From the archive, originally posted by: [ spectre ]

Cracking open the cybercrime economy  /  Dec 12 2007

Hacking for fun has evolved into hacking for profit, and created a
business model that is nearly as sophisticated as that of legal

“Over the years, the criminal elements, the ones who are making money,
making millions out of all this online crime, are just getting
stronger and stronger. I don’t think we are really winning this war.”

As director of antivirus research for F-Secure, you might expect Mikko
Hypponen to overplay the seriousness of the situation. But according
to the Finnish company, during 2007 the number of samples of malicious
code on its database doubled, having taken 20 years to reach the size
it was at the beginning of this year.

There seems to be some serious evidence then for the idea of an
evolution from hacking and virus writing for fun to creating malicious
code for profit. Security experts are increasingly pointing to the
existence of a “black” or “shadow” cyber-economy, where malware
services are sold online using the same kinds of development methods
and guarantees given by legitimate software vendors.

It is difficult to establish exactly how organised this malware
economy is but, according to David Marcus, security research manager,
McAfee Avert Labs, it’s relatively straightforward to buy not only the
modules to build malware, but also the support services that go with

“From Trojan creation sites out of Germany and the Eastern bloc, you
can purchase kits and support for malware in yearly contracts,” says
Marcus. “They present themselves as a cottage industry which sells
tools or creation kits. It’s hard to tell if it’s a conspiracy or a
bunch of autonomous individuals who are good at covering their

As well as kits and support, legions of compromised computers, or
botnets, can be hired for nefarious purposes — usually for spam runs,
or to perpetrate denial of service attacks. One of the most successful
botnets of 2007 has been “Storm”, so-called due to the hook-line used
to trick victims into opening emails containing the Trojan. In January
this year, the first malware was sent out with the tagline “230 dead
as storm batters Europe”.

The Storm botnet, estimated now to contain millions of compromised
computers, has advanced defences. The servers that control the botnet
use so-called fast-flux Domain Name System (DNS) techniques to
constantly change their location and names, making them difficult to
locate and shut down. And security researchers who have attempted to
find the command and control servers have suffered denial of service
attacks launched by the controllers of the botnet.
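The fast-flux behaviour described above, scored the way a defender would from repeated DNS lookups of one hostname. This is an added example, not code from the article or from McAfee: the TTL, pool-size, network-spread and churn thresholds, the /16 prefix used as a stand-in for an ASN lookup, and the sample answers are all constructed assumptions.

```python
"""Fast-flux DNS indicator scoring (added example, not from the original article).

Fast-flux command-and-control hosts answer lookups with short TTLs and a
large pool of IPs that rotates between responses and is scattered across
many unrelated networks. A low TTL on its own is NOT a signal: CDNs do that
too. The function below combines four indicators; thresholds are
illustrative assumptions and should be tuned against real traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Sequence, Tuple


@dataclass
class Lookup:
    """One A-record response for the same hostname."""
    ttl: int                  # seconds
    addresses: List[str]      # IPv4 addresses returned in this answer


def _slash16(addr: str) -> str:
    """Coarse network key: first two octets (assumed stand-in for an ASN lookup)."""
    octets = str(IPv4Address(addr)).split(".")
    return ".".join(octets[:2])


def flux_indicators(lookups: Sequence[Lookup],
                    max_ttl: int = 300,
                    min_unique_ips: int = 10,
                    min_networks: int = 5,
                    min_churn: float = 0.5) -> Tuple[int, List[str]]:
    """Score a series of lookups; returns (score 0-4, triggered indicator names)."""
    if len(lookups) < 2:
        raise ValueError("need at least two lookups to measure churn")

    hits: List[str] = []
    all_ips = set()
    networks = set()
    for lk in lookups:
        all_ips.update(lk.addresses)
        networks.update(_slash16(a) for a in lk.addresses)

    # 1. Short TTL on every answer (necessary for flux, but CDNs do it too).
    if max(lk.ttl for lk in lookups) <= max_ttl:
        hits.append("short_ttl")
    # 2. Large pool of distinct IPs over the observation window.
    if len(all_ips) >= min_unique_ips:
        hits.append("many_unique_ips")
    # 3. IPs spread over many unrelated networks (compromised home machines).
    if len(networks) >= min_networks:
        hits.append("many_networks")
    # 4. High churn: share of IPs in each answer that were absent from the previous one.
    churn = []
    for prev, cur in zip(lookups, lookups[1:]):
        cur_set, prev_set = set(cur.addresses), set(prev.addresses)
        if cur_set:
            churn.append(len(cur_set - prev_set) / len(cur_set))
    if churn and sum(churn) / len(churn) >= min_churn:
        hits.append("high_churn")
    return len(hits), hits


def is_suspected_fast_flux(lookups: Sequence[Lookup], min_score: int = 3) -> bool:
    """Decision rule: three or more indicators together."""
    return flux_indicators(lookups)[0] >= min_score


# Constructed sample data (TEST-NET and benchmarking ranges, not real hosts).
# A CDN-fronted site: low TTL but a small, stable pool inside one network.
CDN_LOOKUPS = [
    Lookup(60, ["203.0.113.10", "203.0.113.11"]),
    Lookup(60, ["203.0.113.11", "203.0.113.10"]),
    Lookup(60, ["203.0.113.12", "203.0.113.10"]),
]

# A flux-style host: low TTL, every answer almost entirely new IPs, many networks.
FLUX_LOOKUPS = [
    Lookup(120, ["198.51.100.5", "192.0.2.77", "203.0.113.200", "198.18.4.9"]),
    Lookup(90, ["192.0.2.131", "198.18.77.2", "203.0.113.9", "198.51.100.250"]),
    Lookup(60, ["198.19.3.3", "192.0.2.200", "198.18.200.1", "203.0.113.44"]),
]

if __name__ == "__main__":
    for name, data in (("cdn", CDN_LOOKUPS), ("flux", FLUX_LOOKUPS)):
        score, hits = flux_indicators(data)
        print(f"{name}: score={score} indicators={hits}")
```

The CDN sample trips only the TTL indicator, which is why TTL alone must never drive a block decision.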

“Storm has been exceptionally successful,” says McAfee’s Marcus. “It’s
used for spam runs, and researchers attempting to locate Storm command
and control servers have come under attack. The hardest part is
finding the key to those channels. They’re not always easy to detect
and find. Some of the communications are encrypted, while some are
difficult to detect from a network point of view. I hate to use the
word evolution, but they’re certainly learning from their successes
and failures. If it weren’t for Storm, bots would be in significant
recession. Some days we’re seeing 1,000 different variants a day.”

Weathering the Storm
Joe Telafici, director of operations at McAfee’s Avert labs, says
Storm is continuing to evolve. “We’ve seen periodic activity from
Storm indicating that it is still actively being maintained. They have
actually ripped out core pieces of functionality to modify the
obfuscation mechanisms that weren’t working any more. Most people keep
changing the wrapper until it gets by [security software] — these guys
changed the functionality.”

In the past year, the development of illegal malware has reached the
point where it is almost as sophisticated as the traditional
software-development and sales channel, according to Telafici.

“We’ve seen platform development, middleware, solutions sellers and
hosting — all types of software and companies, with the same level of
breakdown,” says Telafici.

One indication of the maturity of the black economy, according to
Telafici, was the recent case of a hacker who wrote a packer [software
used to bypass antivirus protection], “threw in the towel recently as
it wasn’t profitable enough — there’s too much competition. They
opened the source code and walked away.”

Security vendors seem to be powerless to take any action against the
groups in control of botnet networks, especially those who use
fast-flux techniques to move the location of command and control servers.

“With botnets, we are unlikely to make a dent unless we find the guy
who controls the command and control server,” says Telafici.

While law-enforcement agencies have a head start in tracking
cybercriminals, due to their experience of dealing with economic crimes
such as fraud, many of the crimes are seemingly small, not warranting
police attention.

“The majority of cybercriminals are small players for small dollars
and short bursts of traffic,” says Telafici. “On the flip side you see
the amount of effort and money spent protecting spam relays [as in
Storm]. If [security researchers] aren’t careful they get DDoSed
[distributed denial of service attack] by a chunk of the spam network.
That the guys are protecting their turf indicates that in aggregate
the amount of money that is changing hands is significant.”

Game theory, a branch of applied mathematics that models how
adversaries maximise their gains through adapting to each other’s
strategies, features heavily in security assessments of the black
economy. As one player becomes stronger, the other increases its
efforts to gain the upper hand.

“I view it as we’re locked in a Darwinian power struggle,” says
Telafici. “As we up the ante, the black economy adjusts to that, and
it in turn ups the ante.”

Anatomy of the 2007 black economy

Peter Gutmann, a security researcher at the University of Auckland,
says that malware via the affiliate model — where you pay others to
infect users with spyware and Trojans — has become more prevalent in

The affiliate model was pioneered by the site in
2005, which paid webmasters six cents per infected site. Since then
this has been extended to a “vast number of adware affiliates”, says
Gutmann. For example, one adware supplier pays 30 cents for each
install in the US, 20 cents in Canada, 10 cents in the UK, and one or
two cents elsewhere.

Hackers also piggyback malware on legitimate software. According to
the researcher, versions of coolwebsearch co-install a mail zombie and
a keystroke logger, while some peer-to-peer and file-sharing
applications come with bundled adware and spyware.

While standard commercial software vendors sell software as a service,
malware vendors sell malware as a service, which is advertised and
distributed like standard software. Communicating via internet relay
chat (IRC) and forums, hackers advertise Iframe exploits, pop-unders,
click fraud, posting and spam. “If you don’t have it, you can rent it
here,” boasts one post, which also offers online video tutorials.
Prices for services vary by as much as 100-200 percent across sites,
while prices for non-Russian sites are often higher: “If you want the
discount rate, buy via Russian sites,” says Gutmann.

In March the price quoted on malware sites for the Gozi Trojan, which
steals data and sends it to hackers in an encrypted form, was between
$1,000 (£500) and $2,000 for the basic version. Buyers could purchase
add-on services at varying prices starting at $20.

In the 2007 black economy, everything can be outsourced, according to
Gutmann. A scammer can buy hosts for a phishing site, buy spam
services to lure victims, buy drops to send the money to, and pay a
cashier to cash out the accounts. “You wonder why anyone still bothers
burgling houses when this is so much easier,” says Gutmann.

Anti-detection vendors sell services to malware and botnet vendors,
who sell stolen credit-card data to middlemen. Those middlemen then
sell that information to fraudsters who deal in stolen credit-card
data and pay a premium for verifiably active accounts. “The money
seems to be in the middlemen,” says Gutmann.

One example of this is the Gozi Trojan. According to reports, the
malware was available this summer as a service from iFrameBiz and, who bought the Trojan from the HangUp team, a group of
Russian hackers. The Trojan server was managed by, and
hosted by the Russian Business Network, which security vendors allege
offered “bullet-proof” hosting for phishing sites and other illicit

According to the University of Auckland, there are many independent
malware developers selling their wares online. Private releases can be
tailored to individual clients, while vendors offer support services,
often bundling anti-detection. For example, the private edition of
Havrat version 1.2, a Trojan written by hacker Havalito, is advertised as
being completely undetectable by antivirus companies. If it does get
detected then it will be replaced with a new copy that again is
supposedly undetectable.

Hackers can buy denial of service attacks for $100 (£50) per day,
while spammers can buy CDs with harvested email addresses. Spammers
can also send mail via spam brokers, handled via online forums such

… and One dollar buys 1,000 to 5,000
credits, while $1,000 (£500) buys 10,000 compromised PCs. Credit is
deducted when the spam is accepted by the target mailserver. The
brokers handle spam distribution via open proxies, relays and
compromised PCs, while the sending is usually done from the client’s
PC using broker-provided software and control information.

“This is a completely standard commercial business,” says Gutmann.
“The spammers even have their own trade associations.”

Ready-made tools for creating phishing emails, such as fake requests
for bank details, are fairly easy to buy, with many independent
vendors selling them. Bulletproof hosting is also easily available,
while phishers engage spam services to lure users to their sites.

Carders, who mainly deal in stolen credit-card details, openly publish
prices, or engage in private negotiations to decide the price, with
some sources giving bulk discounts for larger purchases. The rate for
credit-card details is approximately $1 for all the details down to
the Card Verification Value (CVV); $10 for details with CVV linked to
a social security number; and $50 for a full bank account.

How is the money laundered?

Scammers use a variety of ways to launder cash. Compromised bank
accounts can be used to launder funds, or struggling companies can be
bribed to turn the money into ready cash. Scammers can find businesses
with a debt of $10,000 (£5,000), and agree to pay them $20,000
(£10,000) if they agree to cash out 50 percent of the funds. Dedicated
cashiers, also known as “money mules”, can also take up to 50 percent
of the funds to move the money via transfer services.

Money can also be laundered by buying and selling merchandise on the
wider black market. Shipper rings can ship PCs to scammers via
intermediaries, which can then be resold.

What is the cost to legitimate business?

As the malware economy grows in sophistication, so do the losses
sustained by legitimate businesses. According to the 2007 Computer
Security Institute computer crime and security survey, these losses
have seen a sharp increase this year.

Robert Richardson, director of the CSI, says the average annual loss
among US businesses due to cybercrime has shot up to $350,424, from
$168,000 in 2006. “Not since the 2004 report have average losses been
this high,” says Richardson.

This year’s survey results are based on the responses of 494 computer
security practitioners in US corporations, government agencies,
financial institutions, medical institutions and universities.

Almost one-fifth (18 percent) of those respondents who suffered one or
more kinds of security incident said they had suffered a targeted
attack aimed exclusively at their organisation, or organisations
within a small subset. Khalid Kark, a principal security analyst at
Forrester, says targeted attacks against companies and institutions
are becoming more common.

“As banks and companies have increased security levels, the hacker
community is casting a much wider net,” says Khalid. “Instead of
hacking into something right away, now it’s low and slow. They’re
determining attack avenues, taking their sweet time to find holes, and
then using stealth [to steal data].”

Financial services companies are being attacked more and more, says
the analyst, while the attacks are increasing in number and

But while the black cyber-economy is maturing, at the moment its main
practitioners seem to be individuals or small groups acting within a
loose web of affiliations that can be quickly established and broken
to evade detection.

F-Secure’s Hypponen blames a lack of international co-operation and
political and social problems for the current situation. “In many
cases these are people with skills but without opportunities,” says
Hypponen. “What if you are born with IT skills in rural China, or in
the middle of Siberia? There is no legal way of making use of the
skills they have.”

While law-enforcement co-operation with government and the IT
community is paramount in addressing the problem in the short term,
longer-term solutions must be found. One way to address the issue of
the growth of the “black cyber-economy” in the long term is to harness
the IT talent in developing countries that otherwise might be co-opted
into illegal activity.

“We have to make it more attractive to be in the white economy than in
the black — when that happens we will turn a corner. We’re starting to
see that happen as companies look to less expensive economies as
places to put people. In Eastern Europe and Asia there are highly
skilled people where there are less opportunities — this is where the
black economy is fuelled now,” says McAfee’s Telafici.

German and Chinese researchers have just released a study that
explores the world of Chinese commercial cybercrime. The researchers
set up virtual PCs running Internet Explorer, then visited nearly
15,000 Chinese websites, deliberately infecting their virtual systems
with whatever crapware happened to be running on the system. Then they
carefully analyzed the infections as they unfurled and encrappified
the virtual instances of Windows, and used the results to reverse-
engineer the way that the malware economy runs.

“The Virus Writers take care of implementing Web-based and
conventional Trojans, and use evasion methods to create covert
Trojans, and then they sell the malware and evasion service,” the
paper says. “Website Masters/Crackers betray their customers or crack
unsafe websites, and sell the visitor traffic of their own or
harvested web sites. Envelope Stealers construct a Web-based Trojan
network by hosting the bought Web-based and conventional Trojans on
compromised computers, and redirect the web site visitors to their Web-
based Trojans. When the Web-based Trojan network is ready, the victims
who visit the malicious web sites will be redirected to and exploited
by the Web-based Trojans, and infected with further conventional
Trojans. These Trojans then steal envelopes and virtual assets from
the victim’s machine.”

Computer crime is slicker than you think
BY David Raikow  /  16 August 2007

If the public’s image of the online criminal, the brilliant but
maladjusted teen breaking into systems just to prove he can, were ever
true, those days are long gone.

Not long after people first figured out how to break into computer
systems, they started creating tools to make it easier for themselves;
not long after that, those tools made their way into the hands of
people who could use them without really understanding how they

Today, few malware developers use their own code. They write it for
the same reason commercial software developers do: to sell it for a
healthy profit. If you’ve ever bought anything online, buying from
them may be disconcertingly familiar. If you want to break into a
computer or steal credit card numbers, you can buy the necessary
software online, just like almost anything else. More than that, you
can find user-friendly, point-and-click attack applications that have
been pre-tested and reviewed by experts, and read through customer
feedback before making your purchase.

You might even be able to buy technical support or get a money-back
guarantee. Some developers offer their malware through a software-as-a-
service model. If you prefer an even more hands-off approach, you can
simply buy pre-screened credit card numbers and identity information
itself, or sign a services agreement with someone who will do the
dirty work for you. As in many other industries, money has given rise
to professionalism.

Online crime and malware development has become a full-blown and
extremely profitable commercial enterprise that in many ways mirrors
the legitimate software market. “We’re in a world where these guys
might as well just incorporate,” says David Parry, Trend Micro’s
Global Director of Security Education. “There’s certainly more money
in the cybercrime market than the antivirus market. The internet
security industry is a drop in the bucket; we’re talking about
hundreds of billions of dollars.”

“The general dynamics within this market are just like any other
business model,” says Thomas Holt of the University of North
Carolina at Charlotte’s Department of Criminal Justice. “You have to
offer a good price, you have to be readily able to communicate with
your customers, you have to give them reliable products, because
nobody’s going to buy something if it doesn’t quite work like you say
it can.” According to Shane Coursen, Senior Technical Consultant at
Kaspersky Labs, malware development is easily profitable enough to
attract professional talent.

“The financial model is absolutely huge. The amount of money that a
developer could make at least matches what they can make at a software
company. You could even set it up as a legitimate business, reporting
earnings and everything.”

Go To Market

Holt leads a team of researchers that tracks the online marketplaces
where malware
developers, brokers, and criminal “service providers” sell their
wares. Starting with nothing more than Google searches, they have
identified a network of approximately 30 publicly accessible sites of
surprising sophistication, with features that rival eBay and Amazon.

The particular marketplaces Holt’s team tracks are generally
incorporated into hacker community forum sites hosted in Russia,
Eastern Europe, and other regions where criminal prosecution and
extradition are difficult or impossible. Prospective sellers post
detailed descriptions of their products and services. Those selling
malware will often include screenshots, claims about resistance to
antivirus or other countermeasures, and penetration capabilities.
Those selling stolen account data will often specify the nationality
of the account, the bank, the type of account (Visa v. Mastercard,
gold v. platinum), and the total value of each account. In many cases,
they will also have complex pricing models, including purchase
minimums and volume discounts.

At the same time, the seller sends a sample of their product to a
forum moderator — a copy of the malware code or a sample of the
stolen data — who will then review and test it. If the moderator
finds that the product does not work as advertised or that the data is
invalid, they will block the seller from posting; otherwise, they will
post a detailed review alongside the seller’s product description.
Moderators may also block products or services they consider too

VPN services, for example, have been widely turned away by various
site moderators after law enforcement tracked down a particularly well-
known online gang through their VPN connections.

A Buyers’ Market

Prospective buyers are then free to ask detailed questions
about the product, and actual buyers will post their own feedback and
reviews. “Thank you for a FreeJoiner, is the best program in its class
I have ever seen,” wrote a satisfied customer on one of these
sites. “Purchased a freejoiner 2 and left very happy,” wrote another.

Over time, moderators use their own reviews and customer feedback to
track each seller’s reputation, and maintain rankings ranging from
“Verified Seller” (good) to “Ripper” (bad). Sites will often develop
“blacklists” and “whitelists” to block out or provide quicker access
to specific sellers, and a number of “ripper databases” are
distributed throughout these communities. These “open forum” sites
represent only one subset of the cybercrime market; other models may
look very different, but can be just as sophisticated. Some malware
developers, for example, maintain what amounts to their own channel

“There are programmers who are working for brokers, and the brokers
are selling the malware to other criminals, who are then reselling the
malware to other criminals,” says Trend Micro’s Parry. “When they
capture a bunch of systems, they resell those systems to another
criminal, and another criminal. The actual hacker types don’t want to
get their hands dirty with something that would actually send them to
prison.” Other groups build affiliate networks that tap into
legitimate and semi-legitimate businesses. In a presentation at the
Defcon hacking conference this year, Peter Gutmann of the University
of Auckland’s Department of Computer Science described networks in
which businesses would pay affiliates up to 30 cents for each machine
they infect with spyware or adware.

Some of these companies claim to terminate unethical affiliates and
include user licensing agreements in their software, while the
software itself is hidden and often includes keystroke loggers and
measures to render it difficult or impossible to delete.

Customer Service

Just like their go-to-market strategies, the array of services
offered by malware developers and other online criminals have grown in
sophistication alongside their legitimate counterparts. Extensive
customer service, technical support, and update subscriptions have all
become standard practice. “They have to provide good customer support
to compete,” notes Holt.

“If you buy 50 dumps [credit card or bank account records] from
somebody, and 25 of them are invalid, the ‘good’ sellers are the ones
who are going to say, ‘You know what, here’s 25 dumps in return.’ The
malware writers will say, ‘You know what, if you’re having a problem,
just contact me. I’m always around. I’ll be happy to help you with
whatever I can.’” Some of these vendors focus entirely on services.

They may offer technical support or customisation contracts on
existing malware packages, for example. Others offer to conduct
attacks or spam campaigns on your behalf. One group advertises an hour-
long denial of service attack for $20, and 24 hours for $100, noting
that their botnet is distributed across multiple time zones and can
therefore launch and maintain attacks at any time, day or night. “One
group in particular says, kind of like Domino’s Pizza, ‘if the first
hour of our denial service attack doesn’t work, you get your money
back’,” notes Holt. “That’s pretty common.”

Other operations mirror legitimate software-as-a-service providers.
These “malware-as-a-service” providers rent out access to botnets or
Web-based attack tools. Gutmann noted one example in which a Russian
group rented out its malicious Website. A prospective buyer could get
100 visitors for free, but then had to pay US$4 per 1,000 visitors
up to 5,000, US$3.80 per 1000 up to 10000, and US$3.50 per 1,000 if
they bought 10,000 or more. “Software rental is just another way to
get money out of this market,” says Oliver Friedrichs, Symantec’s
Director of Security Response. “It’s common to see authors who write
keyloggers and botnetworks, and then rent them out to people
ultimately who may launch a phishing campaign or a spam campaign.”

Quality Product

Given the competition for the enormous sums of money in the cybercrime
market, it is not surprising that the quality of the products and
services available to the would-be cybercriminal is increasing along
with the sophistication of the markets and
vendors. The most recent versions of many malware applications are
extremely user-friendly, with point-and-click graphical interfaces and
a wide range of functionality. They tout their ability to evade
detection and defeat antivirus software and other countermeasures.
Most importantly, they require little or no expertise to use.

“Code has had to become much, much more sophisticated and very
professional in quality in order to turn a profit,” says Friedrichs.
“We’ve certainly seen spyware, for example, that leverages very
advanced rootkit capabilities in order to hide and stay resident on a
system once it’s installed itself.” The availability of cracked
versions of older software and low-cost applications created in
developing countries forces malware writers to polish their product if
they want to compete.

Nevertheless, quality software can command a healthy premium. “Nuclear
Grabber goes for $3,000 because this is a fantastic product that has
multiple functionalities in multiple environments,” Holt says of one
popular attack tool. “So, if you want to do phishing, you can use it
for phishing. If you want a keylogger, you can use it for keylogging.
It’s up to you.” According to Gutmann, some vendors have hired
professional linguists to craft spam messages that bypass filters
while remaining meaningful to the recipient, while phishers use
psychology graduate students to develop scams that will lure victims
into giving up their personal data.

“They have better experts than we do!” he said in his Defcon
presentation. Malware applications are even beginning to incorporate
their own security measures, both to outmaneuver competitors and avoid
detection. A trojan, for example, might update a computer’s antivirus
signatures to block subsequent infection attempts by competing
malware, while server attack tools might install patches or fix
misconfigurations to protect a Web host delivering malicious code to
unsuspecting visitors. “It’s ironic, but the bad guys need security
too,” notes Parry.

“They hack each other, and they want to keep us from getting access to
their backend mechanics.” The bottom line is that the good guys are
facing more and better-equipped opponents. “Anything that you want
to find, you can buy at these markets,” Holt concludes. “It’s so deep
that you don’t have to have a technical background to really get into
identity theft and credit card fraud and hard core kinds of computer

{Damon Poeter contributed to this article.}


A Layman’s Glossary of Malware Terms
BY Scott Berinato  /  October 08, 2007

76service – A group that orchestrated attacks using the Gozi Trojan
and pioneered a service used to provide clients with subscriptions to
stolen data feeds provided by those attacks.

Blind Drop – A drop that is well hidden and is designed to run while
unattended, until an attacker comes to collect the data. In the case
of remote access Trojans, can also refer to file hidden locally.

Bot – A computer infected with software that allows it to be
controlled by a remote attacker. Also used to refer to the malware
itself which allows that control.

Carder – Someone who trades in stolen credit card and cardholder data.

Downloader – A small piece of code, usually a single instruction, used
in the payload of an exploit to silently fetch a malicious EXE file
from the attacker’s server.

Drop – A clandestine computer or service [such as e-mail account] that
collects data stolen by a Trojan.

Dump – As a noun, used interchangeably with “drop.” As a verb it means
to transfer data onto a machine for analysis, or to discard an exe
after reverse engineering.

exe – A Windows executable program. In a malware attack, the “exe”
refers to the malicious program which infects the victim’s PC.

Exploit – Code used to take advantage of vulnerabilities in software code
and configuration, usually to install malware.

Form-grabber – A program that steals information submitted by a user
to a web site. (Originally forms were the only way to submit user
input to a web server, but now the meaning has changed to encompass
any HTTP communication using a POST request.)

Gozi – One of a family of Trojans written by Russian RATs known as the
HangUp Team, used in a string of attacks orchestrated by a group known
as 76service.

iFrame – A special tag used to load one web page into a part of
another webpage. Used by iFramers to load malicious code, often
JavaScript, onto an otherwise trusted page.

iFramer – A person who places a malicious IFRAME (in-line frame) tag
into web pages, usually on compromised web sites, and then charges
malware developers for access to those iFrames as a distribution
method for Trojans.
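A small scanner for the injected frames the iFrame and iFramer entries describe, written from the defender’s side: it flags frames that are both hidden and load content from a different host. This is an added example, not code from the glossary’s source; the hidden-style patterns, the exact-hostname check and the sample page are constructed assumptions.

```python
"""Flag hidden, off-site iframes in a web page (added example, not from the
glossary's source). iFramers inject a tiny or invisible frame into a
compromised page so that visitors silently load a third-party Trojan page.
Heuristic only: hidden frames also have legitimate uses (analytics, SSO),
so a match is a lead for review, not proof of compromise.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Inline-style patterns that make a frame invisible (assumed, not exhaustive).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d+"           # positioned off-screen
    r"|(?:width|height)\s*:\s*0*[01]px",  # 0px or 1px box
    re.IGNORECASE,
)


def _tiny(value: str) -> bool:
    """True for width/height attribute values of 0 or 1 (pixels)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:          # e.g. "100%" or an empty value
        return False


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html: str, page_host: str) -> List[Dict[str, object]]:
    """Return iframes that are both hidden and load content from another host.

    Each finding carries the frame's src and the reasons it tripped.
    Same-host means an exact hostname match; subdomains count as off-site.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for frame in parser.frames:
        src = frame.get("src", "")
        # A relative src (no hostname) stays on the page's own host.
        src_host = urlparse(src).hostname or page_host
        if src_host.lower() == page_host.lower():
            continue
        reasons = []
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("tiny_dimensions")
        if _HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden_style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate visible embed, one hidden same-site
# widget, and one injected 1x1 invisible frame pointing at a TEST-NET address.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="https://video.example-cdn.test/embed/42" width="560" height="315"></iframe>
<iframe src="/account/widget" style="display:none"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://198.51.100.7/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE, "www.example-shop.test"):
        print(f"suspicious iframe -> {hit['src']} ({', '.join(hit['reasons'])})")
```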

Keylogger – A program that logs user input from the keyboard, usually
without the user’s knowledge or permission.

Malware – Any executable code that uses a computer in a way not
authorized by its owner. Includes Trojans that install backdoors,
spyware, bot clients, keyloggers, worms, viruses, or other malicious

Packer – A tool used to compress and scramble an EXE file. Used to
hide the malicious nature of malware and thwart analysis by

Padonki – A kind of Russian hacker slang in which words, often obscene
ones, are purposefully misspelled or bastardized.

Pesdato – English transliteration of a Padonki interjection.

RAT – Remote Access Trojan, malware that allows an attacker to
remotely control an infected PC or “bot”.

RATs – The nickname for people who write remote access trojans.

RBN – The Russian Business Network. An infamous ISP used primarily by
Russian malware groups to host malware and drops. The ISP is
reportedly run out of Panama and owned by a company operating from the
islands of Seychelles, off the eastern coast of Africa. Variously
described as “opaque,” “dubious,” and “shady.”

Redirect – A feature of HTTP used to automatically forward someone
from one web site to another. In the case of malware, redirects are
done invisibly, sometimes inside iFrames.

Rootkit – Code that plugs into and changes the low-level functions of
an operating system. Used by malware to hide itself from users and
even the operating system itself.

Torpig – A relatively new family of Trojans representing the latest in
malware capabilities, including the ability to hide itself and provide
backdoor access for installing other configurations, components, or
even other Trojans.

Trojan – A program that attempts to hide its malicious code by
masquerading as an innocuous program most commonly through the use of
a “packer.”

Variant – Malware that is produced from the same code base (or
“family”) as a previous version but is different enough to require new
signatures for detection by anti-virus and anti-malware products.

VXer – Originally, a virus writer. Now refers to anyone involved in
the production or use of malware.

Who’s Stealing Your Passwords? Global Hackers Create a New Online
Crime Economy
BY Scott Berinato  /  September 17, 2007

By 2003, online banking was not yet ubiquitous but everyone could see
that, eventually, it would be. Everyone includes Internet criminals,
who by then had already built software capable of surreptitiously
grabbing personal information from online forms, like the ones used
for online banking. The first of these so-called form-grabbing Trojans
was called Berbew.

Inside an Identity Theft Site

Berbew’s creator is believed to be a VXer, or malware developer, named
Smash, who rose to prominence by co-founding the IAACA (International
Association for the Advancement of Criminal Activity) after the Feds
busted up ShadowCrew, Smash’s previous hacking group.

Berbew was wildly effective. Lance James, a researcher with Secure
Science Corp., believes it operated undetected for as long as nine
months and grabbed as much as 113GB of data–millions of personal

Like all exploits, Berbew was eventually detected and contained, but,
as is customary with malware, strands of Berbew’s form-grabbing code
were stitched into new Trojans that had adapted to defenses. The
process is not unlike horticulturalists’ grafting pieces of one plant
onto another in order to create hardier mums.

Thus, Berbew code reappeared in the Trojan A311-Death, and A311-Death
in turn begat a pervasive lineage of malware called the Haxdoor
family, authored by Corpse, who many believe was part of a well-known,
successful hacking group called the HangUp Team, based in the port
city of Archangelsk, Russia, where the Dvina River empties into the
White Sea, near the Arctic Circle.

By 2006, online banking was ubiquitous and form-grabbers had been
refined into remarkably efficient, multi-purpose bots. Corpse himself
was peddling a sophisticated Haxdoor derivative called Nuclear Grabber
for as much as $3,200 per copy. Nordea Bank in Sweden lost 8 million
kronor ($1.1 million) because of it.

But by last October, despite his success, Corpse decided that it was
time to lay low. A message appeared on a discussion board at, a site that sold yet another Haxdoor relative called

“Corpse does cease development spyware? news not new, but many do not
know” reads a post by “sash” translated using Babelfish. It then
quotes Corpse: “I declare about the official curtailment of my
activity of that connected with troyanami [trojans]”

This past January, a reporter for Computer Sweden chatted with Corpse,
pretending to be a potential customer. Corpse tried to sell him
Nuclear Grabber for $3,000 and crowed that banks sweep 99 percent of
online fraud cases under the rug. After Computerworld Australia
published the chat, Corpse disappeared. He hasn’t been heard from

But his form-grabbing code resurfaced, when a friend of Don Jackson
asked him to look at a file he found on his computer, as a favor.

That file led Jackson behind the curtain to find hacking with a level
of sophistication he’d never seen before.

January: Discovery

Don Jackson is a security researcher for SecureWorks, one of dozens of
boutique security firms that have emerged to deal with the inherently
insecure, crime-ridden, ungovernable Internet. Jackson’s company and
others like it usually sell security products, but their real value is
in the research they do. With law enforcement overtaxed by and
under-trained for electronic crime, these firms have become a primary source
of intelligence on underground Internet activity and VXers’ latest

Seems like an expensive hobby for a small company but the expense
associated with the hardcore intel and technically arduous research is
more than paid for by its value as a marketing tool. Being the first
to market, even when your product is bad news about security, wins
press attention and, it’s hoped, customers. As such, the little
security startups stock up on researchers like Jackson who have a
working, or sometimes intimate, knowledge of the criminal hacker
underground. All day, every day, security researchers at these small
companies are dissecting malware that they discover, chatting with bad
guys and poking around their domains.

Still, neither the sheer number of firms and jobs like Jackson’s
created in the past five years, nor the fact that larger companies
like Verizon, Symantec, IBM, and BT are acquiring those companies, are
signs that the good guys are catching up. It’s more a sign of how much
money can be made trying to catch up. Internet crime is profitable for
everyone, except of course its victims.

Jackson’s friend was a victim, but of what he wasn’t sure. All he
could say was that several of his online accounts had been hijacked
and that a scan of his computer turned up a conspicuous executable, or
exe, file, one that wasn’t detected as malware, but wasn’t recognized
as something legitimate either. The friend asked Jackson if, as a
favor, he’d take a look.

Jackson obliged and discovered that the file had been on the system
since December 13, 2006, almost a month. If it turned out to be
something new and malicious, then Jackson had discovered a 0-day
exploit. It would be a publicity boon for SecureWorks.

Jackson downloaded the exe to a lab computer. “Generally, the exe is
not all that exciting to researchers who see hundreds of samples each
month,” says Jackson. “There are some exceptions.” This was not an
exception. Jackson found a derivative of Corpse’s Haxdoor form
grabber, just a new cultivar of an old species, albeit a reasonably
well-crafted one. Like several form grabbers before it, this one
intercepted form data before it was SSL-encrypted, meaning that the
little glowing lock in the corner of the browser, the one that online
merchants will tell you ensures you that you’re on a safe page, meant
nothing of the sort.

Jackson named his discovery after the transliteration of a Russian
word he found inside the source code: Pesdato. Later, when he learned
what that word meant in Padonki, a kind of Russian hacker slang, he
changed its name, instead choosing the moniker of a cartoon character
that he made up in grade school: Gozi.

The process of fully deconstructing Gozi took Jackson three days. On
the third day, as he pored over the source code, Jackson noticed that
the sample on his lab computer was communicating with an IP address
that he thought was owned by the Russian Business Network. RBN is a
notorious service provider out of St. Petersburg, Russia that Jackson
and others say is an ISP with a reputation for accommodating spam and
other malware outfits. Normally, Jackson thought, bots would be
stealthier about communicating with RBN. Maybe this was a mistake.
Curious, he decided to poke his head in and look around on the RBN
server that Gozi was talking to.

And what he found stunned him. As he sailed off through the servers
and in and out of files and almost over a database to where Gozi’s
home base was, Jackson found a full-fledged e-commerce operation. It
was slick and accessible, with comprehensive product offerings and a
strong customer focus. Jackson, no one really, had ever seen anything
like it. So business-like. So fully conceived. So professional.

It was early February by the time he found a 3.3 GB file containing
more than 10,000 online credentials taken from 5,200 machines–a stash
he estimated could fetch $2 million on the black market. He called the
FBI as he prepared to go undercover to learn more. If he had known at
the time what pesdato, that Padonki slang word meant, he might have
uttered it under his breath when he realized what he had stumbled on

He had stumbled on to the next phase of Internet crime. Gozi was
significant not because the Gozi Trojan was innovative or hard to
detect. It wasn’t. It was in many ways no different than its four-year
old ancestor Berbew. No, Gozi was significant, Jackson thought,
because it wasn’t really a product at all. It was a service.

The Golden Age

Gozi represents the shift taking place in Internet crime, from
software-based attacks to a service-based economy. Electronic crime
has evolved, from an episodic problem, like bank robberies carried out
by small gangs, to a chronic one, like drug trafficking run by

Already every month, Lance James’ company Secure Science discovers 3
million compromised login credentials–for banks, for online email
accounts, anything requiring a username and password on the Internet–
and intercepts 250,000 stolen credit cards. On an average week, Secure
Science monitors 30-40GB of freshly stolen data, “and that’s just our
company,” says James.

Given that, you think you’d have heard more about Gozi, or about this
chronic condition in general. But you haven’t. Beyond the research
community, Gozi and the other Trojans stealing all this data have been
largely ignored. A half-dozen CSOs and CISOs contacted for this story,
including some representing banks and online merchants, had either
never heard of Gozi or vaguely recalled the name and not much else.
And why would they? Gozi made it through a news cycle and it was
reported without context, with a tally of the known damage, like a
traffic accident. And yet, Gozi wasn’t that at all. It was an idea, a
business model.

Even after it fell out of the news, and despite the fact that Don
Jackson and the FBI believed they knew how it worked, and who was
running it, the Gozi Trojan continued to adapt to defenses, infect
machines and grab personal information.

“Do you have a credit card? They’ve got it,” states another researcher
who used to write malware for a hacking group and who now works
intelligence on the Internet underground and could only speak
anonymously to protect his cover. “I’m not exaggerating. Your numbers
will be compromised four or five times, even if they’re not used yet.”

“I take for granted everything I do on the Internet is public and
everything in my wallet is owned,” adds Chris Hoff, the security
strategist at Crossbeam and former CISO of Westcorp, a $25 billion
financial services company. “But what do I do? Do I pay for everything
in cash like my dad? I defy you to do that. I was at a hotel recently
and I couldn’t get a bottle of water without swiping my credit card.
And I was thirsty! What was I gonna do?”

That’s the thing about this wave of Internet crime. Everyone has
apparently decided that it’s an unavoidable cost of doing business
online, a risk they’re willing to take, and that whatever’s being lost
to crime online is acceptable loss. Banks, merchants, consumers,
they’re thirsty! What are they gonna do?

The cops lack resources and jurisdiction. And in some cases, security
companies are literally shifting their strategies away from trying to
secure machines connected to the Internet; they’re giving up because
they don’t believe it can be done.

It’s a conspiracy of apathy. For the criminals, this is great news.
They stand blinking into the dawn of a golden age of criminal
enterprise. Like Barbary Pirates in the 18th century, and like
Colombian drug cartels in the 1970s, malicious hackers will run amok,
unfettered, unafraid and perhaps even protected. Only they won’t use
muskets or mules. They’ll use malicious code to run syndicates that
will be both less violent and more scalable than in the past.

Now is the criminal hacker’s time. In Archangelsk, Russia, it is the
HangUp Team’s time.

February: Access

What Don Jackson found when he followed Gozi back to the RBN server
was called The home page was pretty and simple, just a
stylized login box.

But how this service worked wasn’t yet clear, so Jackson went
undercover. On carders forums, the online hangouts for people who run
credit card rackets, he found some members who knew about Gozi and
76service. He recognized their avatars–online personas usually marked
by a picture that gets posted with their comments on discussion boards–
as ones that belonged to members of the HangUp Team. “It confirmed to
me they were involved,” Jackson says, “but how still wasn’t clear. For
all I knew, they just sold the bot to someone.”

In response to requests he posted, one of these HangUp Team members e-
mailed Jackson at an anonymous account. The e-mail told
Jackson to log on to a specific IRC chat room with a specific name at
a specific time. Jackson, using a machine configured to hide its
location, did so.

The room was virtually crowded. “I get there, and there’s lots of
conversation. Lots of Russian that’s flying by me,” Jackson says.
Everyone spoke freely. Jackson did not sense any fear of law
enforcement, or curious researchers, snooping. In fact, Jackson
thinks that a kind of show bidding was taking place. The channel
moderator was offering preview accounts to 76service such that the
users could tour the site. The hope was they’d come back saying
Pesdato! and offer a good price for access.

Jackson asked if he could take a test run, too. If he seemed nervous
and unpracticed about doing business here, it was because he was. “The
moderator says, ‘You don’t speak Russian. Where are you from?’ I say,
‘The UK.’ He says, ‘Only people we know get test runs.'” A few others
derided Jackson for his ignorance and, in so many words, told him to
go away. And that was that.

Plan B: Jackson called on a friend who followed the HangUp Team
closely, almost the way a CIA analyst builds up expertise. He figured
this friend may know how to get access. It was a stab in the dark but
remarkably it worked. One colleague knew all about 76service, which he
said had been online for several months, and he lent Jackson login
credentials to

The 76service Business Model

When Jackson logged in, the genius of 76service became immediately
clear. 76service customers weren’t paying for already-stolen
credentials. Instead, 76service sold subscriptions or “projects” to
Gozi-infected machines. Usually, projects were sold in 30-day
increments because that’s a billing cycle, enough time to guarantee
that the person who owns the machine with Gozi on it will have logged
in to manage their finances, entering data into forms that could be

Subscribers could log in with their assigned user name and password
any time during the 30-day project. They’d be met with a screen that
told them which of their bots was currently active, and a side bar of
management options. For example, they could pull down the latest drops–
data deposits that the Gozi-infected machines they subscribed to sent
to the servers, like the 3.3 GB one Jackson had found.

A project was like an investment portfolio. Individual Gozi-infected
machines were like stocks and subscribers bought a group of them,
betting they could gain enough personal information from their
portfolio of infected machines to make a profit, mostly by turning
around and selling credentials on the black market. (In some cases,
subscribers would use a few of the credentials themselves).

Some machines, like some stocks, would underperform and provide
little private information. But others would land the subscriber a
windfall of private data. The point was to subscribe to several
infected machines to balance that risk, the way Wall Street fund
managers invest in many stocks to offset losses in one company with
gains in another.

Grabbing forms provides several advantages to both buyer and seller
compared with the old model of pulling account numbers out of
databases and selling them. For the seller, it’s safer. He becomes a
broker; a middle man. He barely handles stolen data. For the buyer,
it’s the added value of an identity compared to a credential. For
example, a credit card number alone might be worth $5, but add the
three- or four-digit security code associated with that card and the
value triples. Add billing address, phone number, cardholder names and
so forth which allow a buyer to create new lines of credit and the
value can reach into the hundreds of dollars.

Grab the primary and secondary authentication forms used for financial
services login in addition to all that, and you’ve hit the jackpot: a
real person’s full financial identity. Everything that person had
entered into forms online would create an avatar that could be used in
the real world to buy goods, apply for credit and passports, buy cell
phones, open new bank accounts and manipulate old ones. A dossier like
that would be one of the most valuable commodities available on the
information black market.

That’s why the subscription prices were steep. “Prices started at
$1,000 per machine per project,” says Jackson. With some tinkering and
thanks to some loose database configuration, Jackson gained a view
into other people’s accounts. He mostly saw subscriptions that bought
access to only a handful of machines, rarely more than a dozen.

The $1K figure was for “fresh bots”–new infections that hadn’t been
part of a project yet. Used bots that were coming off an expired
project were available, but worth less (and thus, cost less) because
of the increased likelihood that personal information gained from that
machine had already been sold. Customers were urged to act quickly to
get the freshest bots available.

This was another advantage for the seller. Providing the self-service
interface freed up the sellers to create ancillary services. 76service
was extremely customer-focused. “They were there to give you services
that made it a good experience,” Jackson says. You want us to clean up
the reports for you? Sure, for a small fee. You want a report on all
the credentials from one bank in your drop? Hundred bucks, please. For
another $150 a month, we’ll create secure remote drops for you.
Alternative packaging and delivery options? We can do that. Nickel and
dime. Nickel and dime.


Hacker Economics 2: The Conspiracy of Apathy
BY Scott Berinato  /  October 08, 2007

March: Containment

SecureWorks researcher Don Jackson was focused on his technical
analysis of form-grabbing software, but he continued correspondence
with the source who gave him access to After several
email exchanges with Jackson, the source decided that he could trust
him enough to share what he knew about the people behind 76service.
This is part of what he shared.

He told Jackson that the operation was run by just two people, known
as 76 and Exoric. 76 was in Russia. Exoric seemed to be based out

76 was a member of the HangUp Team who broke off to launch this
service. He probably bought the Haxdoor form-grabbing code grafted
onto Gozi from his old crew. He might have traded for it. He also
probably had a relationship with the RBN from his HangUp Team days.
The lack of manpower beyond the two of them might also explain some of
the mistakes 76service made, such as the direct connection to RBN
servers and the site configuration that allowed Jackson to view other
people’s projects. It appears 76 recruited Exoric for his server-side
knowledge, whereas 76 was coding the actual Trojan.

Jackson was sharing all of this with a field agent from the local FBI
office, who sent it up to agents in DC, who in turn coordinated with
Russian authorities on an investigation, according to Jackson. (The
FBI has refused to comment specifically on the case). Meanwhile
Jackson contacted InfraGard, which in turn shared his findings with
financial institutions. Jackson wrote an exhaustive technical report,
one of the most detailed ever created, that covered both how Gozi
worked and how the service did, too. After he published it, and his PR
team spread the word, the press pounced: “Gozi Trojan leads to Russian
Data Hoard.”

Gozi had been known to be in the wild for at least three months. But
Jackson also believed that the “Winter Edition” of 76service was by no
means the first edition. He suspected that 76service had been
operating undetected for perhaps as long as 9 months.

But by mid-March, the good guys seemed to be getting ahead of it. Anti-
virus and anti-spyware vendors were adding Gozi signatures to their
products to detect the bot. 76service servers had been sent on the run
as the FBI and ISPs detected and blocked the IP addresses that Gozi
connected to, forcing 76 and Exoric to move the site around
constantly. Around March 12, the loose coalition of FBI, researchers,
ISPs and others finally seemed to get the 76service shut down.

This spurred a fire sale of whatever data had been left unsold at
76service. Jackson says that after March 12, some banks saw hundreds
of accounts opened each day that were traced back to Gozi-grabbed
data. Some of those account holders managed to make several cash
transfers up to $49,000. “They’re playing with limits on fraud,” says
Jackson. That is, they know the banks won’t flag 5 transfers under 50
grand, but will flag one $250,000 transfer. Jackson says many of these
transfers were wired to, of all places, Belgium, though he didn’t know
if anyone had been caught picking up the cash there. Some other
accounts were detected and blocked from activity before transfers were
made. Jackson says the United States Secret Service was briefed. (The
USSS declined to comment). Gozi and 76service finally seemed to be
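
A bank-side check for the pattern Jackson describes, several transfers each kept under the per-transaction review limit, as an added example that is not from the article or any bank's system; the $50,000 figure comes from the text, while the aggregation window, the near-limit fraction and the sample transfers are constructed assumptions:

```python
"""Detect transfers structured to stay under a per-transaction review limit.
Added illustration, not the article's or any bank's code; thresholds, window
and the sample transfers below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SINGLE_TXN_THRESHOLD = 50_000   # assumed: one transfer at or above this is already reviewed
NEAR_LIMIT_FRACTION = 0.90      # assumed: "near the limit" means >= 90% of the threshold
WINDOW = timedelta(days=7)      # assumed window over which an account's transfers are summed
MIN_NEAR_LIMIT_COUNT = 3        # assumed: this many near-limit transfers in one window alerts


@dataclass(frozen=True)
class Transfer:
    when: datetime
    account: str
    amount: float
    dest_country: str


def parse_transfers(lines):
    """Parse 'ISO-timestamp,account,amount,destination-country' lines; blanks and '#' skipped."""
    transfers = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, account, amount, dest = (field.strip() for field in line.split(","))
        transfers.append(Transfer(datetime.fromisoformat(when), account, float(amount), dest))
    return transfers


def find_structuring(transfers, threshold=SINGLE_TXN_THRESHOLD, window=WINDOW,
                     near_fraction=NEAR_LIMIT_FRACTION, min_near=MIN_NEAR_LIMIT_COUNT):
    """Return {account: alert} for accounts whose transfers each stay under the
    threshold but, inside one window, either add up past it or repeat near it."""
    by_account = defaultdict(list)
    for transfer in transfers:
        by_account[transfer.account].append(transfer)

    alerts = {}
    for account, txns in by_account.items():
        txns.sort(key=lambda t: t.when)
        best = None
        for i, first in enumerate(txns):
            in_window = [t for t in txns[i:] if t.when - first.when <= window]
            # A transfer at or above the limit is the existing per-transaction review's
            # job; this rule only looks at windows where every transfer slipped under it.
            if max(t.amount for t in in_window) >= threshold:
                continue
            total = sum(t.amount for t in in_window)
            near = sum(1 for t in in_window if t.amount >= near_fraction * threshold)
            if (total >= threshold or near >= min_near) and (best is None or total > best["total"]):
                best = {
                    "account": account,
                    "window_start": first.when,
                    "count": len(in_window),
                    "total": total,
                    "near_limit": near,
                    "countries": sorted({t.dest_country for t in in_window}),
                }
        if best is not None:
            alerts[account] = best
    return alerts


# Constructed sample: one account moving money in slices just under $50,000,
# one with ordinary small payments, one with a single large transfer (left to
# the existing review) and one whose two transfers fall outside a common window.
SAMPLE_TRANSFERS = """
2007-03-13T09:12:00,ACCT-1001,49000,BE
2007-03-13T11:40:00,ACCT-1001,48500,BE
2007-03-14T10:05:00,ACCT-1001,49000,BE
2007-03-15T08:30:00,ACCT-1001,47900,BE
2007-03-16T09:00:00,ACCT-1001,49000,BE
2007-03-13T12:00:00,ACCT-2002,1200,US
2007-03-14T12:00:00,ACCT-2002,300,US
2007-03-13T13:00:00,ACCT-3003,250000,US
2007-03-01T09:00:00,ACCT-4004,30000,US
2007-03-10T09:00:00,ACCT-4004,30000,US
"""

if __name__ == "__main__":
    for alert in find_structuring(parse_transfers(SAMPLE_TRANSFERS.splitlines())).values():
        print(alert)
```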

But it hardly mattered. By this time, another form-grabbing Trojan had
been discovered.

The new Trojan was called Torpig. Its technical architecture and its
service were nearly identical to Gozi and 76service, including links
to RBN servers. But Torpig was engineered to target bank forms
specifically–excluding less useful (read: valuable) credentials like
email logins or logins for newspaper sites. Torpig shipped with a
database of financial Web sites’ URLs and when it recognized one of
these URLs in the browser’s address bar, it woke up and added a
redirect command to the URL.

Jackson says that intelligence suggested that the criminals had set up
real accounts at the banks on Torpig’s hit list and then captured
their own legitimate transaction traffic to see what “normal”
transactions looked like at each bank. This way, they could tailor
each bank’s redirect command to mimic a normal transaction, so that
filters wouldn’t register anomalous activity. Jackson called it “Gozi
on steroids.” It has proven much more problematic to researchers,
banks and law enforcement. Shutting it down has been far more
difficult than taking out Gozi, too, because Torpig communicated with
a network of servers. Gozi had only connected to the one RBN server.

That is, until March 21, when 76service was discovered back online,
running off of a new server in Hong Kong. By March 27, Jackson had
confirmed that it used a new variant of Gozi, undetected by filters.
It was the “spring edition.”

Distributed Pain/Concentrated Gain

The HangUp Team’s online art gallery is populated with a disturbing
mishmash of images and messages like “Fraud 4ever” and “In Fraud We
Trust.” (One picture, for example, combines a picture of Hitler, a
cannabis leaf and the head of Eugene Kaspersky, who owns a
Russian-based anti-virus company, on a platter.) And yes, pictures of its
members often include what have come to be hackneyed criminal hacker
clichés, with members posing with their cash, for example.

But do not mistake this culture for incompetence. HangUp Team is one of a
number of highly successful businesses that some researchers claim
earn their members millions of dollars per month. “As a security
professional you don’t want to say you’re impressed by them,” says
“John” (not his real name), the security professional at a large bank
who agreed to talk only if he could remain anonymous, because he
didn’t have permission from his bank to speak. “But they’re better run
and managed than many organizations. They’re properly funded, they
have a clear goal, they’re performance driven, focused on a single
mission. It’s like an MBA case study of success.”

There are two key tenets underscoring that success: Distributed pain
with concentrated gain, and distributed risk.

The more important of these is distributed pain with concentrated
gain. The massive size of the market that Internet criminals prey on
allows them to spread losses across hundreds or thousands of victims.
“If you take $10 off of 10,000 credit cards, you’ve made $100,000 that
no one victim either recognized or felt enough to care,” says Jim
Maloney, a former CSO at who now runs his own security
consulting firm. “Then scale that up to five different banks’ credit
cards.” Each bank loses roughly $20,000. “The gain is concentrated for
this one hacker group but the penalty to each bank is still written
off as acceptable loss.

“Then go to law enforcement. Unless they hear from many victims and
can aggregate the problem as one big one, so that the resources
required to chase it down are justified, they won’t, they can’t chase
it down.”

And if they did decide to open an investigation, who do they go after?
That’s the distributed risk element. Groups like the HangUp Team, and
76 himself, deal in access to credentials. 76, for example, barely
handles stolen data. He also contracts out the distribution of his
malware. And he sells to people who themselves don’t commit fraud with
the credentials but usually turn around and sell them to still others
who actually commit the final fraud by turning stolen information into
money and goods.

That’s several links in a supply chain all sharing the risk (It’s
instructive to note that, according to several researchers, one of the
biggest frustrations for groups like HangUp Team recently has been
“newbies” to the credentials market who buy a credit card and
immediately rack up tens of thousands of dollars in luxury goods on
that card–essentially concentrating the pain and raising a red flag
that can threaten to put the good guys on the scent. It’s reminiscent
of the movie Goodfellas, when, after the Lufthansa heist, Robert
DeNiro’s character nervously castigates his crew for bringing
attention to themselves by showing up at a Christmas party with new
cars and furs.)

The Internet criminals’ model perfectly mirrors the drug cartel model,
which relies on a stratified market that spreads the risk out to
pushers, distributors, mules, manufacturers, and all the money flows
up, to the cartel. Disrupting the middle men–and that’s what HangUp
Team is becoming–doesn’t solve the problem. Other middle men will
simply arise to fill the void, much the way Smash started the IAACA to
fill the void left by ShadowCrew when it was taken down.

“Information is currency, that’s the radical change,” says Chris
Rouland, CTO and IBM Distinguished Engineer with IBM’s Internet
Security Systems group. “These guys don’t need to steal from anyone.
They’ve moved themselves way up the value chain.”

April: The iFrame Problem

In early April, the Spring Edition 76service server in Hong Kong was
taken down. Filters added the new Gozi variant to their lists of
detected malware. On the run again, 76 and Exoric would fold up their
tent and modify Gozi to be undetectable again while they found a new
place to set up shop. And when they did, the steps would start again,
the two sides entwined in an endless, uneasy foxtrot.

Jackson continued to help where he could but much of this was out of
his hands. He had since immersed himself in another facet of 76service–
its distribution mechanism.

No matter how inspired the idea of a subscription to infected machines
was, or how cleverly engineered the bot that infected those machines
was, 76’s and Exoric’s success with 76service, surprisingly, relied on
something they didn’t develop themselves, but rather contracted out:
distribution, for which they used iFrames, a browser feature that
allows Web sites to deliver content from a remote Web site within a
frame on a page. Think of stock quotes originating from one site
streamed into a small box on another site. (For more about iFrames,
see Death by iFrame.) 76 and Exoric used iFrames to infect computers –
but in April they had contracted this part of the work out to another

Jackson found a partial list of sites hosting the iFrames used
exclusively for Gozi. Jackson sampled 5,848 pages, only a portion of
the infected pages on his partial list (meaning 76 and Exoric probably
paid tens of thousands of dollars for iFrame infections). Some of the
iFramed sites on his list were offline. Some had been cleaned up. But
2,079 of them, more than a third of the sample, still had the code
online, ready to deliver new, undetectable versions of Gozi as soon as
they were ready. A month later, when Jackson took attendance again, 98
percent of the 2,079 were still hosting the iFrame.

Even if Gozi was gone for good, the iFramers would be happy to resell
access to these iFrames to the next malware developer.
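
The glossary's note that malware redirects are done invisibly inside iFrames, and the attendance count Jackson took above, suggest a check a site owner can repeat on their own pages. The following is an added example, not the article's or SecureWorks' code: it flags iframes that load from another host and are hidden from the visitor, and tallies how many sampled pages still carry one; the site name, hosts and sample pages are constructed.

```python
"""Find hidden, off-site iframes in HTML pages and count how many sampled
pages still carry one. Added example; the site name, hosts and pages are
constructed and use reserved .invalid domains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


_ZERO_SIZE = re.compile(r"\b(width|height)\s*:\s*0*[01](px)?\s*(;|$)")
_OFF_SCREEN = re.compile(r"\b(left|top)\s*:\s*-\d{3,}px")


def hidden_reasons(attrs):
    """Why a visitor would never see this iframe; an empty list means it looks visible."""
    reasons = []
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().removesuffix("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={value}")
    style = attrs.get("style", "").lower()
    compact = style.replace(" ", "")
    if "display:none" in compact:
        reasons.append("display:none")
    if "visibility:hidden" in compact:
        reasons.append("visibility:hidden")
    if _ZERO_SIZE.search(style):
        reasons.append("zero-size style")
    if _OFF_SCREEN.search(style):
        reasons.append("positioned off-screen")
    return reasons


def suspicious_iframes(html, page_host):
    """Return the iframes in a page that both load from another host and are hidden."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or page_host).lower()  # relative src stays on-site
        reasons = hidden_reasons(attrs)
        if src_host != page_host.lower() and reasons:
            findings.append({"src": src, "host": src_host, "reasons": reasons})
    return findings


def attendance(pages, page_host):
    """Count pages still carrying a hidden off-site iframe: (still_hosting, sampled)."""
    still_hosting = sum(1 for html in pages.values() if suspicious_iframes(html, page_host))
    return still_hosting, len(pages)


# Constructed sample pages for a site assumed to live at www.example.com.
# /news.html embeds a visible partner widget (the stock-quote case), which is
# not flagged; the on-site display:none frame in /promo.html is not flagged either.
SAMPLE_PAGES = {
    "/index.html": """<html><body><h1>Welcome</h1>
        <iframe src="http://iframe-host.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
        </body></html>""",
    "/news.html": """<html><body>
        <iframe src="http://quotes.partner.invalid/ticker" width="300" height="80"></iframe>
        </body></html>""",
    "/about.html": "<html><body><p>About us</p></body></html>",
    "/promo.html": """<html><body>
        <iframe style="position:absolute; left:-5000px; top:0" src="//iframe-host.invalid/x"></iframe>
        <iframe src="/widgets/frame.html" style="display:none"></iframe>
        </body></html>""",
}

if __name__ == "__main__":
    for path, html in SAMPLE_PAGES.items():
        for finding in suspicious_iframes(html, "www.example.com"):
            print(path, finding)
    print("still hosting / sampled:", attendance(SAMPLE_PAGES, "www.example.com"))
```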

Transferred Risk

As much as the HangUp Team has relied on distributed pain for its
success, financial institutions have relied on transferred risk to
keep the Internet crime problem from becoming a consumer cause and
damaging their businesses. So far, it has been cheaper to follow
regulations enough to pass audits and then pay for the fraud rather
than implement more serious security. “If you look at the volume of
loss versus revenue, it’s not horribly bad yet,” says Chris Hoff, with
a nod to the criminal hacker’s strategy of distributed pain. “The
banks say, ‘Regulations say I need to do these seven things, so I do
them and let’s hope the technology to defend against this catches

“John” the security executive at the bank, one of the only security
professionals from financial services who agreed to speak for this
story, says “If you audited a financial institution, you wouldn’t find
many out of compliance. From a legal perspective, banks can spin that
around and say there’s nothing else we could do.”

The banks know how much data Lance James at Secure Science is
monitoring; some of them are his clients. The researcher with
expertise on the HangUp Team calls consumers’ ability to transfer
funds online “the dumbest thing I’ve ever seen. You can’t walk into
the branch of a bank with a mask on and no ID and make a transfer. So
why is it okay online?”

And yet banks push online banking to customers with one hand while the
other hand pushes problems like Gozi away, into acceptable loss
budgets and insurance–transferred risk.

As long as consumers don’t raise a fuss, and thus far they haven’t in
any meaningful way, the banks have little to fear from their

But perhaps the only reason consumers don’t raise a fuss is because
the banks have both overstated the safety and security of online
banking and downplayed negative events around it, like the existence
of Gozi and 76service.

So did the banks create a false sense of security or did consumers
drive them to not address it through their apathy? The banks
themselves might argue that they are acting responsibly. It’s hard to
tell since most decline to talk about the problem. Bill Nelson is
president of the Financial Services Information Sharing and Analysis
Center, or FS-ISAC, a group for bank security executives where they
can safely share intelligence and other information. Membership in the
FS-ISAC has increased from 68 in 2004 to 2,200 this year. “That’s not
a lack of interest,” says Nelson.

Nelson was the closest person to bank security executives who would
speak on the record. He bristled at the notion that banks are
carelessly pushing services they can’t secure. “It’s being
misinterpreted that banks don’t care about security. They spend
millions of dollars on this. These are good, quality people,” Nelson

If anything, say Nelson and others, blaming banks is precisely
backwards. If you want to point fingers look at their customers,
who’ve created the demand for the product in the first place. “It’s
kind of ridiculous to think you wouldn’t, as a bank, use the Internet
as a transport,” notes Hoff. “If you’re not offering some form of
online banking, you’re going to wither away and go out of business.”

Eric Johnson, an economist at Dartmouth who recently published a study
on malware on peer-to-peer networks, says, “Customers are the banks’
worst enemies here. Customers are exposing lots of material that
creates an environment for identity theft.”

Indeed, many malware problems are intimately connected to insecure PCs
and finicky consumers who, even if they say otherwise, value
convenience over security. As one CISO at a bank put it–anonymously,
of course–“Users are pretty dumb.”


Hacker Economics 3: MPACK and the Next Wave of Malware
BY Scott Berinato  /  October 08, 2007

May: A Poor Re-emergence

The hackers known as 76 and Exoric weren’t just the managers of
76service; they were also clients. Through his undercover work,
SecureWorks researcher Don Jackson found that Exoric himself owned a
project – a portfolio of trojan-infected machines – just like the ones
the team sold. Only, since access was free to him, his was a much
bigger project, with hundreds of bots focused exclusively on Gozi-
infected machines in Mexico and Chile (.mx and .cl domains), and no 30-
day expiration. For a while, Exoric also used his own storefront for
the Latin and South American markets, called GucciService.

But by May the business was strained by the constant pursuit of
researchers writing signatures to detect Gozi and law enforcement
working with them to find and take down the 76service servers.

Early in the month, Jackson was able to say “Gozi isn’t working. No
one is going to the site.” At this time, his personal site was also
the victim of what he termed a poor DDoS attack that lasted 36 hours.
Soon after that, when he visited, he found it abandoned,
with a simple message: “I choose shadow. Please, never come back

It seemed that, finally, it was over. But it wasn’t, of course. In
fact even before Jackson found abandoned, a new Gozi
variant was already at work, and it would be learned that it had been
infecting machines since at least April 14. This latest Gozi bot was
better than ever. It had added keystroke logging as an alternative to
form grabbing. And recognizing that researchers were their primary
adversaries, the new version added features to stymie detection and
reverse engineering. “Every copy of Gozi has a unique infection ID,”
explains Jackson. “So when data comes into the server it can check
against the ID to make sure it’s a valid infection. This new version
also checked to see what your bot had sent before. Basically it could
shut you off if you kept logging in without delivering good data,
which is what researchers do.” The new version also logged the bot’s
IP address so that it could be blocked from communicating with the

But there were problems. A programming glitch caused the service to
create huge files of redundant information, interrupting service to
customers while the duo tried to fix it. “That’s why QA testing is so
important,” deadpans Jackson. They had only nabbed about 500MB of data
off of 200 infected PCs when their new ISP, which Jackson says was
based in Panama, took them offline again.

It was a poor reemergence. Lurking on a discussion board with a
colleague who could translate Russian, Jackson found a post by someone
named 57, a hacker thought to be part of the HangUp Team. 57 wrote
that 76 broke off work with Exoric because the two were spending more
time on the lam than they did running the service.

The FBI had wound down on the case, according to Jackson (though in an
official statement given to CSO from the press office, the FBI says it
welcomes any leads on information related to Gozi and 76service, which
it termed “unique”). While they continued to monitor some accounts
they knew were connected to 76service, Jackson didn’t think it would
progress beyond that. 76service was officially defunct. By early June,
76 and Exoric had dissolved their partnership.

But 57 also seemed to indicate that 76 was back with HangUp Team and
busy rewriting the Gozi form grabber. The new architecture would allow
76 to hide the drop servers from prying eyes, making it harder to
interrupt or shut services down.

Jackson predicted at the time that a new 76service would follow in
kind. After all, 76service didn’t fail because of the service model.
It failed because of a lack of manpower to secure and manage the
service. It couldn’t scale. “I think they cobbled together Gozi and
76service to see what it could do,” says Jackson. “They realize what
they need to do next. They spotted weaknesses. Torpig was the next
step; it was better. Now what’s next?” With the help of the HangUp
Team, a 76service-like site capable of enduring its own success, will
return using some descendant of Gozi or Torpig.

The Radical New Strategy?

If users are, as one bank CISO said, dumb; and if banks can just write
off their losses; and if the Internet is fundamentally insecure; and
if vendors' defenses can't keep up; and if law enforcement is
overmatched; what happens next?

Don Jackson thinks that the banks will simply transfer more of the
risk. “The banks are worried but their answer is not to track these
guys down or be more diligent about security,” says Jackson, who says
he remembers talking about this with bank security types at last
year’s Information Systems Security Association (ISSA) conference.
“Their answer is to shift more responsibility on to their customers.
They’ll lower fraud limits, the amount of stolen funds they’ll cover.
They’ll make it harder for consumers to prove they were defrauded–and
easier to say it was the customer’s fault. You’ll have to prove that
you kept your end of the deal by patching your system and so forth.
Watch the terms of use for online banking. I think you’ll see

Like Jackson, Chris Rouland of IBM ISS believes the days of acceptable
loss at the banks are numbered, but he has a hard time seeing a “blame
the customer” strategy succeed. “These write-offs, this thing about
putting it on consumers, it will end. It has to,” he says.

Rouland says that he is rethinking security at a fundamental level,
and many others in the industry are as well. “We’re basically telling
banks that client security is your problem, not [your customers’]
problem. We’re saying all the awareness in the world can not
adequately secure client machines. Telling customers to secure
themselves will not work. We believe that in order to fix the problem,
you have to protect customers’ customers. You have no choice.”

Notice Rouland did not say you have to secure the client. He never
says the banks must figure out a way to protect that machine. That’s
careful and deliberate, because Rouland doesn’t believe that’s what
banks have to do. When it comes to securing PCs, Rouland’s advice is
radical: Give up.

“In the next generation,” he says, “we will all do business with
infected end points.”

He was asked to repeat what he said, just to be sure. So he did: “Our
strategy is we have to figure out how you do business with an infected
computer. How do you secure a transaction with an infected machine?
Whoever figures out how to do that first will win.”

June: Disturbing Developments

By mid-June, Gozi was practically forgotten, and the new thing was
MPACK. This one even had some veteran researchers muttering pesdato!

A typical Trojan like Gozi might rely on one exploit to try and open
up a connection with the target PC. MPACK, on the other hand, is a
briefcase full of exploits, a dozen or more of them. Mostly they’re
old exploits, but the idea is that if you try 15 different lock picks,
one is bound to get you in. What’s more, MPACK then reports back to
its server which exploits worked where and stores that information in
a database, an intelligence function used to effectively pack the
briefcases with the most successful lock picks. The practice seems to
have vastly increased the successful infection rate of PCs that visit
sites delivering MPACK.

MPACK is actually sold with malware such that once the briefcase of
exploits gets access, a Trojan–often Torpig–will be delivered to the
PC. Other Trojans, like Apophis (which steals digital certificates)
and even the old Nuclear Grabber that Corpse was hawking more than a
year ago are also available in conjunction with MPACK. It costs
hundreds to thousands of dollars.

Researchers still trying to penetrate this service say that MPACK is
being sold by sash, likely the same as “sash” who posted news of
Corpse’s semi-retirement on the discussion board. (Sash
sells Pinch, too). Sash in turn seems to be working with Step57, a
group likely run by 57, the HangUp Team coder who Jackson had found
who posted the news of 76service’s demise. All of these players have
connections to the Russian Business Network, according to several
researchers, including Jackson.

MPACK’s multiple-exploit technique was used before in an exploit
called WebAttacker. But MPACK is more effective because of iFrames.
Disturbingly, the iFramers seem to have come up with some automated
exploit kit capable of infecting a massive number of Web pages with
illicit iFrames in a short period of time, “like a machine gun
spraying holes in sites” says Lance James. The first round of iFrame
injections created to deliver MPACK showed up, literally, overnight–
more than 10,000 pages were infected, mostly on Italian sites. Since
then the process has repeated itself, moving country to country.
Thousands of infections all at once.
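The injected frames the researchers describe have a common shape: a tiny or CSS-hidden iframe whose src points at a host the page owner does not control. The scanner below is an added example, not code from the article or from any vendor quoted in it. It assumes those traits (near-zero width or height, display:none, off-screen positioning, foreign host) and uses only the Python standard library; the sample page and the hosts in it are constructed for illustration.

```python
"""Flag hidden or off-screen <iframe> tags that point to a foreign host.

Added example, not code from the article or from the researchers it quotes.
Assumption: injected frames are concealed (zero size, display:none, or
positioned off-screen) AND load from a host other than the page's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_RE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Integer width/height from an attribute or inline style, else None."""
    m = re.search(r"\d+", attrs.get(name, ""))
    if m:
        return int(m.group())
    m = re.search(name + r"\s*:\s*(\d+)", attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that is both concealed and foreign."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.frames:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host != page_host:
            reasons.append("foreign host " + host)
        w, h = _dimension(f, "width"), _dimension(f, "height")
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("near-zero size %sx%s" % (w, h))
        style = f.get("style", "")
        if HIDE_RE.search(style):
            reasons.append("hidden by CSS")
        if OFFSCREEN_RE.search(style):
            reasons.append("positioned off-screen")
        # A visible foreign embed (video, ads) is normal; a concealed one is not.
        if host and host != page_host and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


# Constructed sample page: two legitimate frames, two injected ones.
SAMPLE = """
<html><body>
<h1>Example shop</h1>
<iframe src="https://www.example.it/cart" width="400" height="300"></iframe>
<iframe src="https://video.example.net/embed/123" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://stat.example-cdn.org/count.php" style="position:absolute;left:-9999px;top:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE, "www.example.it"):
        print(src, "->", ", ".join(why))
```

Run against a crawl of your own pages, the function reports only frames that are both concealed and foreign, which keeps legitimate embeds out of the results; an injected frame that is visible, or one that points back at a compromised host on your own domain, would need a different check (for example, a diff against the last known-good copy of the page).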

Researchers are still trying to understand what allows the deployment
of so many iFrames so quickly. Mostly they’re reporting on rumors and
theories. Using a virtual host to infect many sites is one working
theory. But no one knows yet for sure how it’s done. What they do know
is iFraming is officially pandemic. “The iFramers are making a
killing,” Jackson says. “They don’t get their hands dirty with the
actual malware. They just break into a server with scripts. It’s a
good business to be in right now.”

Fraud 4ever

“The thing about MPACK,” says James, “this is the start of the whole
thing.” By this he seems to mean that Golden Age of Internet Crime,
that dawning era. “They’re starting to think like architects instead
of engineers.” MPACK brings together the best iFrames, the best
exploits and some state-of-the-art malware into a single package all
of which is being improved constantly, and sold with a focus on
customer service. In marketing parlance, it’s not a product, it’s a

Business is good. Internet criminals operate with de facto immunity.
The pool of vulnerable computers to exploit remains massive. The
target financial institutions still treat their crime as acceptable
loss. Law enforcement is otherwise occupied. And technical defenses
are mere market conditions to adapt to. For example, when some clever
banks came up with a way to beat keylogging by having users use
“virtual keyboards” on the screen, criminal hackers just developed
Briz, code that captures the pixels around the cursor, the pictures of
the characters being typed. Problem solved.

The criminals innovate. Some tactics will make the hair on your neck
prickle. Rumors persist of a nasty Brazilian banking Trojan that can
change banking account numbers, routing numbers, balance, and payment/
transfer values by injecting HTML or even whole, cloned HTTP requests
into an online banking session on the fly, such that the person
banking would see false information that reflected their intentions
and not the actual transfer. Chris Rouland of IBM has seen similar
functionality in a bot called Grams.

Prg, another form-grabbing Trojan discovered last October, makes
researchers awfully nervous. New variants emerge every couple of
months and have managed to steal tens of GB of data before being
detected. Its encryption is strong and well-designed, and its ability
to hide itself with anti-forensics is deft.

In June, Don Jackson found a new Prg variant. It shipped with a
development kit which allows anyone who buys it to adapt the code on
the fly in order to evade anti-virus and anti-spyware. On the server
where he found it, he also found a staging area where new variants
were already developed and waiting to be released as soon as the
defenses recognized and blocked the current variant. He also found a
couple of drops for two different groups who had bought Prg and
distributed it through both iFrames and some good old-fashioned “click-
on-this-link” emails. The drops comprised 10,000 account credentials,
including second factors of authentication and answers to those
security check questions like your mother’s maiden name meant to layer
extra security into the online banking process.

“There’s a consumer side of me that says, Be cautious but life must go
on. Someone somehow will take care of this,” says Christopher Hoff.
“And the security side of me wants to curl up in the fetal position
and not go out.”

After Jackson discovered the Prg variant, he learned of two more Gozi
variants found in the wild. The EXE inside these versions is called
76.exe, and is probably the product of 76’s reunion with the HangUp
Team. It’s pesdato! It has vastly improved its server network and
obfuscation techniques. It bounces traffic from country to country. It
hides its drops well. In fact, Jackson’s not sure what it even
connects to. He’s looking for the front end, the next 76service. He
knows it’s out there. But so far he can’t find it.
