some of the services truly demonstrate the dynamics of the cybercrime ecosystem by offering items that were once exclusive, now a commodity, as a bonus for extended use of the crimeware service.

In between, there's another no so well publicized market segment that's becoming a rather popular business proposition these days. It's the actual sale of gigabytes of raw crimeware/accounting data based on a recent period of time, or for a particular country only, with the customer not even having to rent access to a managed crimeware service.

Do you think the sale of raw crimeware data will surpass the growth of managed crimeware services in general? Is quantity proportional to quality in this case, and does this developing market segment makes it even easier for novice cybercriminals to obtain access to raw crimeware logs?

Thorsten: Yes, I also noticed this when studying underground boards/channels. However, I am not sure about this: if you buy raw logs, you can not be sure if you obtain some interesting info or only junk. As an attacker, I would prefer to target specific people and try to collect "interesting" data. Raw logs can contain surprising info, but you can also not be sure whether the seller removed interesting data such as credit card numbers, or if the seller has already abused the stolen credentials (which then lowers its value).

Dancho: Over the past year, cybercriminals have started monetizing the actual buzz surrounding web malware exploitation kits, and banking malware in general, by backdooring and releasing for free copies of these kits, proving that there's no such thing as a free malware kit, unless of course it's backdoored.

How big do you think is the potential of a underground model where potential cybercriminals unknowingly allow the sophisticated/opportunistic ones to harvest the data they were able to aggregate, in between forwarding the responsibility for maintaining the botnet/campaign to the novice cybercriminal?

Thorsten: Yes, an addition to the famous Mr. Brain phishing kit backdoors. In the phishing world this model works pretty well, see the study by my colleagues from UCSB. I think this could also easily work for dropzones and other types of web-based exploit kits. If an attacker puts some effort into hiding his backdoor in the code, then it might be undetected for some time. And again it is an easy way for an attacker to obtain stolen data: instead of setting up the whole campaign on his own, he just has to put some effort into hiding the backdoor.

Dancho: There are now web malware exploitation kits, which include a "seller module" allowing the cybercriminal to rent access to, or manage separate campaigns for other people. Do you believe that these kits would inevitably mature from today's tool for exploitation, to tomorrow's cybercrime-facilitating platform?

Thorsten: This definitely has potential to become a trend. Renting the whole platform for some time or only for specific campaigns actually makes sense: perhaps an attacker just wants to have some credentials for specific services and thus he can avoid the overhead by renting a framework. I expect that this kind of "service" will continue to expand.

Dancho: It's a "public secret" that thanks to quality assurance services within the cybercrime ecosystem, signature-based scanning is easily bypassed, and on the majority of occasions the people behind the campaigns would even measure the detection rate of their binaries before releasing them in the wild. The process is, of course, entirely automated and cost-effective from a cybercriminal's perspective.

Thorsten: Some researchers also built such a system - “PolyPack" is a research project at the University of Michigan aimed at understanding the impact of malware packers on modern antivirus products.

PolyPack highlights the failure of signature-based antivirus against common, widely available packers, investigates the role that diversity plays in the capabilities of both the packers and antivirus engines, and demonstrates the ease and efficacy with which an attacker could deploy an online packing service for nefarious purposes in a deployment model known as crimeware-as-a-service (CaaS).

The PolyPack web service uses an array of packers and antivirus engines to evaluate the effect that each packer has on the detection capabilities of the antivirus engines. Our current implementation employs 10 of the most common packers observed in the wild and 10 popular antivirus engines. A submitted binary is packed by each of the 10 packers and then analyzed by each of the 10 antivirus engines. The details of a fewexample results are available to the public.”

On TROYAK's takedown, and crimeware fighting strategies -->

Dancho: Where do you see the gap between the epidemic growth of crimeware, and the average end user's awareness still orbiting around perimeter defense solutions such as antivirus, or the practice of excluding client-side vulnerabilities from the big picture?

Thorsten: Going through related articles,  it becomes clear that AV is definitely behind the latest attacks and it is no surprise that we see a prospering underground ecosystem.

While the user awareness is rising due to media attention and everything, I think that we still need to do some work in that area: users need to understand that the Internet is not always a safe place and that they need to be responsible when surfing the web. Security best practices like regular patching or not clicking on everything are not followed by many, I think that's definitely an area that we need to improve.

Dancho: What's worse in this situation? The reactive, post-infection awareness building process, or the false feeling of security offered by two-factor authentication tokens with the end user unaware of the fact that their sessions are hijacked on-the-fly each time they interact with their E-banking provider?

Thorsten: That's a good point! Security solutions can not protect you against everything, a two-factor authentication on a compromised machine does not help much. People will learn due to security incidents, but the process can be a pain and the attackers always have some reward.

Dancho: Over the past week, the cybercrime-friendly TROYAK-AS has been struggling to remain online despite numerous attempts to take it down.

How beneficial are these takedowns in the long, and in the short term, considering the fact that the industry and the cybercrime ecosystem are both, in a "learning mode" of each other's tactics?

Thorsten: That's actually a good question and I have already spent quite some time with discussions on the subject. Taking down a cybercrime-friendly AS or taking down botnets such as Waledac always has two facets: on the one hand, it is good to do this since we can then stop to crime operation and the criminals can then not abuse the infected machines anymore. Side-effects such as spam, credential stealing and similar malicious actions then also stop. On the short run, it is thus good since we make the life of the attackers harder.

On the other hand, there are also reasons not to stop malicious AS or not to take down botnets: we loose some precious insights. When shutting down TROYAK-AS, many ZeuS servers went offline, but the attackers do presumably not stop doing their stuff: they will simply move to another hoster, continue the operation, and learn their lessons to stay under the radar longer next time. Thus we force an arms-race and force the attackers to evolve.

At the same time, the defenders need to closely follow the attackers: previously, we knew that many ZeuS server were hosted at TROYAK and could study them (perhaps also together with the police, in order to track down the actual attackers). Now we need to search for new locations and update our knowledge, such that we can follow the attackers again. On the long run, this kind of takedown actions thus forces an arms race and evolution at the attacker's side.

Dancho: Also, which practice do you think should get more priority in the long term? Shutting down the botnets, going after the ISPs, or putting more efforts into going after the individuals behind these campaigns?

My point - the Internet can be a pretty small place if you can get international law enforcement agencies, private sector companies and the academic community to start constructively sharing data, and prioritizing the gangs/incidents.

Thorsten: Going after the actual individuals who run the botnets (Police arrest Mariposa botnet masters, 12M+ hosts compromised) would be the best approach: only when we can catch them, they will stop doing harm. A good example here is the group behind Storm Worm: they had built an interesting, peer-to-peer based botnet that was rather successful and infected hundreds of thousands of machines (presumably also making quite some cash).

When Storm was shut down, it did not take too long and Waledac appeared: the malware has evolved, but many of the concepts stayed the same (e.g., spam template language). Waledac was recently shut down and the attackers can not send commands to the infected machines anymore.

However, I expect that we see a new, evolved attack by the same group in the near future since they will presumably not stop doing their harm. Instead, they will likely find new ways to make the botnet more robust next time. Unfortunately, going after the attackers is a tough task: collaboration among international law enforcement agencies can take some time, there is also lots of bureaucracy involved.But if we collaborate, I think this would definitely improve the overall situation.

Pros and cons of disconnecting malware-infected customers from the Internet -->

Dancho: Whether a cybercrime-friendly ISP goes down or not, cybercriminals proved that they have the contingency planning in place to continue their malicious operations elsewhere.

Has the time come for ISPs (Internet Service Providers) to start disconnecting malware-infected customers from the Internet, instead of basically notifying them that they're infected?

Thorsten: Disconnecting is presumably not an optimal solution and I expect that not many ISPs will do this. After all, the customers will definitely not like this, the ISP do not have much incentive to do this, and ISPs also often do not have the necessary expertise/infrastructure to detect infections. There could also be legal caveats prohibiting ISPs to do this, after all they are typically only providing the service and they need to make sure that the customer can reach the network.

Notifications would be nice, I hope that more ISPs adopt this model in the future and finally start to do something. After all, they are in a good position to do this - perhaps some legal ruling would help here, forcing ISPs to pro-actively adopting some security mechanisms. Actually some German ISPs plan to build such a system, the government will also support this. I think this is a step in the right direction, let's see how such a systems works in practice.

Dancho: Having an active cybercrime-friendly ISP is one thing, but having it online with no bots connecting to it since their ISP disconnected them is entirely another.

Virtually, it undermines a huge percentage of the services currently offered within the cybercrime ecosystem.

What do you think?

Thorsten: But it also has some drawbacks: why would an ISP do this (if not force by some laws)? For an average user who can choose between an ISP that disconnects him when his machine is compromised and an ISP who takes no action, the customer will presumably choose the latter.

I know that there are good reasons to disconnect infected machines, but I am not sure whether this will get wide-spread adoption in the near future. Some ISPs have implemented Walled Gardens such that they can separate infected machines and inform the user, perhaps some more ISPs adopt that model.

Dancho: In conclusion, are you optimist, a pessimist, perhaps even a realist in respect to solving the crimeware problem, once and for all?

Thorsten: As a researcher, I am an optimist that we will solve some of the problems and come to good solutions for some of the current problems. Taking a look 10 years back: we had Windows 98 and Windows 2000 has been released. Compared to Windows 7, we now have some huge improvements and I hope that we can say the same in 10 years when we haver better operating systems and detection mechanisms.

But I am also a little realist: we will not solve everything and the "human factor" will still be a problem in the future. Social engineering tricks will presumably always work and threats like rogue AV solutions highlight this aspect: many people well for these tricks and the attackers made a small fortune out of rogue AV.

Editorial standards