Once organised crime got involved in malicious activities on the web, everything changed, Auckland University’s IT security guru, Peter Gutmann, told the audience at Computerworld's Security Briefing, held in Auckland last week.
Outsourcing is huge in today’s commercial malware industry, he says. Mail is sent via spam brokers, who handle spam distribution via open proxies, relays and compromised PCs. There are even spam hosts, who will supply customers with email lists and fresh IP numbers and who will send out bulk mail or direct mailing, he says. Many of these spam hosts are located in China, where control of the internet is rigorous — but only when it comes to pro-democracy websites, says Gutmann.
Anti-detection is also popularly outsourced, says Gutmann. There are anti-detection engines that detect anti-virus software before it can detect the rootkit, he says. Such an engine works like a virus scanner in reverse: if a rootkit scanner is run, it removes the rootkit's kernel hooks so that the scanner finds nothing, he says.
When there is a problem, cybercriminals seem to find a solution. Not only are professional programmers contracted to write malicious code, spammers are hiring linguists to bypass filters, and phishers are employing psychology graduates to scam victims, he says.
The driver behind this market is, obviously, monetary gain, says Gutmann. The underground world of cyber criminals has its own sophisticated money laundering business, where funds are moved and laundered in many different ways, for example using compromised bank accounts, he says. There are also cashiers who will cash out and move the funds for you — for a share of the money, of course.

Email addresses, zero-day exploits and credit card numbers are available for sale online. Credit card checks are easily done via IRC (internet relay chat) botnets — right down to the CVV number, the three-digit number on the back of the card which is required as an extra check by some merchants.
“This is more sophisticated than many merchants,” says Gutmann.
Spammers routinely break into legitimate users’ PCs to send spam, he says. They are not after what is on your computer; they are after your network connection, he says. The botnets are growing at a rate of tens of thousands of machines every day.
The evolution of botnets follows that of file-sharing networks, says Gutmann. IRC botnets are being replaced by peer-to-peer botnets, which are more damage-resistant than centrally controlled IRC-based systems.
The Agobot is one example of a botnet that requires little or no programming knowledge to use, he says.
“Its source code is freely available, it’s a well-written, cross-platform C++ implementation with modular design,” he says.
Its features include packet sniffing and rootkit capabilities, and typical commands include harvesting email addresses, starting and stopping spamming, and starting keylogging.
Another example is the Spybot, which follows the same pattern as Agobot, but is oriented more towards spying and system manipulation, he says. Its capabilities include retrieving passwords and files and simulating keypresses on a PC keyboard.